diff --git a/.github/workflows/deploy-ephemeral.yml b/.github/workflows/deploy-ephemeral.yml
index 72d0a20a..05c90570 100644
--- a/.github/workflows/deploy-ephemeral.yml
+++ b/.github/workflows/deploy-ephemeral.yml
@@ -247,6 +247,8 @@ jobs:
           # Format: array of cron expressions (Cloudflare doesn't support named triggers)
           # - "0 0 * * *" = midnight UTC daily (subscription downgrade)
           # - "0 4 * * *" = 4 AM UTC daily (webhook cleanup)
+          # NOTE: Custom domain polling is done manually via admin panel
+          # in ephemeral/staging due to cron trigger limits.
           [triggers]
           crons = ["0 0 * * *", "0 4 * * *"]
 
@@ -278,12 +280,14 @@ jobs:
           MAILGUN_BASE_URL = "${{ secrets.MAILGUN_BASE_URL }}"
           MAILGUN_FROM = "${{ secrets.MAILGUN_FROM }}"
           DOMAIN = "rushomon-pr-${{ env.PR_NUMBER }}.${{ env.WORKERS_DOMAIN }}"
+          FALLBACK_DOMAIN = "rushomon-pr-${{ env.PR_NUMBER }}.${{ env.WORKERS_DOMAIN }}"
           FRONTEND_URL = "https://rushomon-pr-${{ env.PR_NUMBER }}.${{ env.WORKERS_DOMAIN }}"
           ALLOWED_ORIGINS = "http://localhost:5173,http://localhost:5174,https://rushomon-pr-${{ env.PR_NUMBER }}.${{ env.WORKERS_DOMAIN }}"
           EPHEMERAL_ORIGIN_PATTERN = "https://rushomon-pr-{}.${{ env.WORKERS_DOMAIN }}"
           ENABLE_KV_RATE_LIMITING = "false"
           POLAR_ORG_SLUG = "${{ secrets.POLAR_ORG_SLUG }}"
           POLAR_SANDBOX = "true"
+          CF_ZONE_ID = "${{ secrets.CF_ZONE_ID }}"
           EOF
 
       - name: Apply D1 Migrations
@@ -328,6 +332,7 @@ jobs:
           MAILGUN_API_KEY: ${{ secrets.MAILGUN_API_KEY }}
           POLAR_ACCESS_TOKEN: ${{ secrets.POLAR_ACCESS_TOKEN }}
           POLAR_WEBHOOK_SECRET: ${{ secrets.POLAR_WEBHOOK_SECRET }}
+          CF_SAAS_API_TOKEN: ${{ secrets.CF_SAAS_API_TOKEN }}
         run: |
           # Set secrets using wrangler secrets API (not visible in Worker dashboard)
           echo "$GH_CLIENT_SECRET" | wrangler secret put GITHUB_CLIENT_SECRET -c wrangler.ephemeral.toml
@@ -338,6 +343,9 @@ jobs:
             echo "$POLAR_ACCESS_TOKEN" | wrangler secret put POLAR_ACCESS_TOKEN -c wrangler.ephemeral.toml
             echo "$POLAR_WEBHOOK_SECRET" | wrangler secret put POLAR_WEBHOOK_SECRET -c wrangler.ephemeral.toml
           fi
+          if [ -n "$CF_SAAS_API_TOKEN" ]; then
+            echo "$CF_SAAS_API_TOKEN" | wrangler secret put CF_API_TOKEN -c wrangler.ephemeral.toml
+          fi
 
       - name: Deploy to Ephemeral Environment
         env:
diff --git a/Cargo.toml b/Cargo.toml
index b0710ef7..1d626c0a 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -8,7 +8,7 @@ crate-type = ["cdylib", "rlib"]
 
 [dependencies]
 worker = { version = "0.8.0", features = ["d1"] }
-wasm-bindgen = { version = "0.2.114", features = ["serde-serialize"] }
+wasm-bindgen = { version = "0.2.121", features = ["serde-serialize"] }
 web-sys = { version = "0.3", features = ["Window", "Request", "RequestInit", "Response", "Headers", "RequestMode"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
diff --git a/README.md b/README.md
index 72f5eb24..d8f32da1 100644
--- a/README.md
+++ b/README.md
@@ -32,6 +32,7 @@ Never forget that naming things is a hard problem to solve. Nevertheless, I'm gl
 - **Rate Limiting**: Comprehensive IP, user, and session-based rate limiting
 - **Instance Settings**: Configurable admin settings including signup control and default tiers
 - **Email Notifications**: Transactional email via Mailgun for team invitations
+- **Custom Domains**: Pro (1) and Business (3) custom domains per organization with SSL via Cloudflare for SaaS
 
 ## Planned Features
 
@@ -39,7 +40,6 @@ Never forget that naming things is a hard problem to solve. Nevertheless, I'm gl
 - **More OAuth providers**: GitLab and other providers beyond GitHub/Google
 - **QR Codes Generation**: Generate QR codes for links
 - **Bulk link operations**: Import/export and batch management
-- **Custom domains per organization**: Organization-specific branded domains
 
 ## How to try it out
 
diff --git a/docs/SELF_HOSTING.md b/docs/SELF_HOSTING.md
index 08483458..b1f45cab 100644
--- a/docs/SELF_HOSTING.md
+++ b/docs/SELF_HOSTING.md
@@ -478,6 +478,7 @@ GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token"
 GOOGLE_USER_URL = "https://openidconnect.googleapis.com/v1/userinfo"
 
 DOMAIN = "api.myapp.com"  # Where OAuth callbacks go (your API domain)
+FALLBACK_DOMAIN = "redirect.myapp.com"  # CNAME target for custom domains (optional, defaults to DOMAIN)
 FRONTEND_URL = "https://myapp.com"  # Main web interface URL
 ALLOWED_ORIGINS = "https://myapp.com,https://api.myapp.com"  # CORS allowed origins
 # KV-based rate limiting is disabled by default in favor of Cloudflare rate limiting rules
@@ -497,6 +498,7 @@ Replace the placeholder values:
 - `YOUR_GITHUB_CLIENT_ID` — from Step 3a (omit key entirely to disable GitHub login)
 - `YOUR_GOOGLE_CLIENT_ID` — from Step 3b (omit key entirely to disable Google login)
 - `api.myapp.com` — your API domain/subdomain (must match OAuth callback URL)
+- `redirect.myapp.com` — optional fallback domain for custom domain CNAMEs (defaults to DOMAIN if not set)
 - `myapp.com` — your main web domain
 - Adjust `ALLOWED_ORIGINS` to match your domain setup
 - Set Mailgun values to match your [Mailgun account](https://www.mailgun.com/) configuration (see Step 3c)
@@ -543,6 +545,17 @@ wrangler secret put JWT_SECRET -c wrangler.toml
 
 # Mailgun API key (from Step 3c) — required for team invitation emails
 wrangler secret put MAILGUN_API_KEY -c wrangler.toml
+
+# Cloudflare for SaaS (optional — required for custom domains)
+# IMPORTANT: Cloudflare for SaaS is an Enterprise-only feature
+# Requires quota allocation from Cloudflare - not available on Free/Pro/Business plans
+# Contact Cloudflare sales or use Enterprise preview: https://developers.cloudflare.com/billing/understand/preview-services/
+# Get your Zone ID from Cloudflare Dashboard → Select zone → Overview → Zone ID
+wrangler secret put CF_ZONE_ID -c wrangler.toml
+
+# Get API token from Cloudflare Dashboard → My Profile → API Tokens → Create Token
+# Required permissions: Zone - SSL and Certificates - Edit
+wrangler secret put CF_API_TOKEN -c wrangler.toml
 ```
 
 **Security Requirements**:
@@ -910,6 +923,7 @@ As an admin, you can:
 | `GITHUB_TOKEN_URL` | GitHub OAuth token endpoint | `https://github.com/login/oauth/access_token` |
 | `GITHUB_USER_URL` | GitHub user API endpoint | `https://api.github.com/user` |
 | `DOMAIN` | Domain where OAuth callbacks go (no protocol) | `api.myapp.com` |
+| `FALLBACK_DOMAIN` | CNAME target for custom domains (optional, defaults to DOMAIN) | `redirect.myapp.com` |
 | `FRONTEND_URL` | Main web interface URL (with protocol) | `https://myapp.com` |
 | `ALLOWED_ORIGINS` | Comma-separated CORS origins | `https://myapp.com,https://api.myapp.com` |
 | `ENABLE_KV_RATE_LIMITING` | Enable KV-based rate limiting (default: false) | `false` |
@@ -925,6 +939,8 @@ As an admin, you can:
 | `GOOGLE_CLIENT_SECRET` | Google OAuth App client secret (if enabled) |
 | `JWT_SECRET` | JWT signing key (32+ random characters) |
 | `MAILGUN_API_KEY` | Mailgun API key (team invitations) |
+| `CF_ZONE_ID` | Cloudflare Zone ID for custom domains (Cloudflare for SaaS - Enterprise only) |
+| `CF_API_TOKEN` | Cloudflare API token with SSL/Certificates Edit permission (custom domains - Enterprise only) |
 
 ### Frontend Build-Time Variables
 
diff --git a/docs/openapi/main.json b/docs/openapi/main.json
index 5ae40c82..03927cdd 100644
--- a/docs/openapi/main.json
+++ b/docs/openapi/main.json
@@ -3503,6 +3503,14 @@
             ],
             "description": "Desktop-specific destination URL (Business tier feature).",
             "example": "https://example.com/desktop-app"
+          },
+          "custom_domain": {
+            "type": [
+              "string",
+              "null"
+            ],
+            "description": "Custom domain to associate this link with (must be an active domain on the org).\nImmutable after creation. None = use default short domain.",
+            "example": "go.mybrand.com"
           }
         },
         "additionalProperties": false
@@ -3652,6 +3660,14 @@
             ],
             "description": "Desktop-specific destination URL (Business tier feature).\nRedirects desktop users (Windows, macOS, Linux) to this URL instead of the default.",
             "example": "https://example.com/desktop-app"
+          },
+          "custom_domain": {
+            "type": [
+              "string",
+              "null"
+            ],
+            "description": "Custom domain this link was created under (immutable after creation).\nNone means the link uses the default short domain.",
+            "example": "go.mybrand.com"
           }
         }
       },
@@ -4143,6 +4159,14 @@
             "type": "integer",
             "format": "int64",
             "example": 50
+          },
+          "custom_domain": {
+            "type": [
+              "string",
+              "null"
+            ],
+            "description": "Custom domain this link belongs to, if any.",
+            "example": "go.mybrand.com"
           }
         }
       },
diff --git a/frontend/src/config/pricing.ts b/frontend/src/config/pricing.ts
index 4826e01a..69a53af9 100644
--- a/frontend/src/config/pricing.ts
+++ b/frontend/src/config/pricing.ts
@@ -125,6 +125,7 @@ export const createPricingTiers = (
       "Custom short codes",
       "Advanced QR codes (sizes, SVG, org logo)",
       "Redirect type selection (301/307)",
+      "1 custom domain",
       "API access",
       "Email support"
     ],
@@ -190,6 +191,7 @@ export const createPricingTiers = (
       "3-year analytics retention",
       "3 organizations",
       "20 team members",
+      "3 custom domains",
       "Device-based routing",
       "Password protection",
       "API access",
diff --git a/frontend/src/lib/api/admin.ts b/frontend/src/lib/api/admin.ts
index c7c743c6..3777c10d 100644
--- a/frontend/src/lib/api/admin.ts
+++ b/frontend/src/lib/api/admin.ts
@@ -9,6 +9,7 @@ import type {
   User
 } from "$lib/types/api";
 import { apiClient } from "./client";
+import type { CustomDomain } from "./domains";
 
 export interface AdminUsersResponse {
   users: User[];
@@ -18,6 +19,13 @@ export interface AdminUsersResponse {
   org_tiers: Record<string, string>;
 }
 
+export interface PollDomainsResponse {
+  success: boolean;
+  domains_processed: number;
+  status_changes: number;
+  message: string;
+}
+
 export interface UpdateUserRoleRequest {
   role: "admin" | "member";
 }
@@ -654,5 +662,19 @@ export const adminApi = {
       `/api/admin/api-keys/${id}/restore`,
       { method: "POST" }
     );
+  },
+
+  /**
+   * List all custom domains across all orgs (admin only)
+   */
+  async listDomains(): Promise<CustomDomain[]> {
+    return apiClient.get<CustomDomain[]>("/api/admin/domains");
+  },
+
+  /**
+   * Manually poll all pending custom domains (admin only)
+   */
+  async pollDomains(): Promise<PollDomainsResponse> {
+    return apiClient.post<PollDomainsResponse>("/api/admin/domains/poll", {});
   }
 };
diff --git a/frontend/src/lib/api/domains.ts b/frontend/src/lib/api/domains.ts
new file mode 100644
index 00000000..25d69403
--- /dev/null
+++ b/frontend/src/lib/api/domains.ts
@@ -0,0 +1,66 @@
+import { apiClient } from "./client";
+
+export interface CustomDomain {
+  id: string;
+  org_id: string;
+  hostname: string;
+  status: "pending" | "active" | "failed";
+  cf_hostname_id: string | null;
+  ssl_status: "pending" | "active" | "failed";
+  created_at: number;
+  verified_at: number | null;
+}
+
+export interface DnsInstructions {
+  cname_target: string;
+  txt_records: TxtRecord[];
+  needs_cname: boolean;
+  needs_txt: boolean;
+}
+
+export interface TxtRecord {
+  name: string;
+  value: string;
+  purpose: "ownership" | "ssl_validation";
+}
+
+export interface DomainWithInstructions {
+  domain: CustomDomain;
+  dns_instructions: DnsInstructions | null;
+}
+
+export type CreateDomainResponse = DomainWithInstructions;
+
+export const domainsApi = {
+  async listDomains(orgId: string): Promise<CustomDomain[]> {
+    return apiClient.get<CustomDomain[]>(`/api/orgs/${orgId}/domains`);
+  },
+
+  async addDomain(
+    orgId: string,
+    hostname: string
+  ): Promise<CreateDomainResponse> {
+    return apiClient.post<CreateDomainResponse>(`/api/orgs/${orgId}/domains`, {
+      hostname
+    });
+  },
+
+  async deleteDomain(
+    orgId: string,
+    hostname: string
+  ): Promise<{ deleted: boolean }> {
+    return apiClient.delete<{ deleted: boolean }>(
+      `/api/orgs/${orgId}/domains/${hostname}`
+    );
+  },
+
+  async refreshDomain(
+    orgId: string,
+    hostname: string
+  ): Promise<DomainWithInstructions> {
+    return apiClient.post<DomainWithInstructions>(
+      `/api/orgs/${orgId}/domains/${hostname}/refresh`,
+      {}
+    );
+  }
+};
diff --git a/frontend/src/lib/components/LinkCard.svelte b/frontend/src/lib/components/LinkCard.svelte
index 753d093d..44d5b217 100644
--- a/frontend/src/lib/components/LinkCard.svelte
+++ b/frontend/src/lib/components/LinkCard.svelte
@@ -54,7 +54,11 @@
     PUBLIC_VITE_SHORT_LINK_BASE_URL ||
     PUBLIC_VITE_API_BASE_URL ||
     "http://localhost:8787";
-  const shortUrl = $derived(`${SHORT_LINK_BASE}/${link.short_code}`);
+  const shortUrl = $derived(
+    link.custom_domain
+      ? `https://${link.custom_domain}/${link.short_code}`
+      : `${SHORT_LINK_BASE}/${link.short_code}`
+  );
 
   let showDeleteConfirm = $state(false);
   let copySuccess = $state(false);
diff --git a/frontend/src/lib/components/LinkModal.svelte b/frontend/src/lib/components/LinkModal.svelte
index f5528559..bbec5a5d 100644
--- a/frontend/src/lib/components/LinkModal.svelte
+++ b/frontend/src/lib/components/LinkModal.svelte
@@ -1,4 +1,5 @@
 <script lang="ts">
+  import type { CustomDomain } from "$lib/api/domains";
   import { linksApi, tagsApi } from "$lib/api/links";
   import TagInput from "$lib/components/TagInput.svelte";
   import type {
@@ -17,12 +18,14 @@
     link?: Link | null;
     isOpen?: boolean;
     usage?: UsageResponse | null;
+    activeDomains?: CustomDomain[];
   }
 
   let {
     link = null,
     isOpen = $bindable(false),
-    usage = null
+    usage = null,
+    activeDomains = []
   }: Props = $props();
 
   const dispatch = createEventDispatcher<{ saved: Link }>();
@@ -71,6 +74,9 @@
   let androidUrl = $state("");
   let desktopUrl = $state("");
 
+  // Domain selection: default is the first active custom domain (if any), else "" (default domain)
+  let selectedDomain = $state("");
+
   const hasUtmParams = $derived(
     !!(
       utmSource.trim() ||
@@ -162,6 +168,8 @@
     androidUrl = "";
     desktopUrl = "";
     showDeviceRouting = false;
+    selectedDomain =
