Email-domain allowlisting is now available for OIDC providers. Set HIVE_GOOGLE_ALLOWED_DOMAINS or HIVE_OIDC_ALLOWED_DOMAINS to a comma-separated list, and Hive will reject users whose email domain is not on the list during the callback. When a single domain is configured for Google, the authorize redirect also includes Google’s hd= hint to pre-filter the account picker. Domain matching is case-insensitive. Sources: https://github.com/tuist/hive/commit/dcccd7b, https://github.com/tuist/hive/commit/03e477e
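The callback-side check and the single-domain hd= hint described above, as an added Python example that is not Hive's own code. The function names are hypothetical, and two behaviours are assumptions not stated in the entry: domains are compared by exact match (a subdomain must be listed separately), and an unset list means no restriction.

```python
def parse_allowed_domains(raw):
    """Split a comma-separated allowlist value into a set of lowercase domains."""
    return {d.strip().lower() for d in (raw or "").split(",") if d.strip()}


def email_domain(email):
    """Return the lowercase domain of an email address, or None if malformed."""
    if not isinstance(email, str):
        return None
    local, _, domain = email.strip().rpartition("@")
    if not local or not domain:
        return None
    return domain.lower()


def is_allowed(email, allowed):
    """Decision taken in the callback, after the provider returns the email.

    Assumption: an empty allowlist means sign-in is unrestricted.
    """
    if not allowed:
        return True
    domain = email_domain(email)
    # Exact, case-insensitive match (assumption). A suffix test such as
    # endswith("example.com") would also accept evil-example.com.
    return domain is not None and domain in allowed


def google_authorize_params(base_params, allowed):
    """Add Google's hd= hint only when exactly one domain is configured."""
    params = dict(base_params)
    if len(allowed) == 1:
        params["hd"] = next(iter(allowed))
    return params


if __name__ == "__main__":
    # Constructed sample value, as it might be set in HIVE_GOOGLE_ALLOWED_DOMAINS.
    allowed = parse_allowed_domains(" Example.com, corp.example.org ,")
    for email in ("Alice@EXAMPLE.COM", "bob@evil-example.com", "no-at-sign"):
        print(email, "->", "accept" if is_allowed(email, allowed) else "reject")
    print(google_authorize_params({"client_id": "placeholder"}, {"example.com"}))
```

The hd= parameter only pre-filters the account picker, so the allowlist test in the callback is what enforces the restriction.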
Hive
OIDC sign-in can be restricted by email domain
Published
May 29, 2026 · 14:40 UTC
Repository
tuist/hive