
Restrict Sign-ups and Organization Creation

By default, anyone who can reach your Agenta instance can sign up and gets their own organization. This guide shows how to close that down. All settings on this page work in both the open source and Enterprise editions.

Restrict who can create organizations

Set AGENTA_ACCESS_ALLOWED_OWNER_EMAILS to a comma-separated list of emails allowed to create organizations:

AGENTA_ACCESS_ALLOWED_OWNER_EMAILS=admin@company.com,ops@company.com

When this variable is set, only the listed emails get an organization on signup and can create new ones. Everyone else must be invited to an existing organization. When it is not set, any user who signs up gets their own organization (the default).

The legacy names AGENTA_ORG_CREATION_ALLOWLIST and AGENTA_ACCESS_ORG_CREATION_ALLOWLIST are still parsed as aliases.

First user must be in the allowlist

The first user to sign up needs to be in the allowlist. Otherwise, they will not be able to create the initial organization.

Restrict who can sign up

To limit sign-ups to your own domains, set AGENTA_ACCESS_ALLOWED_DOMAINS:

AGENTA_ACCESS_ALLOWED_DOMAINS=company.com

Subdomains match too (user@team.company.com is allowed by company.com). Any email outside the listed domains is denied at sign-in and sign-up.

To block specific addresses or domains instead, use the block lists:

AGENTA_ACCESS_BLOCKED_EMAILS=spammer@example.com
AGENTA_ACCESS_BLOCKED_DOMAINS=example.org

When AGENTA_ACCESS_ALLOWED_DOMAINS is set, the block lists for domains are not consulted; the allowlist wins.

Restart your Agenta deployment after changing any of these variables.
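A dry run of the rules in the two sections above, for checking a planned configuration against test addresses before restarting. This is an added example, not Agenta's own code: `evaluate` and `locked_out_owners` are hypothetical names, and it assumes case-insensitive matching, that blocked emails still apply when a domain allowlist is set, and that blocked domains also cover subdomains.

```python
# Added example: a model of the rules documented on this page, not Agenta's code.
import os

def _csv(env, name):
    """Parse a comma-separated variable into a lowercase set (empty if unset)."""
    return {v.strip().lower() for v in env.get(name, "").split(",") if v.strip()}

def _domain_in(domain, listed):
    """Exact or subdomain match on a dot boundary: notcompany.com != company.com."""
    return any(domain == d or domain.endswith("." + d) for d in listed)

def evaluate(email, env=os.environ):
    """Return (can_sign_up, can_create_org) for one address under the given settings."""
    email = email.strip().lower()
    domain = email.rpartition("@")[2]
    allowed_domains = _csv(env, "AGENTA_ACCESS_ALLOWED_DOMAINS")
    blocked_domains = _csv(env, "AGENTA_ACCESS_BLOCKED_DOMAINS")
    blocked_emails = _csv(env, "AGENTA_ACCESS_BLOCKED_EMAILS")
    owners = _csv(env, "AGENTA_ACCESS_ALLOWED_OWNER_EMAILS")
    if email in blocked_emails:      # assumption: still applies with an allowlist
        can_sign_up = False
    elif allowed_domains:            # allowlist set: domain block list is ignored
        can_sign_up = _domain_in(domain, allowed_domains)
    else:                            # assumption: blocked domains cover subdomains
        can_sign_up = not _domain_in(domain, blocked_domains)
    # Unset owner list means every signed-up user gets an organization (default).
    can_create_org = can_sign_up and (not owners or email in owners)
    return can_sign_up, can_create_org

def locked_out_owners(env=os.environ):
    """Owner-allowlist entries that the sign-up rules would reject."""
    owners = _csv(env, "AGENTA_ACCESS_ALLOWED_OWNER_EMAILS")
    return sorted(o for o in owners if not evaluate(o, env)[0])

# Constructed sample settings and addresses.
SAMPLE_ENV = {
    "AGENTA_ACCESS_ALLOWED_OWNER_EMAILS": "admin@company.com,ops@company.com",
    "AGENTA_ACCESS_ALLOWED_DOMAINS": "company.com",
    "AGENTA_ACCESS_BLOCKED_EMAILS": "spammer@example.com",
    "AGENTA_ACCESS_BLOCKED_DOMAINS": "example.org",
}

if __name__ == "__main__":
    for addr in ("admin@company.com", "dev@team.company.com",
                 "dev@notcompany.com", "contractor@partner.io"):
        print(addr, evaluate(addr, SAMPLE_ENV))
    print("owners unable to sign up:", locked_out_owners(SAMPLE_ENV))
```

An owner address whose domain is missing from AGENTA_ACCESS_ALLOWED_DOMAINS shows up in `locked_out_owners`, which matters most for the first user.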

How restricted users join

Users who pass the sign-up checks but are not allowed to create an organization can still sign in. They have no organization until someone invites them:

  1. As an organization member with invite rights, go to Settings > Workspace > Members and invite their email.
  2. The user accepts the invitation and becomes a member of that organization.

On Enterprise, you can also enable auto-join for a verified domain from Settings > Access & Security, so users from that domain join the organization automatically on signup.

Reference

Variable                              Effect
AGENTA_ACCESS_ALLOWED_OWNER_EMAILS    Only listed emails can create organizations
AGENTA_ACCESS_ALLOWED_DOMAINS         Only listed domains (and subdomains) can sign up
AGENTA_ACCESS_BLOCKED_DOMAINS         Listed domains cannot sign up
AGENTA_ACCESS_BLOCKED_EMAILS          Listed emails cannot sign up

See the configuration reference for the full list of environment variables.