+      activeDomains.length === 1 ? activeDomains[0].hostname : "";
     populatedLinkId = null;
   }
 
@@ -214,6 +222,14 @@
     }
   });
 
+  // When activeDomains loads (or changes), set the default selected domain for create mode
+  $effect(() => {
+    if (!isEditMode && activeDomains) {
+      selectedDomain =
+        activeDomains.length === 1 ? activeDomains[0].hostname : "";
+    }
+  });
+
   function handleClose() {
     if (!loading) {
       isOpen = false;
@@ -310,6 +326,9 @@
         if (shortCode) {
           linkData.short_code = shortCode;
         }
+        if (selectedDomain) {
+          linkData.custom_domain = selectedDomain;
+        }
         savedLink = await linksApi.create(linkData);
       }
 
@@ -450,6 +469,45 @@
           />
         </div>
 
+        <!-- Domain Selection -->
+        {#if activeDomains.length > 0 || (isEditMode && link?.custom_domain)}
+          <div>
+            <label
+              for="link-domain"
+              class="block text-sm font-medium text-gray-700 mb-2"
+            >
+              Domain
+            </label>
+            {#if isEditMode}
+              <div class="flex items-center gap-2">
+                <span
+                  class="inline-flex items-center px-3 py-2 rounded-lg text-sm bg-gray-100 text-gray-700 border border-gray-300 font-mono"
+                >
+                  {link?.custom_domain ?? "Default domain"}
+                </span>
+                <span class="text-xs text-gray-500"
+                  >Domain cannot be changed after creation</span
+                >
+              </div>
+            {:else}
+              <select
+                id="link-domain"
+                bind:value={selectedDomain}
+                disabled={loading}
+                class="w-full px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-orange-500 focus:border-transparent disabled:bg-gray-100 disabled:cursor-not-allowed"
+              >
+                <option value="">Default domain</option>
+                {#each activeDomains as domain (domain.id)}
+                  <option value={domain.hostname}>{domain.hostname}</option>
+                {/each}
+              </select>
+              <p class="text-xs text-gray-500 mt-1">
+                Domain is locked after creation
+              </p>
+            {/if}
+          </div>
+        {/if}
+
         <!-- Short Code -->
         <div>
           <label
diff --git a/frontend/src/lib/components/OrgLinkSlideOver.svelte b/frontend/src/lib/components/OrgLinkSlideOver.svelte
index 0a2ffc03..bd560016 100644
--- a/frontend/src/lib/components/OrgLinkSlideOver.svelte
+++ b/frontend/src/lib/components/OrgLinkSlideOver.svelte
@@ -51,7 +51,11 @@
     PUBLIC_VITE_API_BASE_URL ||
     "http://localhost:8787";
 
-  const shortUrl = $derived(`${SHORT_LINK_BASE}/${link.short_code}`);
+  const shortUrl = $derived(
+    link.custom_domain
+      ? `https://${link.custom_domain}/${link.short_code}`
+      : `${SHORT_LINK_BASE}/${link.short_code}`
+  );
 
   let analytics = $state<LinkAnalyticsResponse | null>(null);
   let loading = $state(true);
diff --git a/frontend/src/lib/types/api.ts b/frontend/src/lib/types/api.ts
index e9b8f69a..66a9ce03 100644
--- a/frontend/src/lib/types/api.ts
+++ b/frontend/src/lib/types/api.ts
@@ -45,6 +45,7 @@ export interface Link {
   ios_url?: string | null;
   android_url?: string | null;
   desktop_url?: string | null;
+  custom_domain?: string | null;
 }
 
 export interface TagWithCount {
@@ -64,6 +65,7 @@ export interface CreateLinkRequest {
   ios_url?: string;
   android_url?: string;
   desktop_url?: string;
+  custom_domain?: string;
 }
 
 export interface UpdateLinkRequest {
@@ -151,6 +153,7 @@ export interface TopLinkCount {
   short_code: string;
   title: string | null;
   count: number;
+  custom_domain?: string | null;
 }
 
 export interface OrgAnalyticsResponse {
@@ -175,6 +178,7 @@ export interface UsageResponse {
     allow_query_forwarding: boolean;
     allow_device_routing: boolean;
     max_tags: number | null;
+    max_custom_domains: number | null;
   };
   usage: {
     links_created_this_month: number;
diff --git a/frontend/src/routes/admin/+layout.svelte b/frontend/src/routes/admin/+layout.svelte
index 28791585..9e3fa52b 100644
--- a/frontend/src/routes/admin/+layout.svelte
+++ b/frontend/src/routes/admin/+layout.svelte
@@ -15,7 +15,8 @@
     | "blacklist"
     | "reports"
     | "api-keys"
-    | "settings";
+    | "settings"
+    | "domains";
 
   const { children } = $props();
 
@@ -122,6 +123,13 @@
         <span class="nav-icon">🔗</span>
         <span class="nav-label">Links</span>
       </button>
+      <button
+        class="nav-item {activeModule === 'domains' ? 'active' : ''}"
+        onclick={() => navigateTo("domains")}
+      >
+        <span class="nav-icon">🌐</span>
+        <span class="nav-label">Custom Domains</span>
+      </button>
       <button
         class="nav-item {activeModule === 'blacklist' ? 'active' : ''}"
         onclick={() => navigateTo("blacklist")}
@@ -278,6 +286,14 @@
           <span class="mobile-nav-icon">🔗</span>
           <span>Links</span>
         </a>
+        <a
+          href="/admin/domains"
+          class="mobile-nav-item {activeModule === 'domains' ? 'active' : ''}"
+          onclick={() => (mobileMenuOpen = false)}
+        >
+          <span class="mobile-nav-icon">🌐</span>
+          <span>Custom Domains</span>
+        </a>
         <a
           href="/admin/blacklist"
           class="mobile-nav-item {activeModule === 'blacklist' ? 'active' : ''}"
diff --git a/frontend/src/routes/admin/domains/+page.svelte b/frontend/src/routes/admin/domains/+page.svelte
new file mode 100644
index 00000000..8bbac536
--- /dev/null
+++ b/frontend/src/routes/admin/domains/+page.svelte
@@ -0,0 +1,283 @@
+<script lang="ts">
+  import { adminApi } from "$lib/api/admin";
+  import type { CustomDomain } from "$lib/api/domains";
+  import { onMount } from "svelte";
+
+  let domains = $state<CustomDomain[]>([]);
+  let loading = $state(true);
+  let error = $state("");
+  let polling = $state(false);
+  let pollResult = $state("");
+
+  onMount(async () => {
+    await loadDomains();
+  });
+
+  async function loadDomains() {
+    try {
+      loading = true;
+      error = "";
+      domains = await adminApi.listDomains();
+    } catch (err) {
+      error = "Failed to load custom domains";
+      console.error("Domains load error:", err);
+    } finally {
+      loading = false;
+    }
+  }
+
+  async function handlePollDomains() {
+    try {
+      polling = true;
+      pollResult = "";
+      const result = await adminApi.pollDomains();
+      pollResult = result.message;
+      // Refresh domain list after polling
+      await loadDomains();
+    } catch (err) {
+      pollResult = "Failed to poll domains";
+      console.error("Poll domains error:", err);
+    } finally {
+      polling = false;
+    }
+  }
+
+  function getStatusBadge(status: string): string {
+    switch (status) {
+      case "active":
+        return "status-badge status-active";
+      case "pending":
+        return "status-badge status-pending";
+      case "failed":
+        return "status-badge status-failed";
+      default:
+        return "status-badge";
+    }
+  }
+</script>
+
+<div class="domains-page">
+  <div class="page-header">
+    <h1>Custom Domains</h1>
+    <p class="subtitle">
+      Manage custom domains and poll their verification status
+    </p>
+  </div>
+
+  {#if pollResult}
+    <div class="alert alert-info">
+      {pollResult}
+    </div>
+  {/if}
+
+  <div class="action-bar">
+    <button
+      class="btn btn-primary"
+      onclick={handlePollDomains}
+      disabled={polling}
+    >
+      {#if polling}
+        <span class="spinner"></span>
+        Polling...
+      {:else}
+        🔄 Poll Pending Domains
+      {/if}
+    </button>
+  </div>
+
+  {#if loading}
+    <div class="loading">Loading domains...</div>
+  {:else if error}
+    <div class="alert alert-error">{error}</div>
+  {:else if domains.length === 0}
+    <div class="empty-state">
+      <p>No custom domains have been added yet.</p>
+    </div>
+  {:else}
+    <div class="domains-table-container">
+      <table class="domains-table">
+        <thead>
+          <tr>
+            <th>Hostname</th>
+            <th>Organization</th>
+            <th>Status</th>
+            <th>Created</th>
+          </tr>
+        </thead>
+        <tbody>
+          {#each domains as domain (domain.id)}
+            <tr>
+              <td class="hostname">{domain.hostname}</td>
+              <td>{domain.org_id}</td>
+              <td>
+                <span class={getStatusBadge(domain.status)}>
+                  {domain.status}
+                </span>
+              </td>
+              <td>{new Date(domain.created_at * 1000).toLocaleDateString()}</td>
+            </tr>
+          {/each}
+        </tbody>
+      </table>
+    </div>
+  {/if}
+</div>
+
+<style>
+  .domains-page {
+    padding: 2rem;
+  }
+
+  .page-header {
+    margin-bottom: 2rem;
+  }
+
+  .page-header h1 {
+    font-size: 1.75rem;
+    font-weight: 600;
+    color: #1f2937;
+    margin: 0 0 0.5rem 0;
+  }
+
+  .subtitle {
+    color: #6b7280;
+    margin: 0;
+  }
+
+  .action-bar {
+    margin-bottom: 1.5rem;
+  }
+
+  .btn {
+    display: inline-flex;
+    align-items: center;
+    gap: 0.5rem;
+    padding: 0.625rem 1rem;
+    border-radius: 0.375rem;
+    font-size: 0.875rem;
+    font-weight: 500;
+    border: none;
+    cursor: pointer;
+    transition: all 0.2s;
+  }
+
+  .btn-primary {
+    background: #4f46e5;
+    color: white;
+  }
+
+  .btn-primary:hover:not(:disabled) {
+    background: #4338ca;
+  }
+
+  .btn:disabled {
+    opacity: 0.6;
+    cursor: not-allowed;
+  }
+
+  .spinner {
+    display: inline-block;
+    width: 1rem;
+    height: 1rem;
+    border: 2px solid rgba(255, 255, 255, 0.3);
+    border-top-color: white;
+    border-radius: 50%;
+    animation: spin 0.8s linear infinite;
+  }
+
+  @keyframes spin {
+    to {
+      transform: rotate(360deg);
+    }
+  }
+
+  .alert {
+    padding: 0.75rem 1rem;
+    border-radius: 0.375rem;
+    margin-bottom: 1.5rem;
+    font-size: 0.875rem;
+  }
+
+  .alert-info {
+    background: #eff6ff;
+    color: #1e40af;
+    border: 1px solid #bfdbfe;
+  }
+
+  .alert-error {
+    background: #fef2f2;
+    color: #991b1b;
+    border: 1px solid #fecaca;
+  }
+
+  .loading,
+  .empty-state {
+    text-align: center;
+    padding: 3rem;
+    color: #6b7280;
+  }
+
+  .domains-table-container {
+    overflow-x: auto;
+    border: 1px solid #e5e7eb;
+    border-radius: 0.5rem;
+  }
+
+  .domains-table {
+    width: 100%;
+    border-collapse: collapse;
+    font-size: 0.875rem;
+  }
+
+  .domains-table thead {
+    background: #f9fafb;
+  }
+
+  .domains-table th {
+    padding: 0.75rem 1rem;
+    text-align: left;
+    font-weight: 600;
+    color: #374151;
+    border-bottom: 1px solid #e5e7eb;
+  }
+
+  .domains-table td {
+    padding: 0.75rem 1rem;
+    border-bottom: 1px solid #f3f4f6;
+    color: #4b5563;
+  }
+
+  .domains-table tbody tr:hover {
+    background: #f9fafb;
+  }
+
+  .hostname {
+    font-family: monospace;
+    font-weight: 500;
+    color: #1f2937;
+  }
+
+  .status-badge {
+    display: inline-block;
+    padding: 0.25rem 0.625rem;
+    border-radius: 9999px;
+    font-size: 0.75rem;
+    font-weight: 500;
+    text-transform: capitalize;
+  }
+
+  .status-active {
+    background: #d1fae5;
+    color: #065f46;
+  }
+
+  .status-pending {
+    background: #fef3c7;
+    color: #92400e;
+  }
+
+  .status-failed {
+    background: #fee2e2;
+    color: #991b1b;
+  }
+</style>
diff --git a/frontend/src/routes/dashboard/+page.svelte b/frontend/src/routes/dashboard/+page.svelte
index 87cba02d..bdbb1864 100644
--- a/frontend/src/routes/dashboard/+page.svelte
+++ b/frontend/src/routes/dashboard/+page.svelte
@@ -1,5 +1,7 @@
 <script lang="ts">
   import { goto, invalidate } from "$app/navigation";
+  import type { CustomDomain } from "$lib/api/domains";
+  import { domainsApi } from "$lib/api/domains";
   import { linksApi, tagsApi } from "$lib/api/links";
   import LinkList from "$lib/components/LinkList.svelte";
   import LinkModal from "$lib/components/LinkModal.svelte";
@@ -60,6 +62,7 @@
   let isExporting = $state(false);
   let deletingLinkId = $state<string | null>(null);
   let recentlySavedLinkId = $state<string | null>(null);
+  let activeDomains = $state<CustomDomain[]>([]);
 
   let highlightTimer: ReturnType<typeof setTimeout>;
 
@@ -93,6 +96,15 @@
     } catch {
       // Non-critical
     }
+    // Load active custom domains for domain selector in LinkModal
+    if (orgId) {
+      try {
+        const all = await domainsApi.listDomains(orgId);
+        activeDomains = all.filter((d) => d.status === "active");
+      } catch {
+        // Non-critical — domain selector just won't appear
+      }
+    }
   });
 
   // Initialize links, pagination, and stats from data (runs on mount and when data changes)
@@ -121,6 +133,20 @@
     selectedTags = data.initialTags || [];
   });
 
+  // Re-fetch active domains when orgId is available (it's loaded from data effect above)
+  $effect(() => {
+    if (orgId) {
+      domainsApi
+        .listDomains(orgId)
+        .then((all) => {
+          activeDomains = all.filter((d) => d.status === "active");
+        })
+        .catch(() => {
+          // Non-critical
+        });
+    }
+  });
+
   const linksUsagePercent = $derived(
     usage?.limits.max_links_per_month
       ? Math.min(
@@ -680,6 +706,7 @@
         link={editingLink}
         bind:isOpen={isModalOpen}
         {usage}
+        {activeDomains}
         on:saved={handleLinkSaved}
       />
 
diff --git a/frontend/src/routes/dashboard/links/[short_code]/+page.svelte b/frontend/src/routes/dashboard/links/[short_code]/+page.svelte
index 96c42e55..f90c06a8 100644
--- a/frontend/src/routes/dashboard/links/[short_code]/+page.svelte
+++ b/frontend/src/routes/dashboard/links/[short_code]/+page.svelte
@@ -71,7 +71,11 @@
   const analytics = $derived(data.analytics);
   const days = $derived(data.days ?? 7);
   const shortUrl = $derived(
-    link ? `${SHORT_LINK_BASE}/${link.short_code}` : ""
+    link
+      ? link.custom_domain
+        ? `https://${link.custom_domain}/${link.short_code}`
+        : `${SHORT_LINK_BASE}/${link.short_code}`
+      : ""
   );
 
   // Reset loading state when data loads
diff --git a/frontend/src/routes/dashboard/org/+page.svelte b/frontend/src/routes/dashboard/org/+page.svelte
index 39988bb0..638e6b0b 100644
--- a/frontend/src/routes/dashboard/org/+page.svelte
+++ b/frontend/src/routes/dashboard/org/+page.svelte
@@ -2,8 +2,11 @@
   import type { BillingStatus } from "$lib/api/billing";
   import { billingApi } from "$lib/api/billing";
   import { resolveLogoUrl } from "$lib/api/client";
