Configure self-signup
Let colleagues on your email domain join your org without an admin sending an invite for every new starter.
By default, joining your org requires an invite from an ADMIN. Self-signup lets anyone with an email on a domain you trust skip that step. Useful when your team grows faster than you can send invites; risky if the domain is broader than you expect.
Before you start
You need:
- ADMIN role on your org.
- A clear list of which email domains belong to your team.
acme.org.auis fine;gmail.comis not (you would let the whole internet in). - A decision on the default role new self-signups should land on. The platform default is VIEWER, which is safer if you want to vet people before giving them edit rights. Bump it to EDITOR if you trust everyone on the listed domains to do day-to-day work.
The three modes
| Mode | Who can join | When to use |
|---|---|---|
| Invitation only | Only people you explicitly invite from Settings -> Users. | Default. Pick this if you want every new user reviewed by an admin. |
| Specific email domains | Anyone whose verified email ends in a domain you list. | Most orgs. Add your own domain (for example acme.org.au). |
| Open | Anyone who can verify an email address. | Development environments only. The Open radio is hidden in production builds. |
Steps
-
Go to Settings -> Access. The page is titled Access Control and the choice you are about to make sits under the Registration Mode heading.
Settings > Access after self-signup is configured. -
Pick a mode (Invitation only or Specific email domains).
-
If you picked Specific email domains, type each allowed domain and press Enter. The form lower-cases and trims as it stores. Add multiple entries for orgs with several email suffixes (
acme.org,acme.org.au). -
Pick the default role new self-signups should receive. ADMIN, EDITOR, or VIEWER. The platform default is VIEWER.
-
Click Save changes.
Together's sign-up flow lives at /get-started. A new person who arrives there with an email on one of your allowed domains is shown a one-click join screen as part of the funnel, and on confirmation lands on your dashboard with the default role. People on a different domain go through the standard create-a-new-org path.
How match works
Together compares the verified email domain (case-insensitive) against your allowed list. LUKE@Acme.Org matches acme.org. Subdomains do not match unless you list them explicitly: mail.acme.org is a different entry from acme.org.
Email verification is part of the match. An unverified address is never auto-joined; the new user must click the verification link Together emails them before they get the auto-join screen.
A person is added to your org only on the first sign-up. Once they have a User row, role changes happen at Settings -> Users the same way they do for invited users. Changing the self-signup default role afterwards does not retroactively update existing users.
If two orgs list the same domain, auto-join breaks the tie by refusing to
pick: the new user lands on /setup without a default org and has to be
invited explicitly. Coordinate with any other Together orgs that share your
email domain before relying on this flow.
Treat the allowed-domain list as a security boundary. Anyone with an email on
a listed domain gets your default role immediately on sign-up. Do not list
shared-mailbox providers (gmail.com, outlook.com, hotmail.com). Use
Invitation only for orgs whose team members are on consumer email.
If you change your mind
You can switch back to Invitation only at any time. Existing users keep their access; the next person trying to sign up via /get-started is blocked.
You can also remove a domain from the list without affecting existing users. Removing acme.org.au stops new sign-ups from that domain but does not revoke anyone already in.
What to do next
- Invite the rest of your team with explicit invites: Invite your team.
- Review who can do what by role: Roles.