
# Security settings overview

> Control who can sign into your RevenueHero account, which login methods they use, and which websites are allowed to embed your scheduler.

Two questions sit behind your RevenueHero security settings: who is allowed into your account, and where is your scheduler allowed to run. The Security page answers both from one place. It controls account access (who can sign up, how they log in) and embedding (which of your domains can host the booking widget). This page walks through each section so you know what every control does before you change it.

<Note>
  **BEFORE YOU BEGIN**

  Security settings are account-wide and affect every member. Changes here can lock people out or block your live scheduler, so review each section before saving.
</Note>

## Open Security settings

In the left sidebar, click **Settings → Security**.

<Frame>
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/revenuehero/images/settings/security/security-overview_01_page.png" alt="" />
</Frame>

The page is made of four cards. Each one opens its own modal when you click **Edit**.

## Who can sign up to your account

Controls whether anyone can create an account under your organization or only people you invite. Click **Edit** to choose between open signup and invite-only, and to set a domain allowlist so only addresses on your company domains can join.

Use invite-only with a domain allowlist when you want tight control over who becomes a RevenueHero user.

## Login methods

Sets how your members authenticate: password, Google SSO, Microsoft SSO, or Okta. Click **Edit** to turn methods on and off. At least one method must stay enabled.

For the full walkthrough, see [Login methods](/settings/security/login-methods). To provision through Okta, see [Set up Okta](/settings/security/okta).

## Trusted Origins

Controls which websites are allowed to embed your scheduler. This works as an allowlist: click **Add trusted origins** and enter each site's full origin URL (for example `https://www.yourcompany.com`). Once you've added at least one origin, scheduling is allowed only from those origins, and a submission from any other domain is blocked.

Here's the behavior to understand: when no trusted origins are specified, RevenueHero allows submissions from **any** domain. The moment you add your first origin, you switch from "any domain" to a strict allowlist of exactly the origins you listed.

<Tip>
  Add every domain and subdomain your forms live on, including staging and landing-page subdomains. A scheduler that works on your main site but fails on a campaign subdomain is almost always a missing trusted origin.
</Tip>

<Warning>
  Leaving Trusted Origins empty means any website can embed your booking widget, since no allowlist is enforced. Add your real domains to lock embedding down to the sites you control, but make sure you've listed every domain your forms run on first, or you'll block your own live scheduler.
</Warning>
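The switch from "any domain" to a strict allowlist can be checked before you save, as in this added example (not RevenueHero code). It assumes an origin matches only when scheme, host and port are all equal; `toOrigin`, `auditTrustedOrigins` and the sample hostnames are hypothetical.

```javascript
// Added example: pre-flight audit for a Trusted Origins change.
// Assumption: an origin matches only when scheme, host and port are all equal.

// Reduce any URL to its origin (scheme + host + non-default port); null if unusable.
function toOrigin(value) {
  try {
    const url = new URL(value.trim());
    return url.protocol === "https:" || url.protocol === "http:" ? url.origin : null;
  } catch {
    return null; // not an absolute URL, e.g. "www.yourcompany.com" with no scheme
  }
}

// embedPages: URLs of pages that host the scheduler (your own inventory).
// plannedOrigins: the entries you intend to save under Trusted Origins.
function auditTrustedOrigins(embedPages, plannedOrigins) {
  const invalidEntries = plannedOrigins.filter((entry) => toOrigin(entry) === null);
  const allowlist = new Set(plannedOrigins.map(toOrigin).filter(Boolean));

  // Per the page: with no trusted origins, submissions from any domain are allowed.
  if (allowlist.size === 0) {
    return { mode: "any-domain", blockedPages: [], missingOrigins: [], invalidEntries };
  }

  // With at least one origin saved, every page on an unlisted origin is blocked.
  const blockedPages = embedPages.filter((page) => !allowlist.has(toOrigin(page)));
  const missingOrigins = [...new Set(blockedPages.map(toOrigin).filter(Boolean))];
  return { mode: "allowlist", blockedPages, missingOrigins, invalidEntries };
}

// Constructed sample inventory; the hostnames are placeholders.
const samplePages = [
  "https://www.yourcompany.com/demo",
  "https://go.yourcompany.com/webinar?utm_source=ad",
  "https://staging.yourcompany.com/contact",
  "http://www.yourcompany.com/legacy-form",
];
const sampleResult = auditTrustedOrigins(samplePages, ["https://www.yourcompany.com"]);
console.log(sampleResult.missingOrigins);
```

`missingOrigins` is the list to add before saving. Under the exact-match assumption, the `http://` page counts as a different origin from its `https://` counterpart.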

***

That is the Security page. Account access on the left, scheduler embedding on the right, all in one place. 🎉🎉🎉

<CardGroup cols={2}>
  <Card title="Login methods" icon="key" iconType="solid" href="/settings/security/login-methods">
    Turn password, Google, and Microsoft sign-in on or off.
  </Card>

  <Card title="Set up Okta" icon="shield-halved" iconType="solid" href="/settings/security/okta">
    Provision access through your Okta tenant.
  </Card>

  <Card title="Members" icon="users" iconType="solid" href="/settings/organization/all-users">
    Invite users and manage their access.
  </Card>

  <Card title="User roles" icon="user-gear" iconType="solid" href="/settings/user-roles">
    Set what each role is allowed to do.
  </Card>
</CardGroup>