+  import type { CreateDomainResponse, CustomDomain } from "$lib/api/domains";
+  import { domainsApi } from "$lib/api/domains";
   import { tagsApi } from "$lib/api/links";
   import { orgsApi } from "$lib/api/orgs";
+  import { usageApi } from "$lib/api/usage";
   import Avatar from "$lib/components/Avatar.svelte";
   import LoadingButton from "$lib/components/LoadingButton.svelte";
   import type {
@@ -12,7 +15,8 @@
     OrgMember,
     OrgSettings,
     OrgWithRole,
-    TagWithCount
+    TagWithCount,
+    UsageResponse
   } from "$lib/types/api";
   import type { PageData } from "./$types";
 
@@ -22,6 +26,7 @@
   let loading = $state(true);
   let error = $state("");
   let billingStatus = $state<BillingStatus | null>(null);
+  let usage = $state<UsageResponse | null>(null);
 
   // Rename org
   let editingName = $state(false);
@@ -39,6 +44,36 @@
   let actionError = $state("");
   let actionSuccess = $state("");
 
+  // Custom domains
+  let domains = $state<CustomDomain[]>([]);
+  let domainsLoading = $state(false);
+  let domainsError = $state("");
+  let newHostname = $state("");
+  let addingDomain = $state(false);
+  let addDomainError = $state("");
+  let newDomainResult = $state<CreateDomainResponse | null>(null);
+  let refreshingDomain = $state<string | null>(null);
+  let deletingDomain = $state<string | null>(null);
+
+  // Copy to clipboard feedback
+  let copiedValue = $state<string | null>(null);
+  let copyTimeout: ReturnType<typeof setTimeout> | null = null;
+
+  async function copyToClipboard(value: string) {
+    try {
+      await navigator.clipboard.writeText(value);
+      copiedValue = value;
+      if (copyTimeout) clearTimeout(copyTimeout);
+      copyTimeout = setTimeout(() => {
+        copiedValue = null;
+      }, 2000);
+    } catch {
+      // Fallback for browsers that don't support clipboard API
+      console.error("Failed to copy to clipboard");
+    }
+  }
+  let confirmingDomainHostname = $state<string | null>(null);
+
   // Tags management
   let tags = $state<TagWithCount[]>([]);
   let tagsLoading = $state(false);
@@ -62,6 +97,8 @@
       orgDetails = await orgsApi.getOrg(currentOrgId);
       await loadOrgSettings(currentOrgId);
       await loadTags();
+      await loadDomains(currentOrgId);
+      usage = await usageApi.getUsage();
     } catch (e: unknown) {
       error =
         e instanceof Error ? e.message : "Failed to load organization details.";
@@ -228,6 +265,28 @@
     ["business", "unlimited"].includes(orgDetails?.org.tier ?? "")
   );
 
+  // Custom domain quota check
+  const maxCustomDomains = $derived(usage?.limits.max_custom_domains);
+  const activeDomainCount = $derived(
+    domains.filter((d) => d.status === "active").length
+  );
+  const domainQuotaReached = $derived(
+    usage !== null &&
+      maxCustomDomains !== null &&
+      maxCustomDomains !== undefined &&
+      maxCustomDomains > 0 &&
+      activeDomainCount >= maxCustomDomains
+  );
+  const domainFeatureLocked = $derived(
+    usage !== null && maxCustomDomains === 0
+  );
+  const domainUpgradeTarget = $derived(() => {
+    const tier = orgDetails?.org.tier ?? "free";
+    if (tier === "free") return "Pro";
+    if (tier === "pro") return "Business";
+    return null;
+  });
+
   // Org settings: forward_query_params
   let orgSettings = $state<OrgSettings | null>(null);
   let settingsError = $state("");
@@ -241,6 +300,114 @@
     }
   }
 
+  async function loadDomains(orgId: string) {
+    domainsLoading = true;
+    domainsError = "";
+    try {
+      domains = await domainsApi.listDomains(orgId);
+      // Check if any domain has pending SSL status and fetch DNS instructions
+      const pendingSslDomain = domains.find((d) => d.ssl_status === "pending");
+      if (pendingSslDomain) {
+        try {
+          const result = await domainsApi.refreshDomain(
+            orgId,
+            pendingSslDomain.hostname
+          );
+          if (result.dns_instructions?.needs_txt) {
+            newDomainResult = result;
+          } else {
+            // Clear DNS instructions if SSL is now active
+            if (
+              newDomainResult?.domain.hostname === pendingSslDomain.hostname
+            ) {
+              newDomainResult = null;
+            }
+          }
+        } catch {
+          // Non-critical - if refresh fails, we'll just not show DNS instructions
+        }
+      } else {
+        // If no domains have pending SSL, clear any stale DNS instructions
+        newDomainResult = null;
+      }
+    } catch (e: unknown) {
+      domainsError = e instanceof Error ? e.message : "Failed to load domains.";
+    } finally {
+      domainsLoading = false;
+    }
+  }
+
+  async function handleAddDomain() {
+    if (!orgDetails || !newHostname.trim()) return;
+    addingDomain = true;
+    addDomainError = "";
+    newDomainResult = null;
+    try {
+      const result = await domainsApi.addDomain(
+        orgDetails.org.id,
+        newHostname.trim()
+      );
+      domains = [...domains, result.domain];
+      newDomainResult = result;
+      newHostname = "";
+    } catch (e: unknown) {
+      addDomainError = e instanceof Error ? e.message : "Failed to add domain.";
+    } finally {
+      addingDomain = false;
+    }
+  }
+
+  async function handleDeleteDomain(hostname: string) {
+    if (!orgDetails) return;
+    confirmingDomainHostname = hostname;
+  }
+
+  async function confirmDeleteDomain() {
+    if (!orgDetails || !confirmingDomainHostname) return;
+    const hostname = confirmingDomainHostname;
+    deletingDomain = hostname;
+    try {
+      await domainsApi.deleteDomain(orgDetails.org.id, hostname);
+      domains = domains.filter((d) => d.hostname !== hostname);
+      if (newDomainResult?.domain.hostname === hostname) newDomainResult = null;
+    } catch (e: unknown) {
+      actionError = e instanceof Error ? e.message : "Failed to remove domain.";
+      setTimeout(() => (actionError = ""), 5000);
+    } finally {
+      deletingDomain = null;
+      confirmingDomainHostname = null;
+    }
+  }
+
+  function closeConfirmDomain() {
+    confirmingDomainHostname = null;
+  }
+
+  async function handleRefreshDomain(hostname: string) {
+    if (!orgDetails) return;
+    refreshingDomain = hostname;
+    try {
+      const result = await domainsApi.refreshDomain(
+        orgDetails.org.id,
+        hostname
+      );
+      domains = domains.map((d) =>
+        d.hostname === hostname ? result.domain : d
+      );
+      // If refresh returned SSL validation records and domain is still pending,
+      // show them in the DNS instructions panel
+      if (result.dns_instructions?.needs_txt) {
+        newDomainResult = result;
+      }
+    } catch (e: unknown) {
+      actionError =
+        e instanceof Error ? e.message : "Failed to refresh domain status.";
+      setTimeout(() => (actionError = ""), 5000);
+    } finally {
+      refreshingDomain = null;
+    }
+  }
+
   async function loadTags() {
     tagsLoading = true;
     tagsError = "";
@@ -940,6 +1107,285 @@
         {/if}
       </div>
 
+      <!-- Custom Domains -->
+      <div class="bg-white rounded-xl border border-gray-200 p-6 mb-6">
+        <div class="flex items-center justify-between mb-1">
+          <h2 class="text-lg font-semibold text-gray-900">Custom Domains</h2>
+          {#if orgDetails.org.tier === "free"}
+            <span
+              class="text-xs bg-amber-100 text-amber-700 px-2 py-1 rounded-full font-medium"
+              >Pro+ feature</span
+            >
+          {/if}
+        </div>
+        <p class="text-sm text-gray-500 mb-4">
+          Point your own domain at your short links (e.g. <code
+            class="bg-gray-100 px-1 rounded">go.example.com</code
+          >).
+        </p>
+
+        {#if orgDetails.org.tier === "free"}
+          <div class="bg-orange-50 border border-orange-200 rounded-lg p-4">
+            <p class="text-sm text-orange-800">
+              Custom domains require a <strong>Pro plan</strong> or higher.
+              <a href="/billing" class="underline font-medium"
+                >Upgrade your plan</a
+              > to add custom domains.
+            </p>
+          </div>
+        {:else}
+          {#if domainsLoading}
+            <div class="flex items-center gap-2 text-sm text-gray-500">
+              <div
+                class="animate-spin w-4 h-4 border-2 border-gray-300 border-t-gray-600 rounded-full"
+              ></div>
+              Loading domains...
+            </div>
+          {:else if domainsError}
+            <div class="text-sm text-red-600 mb-3">{domainsError}</div>
+          {/if}
+
+          {#if domains.length > 0}
+            <ul class="space-y-3 mb-4">
+              {#each domains as domain (domain.id)}
+                <li
+                  class="flex items-center justify-between p-3 bg-gray-50 rounded-lg"
+                >
+                  <div class="flex-1 min-w-0">
+                    <div class="flex items-center gap-2">
+                      <span class="font-mono text-sm text-gray-800 truncate"
+                        >{domain.hostname}</span
+                      >
+                      {#if domain.status === "active" && domain.ssl_status === "pending"}
+                        <span
+                          class="text-xs bg-blue-100 text-blue-700 px-2 py-0.5 rounded-full"
+                          >Pending Certificate</span
+                        >
+                      {:else if domain.status === "active"}
+                        <span
+                          class="text-xs bg-green-100 text-green-700 px-2 py-0.5 rounded-full"
+                          >Active</span
+                        >
+                      {:else if domain.status === "pending"}
+                        <span
+                          class="text-xs bg-yellow-100 text-yellow-700 px-2 py-0.5 rounded-full"
+                          >Pending DNS</span
+                        >
+                      {:else}
+                        <span
+                          class="text-xs bg-red-100 text-red-700 px-2 py-0.5 rounded-full"
+                          >Failed</span
+                        >
+                      {/if}
+                    </div>
+                    {#if domain.status === "pending"}
+                      <p class="text-xs text-gray-500 mt-1">
+                        Add the CNAME record, then click Refresh to check
+                        status.
+                      </p>
+                    {/if}
+                  </div>
+                  <div class="flex items-center gap-2 ml-4">
+                    {#if domain.status === "pending" || domain.status === "active"}
+                      <button
+                        onclick={() => handleRefreshDomain(domain.hostname)}
+                        disabled={refreshingDomain === domain.hostname}
+                        class="text-xs text-blue-600 hover:text-blue-800 disabled:opacity-50 transition-colors"
+                      >
+                        {refreshingDomain === domain.hostname
+                          ? "Checking..."
+                          : "Refresh"}
+                      </button>
+                    {/if}
+                    <button
+                      onclick={() => handleDeleteDomain(domain.hostname)}
+                      disabled={deletingDomain === domain.hostname}
+                      class="text-xs text-red-500 hover:text-red-700 disabled:opacity-50 transition-colors"
+                    >
+                      {deletingDomain === domain.hostname
+                        ? "Removing..."
+                        : "Remove"}
+                    </button>
+                  </div>
+                </li>
+              {/each}
+            </ul>
+          {:else if !domainsLoading}
+            <p class="text-sm text-gray-500 mb-4">
+              No custom domains configured yet.
+            </p>
+          {/if}
+
+          <!-- Add domain form -->
+          {#if newDomainResult && newDomainResult.dns_instructions}
+            <div class="bg-blue-50 border border-blue-200 rounded-lg p-4 mb-4">
+              <h3 class="text-sm font-semibold text-blue-900 mb-2">
+                DNS Setup Required
+              </h3>
+              <p class="text-sm text-blue-800 mb-3">
+                Add the following DNS records at your DNS provider to verify
+                ownership and enable routing:
+              </p>
+              <div class="space-y-2">
+                {#if newDomainResult.dns_instructions.needs_cname}
+                  <div class="bg-white rounded border border-blue-200 p-4">
+                    <div class="text-xs font-medium text-gray-500 mb-3">
+                      CNAME Record
+                    </div>
+                    <div class="space-y-2">
+                      <div>
+                        <div class="text-xs text-gray-400 mb-1">Name</div>
+                        <div class="flex items-center gap-2">
+                          <span
+                            class="font-mono text-sm text-gray-700 bg-gray-50 px-2 py-1 rounded"
+                            >{newDomainResult.domain.hostname}</span
+                          >
+                          <button
+                            onclick={() =>
+                              copyToClipboard(newDomainResult!.domain.hostname)}
+                            class="text-xs text-blue-600 hover:text-blue-800 underline"
+                            title="Copy"
+                          >
+                            {copiedValue === newDomainResult!.domain.hostname
+                              ? "Copied!"
+                              : "Copy"}
+                          </button>
+                        </div>
+                      </div>
+                      <div>
+                        <div class="text-xs text-gray-400 mb-1">Target</div>
+                        <div class="flex items-center gap-2">
+                          <span
+                            class="font-mono text-sm text-blue-700 bg-blue-50 px-2 py-1 rounded"
+                            >{newDomainResult.dns_instructions
+                              .cname_target}</span
+                          >
+                          <button
+                            onclick={() =>
+                              copyToClipboard(
+                                newDomainResult!.dns_instructions!.cname_target
+                              )}
+                            class="text-xs text-blue-600 hover:text-blue-800 underline"
+                            title="Copy"
+                          >
+                            {copiedValue ===
+                            newDomainResult!.dns_instructions!.cname_target
+                              ? "Copied!"
