
Members and domains

Wodo grows with how formal your organization wants to be about identity. There are two models, and you move from the first to the second when you're ready — not before.

The invite model (how every organization starts)

People join because someone invited them: to the organization or a space. Anyone can be invited at any email address. This is right for small teams, agencies, and any group whose membership is a matter of trust rather than payroll.

In this model, every person owns their own account. You can remove someone from your organization, but the account is theirs.

The verified-domain model

If you want your organization to be the authority over @yourcompany.com accounts — central sign-in through your own identity provider, colleagues who join without invitation round-trips, a clean offboarding story — you verify the domain: publish a DNS record proving you control it (plus a sign-in check that you actually operate mailboxes there). First come, first served per domain; public providers like gmail.com can't be verified.

Verification unlocks, each one its own switch:

  • Managed vs. external. The members list now distinguishes people whose identity you govern (Managed — your domain) from everyone else (External). Access levels don't change; visibility does.
  • Enforced sign-in. Connect your own identity provider — Okta, Entra ID, anything OIDC — and sign-in for your domain's users must go through it. Disable someone in your IdP and they can't sign in to Wodo. No passkey or fallback route around it.
  • Auto-join. Optionally, anyone signing in with a verified-domain address joins your organization automatically — no invitation round-trips for new colleagues.
  • Authoritative offboarding. Managed users can be removed and their accounts deactivated by the organization — the leaver workflow compliance expects, which the invite model deliberately doesn't offer.

The safety nets

Locking sign-in to your own IdP raises an obvious fear: what if the IdP config breaks? A dedicated recovery route (/sso-recovery) lets an admin prove identity via a code sent to all admins, reach only the SSO settings, and fix or disable the configuration. Every use is audited and announced to all admins.

And domain verification is re-checked continuously. If your DNS record disappears, admins get warnings for six weeks before governance lapses — nothing snaps off because a DNS migration dropped a TXT record.
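An admin can track the same six-week window from their own side of DNS. The sketch below is an added example, not Wodo's code: the record value `wodo-domain-verification=EXAMPLE-TOKEN`, the function names, and the rule that the clock starts at the first answered check without the record are all assumptions, and the observations are constructed.

```python
from datetime import datetime, timedelta

GRACE = timedelta(weeks=6)  # from the page: six weeks of warnings before governance lapses
# Hypothetical record value: the page does not give the real TXT format.
EXPECTED = "wodo-domain-verification=EXAMPLE-TOKEN"

def normalize(txt):
    # DNS tools print TXT data quoted, and long values split into "chunk" "chunk".
    return "".join(p.strip().strip('"') for p in txt.split('" "'))

def evaluate(observations, expected=EXPECTED, grace=GRACE):
    """Return (state, deadline) for time-ordered (when, answers) checks.

    answers is a list of TXT strings, or None when the lookup itself failed
    (timeout, SERVFAIL). Assumption: the grace clock starts at the first check
    that gets an answer without the record. This tracks the DNS side only.
    """
    state, missing_since = "unknown", None
    for when, answers in observations:
        if answers is None:
            continue  # a failed lookup is not evidence that the record is gone
        if any(normalize(a) == expected for a in answers):
            state, missing_since = "verified", None
        else:
            missing_since = missing_since or when
            state = "lapsed" if when - missing_since >= grace else "warning"
    deadline = missing_since + grace if missing_since else None
    return state, deadline

# Constructed sample: a DNS migration that carried SPF over but dropped the TXT record.
SPF = '"v=spf1 include:_spf.example.net ~all"'
SAMPLE = [
    (datetime(2024, 3, 1), [SPF, '"wodo-domain-verification=EXAMPLE-TOKEN"']),
    (datetime(2024, 3, 8), None),    # resolver timeout
    (datetime(2024, 3, 15), [SPF]),  # first check after the migration
    (datetime(2024, 3, 22), [SPF]),
]

if __name__ == "__main__":
    state, deadline = evaluate(SAMPLE)
    print(state, "- restore the record before", deadline)
```

Skipping failed lookups keeps a resolver outage from starting the clock, while an empty answer set counts as the record being absent.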

Like everything here: enforced SSO and domain management are included features, not an enterprise tier. See pricing.