Skip to main content
Two questions sit behind your RevenueHero security settings: who is allowed into your account, and where is your scheduler allowed to run. The Security page answers both from one place. It controls account access (who can sign up, how they log in) and embedding (which of your domains can host the booking widget). This page walks through each section so you know what every control does before you change it.
BEFORE YOU BEGINSecurity settings are account-wide and affect every member. Changes here can lock people out or block your live scheduler, so review each section before saving.

Open Security settings

In the left sidebar, click Settings → Security.
The page is made of four cards. Each one opens its own modal when you click Edit.

Who can sign up to your account

Controls whether anyone can create an account under your organization or only people you invite. Click Edit to choose between open signup and invite-only, and to set a domain allowlist so only addresses on your company domains can join. Use invite-only with a domain allowlist when you want tight control over who becomes a RevenueHero user.

Login methods

Sets how your members authenticate: password, Google SSO, Microsoft SSO, or Okta. Click Edit to turn methods on and off. At least one method must stay enabled. For the full walkthrough, see Login methods. To provision through Okta, see Set up Okta.

Trusted Origins

Controls which websites are allowed to embed your scheduler. This works as an allowlist: click Add trusted origins and enter each site’s full origin URL (for example https://www.yourcompany.com). Once you’ve added at least one origin, scheduling is allowed only from those origins, and a submission from any other domain is blocked. Here’s the behavior to understand: when no trusted origins are specified, RevenueHero allows submissions from any domain. The moment you add your first origin, you switch from “any domain” to a strict allowlist of exactly the origins you listed.
Add every domain and subdomain your forms live on, including staging and landing-page subdomains. A scheduler that works on your main site but fails on a campaign subdomain is almost always a missing trusted origin.
Leaving Trusted Origins empty means any website can embed your booking widget, since no allowlist is enforced. Add your real domains to lock embedding down to the sites you control, but make sure you’ve listed every domain your forms run on first, or you’ll block your own live scheduler.
That is the Security page. Account access on the left, scheduler embedding on the right, all in one place. 🎉🎉🎉

Login methods

Turn password, Google, and Microsoft sign-in on or off.

Set up Okta

Provision access through your Okta tenant.

Members

Invite users and manage their access.

User roles

Set what each role is allowed to do.