+                              : "Copy"}
+                          </button>
+                        </div>
+                      </div>
+                    </div>
+                  </div>
+                {/if}
+                {#if newDomainResult.dns_instructions.needs_txt && newDomainResult.dns_instructions.txt_records.length > 0}
+                  {#each newDomainResult.dns_instructions.txt_records as record, index (index)}
+                    <div
+                      class="bg-white rounded border border-blue-200 p-4 mb-2 last:mb-0"
+                    >
+                      <div class="text-xs font-medium text-gray-500 mb-3">
+                        TXT Record
+                        {record.purpose === "ownership"
+                          ? " (domain ownership verification)"
+                          : " (SSL certificate validation)"}
+                      </div>
+                      <div class="space-y-2">
+                        <div>
+                          <div class="text-xs text-gray-400 mb-1">Name</div>
+                          <div class="flex items-center gap-2">
+                            <span
+                              class="font-mono text-sm text-gray-700 bg-gray-50 px-2 py-1 rounded"
+                              >{record.name}</span
+                            >
+                            <button
+                              onclick={() => copyToClipboard(record.name)}
+                              class="text-xs text-blue-600 hover:text-blue-800 underline"
+                              title="Copy"
+                            >
+                              {copiedValue === record.name ? "Copied!" : "Copy"}
+                            </button>
+                          </div>
+                        </div>
+                        <div>
+                          <div class="text-xs text-gray-400 mb-1">Value</div>
+                          <div class="flex items-start gap-2">
+                            <span
+                              class="font-mono text-sm text-blue-700 bg-blue-50 px-2 py-1 rounded break-all flex-1"
+                              >{record.value}</span
+                            >
+                            <button
+                              onclick={() => copyToClipboard(record.value)}
+                              class="text-xs text-blue-600 hover:text-blue-800 underline"
+                              title="Copy"
+                            >
+                              {copiedValue === record.value
+                                ? "Copied!"
+                                : "Copy"}
+                            </button>
+                          </div>
+                        </div>
+                      </div>
+                    </div>
+                  {/each}
+                {/if}
+              </div>
+              <p class="text-xs text-blue-700 mt-3">
+                DNS propagation can take a few minutes. Use the Refresh button
+                to check verification status.
+              </p>
+              <button
+                onclick={() => {
+                  newDomainResult = null;
+                }}
+                class="mt-2 text-xs text-blue-600 hover:text-blue-800 underline"
+                >Dismiss</button
+              >
+            </div>
+          {/if}
+
+          {#if domainFeatureLocked || domainQuotaReached}
+            <div
+              class="bg-amber-50 border border-amber-200 rounded-lg p-3 mt-2 text-sm text-amber-800"
+            >
+              {#if domainFeatureLocked}
+                Custom domains require the <strong>Pro plan</strong> or higher.
+                <a href="/billing" class="underline font-medium"
+                  >Upgrade your plan</a
+                >
+              {:else}
+                You've reached your custom domain limit ({activeDomainCount}/
+                {maxCustomDomains}). Upgrade to
+                <strong>{domainUpgradeTarget()}</strong>
+                to add more domains.
+                <a href="/billing" class="underline font-medium">Upgrade</a>
+              {/if}
+            </div>
+          {:else}
+            <div class="flex items-center gap-2">
+              <input
+                type="text"
+                bind:value={newHostname}
+                placeholder="go.yourdomain.com"
+                class="flex-1 px-3 py-2 border border-gray-200 rounded-lg text-sm focus:outline-none focus:ring-2 focus:ring-orange-300 font-mono"
+                onkeydown={(e) => {
+                  if (e.key === "Enter") handleAddDomain();
+                }}
+              />
+              <button
+                onclick={handleAddDomain}
+                disabled={addingDomain || !newHostname.trim()}
+                class="px-4 py-2 bg-orange-500 hover:bg-orange-600 disabled:opacity-50 text-white rounded-lg text-sm font-medium transition-colors"
+              >
+                {addingDomain ? "Adding..." : "Add Domain"}
+              </button>
+            </div>
+          {/if}
+          {#if addDomainError}
+            <p class="text-xs text-red-600 mt-2">{addDomainError}</p>
+          {/if}
+        {/if}
+      </div>
+
       <!-- Tags Management -->
       <div class="bg-white rounded-xl border border-gray-200 p-6 mb-6">
         <h2 class="text-lg font-semibold text-gray-900 mb-4">Tags</h2>
@@ -1239,6 +1685,47 @@
   </div>
 {/if}
 
+<!-- Domain Deletion Confirmation Modal -->
+{#if confirmingDomainHostname}
+  <div
+    class="modal-backdrop"
+    role="button"
+    tabindex="0"
+    onclick={closeConfirmDomain}
+    onkeydown={(e) => e.key === "Enter" && closeConfirmDomain()}
+  >
+    <div
+      class="modal"
+      onclick={(e) => e.stopPropagation()}
+      role="dialog"
+      aria-modal="true"
+      tabindex="0"
+      onkeydown={(e) => e.key === "Escape" && closeConfirmDomain()}
+    >
+      <div class="modal-header">
+        <h3>Remove Custom Domain?</h3>
+        <button class="modal-close" onclick={closeConfirmDomain}>&times;</button
+        >
+      </div>
+      <div class="modal-body">
+        <p>
+          Remove custom domain "{confirmingDomainHostname}"? All short links
+          served through this domain will stop working. This action cannot be
+          undone.
+        </p>
+      </div>
+      <div class="modal-footer">
+        <button class="btn btn-secondary" onclick={closeConfirmDomain}>
+          Cancel
+        </button>
+        <button class="btn btn-danger" onclick={confirmDeleteDomain}>
+          Remove
+        </button>
+      </div>
+    </div>
+  </div>
+{/if}
+
 <style>
   /* Modal Styles */
   .modal-backdrop {
diff --git a/migrations/0030_custom_domains.sql b/migrations/0030_custom_domains.sql
new file mode 100644
index 00000000..50a4f7ae
--- /dev/null
+++ b/migrations/0030_custom_domains.sql
@@ -0,0 +1,15 @@
+-- Custom domains for organizations (Pro+ feature)
+-- Allows orgs to use their own domain (e.g. go.mybrand.com) for short links
+-- SSL and domain verification are handled via Cloudflare for SaaS API
+CREATE TABLE custom_domains (
+    id TEXT PRIMARY KEY NOT NULL,
+    org_id TEXT NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
+    hostname TEXT NOT NULL UNIQUE,
+    status TEXT NOT NULL DEFAULT 'pending',
+    cf_hostname_id TEXT,
+    created_at INTEGER NOT NULL,
+    verified_at INTEGER
+);
+
+CREATE INDEX idx_custom_domains_org ON custom_domains(org_id);
+CREATE INDEX idx_custom_domains_hostname ON custom_domains(hostname);
diff --git a/migrations/0031_ssl_status.sql b/migrations/0031_ssl_status.sql
new file mode 100644
index 00000000..c86cb9f2
--- /dev/null
+++ b/migrations/0031_ssl_status.sql
@@ -0,0 +1,4 @@
+-- Add SSL certificate status tracking to custom_domains
+-- This allows us to track SSL certificate status separately from hostname status
+-- Hostname can be "active" (CNAME verified) while SSL cert is still "pending"
+ALTER TABLE custom_domains ADD COLUMN ssl_status TEXT NOT NULL DEFAULT 'pending';
diff --git a/migrations/0032_link_custom_domain.sql b/migrations/0032_link_custom_domain.sql
new file mode 100644
index 00000000..6da82293
--- /dev/null
+++ b/migrations/0032_link_custom_domain.sql
@@ -0,0 +1,5 @@
+-- Track which custom domain a link was created under.
+-- NULL means the link uses the default short domain.
+-- Immutable after creation (same as short_code) — changing domain would
+-- orphan all previously shared links since the KV key is {hostname}:{short_code}.
+ALTER TABLE links ADD COLUMN custom_domain TEXT;
diff --git a/src/api/admin/domains.rs b/src/api/admin/domains.rs
new file mode 100644
index 00000000..bed1b270
--- /dev/null
+++ b/src/api/admin/domains.rs
@@ -0,0 +1,112 @@
+/// Admin custom domain handlers
+///
+/// GET /api/admin/domains — List all custom domains
+/// POST /api/admin/domains/poll — Manually poll all pending custom domains
+use crate::auth;
+use crate::models::CustomDomain;
+use crate::repositories::CustomDomainRepository;
+use crate::scheduled::poll_domain_status::poll_pending_domains;
+use crate::utils::AppError;
+use utoipa::ToSchema;
+use worker::d1::D1Database;
+use worker::*;
+
+#[utoipa::path(
+    get,
+    path = "/api/admin/domains",
+    tag = "Admin",
+    summary = "List all custom domains",
+    responses(
+        (status = 200, description = "List of custom domains", body = Vec<CustomDomain>),
+        (status = 401, description = "Unauthorized"),
+        (status = 403, description = "Admin required"),
+    ),
+    security(("Bearer" = []), ("session_cookie" = []))
+)]
+pub async fn handle_admin_list_domains(req: Request, ctx: RouteContext<()>) -> Result<Response> {
+    Ok(inner_handle_admin_list_domains(req, ctx)
+        .await
+        .unwrap_or_else(|e| e.into_response()))
+}
+
+async fn inner_handle_admin_list_domains(
+    req: Request,
+    ctx: RouteContext<()>,
+) -> Result<Response, AppError> {
+    let user_ctx = auth::authenticate_request(&req, &ctx).await?;
+    auth::require_admin(&user_ctx).map_err(AppError::from)?;
+
+    let db = ctx
+        .env
+        .get_binding::<D1Database>("rushomon")
+        .map_err(|_| AppError::Internal("Database not available".to_string()))?;
+
+    let domains = CustomDomainRepository::new().get_all(&db).await.map_err(|e| {
+        console_log!("{}", serde_json::json!({"event": "admin_list_domains_failed", "error": e.to_string(), "level": "error"}));
+        AppError::Internal("Failed to list custom domains".to_string())
+    })?;
+
+    Ok(Response::from_json(&domains)?)
+}
+
+#[utoipa::path(
+    post,
+    path = "/api/admin/domains/poll",
+    tag = "Admin",
+    summary = "Poll pending custom domains",
+    responses(
+        (status = 200, description = "Polling complete", body = PollDomainsResponse),
+        (status = 401, description = "Unauthorized"),
+        (status = 403, description = "Admin required"),
+    ),
+    security(("Bearer" = []), ("session_cookie" = []))
+)]
+pub async fn handle_admin_poll_domains(req: Request, ctx: RouteContext<()>) -> Result<Response> {
+    Ok(inner_handle_admin_poll_domains(req, ctx)
+        .await
+        .unwrap_or_else(|e| e.into_response()))
+}
+
+#[derive(serde::Serialize, ToSchema)]
+struct PollDomainsResponse {
+    success: bool,
+    domains_processed: u64,
+    status_changes: u64,
+    message: String,
+}
+
+async fn inner_handle_admin_poll_domains(
+    req: Request,
+    ctx: RouteContext<()>,
+) -> Result<Response, AppError> {
+    let user_ctx = auth::authenticate_request(&req, &ctx).await?;
+    auth::require_admin(&user_ctx).map_err(AppError::from)?;
+
+    let db = ctx
+        .env
+        .get_binding::<D1Database>("rushomon")
+        .map_err(|_| AppError::Internal("Database not available".to_string()))?;
+    let kv = ctx
+        .kv("URL_MAPPINGS")
+        .map_err(|e| AppError::Internal(format!("KV store not available: {}", e)))?;
+
+    let (processed, changes) = poll_pending_domains(&db, &kv, &ctx.env).await;
+
+    let message = if processed == 0 {
+        "No pending domains found".to_string()
+    } else if changes == 0 {
+        format!("Polled {} domain(s), no status changes", processed)
+    } else {
+        format!(
+            "Polled {} domain(s), {} status change(s)",
+            processed, changes
+        )
+    };
+
+    Ok(Response::from_json(&PollDomainsResponse {
+        success: true,
+        domains_processed: processed as u64,
+        status_changes: changes as u64,
+        message,
+    })?)
+}
diff --git a/src/api/admin/mod.rs b/src/api/admin/mod.rs
index 80361fee..3a5b8f1d 100644
--- a/src/api/admin/mod.rs
+++ b/src/api/admin/mod.rs
@@ -2,4 +2,5 @@ pub mod api_keys;
 pub mod billing;
 pub mod blacklist;
 pub mod counters;
+pub mod domains;
 pub mod users;
diff --git a/src/api/analytics/usage.rs b/src/api/analytics/usage.rs
index b9f60476..75a35812 100644
--- a/src/api/analytics/usage.rs
+++ b/src/api/analytics/usage.rs
@@ -44,6 +44,7 @@ async fn inner(req: Request, ctx: RouteContext<()>) -> Result<Response, AppError
             "allow_query_forwarding": usage_info.limits.allow_query_forwarding,
             "allow_device_routing": usage_info.limits.allow_device_routing,
             "max_tags": usage_info.limits.max_tags,
+            "max_custom_domains": usage_info.limits.max_custom_domains,
         },
         "usage": {
             "links_created_this_month": usage_info.links_created_this_month,
diff --git a/src/api/domains/create.rs b/src/api/domains/create.rs
new file mode 100644
index 00000000..06bc07c2
--- /dev/null
+++ b/src/api/domains/create.rs
@@ -0,0 +1,221 @@
+/// POST /api/orgs/:id/domains
+/// Add a custom domain to an organization (Pro+ only)
+use crate::auth;
+use crate::models::custom_domain::{
+    CustomDomain, DnsInstructions, SSL_STATUS_PENDING, STATUS_PENDING, TxtRecord, TxtRecordPurpose,
+};
+use crate::repositories::{BillingRepository, CustomDomainRepository, OrgRepository};
+use crate::services::OrgService;
+use crate::utils::env::get_fallback_domain;
+use crate::utils::{AppError, cf_saas};
+use worker::d1::D1Database;
+use worker::*;
+
+pub async fn handle_create_domain(req: Request, ctx: RouteContext<()>) -> Result<Response> {
+    Ok(inner(req, ctx).await.unwrap_or_else(|e| e.into_response()))
+}
+
+async fn inner(mut req: Request, ctx: RouteContext<()>) -> Result<Response, AppError> {
+    let user_ctx = auth::authenticate_request(&req, &ctx).await?;
+
+    let org_id = ctx
+        .param("id")
+        .ok_or_else(|| AppError::BadRequest("Missing org id".to_string()))?
+        .to_string();
+
+    let db = ctx.env.get_binding::<D1Database>("rushomon")?;
+
+    OrgService::new()
+        .require_owner_or_admin(
+            &db,
+            &org_id,
+            &user_ctx.user_id,
+            "Only org owners and admins can manage custom domains",
+        )
+        .await?;
+
+    let body: serde_json::Value = req
+        .json()
+        .await
+        .map_err(|_| AppError::BadRequest("Invalid JSON body".to_string()))?;
+
+    let hostname = body["hostname"]
+        .as_str()
+        .map(|s| s.trim().to_lowercase())
+        .filter(|s| !s.is_empty())
+        .ok_or_else(|| AppError::BadRequest("hostname is required".to_string()))?;
+
+    validate_hostname(&hostname)?;
+
+    let org = OrgRepository::new()
+        .get_by_id(&db, &org_id)
+        .await?
+        .ok_or_else(|| AppError::NotFound("Organization not found".to_string()))?;
+
+    // Check tier allows custom domains
+    let billing_repo = BillingRepository::new();
+    let billing_account = billing_repo
+        .get_for_org(&db, &org_id)
+        .await?
+        .ok_or_else(|| {
+            AppError::Internal("No billing account found for organization".to_string())
+        })?;
+
+    let tier = crate::models::Tier::from_str_value(&billing_account.tier)
+        .unwrap_or(crate::models::Tier::Free);
+    let limits = tier.limits();
+
+    match limits.max_custom_domains {
+        Some(0) => {
+            return Err(AppError::Forbidden(
+                "Custom domains are not available on the Free plan. Upgrade to Pro or Business."
