Verify a domain
Prove that your organization controls an email domain like example.com so MintMCP can route sign-ins for that domain through your identity provider.
Contact enterprise@mintmcp.com and the MintMCP team will assist with alternate verification paths.
Why verify a domain
Before MintMCP routes authentication for a domain through your identity provider, it needs evidence that you control the domain. Without that check, anyone could claim an email domain they don't own and intercept logins.
Verifying a domain enables:
- SSO for users on that domain. You cannot configure SSO until at least one domain is verified. Once verified, sign-ins from that domain are routed through your IdP.
- Directory sync scoping. SCIM-provisioned users are tied to the organization that owns their domain.
- Organization membership. A verified domain anchors a workforce email to the right MintMCP organization.
Verification does not by itself force SSO or block password-based login: those are separate settings configured during SSO setup.
Prerequisites
- An administrator account with the enterprise settings permission
- Access to your DNS provider, so you can add a TXT record to the domain's zone
Add the DNS TXT record
Domain verification is managed from the Enterprise page in the MintMCP app, alongside SSO and SCIM.
- Sign in as an administrator and open Enterprise in the sidebar.
- In the identity and provisioning card, click Verify domain. A guided portal opens in a new tab.
- Enter the domain you want to verify (for example,
acme.com). - Add the DNS TXT record the portal issues to that domain's DNS zone with your DNS provider.
- Return to the portal and click Verify. Propagation can take minutes to hours depending on your DNS TTL.
Once verification succeeds, the Enterprise page shows the domain in its Verified domains summary, and the button changes to Manage domains so you can add more domains or review status later.
Verification states
The Enterprise page shows the current state of every domain associated with your organization:
| State | Meaning | What to do |
|---|---|---|
| Verified | The DNS record was observed and ownership is confirmed | Nothing: the domain is ready for SSO |
| Pending | The verification record has been issued but not yet seen | Re-check after DNS has propagated |
| Failed | The portal could not find the expected record | Confirm the TXT record was added to the correct zone and re-run verification |
Organizations onboarded before self-serve verification was available may already show as verified through the legacy flow, so no action is needed.
Auto-join vs invite-only
By default, verifying a domain enables domain-based auto-join: any user with an email address on that domain can create a MintMCP account and gain member-level access to the organization by completing a one-time verification code, so no manual provisioning is required for them to join.
Some organizations prefer invite-only access, where users must be manually added before they can sign in, for example, when the admin team wants to pre-provision accounts or tightly control who has access. Domain-based auto-join can be disabled on a per-organization basis by contacting the MintMCP team at enterprise@mintmcp.com. This setting is not yet available in the admin UI.
When auto-join is disabled, users on the verified domain who have not been explicitly added cannot create an account or access the organization, even though the domain is verified. Admins retain full control over membership.
Edge cases
Multiple domains. You can verify more than one. Common cases include organizations with a parent company plus an acquired brand, or a domain migration in progress. Each domain goes through the same DNS TXT flow independently, and the Enterprise page shows a count once you have more than a couple.
Subdomains. Verification is scoped to the exact domain you submit, so verifying acme.com does not automatically cover eu.acme.com, so submit each one you need. Verifying a subdomain does not grant any claim over its parent.
Shared consumer domains. Domains like gmail.com cannot be verified because no single organization controls them. Use a domain your organization owns.
Removing a domain. Use Manage domains to remove a domain you no longer use. Remove a domain only after SSO no longer depends on it, since sign-ins for users on that domain route through it.
Can't modify DNS? Contact enterprise@mintmcp.com and the MintMCP team can assist with alternate verification paths.
Next steps
- Configure SSO and SCIM: set up your identity provider now that the domain is verified