+                    .to_string(),
+            ));
+        }
+        Some(max) => {
+            let current = CustomDomainRepository::new()
+                .count_non_failed_for_org(&db, &org_id)
+                .await
+                .map_err(AppError::from)?;
+            if current >= max {
+                return Err(AppError::Forbidden(format!(
+                    "Custom domain limit reached ({}/{}). Upgrade your plan to add more domains.",
+                    current, max
+                )));
+            }
+        }
+        None => {}
+    }
+
+    // Check hostname is not already taken (globally)
+    let existing = CustomDomainRepository::new()
+        .get_by_hostname(&db, &hostname)
+        .await
+        .map_err(AppError::from)?;
+    if existing.is_some() {
+        return Err(AppError::BadRequest(format!(
+            "'{}' is already registered as a custom domain.",
+            hostname
+        )));
+    }
+
+    // Register with Cloudflare for SaaS
+    let cf_result = match cf_saas::create_custom_hostname(&ctx.env, &hostname).await {
+        Ok(result) => result,
+        Err(e) => {
+            // Check if it's a quota error (Enterprise-only feature)
+            let error_msg = e.to_string();
+            if error_msg.contains("quota") || error_msg.contains("1404") {
+                // CF for SaaS not available - fall back to dev/test mode
+                None
+            } else {
+                return Err(AppError::Internal(format!(
+                    "Failed to register domain with Cloudflare: {}",
+                    e
+                )));
+            }
+        }
+    };
+
+    let (cf_hostname_id, dns_instructions) = if let Some(cf) = cf_result {
+        // Collect all TXT records needed for verification
+        let mut txt_records: Vec<TxtRecord> = Vec::new();
+
+        // Add ownership verification TXT record (if present)
+        if let Some(ownership) = cf.ownership_verification {
+            txt_records.push(TxtRecord {
+                name: ownership.name,
+                value: ownership.value,
+                purpose: TxtRecordPurpose::Ownership,
+            });
+        }
+
+        // Add SSL validation TXT records from validation_records (if present)
+        if let Some(records) = cf.ssl.validation_records {
+            for record in records {
+                if let (Some(name), Some(value)) = (record.txt_name, record.txt_value) {
+                    txt_records.push(TxtRecord {
+                        name,
+                        value,
+                        purpose: TxtRecordPurpose::SslValidation,
+                    });
+                }
+            }
+        }
+
+        let needs_txt = !txt_records.is_empty();
+        let cname_target = get_fallback_domain(&ctx.env);
+        let instructions = DnsInstructions {
+            cname_target,
+            txt_records,
+            needs_cname: true,
+            needs_txt,
+        };
+        (Some(cf.id), instructions)
+    } else {
+        // CF for SaaS not configured (dev/test mode) — return stub instructions
+        let cname_target = get_fallback_domain(&ctx.env);
+        let instructions = DnsInstructions {
+            cname_target,
+            txt_records: vec![],
+            needs_cname: true,
+            needs_txt: false,
+        };
+        (None, instructions)
+    };
+
+    let domain = CustomDomain {
+        id: CustomDomain::generate_id(),
+        org_id: org.id,
+        hostname,
+        status: STATUS_PENDING.to_string(),
+        cf_hostname_id,
+        ssl_status: SSL_STATUS_PENDING.to_string(),
+        created_at: crate::utils::now_timestamp(),
+        verified_at: None,
+    };
+
+    CustomDomainRepository::new()
+        .create(&db, &domain)
+        .await
+        .map_err(AppError::from)?;
+
+    Ok(Response::from_json(&serde_json::json!({
+        "domain": domain,
+        "dns_instructions": dns_instructions,
+    }))?)
+}
+
+/// Basic hostname validation: must look like a valid subdomain or domain
+fn validate_hostname(hostname: &str) -> Result<(), AppError> {
+    if hostname.is_empty() || hostname.len() > 253 {
+        return Err(AppError::BadRequest("Invalid hostname length".to_string()));
+    }
+    // Must not start/end with hyphen or dot
+    if hostname.starts_with('-')
+        || hostname.ends_with('-')
+        || hostname.starts_with('.')
+        || hostname.ends_with('.')
+    {
+        return Err(AppError::BadRequest(
+            "Hostname must not start or end with a hyphen or dot".to_string(),
+        ));
+    }
+    // Must contain at least one dot (e.g. go.example.com)
+    if !hostname.contains('.') {
+        return Err(AppError::BadRequest(
+            "Hostname must contain at least one dot (e.g. go.example.com)".to_string(),
+        ));
+    }
+    // Only allow valid hostname characters
+    if !hostname
+        .chars()
+        .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.')
+    {
+        return Err(AppError::BadRequest(
+            "Hostname contains invalid characters. Use only a-z, 0-9, hyphens, and dots."
+                .to_string(),
+        ));
+    }
+    Ok(())
+}
diff --git a/src/api/domains/delete.rs b/src/api/domains/delete.rs
new file mode 100644
index 00000000..e2ac817f
--- /dev/null
+++ b/src/api/domains/delete.rs
@@ -0,0 +1,82 @@
+/// DELETE /api/orgs/:id/domains/:hostname
+/// Remove a custom domain from an organization
+use crate::auth;
+use crate::repositories::CustomDomainRepository;
+use crate::services::OrgService;
+use crate::utils::{AppError, cf_saas};
+use worker::d1::D1Database;
+use worker::*;
+
+pub async fn handle_delete_domain(req: Request, ctx: RouteContext<()>) -> Result<Response> {
+    Ok(inner(req, ctx).await.unwrap_or_else(|e| e.into_response()))
+}
+
+async fn inner(req: Request, ctx: RouteContext<()>) -> Result<Response, AppError> {
+    let user_ctx = auth::authenticate_request(&req, &ctx).await?;
+
+    let org_id = ctx
+        .param("id")
+        .ok_or_else(|| AppError::BadRequest("Missing org id".to_string()))?
+        .to_string();
+
+    let hostname = ctx
+        .param("hostname")
+        .ok_or_else(|| AppError::BadRequest("Missing hostname".to_string()))?
+        .to_string();
+
+    let db = ctx.env.get_binding::<D1Database>("rushomon")?;
+
+    OrgService::new()
+        .require_owner_or_admin(
+            &db,
+            &org_id,
+            &user_ctx.user_id,
+            "Only org owners and admins can manage custom domains",
+        )
+        .await?;
+
+    let domain_repo = CustomDomainRepository::new();
+    let domain = domain_repo
+        .get_by_hostname_and_org(&db, &hostname, &org_id)
+        .await
+        .map_err(AppError::from)?
+        .ok_or_else(|| AppError::NotFound("Custom domain not found".to_string()))?;
+
+    // Delete from Cloudflare for SaaS (if registered)
+    if let Some(ref cf_id) = domain.cf_hostname_id {
+        cf_saas::delete_custom_hostname(&ctx.env, cf_id)
+            .await
+            .map_err(|e| {
+                AppError::Internal(format!("Failed to remove domain from Cloudflare: {}", e))
+            })?;
+    }
+
+    // Clean up all KV entries for this hostname
+    let kv = ctx.kv("URL_MAPPINGS")?;
+    let short_codes_result = db
+        .prepare("SELECT short_code FROM links WHERE org_id = ?1 AND status = 'active'")
+        .bind(&[org_id.as_str().into()])
+        .map_err(|e| AppError::Internal(e.to_string()))?
+        .all()
+        .await
+        .map_err(|e| AppError::Internal(e.to_string()))?
+        .results::<serde_json::Value>()
+        .map_err(|e| AppError::Internal(e.to_string()))?;
+
+    for row in &short_codes_result {
+        if let Some(sc) = row["short_code"].as_str() {
+            let key = format!("{}:{}", hostname, sc);
+            let _ = kv.delete(&key).await;
+        }
+    }
+
+    // Delete from D1
+    domain_repo
+        .delete(&db, &domain.id, &org_id)
+        .await
+        .map_err(AppError::from)?;
+
+    Ok(Response::from_json(
+        &serde_json::json!({ "deleted": true }),
+    )?)
+}
diff --git a/src/api/domains/list.rs b/src/api/domains/list.rs
new file mode 100644
index 00000000..256da9cf
--- /dev/null
+++ b/src/api/domains/list.rs
@@ -0,0 +1,34 @@
+/// GET /api/orgs/:id/domains
+/// List all custom domains for an organization
+use crate::auth;
+use crate::repositories::CustomDomainRepository;
+use crate::services::OrgService;
+use crate::utils::AppError;
+use worker::d1::D1Database;
+use worker::*;
+
+pub async fn handle_list_domains(req: Request, ctx: RouteContext<()>) -> Result<Response> {
+    Ok(inner(req, ctx).await.unwrap_or_else(|e| e.into_response()))
+}
+
+async fn inner(req: Request, ctx: RouteContext<()>) -> Result<Response, AppError> {
+    let user_ctx = auth::authenticate_request(&req, &ctx).await?;
+
+    let org_id = ctx
+        .param("id")
+        .ok_or_else(|| AppError::BadRequest("Missing org id".to_string()))?
+        .to_string();
+
+    let db = ctx.env.get_binding::<D1Database>("rushomon")?;
+
+    OrgService::new()
+        .require_owner_or_admin(&db, &org_id, &user_ctx.user_id, "Access denied")
+        .await?;
+
+    let domains = CustomDomainRepository::new()
+        .get_by_org(&db, &org_id)
+        .await
+        .map_err(AppError::from)?;
+
+    Ok(Response::from_json(&domains)?)
+}
diff --git a/src/api/domains/mod.rs b/src/api/domains/mod.rs
new file mode 100644
index 00000000..226044c9
--- /dev/null
+++ b/src/api/domains/mod.rs
@@ -0,0 +1,13 @@
+/// Custom domain management API
+///
+/// Endpoints for managing custom domains per organization (Pro+ feature).
+/// SSL certificates are handled via Cloudflare for SaaS.
+pub mod create;
+pub mod delete;
+pub mod list;
+pub mod refresh;
+
+pub use create::handle_create_domain;
+pub use delete::handle_delete_domain;
+pub use list::handle_list_domains;
+pub use refresh::handle_refresh_domain;
diff --git a/src/api/domains/refresh.rs b/src/api/domains/refresh.rs
new file mode 100644
index 00000000..fa05bcfe
--- /dev/null
+++ b/src/api/domains/refresh.rs
@@ -0,0 +1,203 @@
+/// POST /api/orgs/:id/domains/:hostname/refresh
+/// Poll CF for SaaS to update the status of a pending custom domain.
+/// If the domain is now active, also syncs KV entries for all active links in the org.
+use crate::auth;
+use crate::models::custom_domain::{
+    DnsInstructions, SSL_STATUS_ACTIVE, SSL_STATUS_FAILED, SSL_STATUS_PENDING, STATUS_ACTIVE,
+    TxtRecord, TxtRecordPurpose,
+};
+use crate::repositories::CustomDomainRepository;
+use crate::services::OrgService;
+use crate::utils::env::get_fallback_domain;
+use crate::utils::{AppError, cf_saas};
+use worker::d1::D1Database;
+use worker::*;
+
+pub async fn handle_refresh_domain(req: Request, ctx: RouteContext<()>) -> Result<Response> {
+    Ok(inner(req, ctx).await.unwrap_or_else(|e| e.into_response()))
+}
+
+async fn inner(req: Request, ctx: RouteContext<()>) -> Result<Response, AppError> {
+    let user_ctx = auth::authenticate_request(&req, &ctx).await?;
+
+    let org_id = ctx
+        .param("id")
+        .ok_or_else(|| AppError::BadRequest("Missing org id".to_string()))?
+        .to_string();
+
+    let hostname = ctx
+        .param("hostname")
+        .ok_or_else(|| AppError::BadRequest("Missing hostname".to_string()))?
+        .to_string();
+
+    let db = ctx.env.get_binding::<D1Database>("rushomon")?;
+
+    OrgService::new()
+        .require_owner_or_admin(
+            &db,
+            &org_id,
+            &user_ctx.user_id,
+            "Only org owners and admins can manage custom domains",
+        )
+        .await?;
+
+    let domain_repo = CustomDomainRepository::new();
+    let domain = domain_repo
+        .get_by_hostname_and_org(&db, &hostname, &org_id)
+        .await
+        .map_err(AppError::from)?
+        .ok_or_else(|| AppError::NotFound("Custom domain not found".to_string()))?;
+
+    let cf_hostname_id = domain.cf_hostname_id.as_deref().ok_or_else(|| {
+        AppError::BadRequest(
+            "Domain has no Cloudflare record — it may have been registered without CF for SaaS."
+                .to_string(),
+        )
+    })?;
+
+    let cf_result = cf_saas::get_custom_hostname(&ctx.env, cf_hostname_id)
+        .await
+        .map_err(|e| AppError::Internal(format!("Failed to poll Cloudflare: {}", e)))?;
+
+    let new_status = if let Some(ref cf) = cf_result {
+        match cf.status.as_str() {
+            "active" => STATUS_ACTIVE,
+            "pending" | "pending_validation" => "pending",
+            _ => "failed",
+        }
+    } else {
+        "pending"
+    };
+
+    // Determine SSL status from Cloudflare response
+    let new_ssl_status = if let Some(ref cf) = cf_result {
+        match cf.ssl.status.as_str() {
+            "active" => SSL_STATUS_ACTIVE,
+            "pending_validation" | "pending" | "initializing" => SSL_STATUS_PENDING,
+            _ => SSL_STATUS_FAILED,
+        }
+    } else {
+        SSL_STATUS_PENDING
+    };
+
+    // Persist updated status
+    domain_repo
+        .update_status(
+            &db,
+            &domain.id,
+            new_status,
+            cf_result.as_ref().map(|cf| cf.id.as_str()),
+            if new_status == STATUS_ACTIVE {
+                Some(crate::utils::now_timestamp())
+            } else {
+                None
+            },
+        )
+        .await
+        .map_err(AppError::from)?;
+
+    // Persist SSL status
+    domain_repo
+        .update_ssl_status(&db, &domain.id, new_ssl_status)
+        .await
+        .map_err(AppError::from)?;
+
+    // If domain just became active, sync KV for all active org links
+    if new_status == STATUS_ACTIVE {
+        sync_kv_for_domain(&ctx, &db, &org_id, &hostname).await?;
+    }
+
+    let updated = domain_repo
+        .get_by_hostname_and_org(&db, &hostname, &org_id)
+        .await
+        .map_err(AppError::from)?;
+
+    // Build dns_instructions with current SSL validation records
+    // Return them if SSL certificate is still pending validation (even if hostname is active)
+    let ssl_pending = cf_result.as_ref().is_some_and(|cf| {
+        matches!(
+            cf.ssl.status.as_str(),
+            "pending_validation" | "pending" | "initializing"
+        )
+    });
+
+    // Check if CNAME is still needed (hostname is not active yet)
+    let cname_needed = cf_result.as_ref().is_some_and(|cf| cf.status != "active");
+
+    let dns_instructions = if ssl_pending || cname_needed {
+        let mut txt_records: Vec<TxtRecord> = Vec::new();
+
+        if let Some(ref cf) = cf_result {
+            // Add ownership TXT (always present while hostname is pending)
+            if cname_needed && let Some(ref ownership) = cf.ownership_verification {
+                txt_records.push(TxtRecord {
+                    name: ownership.name.clone(),
+                    value: ownership.value.clone(),
+                    purpose: TxtRecordPurpose::Ownership,
+                });
+            }
+            // Add SSL validation TXT records if certificate is pending
+            if ssl_pending && let Some(ref records) = cf.ssl.validation_records {
+                for record in records {
+                    if let (Some(name), Some(value)) =
+                        (record.txt_name.clone(), record.txt_value.clone())
+                    {
+                        txt_records.push(TxtRecord {
+                            name,
+                            value,
+                            purpose: TxtRecordPurpose::SslValidation,
+                        });
+                    }
+                }
+            }
+        }
+
+        let needs_txt = !txt_records.is_empty();
+        Some(DnsInstructions {
+            cname_target: get_fallback_domain(&ctx.env),
+            txt_records,
+            needs_cname: cname_needed,
+            needs_txt,
+        })
+    } else {
+        None
+    };
+
+    Ok(Response::from_json(&serde_json::json!({
+        "domain": updated,
+        "dns_instructions": dns_instructions,
+    }))?)
+}
+
+/// Write {hostname}:{short_code} KV entries for all active links in the org.
+async fn sync_kv_for_domain(
+    ctx: &RouteContext<()>,
+    db: &D1Database,
+    org_id: &str,
+    hostname: &str,
+) -> Result<(), AppError> {
+    use crate::repositories::OrgRepository;
+
+    let org_repo = OrgRepository::new();
+    let links = org_repo
+        .get_links(db, org_id)
+        .await
+        .map_err(AppError::from)?;
+
+    let kv = ctx.kv("URL_MAPPINGS")?;
+
+    for link in links {
+        if link.status == crate::models::link::LinkStatus::Active {
+            let resolved_forward = link.forward_query_params.unwrap_or(false);
+            let mapping = link.to_mapping(resolved_forward);
+            let key = format!("{}:{}", hostname, link.short_code);
+            kv.put(&key, &mapping)
+                .map_err(|e| AppError::Internal(e.to_string()))?
+                .execute()
+                .await
+                .map_err(|e| AppError::Internal(e.to_string()))?;
+        }
+    }
+
+    Ok(())
+}
diff --git a/src/api/links/create.rs b/src/api/links/create.rs
index 389fcbdd..0b276fd2 100644
--- a/src/api/links/create.rs
+++ b/src/api/links/create.rs
@@ -2,6 +2,7 @@ use crate::auth;
 use crate::kv;
 use crate::middleware::{RateLimitConfig, RateLimiter, is_kv_rate_limiting_enabled};
 use crate::models::link::{CreateLinkRequest, Link, LinkStatus};
+use crate::repositories::CustomDomainRepository;
 use crate::services::LinkService;
 use crate::utils::validate_and_normalize_tags;
 use crate::utils::{generate_short_code, now_timestamp, validate_short_code, validate_url};
@@ -98,6 +99,7 @@ pub async fn handle_create_link(mut req: Request, ctx: RouteContext<()>) -> Resu
         "ios_url",
         "android_url",
         "desktop_url",
+        "custom_domain",
     ];
     if let Some(obj) = raw_body.as_object() {
         for field_name in obj.keys() {
@@ -182,6 +184,24 @@ pub async fn handle_create_link(mut req: Request, ctx: RouteContext<()>) -> Resu
         );
     }
 
+    // Validate custom_domain if provided: it must be an active domain on this org.
+    let custom_domain: Option<String> = if let Some(ref hostname) = body.custom_domain {
+        let repo = CustomDomainRepository::new();
+        let active_domains = repo.get_active_for_org(&db, org_id).await.map_err(|e| {
+            worker::Error::RustError(format!("Failed to query custom domains: {:?}", e))
+        })?;
+        let found = active_domains.iter().any(|d| &d.hostname == hostname);
+        if !found {
+            return Response::error(
+                "The specified custom domain is not an active domain for your organization.",
+                400,
+            );
+        }
+        Some(hostname.clone())
+    } else {
+        None
+    };
+
     let kv = ctx.kv("URL_MAPPINGS")?;
 
     let short_code = if let Some(custom_code) = body.short_code {
@@ -258,6 +278,7 @@ pub async fn handle_create_link(mut req: Request, ctx: RouteContext<()>) -> Resu
         ios_url: body.ios_url,
         android_url: body.android_url,
         desktop_url: body.desktop_url,
+        custom_domain,
     };
 
     let link_service = LinkService::new();
diff --git a/src/api/links/import.rs b/src/api/links/import.rs
index e6d67d1d..b21f0627 100644
--- a/src/api/links/import.rs
+++ b/src/api/links/import.rs
@@ -287,6 +287,7 @@ pub async fn handle_import_links(mut req: Request, ctx: RouteContext<()>) -> Res
             ios_url: None,
             android_url: None,
             desktop_url: None,
+            custom_domain: None,
         };
 
         links_to_import.push(link);
diff --git a/src/api/links/redirect.rs b/src/api/links/redirect.rs
index 160b5f35..e0b151e2 100644
--- a/src/api/links/redirect.rs
+++ b/src/api/links/redirect.rs
@@ -9,6 +9,29 @@ use std::pin::Pin;
 use worker::d1::D1Database;
 use worker::*;
 
+/// Determine if the request is on a custom domain by comparing the request host
+/// to the configured SHORT_DOMAIN. Returns Some(hostname) if it's a custom domain,
+/// or None if it's the default short domain.
+fn get_custom_host(req: &Request, env: &Env) -> Option<String> {
+    let short_domain = env.var("SHORT_DOMAIN").ok().map(|v| v.to_string());
+    let request_host = req
+        .url()
+        .ok()
+        .and_then(|u| u.host_str().map(|h| h.to_string()));
+
+    match (short_domain, request_host) {
+        (Some(sd), Some(rh)) if sd != rh => {
+            // Never treat localhost / loopback addresses as custom domains
+            if rh == "localhost" || rh == "127.0.0.1" || rh.starts_with("localhost:") {
+                None
+            } else {
+                Some(rh)
+            }
+        }
+        _ => None,
+    }
+}
+
 /// Result of a redirect operation, containing the response and optional deferred analytics work.
 pub struct RedirectResult {
     pub response: Response,
@@ -71,20 +94,30 @@ pub async fn handle_redirect(
         });
     }
 
-    let mapping = kv::get_link_mapping(&kv, &short_code).await?;
+    // Determine if request came via a custom domain
+    let custom_host = get_custom_host(&req, &ctx.env);
+
+    let mapping = if let Some(ref hostname) = custom_host {
+        kv::links::get_link_mapping_for_domain(&kv, hostname, &short_code).await?
+    } else {
+        kv::get_link_mapping(&kv, &short_code).await?
+    };
+
+    let not_found_url = match &custom_host {
+        Some(hostname) => Url::parse(&format!("https://{}/404", hostname))?,
+        None => Url::parse(&format!("{}/404", get_frontend_url(&ctx.env)))?,
+    };
 
     let Some(mapping) = mapping else {
-        let url = Url::parse(&format!("{}/404", get_frontend_url(&ctx.env)))?;
         return Ok(RedirectResult {
-            response: Response::redirect_with_status(url, 302)?,
+            response: Response::redirect_with_status(not_found_url, 302)?,
             analytics_future: None,
         });
     };
 
     if !matches!(mapping.status, LinkStatus::Active) {
-        let url = Url::parse(&format!("{}/404", get_frontend_url(&ctx.env)))?;
         return Ok(RedirectResult {
-            response: Response::redirect_with_status(url, 302)?,
+            response: Response::redirect_with_status(not_found_url, 302)?,
             analytics_future: None,
         });
     }
@@ -92,9 +125,8 @@ pub async fn handle_redirect(
     if let Some(expires_at) = mapping.expires_at {
         let now = now_timestamp();
         if now > expires_at {
-            let url = Url::parse(&format!("{}/404", get_frontend_url(&ctx.env)))?;
             return Ok(RedirectResult {
-                response: Response::redirect_with_status(url, 302)?,
+                response: Response::redirect_with_status(not_found_url, 302)?,
                 analytics_future: None,
             });
         }
diff --git a/src/api/mod.rs b/src/api/mod.rs
index e93e2f95..e35a420f 100644
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
@@ -2,6 +2,7 @@ pub mod admin;
 pub mod analytics;
 pub mod auth;
 pub mod billing;
+pub mod domains;
 pub mod keys;
 pub mod links;
 pub mod orgs;
diff --git a/src/api/router.rs b/src/api/router.rs
index 09f6999b..bbb88273 100644
--- a/src/api/router.rs
+++ b/src/api/router.rs
@@ -25,23 +25,20 @@ pub async fn run(req: Request, env: Env, is_frontend_domain: bool) -> Result<Res
                 .to_string();
 
             // Skip API routes and known frontend routes on the frontend domain.
-            // Frontend routes (dashboard, auth, settings, admin, 404) must not be
+            // Frontend routes (dashboard, auth, settings, admin) must not be
             // treated as short codes — they should fall through to the SPA fallback.
-            // Without this, /404 would redirect to /404 in an infinite loop.
+            // The /404 path is reserved globally on all domains to prevent infinite
+            // redirect loops when a short code is not found.
             if code.starts_with("api") {
                 return Response::error("Not found", 404);
             }
+            if code == "404" {
+                return Response::error("Not found", 404);
+            }
             if is_frontend_domain
                 && matches!(
                     code.as_str(),
-                    "dashboard"
-                        | "auth"
-                        | "settings"
-                        | "admin"
-                        | "404"
-                        | "login"
-                        | "billing"
-                        | "pricing"
+                    "dashboard" | "auth" | "settings" | "admin" | "login" | "billing" | "pricing"
                 )
             {
                 return Response::error("Not found", 404);
@@ -62,17 +59,13 @@ pub async fn run(req: Request, env: Env, is_frontend_domain: bool) -> Result<Res
             if code.starts_with("api") {
                 return Response::error("Not found", 404);
             }
+            if code == "404" {
+                return Response::error("Not found", 404);
+            }
             if is_frontend_domain
                 && matches!(
                     code.as_str(),
-                    "dashboard"
-                        | "auth"
-                        | "settings"
-                        | "admin"
-                        | "404"
-                        | "login"
-                        | "billing"
-                        | "pricing"
+                    "dashboard" | "auth" | "settings" | "admin" | "login" | "billing" | "pricing"
                 )
             {
                 return Response::error("Not found", 404);
@@ -234,6 +227,15 @@ pub async fn run(req: Request, env: Env, is_frontend_domain: bool) -> Result<Res
             "/api/admin/products/save",
             crate::api::billing::products::handle_admin_save_products,
         )
+        // Admin custom domain routes
+        .get_async(
+            "/api/admin/domains",
+            crate::api::admin::domains::handle_admin_list_domains,
+        )
+        .post_async(
+            "/api/admin/domains/poll",
+            crate::api::admin::domains::handle_admin_poll_domains,
+        )
         // Admin API keys routes
         .get_async(
             "/api/admin/api-keys",
@@ -294,6 +296,23 @@ pub async fn run(req: Request, env: Env, is_frontend_domain: bool) -> Result<Res
             "/api/settings/api-keys/:id",
             crate::api::keys::handle_revoke_api_key,
         )
+        // Custom domain routes (Pro+ feature)
+        .get_async(
+            "/api/orgs/:id/domains",
+            crate::api::domains::handle_list_domains,
+        )
+        .post_async(
+            "/api/orgs/:id/domains",
+            crate::api::domains::handle_create_domain,
+        )
+        .delete_async(
+            "/api/orgs/:id/domains/:hostname",
+            crate::api::domains::handle_delete_domain,
+        )
+        .post_async(
+            "/api/orgs/:id/domains/:hostname/refresh",
+            crate::api::domains::handle_refresh_domain,
+        )
         // Org management routes
         .get_async("/api/orgs", crate::api::orgs::handle_list_user_orgs)
         .post_async("/api/orgs", crate::api::orgs::handle_create_org)
@@ -374,7 +393,19 @@ pub async fn run(req: Request, env: Env, is_frontend_domain: bool) -> Result<Res
         // Title fetch route (public, can be called by anyone)
         .post_async("/api/fetch-title", crate::api::title_fetch::fetch_title)
         // Root redirect: redirect to frontend (e.g., rush.mn/ → rushomon.cc/)
-        .get_async("/", |_req, ctx| async move {
+        // Skip redirect if request comes via the fallback domain (used for Cloudflare for SaaS
+        // custom hostname routing) — the fallback domain is internal infrastructure and should
+        // not redirect, otherwise Cloudflare for SaaS will see a 301 and fail with a 522 error.
+        .get_async("/", |req, ctx| async move {
+            let fallback_domain = crate::utils::get_fallback_domain(&ctx.env);
+            let request_host = req
+                .url()
+                .ok()
+                .and_then(|u| u.host_str().map(|h| h.to_string()))
+                .unwrap_or_default();
+            if request_host == fallback_domain {
+                return Response::error("Not found", 404);
+            }
             let url = Url::parse(&crate::utils::get_frontend_url(&ctx.env))?;
             Response::redirect_with_status(url, 301)
         })
diff --git a/src/kv/links.rs b/src/kv/links.rs
index 6a4be74f..d5fa1950 100644
--- a/src/kv/links.rs
+++ b/src/kv/links.rs
@@ -9,6 +9,47 @@ fn make_key(_org_id: &str, short_code: &str) -> String {
     short_code.to_string()
 }
 
+/// KV key for custom-domain-scoped lookups: {hostname}:{short_code}
+fn make_domain_key(hostname: &str, short_code: &str) -> String {
+    format!("{}:{}", hostname, short_code)
+}
+
+/// Store a link mapping for a specific custom domain
+pub async fn store_link_mapping_for_domain(
+    kv: &KvStore,
+    hostname: &str,
+    short_code: &str,
+    mapping: &LinkMapping,
+) -> Result<()> {
+    let key = make_domain_key(hostname, short_code);
+    kv.put(&key, mapping)?.execute().await?;
+    Ok(())
+}
+
+/// Get a link mapping for a specific custom domain
+pub async fn get_link_mapping_for_domain(
+    kv: &KvStore,
+    hostname: &str,
+    short_code: &str,
+) -> Result<Option<LinkMapping>> {
+    let key = make_domain_key(hostname, short_code);
+    kv.get(&key)
+        .json::<LinkMapping>()
+        .await
+        .map_err(|e| worker::Error::RustError(format!("KV error: {:?}", e)))
+}
+
+/// Delete a link mapping for a specific custom domain
+pub async fn delete_link_mapping_for_domain(
+    kv: &KvStore,
+    hostname: &str,
+    short_code: &str,
+) -> Result<()> {
+    let key = make_domain_key(hostname, short_code);
+    kv.delete(&key).await?;
+    Ok(())
+}
+
 /// Store a link mapping in KV
 pub async fn store_link_mapping(
     kv: &KvStore,
diff --git a/src/kv/mod.rs b/src/kv/mod.rs
index a7b657c4..d072366c 100644
--- a/src/kv/mod.rs
+++ b/src/kv/mod.rs
@@ -1,3 +1,5 @@
 pub mod links;
+pub mod sync;
 
 pub use links::{delete_link_mapping, get_link_mapping, store_link_mapping, update_link_mapping};
+pub use sync::sync_custom_domain_kv;
diff --git a/src/kv/sync.rs b/src/kv/sync.rs
new file mode 100644
index 00000000..671f5315
--- /dev/null
+++ b/src/kv/sync.rs
@@ -0,0 +1,40 @@
+/// KV sync helpers for custom domain dual-write
+///
+/// When a link is created, updated, or deleted, we must also update KV
+/// for every active custom domain on the same org, using the key format:
+///   {hostname}:{short_code}
+use crate::models::LinkMapping;
+use crate::repositories::CustomDomainRepository;
+use worker::Result;
+use worker::d1::D1Database;
+use worker::kv::KvStore;
+
+/// Sync KV entries for all active custom domains on an org for a specific short_code.
+///
+/// - `mapping = Some(m)` → write (or overwrite) the `{hostname}:{short_code}` key
+/// - `mapping = None`    → delete the `{hostname}:{short_code}` key (link deleted/disabled)
+pub async fn sync_custom_domain_kv(
+    kv: &KvStore,
+    db: &D1Database,
+    org_id: &str,
+    short_code: &str,
+    mapping: Option<&LinkMapping>,
+) -> Result<()> {
+    let repo = CustomDomainRepository::new();
+    let active_domains = repo.get_active_for_org(db, org_id).await?;
+
+    for domain in &active_domains {
+        match mapping {
+            Some(m) => {
+                super::links::store_link_mapping_for_domain(kv, &domain.hostname, short_code, m)
+                    .await?;
+            }
+            None => {
+                super::links::delete_link_mapping_for_domain(kv, &domain.hostname, short_code)
+                    .await?;
+            }
+        }
+    }
+
+    Ok(())
+}
diff --git a/src/models/analytics.rs b/src/models/analytics.rs
index 31ca28f6..2bb808d9 100644
--- a/src/models/analytics.rs
+++ b/src/models/analytics.rs
@@ -543,6 +543,9 @@ pub struct TopLinkCount {
     pub title: Option<String>,
     #[schema(example = 50)]
     pub count: i64,
+    /// Custom domain this link belongs to, if any.
+    #[schema(example = "go.mybrand.com")]
+    pub custom_domain: Option<String>,
 }
 
 #[derive(Debug, Serialize, ToSchema)]
diff --git a/src/models/custom_domain.rs b/src/models/custom_domain.rs
new file mode 100644
index 00000000..97234777
--- /dev/null
+++ b/src/models/custom_domain.rs
@@ -0,0 +1,114 @@
+use serde::{Deserialize, Serialize};
+use utoipa::ToSchema;
+
+/// Status values for a custom domain
+pub const STATUS_PENDING: &str = "pending";
+pub const STATUS_ACTIVE: &str = "active";
+#[allow(dead_code)]
+pub const STATUS_FAILED: &str = "failed";
+
+/// SSL certificate status values
+pub const SSL_STATUS_PENDING: &str = "pending";
+pub const SSL_STATUS_ACTIVE: &str = "active";
+#[allow(dead_code)]
+pub const SSL_STATUS_FAILED: &str = "failed";
+
+/// A custom domain registered to an organization.
+///
+/// SSL certificates and domain verification are managed via Cloudflare for SaaS.
+/// Once a domain is `active`, redirects on that hostname use KV key `{hostname}:{short_code}`.
+#[derive(Debug, Clone, Serialize, Deserialize, ToSchema)]
+pub struct CustomDomain {
+    #[schema(example = "cd_abc123")]
+    pub id: String,
+    #[schema(example = "org-123456")]
+    pub org_id: String,
+    #[schema(example = "go.mybrand.com")]
+    pub hostname: String,
+    /// "pending" | "active" | "failed"
+    #[schema(example = "pending")]
+    pub status: String,
+    /// Cloudflare for SaaS custom hostname record ID
+    pub cf_hostname_id: Option<String>,
+    /// SSL certificate status ("pending" | "active" | "failed")
+    #[schema(example = "pending")]
+    pub ssl_status: String,
+    #[schema(example = 1609459200)]
+    pub created_at: i64,
+    pub verified_at: Option<i64>,
+}
+
+impl CustomDomain {
+    pub fn generate_id() -> String {
+        format!("cd_{}", crate::utils::generate_short_code_with_length(16))
+    }
+
+    #[allow(dead_code)]
+    pub fn is_active(&self) -> bool {
+        self.status == STATUS_ACTIVE
+    }
+}
+
+/// DNS instructions returned to the user after adding a custom domain
+#[derive(Debug, Serialize, Deserialize, ToSchema)]
+pub struct DnsInstructions {
+    /// The CNAME target the user should point their subdomain to
+    #[schema(example = "rush.mn")]
+    pub cname_target: String,
+    /// TXT records for verification (may include both ownership and SSL validation)
+    pub txt_records: Vec<TxtRecord>,
+    /// Whether the user needs to add a CNAME record
+    pub needs_cname: bool,
+    /// Whether the user needs to add TXT records (for CF verification)
+    pub needs_txt: bool,
+}
+
+/// A single TXT record for domain verification
+#[derive(Debug, Serialize, Deserialize, ToSchema)]
+pub struct TxtRecord {
+    /// The DNS record name (e.g., "_cf-custom-hostname.go.example.com" or "_acme-challenge.go.example.com")
+    pub name: String,
+    /// The DNS record value
+    pub value: String,
+    /// The purpose of this TXT record
+    pub purpose: TxtRecordPurpose,
+}
+
+/// The purpose of a TXT record
+#[derive(Debug, Serialize, Deserialize, ToSchema)]
+#[serde(rename_all = "snake_case")]
+pub enum TxtRecordPurpose {
+    /// Domain ownership verification (hostname validation)
+    Ownership,
+    /// SSL certificate validation (DCV for certificate issuance)
+    SslValidation,
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_custom_domain_is_active() {
+        let mut d = CustomDomain {
+            id: "cd_test".to_string(),
+            org_id: "org-1".to_string(),
+            hostname: "go.example.com".to_string(),
+            status: STATUS_PENDING.to_string(),
+            cf_hostname_id: None,
+            ssl_status: SSL_STATUS_PENDING.to_string(),
+            created_at: 0,
+            verified_at: None,
+        };
+        assert!(!d.is_active());
+        d.status = STATUS_ACTIVE.to_string();
+        assert!(d.is_active());
+    }
+
+    #[test]
+    fn test_generate_id_prefix() {
+        let id = CustomDomain::generate_id();
+        assert!(id.starts_with("cd_"));
+        assert!(id.len() > 3);
+    }
+}
diff --git a/src/models/link.rs b/src/models/link.rs
index 8f991a66..c7c1198b 100644
--- a/src/models/link.rs
+++ b/src/models/link.rs
@@ -116,6 +116,10 @@ pub struct Link {
     /// Redirects desktop users (Windows, macOS, Linux) to this URL instead of the default.
     #[schema(example = "https://example.com/desktop-app")]
     pub desktop_url: Option<String>,
+    /// Custom domain this link was created under (immutable after creation).
+    /// None means the link uses the default short domain.
+    #[schema(example = "go.mybrand.com")]
+    pub custom_domain: Option<String>,
 }
 
 impl<'de> Deserialize<'de> for Link {
@@ -142,6 +146,7 @@ impl<'de> Deserialize<'de> for Link {
             ios_url: Option<String>,           // Device routing URL
             android_url: Option<String>,       // Device routing URL
             desktop_url: Option<String>,       // Device routing URL
+            custom_domain: Option<String>,     // Custom domain this link belongs to
         }
 
         let helper = LinkHelper::deserialize(deserializer)?;
@@ -182,6 +187,7 @@ impl<'de> Deserialize<'de> for Link {
             ios_url: helper.ios_url,
             android_url: helper.android_url,
             desktop_url: helper.desktop_url,
+            custom_domain: helper.custom_domain,
         })
     }
 }
@@ -252,6 +258,10 @@ pub struct CreateLinkRequest {
     /// Desktop-specific destination URL (Business tier feature).
     #[schema(example = "https://example.com/desktop-app")]
     pub desktop_url: Option<String>,
+    /// Custom domain to associate this link with (must be an active domain on the org).
+    /// Immutable after creation. None = use default short domain.
+    #[schema(example = "go.mybrand.com")]
+    pub custom_domain: Option<String>,
 }
 
 #[derive(Debug, Serialize, Deserialize, ToSchema)]
@@ -353,6 +363,7 @@ mod tests {
             ios_url: None,
             android_url: None,
             desktop_url: None,
+            custom_domain: None,
         };
         assert!(!link.is_expired());
     }
@@ -384,6 +395,7 @@ mod tests {
             ios_url: None,
             android_url: None,
             desktop_url: None,
+            custom_domain: None,
         };
         assert!(!link.is_expired());
     }
@@ -411,6 +423,7 @@ mod tests {
             ios_url: None,
             android_url: None,
             desktop_url: None,
+            custom_domain: None,
         };
         assert!(link.is_expired());
     }
@@ -436,6 +449,7 @@ mod tests {
             ios_url: None,
             android_url: None,
             desktop_url: None,
+            custom_domain: None,
         };
 
         let mapping = link.to_mapping(false);
@@ -468,6 +482,7 @@ mod tests {
             ios_url: None,
             android_url: None,
             desktop_url: None,
+            custom_domain: None,
         };
 
         let mapping = link.to_mapping(false);
@@ -536,6 +551,7 @@ mod tests {
             ios_url: None,
             android_url: None,
             desktop_url: None,
+            custom_domain: None,
         };
 
         let mapping = link.to_mapping(true);
@@ -613,6 +629,7 @@ mod redirect_type_tests {
             ios_url: None,
             android_url: None,
             desktop_url: None,
+            custom_domain: None,
         };
 
         let json = serde_json::to_string(&link).unwrap();
diff --git a/src/models/mod.rs b/src/models/mod.rs
index 34ca77b9..e020edff 100644
--- a/src/models/mod.rs
+++ b/src/models/mod.rs
@@ -1,5 +1,6 @@
 pub mod analytics;
 pub mod billing_account;
+pub mod custom_domain;
 pub mod link;
 pub mod org_member;
 pub mod organization;
@@ -9,6 +10,7 @@ pub mod user;
 
 pub use analytics::{AnalyticsEvent, LinkAnalyticsResponse, TimeRange};
 pub use billing_account::BillingAccount;
+pub use custom_domain::CustomDomain;
 pub use link::{Link, LinkMapping};
 pub use org_member::{OrgInvitation, OrgMember, OrgMemberWithUser, OrgWithRole};
 pub use organization::Organization;
diff --git a/src/models/tier.rs b/src/models/tier.rs
index a62b43d0..567d5995 100644
--- a/src/models/tier.rs
+++ b/src/models/tier.rs
@@ -34,7 +34,7 @@ impl Tier {
 
     pub fn limits(&self) -> TierLimits {
         match self {
-            // Free: 1 user, 1 org, 15 links/month, 7-day analytics, 5 tags, no API keys
+            // Free: 1 user, 1 org, 15 links/month, 7-day analytics, 5 tags, no API keys, no custom domains
             Tier::Free => TierLimits {
                 max_links_per_month: Some(15),
                 analytics_retention_days: Some(7),
@@ -46,8 +46,9 @@ impl Tier {
                 max_members: Some(1),
                 max_orgs: Some(1),
                 max_tags: Some(5),
+                max_custom_domains: Some(0),
             },
-            // Pro ($9): 1 user, 1 org, 1000 links/month, 1-year analytics, custom codes, 25 tags, API keys
+            // Pro ($9): 1 user, 1 org, 1000 links/month, 1-year analytics, custom codes, 25 tags, API keys, 1 custom domain
             Tier::Pro => TierLimits {
                 max_links_per_month: Some(1000),
                 analytics_retention_days: Some(365),
@@ -59,8 +60,9 @@ impl Tier {
                 max_members: Some(1),
                 max_orgs: Some(1),
                 max_tags: Some(25),
+                max_custom_domains: Some(1),
             },
-            // Business ($29): 20 users, 3 orgs, 10000 links/month, unlimited analytics, unlimited tags, API keys
+            // Business ($29): 20 users, 3 orgs, 10000 links/month, unlimited analytics, unlimited tags, API keys, 3 custom domains
             Tier::Business => TierLimits {
                 max_links_per_month: Some(10000),
                 analytics_retention_days: None,
@@ -72,6 +74,7 @@ impl Tier {
                 max_members: Some(20),
                 max_orgs: Some(3),
                 max_tags: None,
+                max_custom_domains: Some(3),
             },
             // Unlimited (self-hosted): no limits
             Tier::Unlimited => TierLimits {
@@ -85,6 +88,7 @@ impl Tier {
                 max_members: None,
                 max_orgs: None,
                 max_tags: None,
+                max_custom_domains: None,
             },
         }
     }
@@ -120,6 +124,8 @@ pub struct TierLimits {
     pub max_orgs: Option<i64>,
     /// Maximum distinct tag names across all orgs in the billing account. None = unlimited.
     pub max_tags: Option<i64>,
+    /// Maximum custom domains per organization. None = unlimited. Some(0) = not allowed.
+    pub max_custom_domains: Option<u32>,
 }
 
 #[cfg(test)]
@@ -153,6 +159,7 @@ mod tests {
         assert_eq!(limits.max_members, Some(1));
         assert_eq!(limits.max_orgs, Some(1));
         assert_eq!(limits.max_tags, Some(5));
+        assert_eq!(limits.max_custom_domains, Some(0));
     }
 
     #[test]
@@ -165,6 +172,7 @@ mod tests {
         assert_eq!(limits.max_members, Some(1));
         assert_eq!(limits.max_orgs, Some(1));
         assert_eq!(limits.max_tags, Some(25));
+        assert_eq!(limits.max_custom_domains, Some(1));
     }
 
     #[test]
@@ -177,6 +185,7 @@ mod tests {
         assert_eq!(limits.max_members, Some(20));
         assert_eq!(limits.max_orgs, Some(3));
         assert!(limits.max_tags.is_none());
+        assert_eq!(limits.max_custom_domains, Some(3));
     }
 
     #[test]
@@ -189,6 +198,7 @@ mod tests {
         assert!(limits.max_members.is_none());
         assert!(limits.max_orgs.is_none());
         assert!(limits.max_tags.is_none());
+        assert!(limits.max_custom_domains.is_none());
     }
 
     #[test]
diff --git a/src/repositories/analytics_repository.rs b/src/repositories/analytics_repository.rs
index 917edc7d..6214636c 100644
--- a/src/repositories/analytics_repository.rs
+++ b/src/repositories/analytics_repository.rs
@@ -312,7 +312,7 @@ impl AnalyticsRepository {
         limit: i64,
     ) -> Result<Vec<TopLinkCount>> {
         let stmt = db.prepare(
-            "SELECT ae.link_id, l.short_code, l.title, COUNT(*) as count
+            "SELECT ae.link_id, l.short_code, l.title, l.custom_domain, COUNT(*) as count
              FROM analytics_events ae
              JOIN links l ON ae.link_id = l.id
              WHERE ae.org_id = ?1 AND ae.timestamp >= ?2 AND ae.timestamp <= ?3
@@ -338,12 +338,14 @@ impl AnalyticsRepository {
                 let link_id = row["link_id"].as_str()?.to_string();
                 let short_code = row["short_code"].as_str()?.to_string();
                 let title = row["title"].as_str().map(|s| s.to_string());
+                let custom_domain = row["custom_domain"].as_str().map(|s| s.to_string());
                 let count = row["count"].as_f64()? as i64;
                 Some(TopLinkCount {
                     link_id,
                     short_code,
                     title,
                     count,
+                    custom_domain,
                 })
             })
             .collect();
diff --git a/src/repositories/custom_domain_repository.rs b/src/repositories/custom_domain_repository.rs
new file mode 100644
index 00000000..a379df4f
--- /dev/null
+++ b/src/repositories/custom_domain_repository.rs
@@ -0,0 +1,237 @@
+use crate::models::CustomDomain;
+use crate::models::custom_domain::{STATUS_ACTIVE, STATUS_PENDING};
+use crate::utils::now_timestamp;
+use wasm_bindgen::JsValue;
+use worker::Result;
+use worker::d1::D1Database;
+
+pub struct CustomDomainRepository;
+
+impl CustomDomainRepository {
+    pub fn new() -> Self {
+        Self
+    }
+
+    /// Insert a new custom domain record (status = pending)
+    pub async fn create(&self, db: &D1Database, domain: &CustomDomain) -> Result<()> {
+        db.prepare(
+            "INSERT INTO custom_domains (id, org_id, hostname, status, cf_hostname_id, ssl_status, created_at, verified_at)
+             VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8)",
+        )
+        .bind(&[
+            domain.id.as_str().into(),
+            domain.org_id.as_str().into(),
+            domain.hostname.as_str().into(),
+            domain.status.as_str().into(),
+            domain
+                .cf_hostname_id
+                .as_deref()
+                .map(|s| s.into())
+                .unwrap_or(JsValue::NULL),
+            domain.ssl_status.as_str().into(),
+            (domain.created_at as f64).into(),
+            domain
+                .verified_at
+                .map(|v| (v as f64).into())
+                .unwrap_or(JsValue::NULL),
+        ])?
+        .run()
+        .await?;
+        Ok(())
+    }
+
+    /// Get all custom domains for an organization
+    pub async fn get_by_org(&self, db: &D1Database, org_id: &str) -> Result<Vec<CustomDomain>> {
+        let results = db
+            .prepare(
+                "SELECT id, org_id, hostname, status, cf_hostname_id, ssl_status, created_at, verified_at
+                 FROM custom_domains
+                 WHERE org_id = ?1
+                 ORDER BY created_at ASC",
+            )
+            .bind(&[org_id.into()])?
+            .all()
+            .await?;
+
+        results.results::<CustomDomain>()
+    }
+
+    /// Get a custom domain by hostname (used during redirect to resolve org)
+    pub async fn get_by_hostname(
+        &self,
+        db: &D1Database,
+        hostname: &str,
+    ) -> Result<Option<CustomDomain>> {
+        db.prepare(
+            "SELECT id, org_id, hostname, status, cf_hostname_id, ssl_status, created_at, verified_at
+             FROM custom_domains
+             WHERE hostname = ?1",
+        )
+        .bind(&[hostname.into()])?
+        .first::<CustomDomain>(None)
+        .await
+    }
+
+    /// Get a custom domain by ID (must belong to org for authorization)
+    #[allow(dead_code)]
+    pub async fn get_by_id_and_org(
+        &self,
+        db: &D1Database,
+        id: &str,
+        org_id: &str,
+    ) -> Result<Option<CustomDomain>> {
+        db.prepare(
+            "SELECT id, org_id, hostname, status, cf_hostname_id, ssl_status, created_at, verified_at
+             FROM custom_domains
+             WHERE id = ?1 AND org_id = ?2",
+        )
+        .bind(&[id.into(), org_id.into()])?
+        .first::<CustomDomain>(None)
+        .await
+    }
+
+    /// Get a custom domain by hostname that belongs to a specific org
+    pub async fn get_by_hostname_and_org(
+        &self,
+        db: &D1Database,
+        hostname: &str,
+        org_id: &str,
+    ) -> Result<Option<CustomDomain>> {
+        db.prepare(
+            "SELECT id, org_id, hostname, status, cf_hostname_id, ssl_status, created_at, verified_at
+             FROM custom_domains
+             WHERE hostname = ?1 AND org_id = ?2",
+        )
+        .bind(&[hostname.into(), org_id.into()])?
+        .first::<CustomDomain>(None)
+        .await
+    }
+
+    /// Count custom domains for an org (all statuses, excluding failed)
+    pub async fn count_non_failed_for_org(&self, db: &D1Database, org_id: &str) -> Result<u32> {
+        let result = db
+            .prepare(
+                "SELECT COUNT(*) as count FROM custom_domains
+                 WHERE org_id = ?1 AND status != 'failed'",
+            )
+            .bind(&[org_id.into()])?
+            .first::<serde_json::Value>(None)
+            .await?;
+
+        Ok(result.and_then(|v| v["count"].as_f64()).unwrap_or(0.0) as u32)
+    }
+
+    /// Get all active custom domains for an org (used for KV dual-write)
+    pub async fn get_active_for_org(
+        &self,
+        db: &D1Database,
+        org_id: &str,
+    ) -> Result<Vec<CustomDomain>> {
+        let results = db
+            .prepare(
+                "SELECT id, org_id, hostname, status, cf_hostname_id, ssl_status, created_at, verified_at
+                 FROM custom_domains
+                 WHERE org_id = ?1 AND status = 'active'",
+            )
+            .bind(&[org_id.into()])?
+            .all()
+            .await?;
+
+        results.results::<CustomDomain>()
+    }
+
+    /// Update domain status and optionally set cf_hostname_id and verified_at
+    pub async fn update_status(
+        &self,
+        db: &D1Database,
+        id: &str,
+        status: &str,
+        cf_hostname_id: Option<&str>,
+        verified_at: Option<i64>,
+    ) -> Result<()> {
+        db.prepare(
+            "UPDATE custom_domains
+             SET status = ?1, cf_hostname_id = COALESCE(?2, cf_hostname_id), verified_at = ?3
+             WHERE id = ?4",
+        )
+        .bind(&[
+            status.into(),
+            cf_hostname_id.map(|s| s.into()).unwrap_or(JsValue::NULL),
+            verified_at
+                .map(|v| (v as f64).into())
+                .unwrap_or(JsValue::NULL),
+            id.into(),
+        ])?
+        .run()
+        .await?;
+        Ok(())
+    }
+
+    /// Update SSL certificate status (separate from hostname status)
+    pub async fn update_ssl_status(
+        &self,
+        db: &D1Database,
+        id: &str,
+        ssl_status: &str,
+    ) -> Result<()> {
+        db.prepare("UPDATE custom_domains SET ssl_status = ?1 WHERE id = ?2")
+            .bind(&[ssl_status.into(), id.into()])?
+            .run()
+            .await?;
+        Ok(())
+    }
+
+    /// Delete a custom domain record
+    pub async fn delete(&self, db: &D1Database, id: &str, org_id: &str) -> Result<()> {
+        db.prepare("DELETE FROM custom_domains WHERE id = ?1 AND org_id = ?2")
+            .bind(&[id.into(), org_id.into()])?
+            .run()
+            .await?;
+        Ok(())
+    }
+
+    /// Get all custom domains across all orgs (admin only)
+    pub async fn get_all(&self, db: &D1Database) -> Result<Vec<CustomDomain>> {
+        let results = db
+            .prepare(
+                "SELECT id, org_id, hostname, status, cf_hostname_id, ssl_status, created_at, verified_at
+                 FROM custom_domains
+                 ORDER BY created_at ASC",
+            )
+            .bind(&[])?
+            .all()
+            .await?;
+
+        results.results::<CustomDomain>()
+    }
+
+    /// Get all pending custom domains across all orgs (used by scheduled status poller)
+    pub async fn get_all_pending(&self, db: &D1Database) -> Result<Vec<CustomDomain>> {
+        let results = db
+            .prepare(
+                "SELECT id, org_id, hostname, status, cf_hostname_id, ssl_status, created_at, verified_at
+                 FROM custom_domains
+                 WHERE status = 'pending'
+                 ORDER BY created_at ASC",
+            )
+            .bind(&[])?
+            .all()
+            .await?;
+
+        results.results::<CustomDomain>()
+    }
+
+    /// Activate a domain: set status=active, verified_at=now, and update cf_hostname_id
+    #[allow(dead_code)]
+    pub async fn activate(&self, db: &D1Database, id: &str, cf_hostname_id: &str) -> Result<()> {
+        let now = now_timestamp();
+        self.update_status(db, id, STATUS_ACTIVE, Some(cf_hostname_id), Some(now))
+            .await
+    }
+
+    /// Mark a domain as pending (reset after failed)
+    #[allow(dead_code)]
+    pub async fn set_pending(&self, db: &D1Database, id: &str) -> Result<()> {
+        self.update_status(db, id, STATUS_PENDING, None, None).await
+    }
+}
diff --git a/src/repositories/link_repository.rs b/src/repositories/link_repository.rs
index 3fad3812..445767ca 100644
--- a/src/repositories/link_repository.rs
+++ b/src/repositories/link_repository.rs
@@ -90,8 +90,8 @@ impl LinkRepository {
         let utm_json = link.utm_params.as_ref().and_then(|u| u.to_json_string());
 
         let stmt = db.prepare(
-            "INSERT INTO links (id, org_id, short_code, destination_url, title, created_by, created_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url)
-             VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?14, ?15, ?16)"
+            "INSERT INTO links (id, org_id, short_code, destination_url, title, created_by, created_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url, custom_domain)
+             VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?14, ?15, ?16, ?17)"
         );
 
         stmt.bind(&[
@@ -127,6 +127,10 @@ impl LinkRepository {
                 .clone()
                 .map(|s| s.into())
                 .unwrap_or(JsValue::NULL),
+            link.custom_domain
+                .clone()
+                .map(|s| s.into())
+                .unwrap_or(JsValue::NULL),
         ])?
         .run()
         .await?;
@@ -142,7 +146,7 @@ impl LinkRepository {
         org_id: &str,
     ) -> Result<Option<Link>> {
         let stmt = db.prepare(
-            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url
+            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url, custom_domain
              FROM links
              WHERE id = ?1
              AND org_id = ?2
@@ -156,7 +160,7 @@ impl LinkRepository {
     /// Get a link by ID without org check — active only (public redirects)
     pub async fn get_by_id_no_auth(&self, db: &D1Database, link_id: &str) -> Result<Option<Link>> {
         let stmt = db.prepare(
-            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url
+            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url, custom_domain
              FROM links
              WHERE id = ?1
              AND status = 'active'"
@@ -171,7 +175,7 @@ impl LinkRepository {
         link_id: &str,
     ) -> Result<Option<Link>> {
         let stmt = db.prepare(
-            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url
+            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url, custom_domain
              FROM links
              WHERE id = ?1"
         );
@@ -186,7 +190,7 @@ impl LinkRepository {
         org_id: &str,
     ) -> Result<Option<Link>> {
         let stmt = db.prepare(
-            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url
+            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url, custom_domain
              FROM links
              WHERE short_code = ?1
              AND org_id = ?2
@@ -204,7 +208,7 @@ impl LinkRepository {
         short_code: &str,
     ) -> Result<Option<Link>> {
         let stmt = db.prepare(
-            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url
+            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url, custom_domain
              FROM links
              WHERE short_code = ?1
              AND status = 'active'"
@@ -226,7 +230,7 @@ impl LinkRepository {
         tags_filter: Option<&[String]>,
     ) -> Result<Vec<Link>> {
         let mut query = String::from(
-            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url
+            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url, custom_domain
              FROM links
              WHERE org_id = ?1"
         );
@@ -668,7 +672,7 @@ impl LinkRepository {
     /// Get all active/disabled links for an org (for CSV/JSON export)
     pub async fn get_all_for_export(&self, db: &D1Database, org_id: &str) -> Result<Vec<Link>> {
         let stmt = db.prepare(
-            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url
+            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url, custom_domain
              FROM links
              WHERE org_id = ?1
              AND status IN ('active', 'disabled')
diff --git a/src/repositories/mod.rs b/src/repositories/mod.rs
index a8a06b27..17056b4e 100644
--- a/src/repositories/mod.rs
+++ b/src/repositories/mod.rs
@@ -18,6 +18,7 @@ pub mod analytics_repository;
 pub mod api_key_repository;
 pub mod billing_repository;
 pub mod blacklist_repository;
+pub mod custom_domain_repository;
 pub mod link_repository;
 pub mod org_repository;
 pub mod product_repository;
@@ -29,6 +30,7 @@ pub use analytics_repository::AnalyticsRepository;
 pub use api_key_repository::ApiKeyRepository;
 pub use billing_repository::BillingRepository;
 pub use blacklist_repository::BlacklistRepository;
+pub use custom_domain_repository::CustomDomainRepository;
 pub use link_repository::LinkRepository;
 pub use org_repository::OrgRepository;
 pub use product_repository::ProductRepository;
diff --git a/src/scheduled/downgrade_expired_subscriptions.rs b/src/scheduled/downgrade_expired_subscriptions.rs
index a6335d94..4c5d9c49 100644
--- a/src/scheduled/downgrade_expired_subscriptions.rs
+++ b/src/scheduled/downgrade_expired_subscriptions.rs
@@ -32,6 +32,17 @@ pub async fn scheduled(event: ScheduledEvent, env: Env, _ctx: ScheduleContext) {
             console_log!("[cron] Starting webhook cleanup job (4 AM UTC)");
             service.cleanup_webhooks(&db).await;
         }
+        "*/15 * * * *" => {
+            console_log!("[cron] Starting domain status poll job (every 15 minutes)");
+            let kv = match env.kv("URL_MAPPINGS") {
+                Ok(kv) => kv,
+                Err(e) => {
+                    console_error!("[cron] Failed to get KV binding: {}", e);
+                    return;
+                }
+            };
+            super::poll_domain_status::run(&db, &kv, &env).await;
+        }
         other => {
             console_warn!("[cron] Unexpected cron expression: {}", other);
         }
diff --git a/src/scheduled/mod.rs b/src/scheduled/mod.rs
index 43503aff..e439d6fb 100644
--- a/src/scheduled/mod.rs
+++ b/src/scheduled/mod.rs
@@ -1,3 +1,4 @@
 //! Scheduled cron job handlers.
 
 pub mod downgrade_expired_subscriptions;
+pub mod poll_domain_status;
diff --git a/src/scheduled/poll_domain_status.rs b/src/scheduled/poll_domain_status.rs
new file mode 100644
index 00000000..08f11e2c
--- /dev/null
+++ b/src/scheduled/poll_domain_status.rs
@@ -0,0 +1,142 @@
+//! Scheduled job: poll Cloudflare for SaaS to update pending domain statuses.
+//!
+//! Runs every 15 minutes and checks all `pending` custom domains against the
+//! Cloudflare API. Domains that become `active` get their KV entries synced.
+
+use crate::models::custom_domain::STATUS_ACTIVE;
+use crate::repositories::CustomDomainRepository;
+use crate::utils::cf_saas;
+use worker::d1::D1Database;
+use worker::kv::KvStore;
+use worker::*;
+
+/// Poll all pending custom domains and update their statuses.
+/// Returns the number of domains processed and the number of status changes.
+pub async fn run(db: &D1Database, kv: &KvStore, env: &Env) -> (usize, usize) {
+    poll_pending_domains(db, kv, env).await
+}
+
+/// Poll all pending custom domains and update their statuses.
+/// Returns (domains_processed, status_changes).
+pub async fn poll_pending_domains(db: &D1Database, kv: &KvStore, env: &Env) -> (usize, usize) {
+    let repo = CustomDomainRepository::new();
+
+    let pending = match repo.get_all_pending(db).await {
+        Ok(p) => p,
+        Err(e) => {
+            console_error!("[domains] Failed to fetch pending domains: {}", e);
+            return (0, 0);
+        }
+    };
+
+    if pending.is_empty() {
+        return (0, 0);
+    }
+
+    console_log!("[domains] Polling {} pending domain(s)", pending.len());
+    let mut changes = 0;
+
+    for domain in &pending {
+        let cf_id = match domain.cf_hostname_id.as_deref() {
+            Some(id) => id,
+            None => {
+                continue;
+            }
+        };
+
+        let cf_result = match cf_saas::get_custom_hostname(env, cf_id).await {
+            Ok(r) => r,
+            Err(e) => {
+                console_error!(
+                    "[domains] CF API error for domain {}: {}",
+                    domain.hostname,
+                    e
+                );
+                continue;
+            }
+        };
+
+        let new_status = match &cf_result {
+            Some(cf) => match cf.status.as_str() {
+                "active" => STATUS_ACTIVE,
+                "pending" | "pending_validation" => "pending",
+                _ => "failed",
+            },
+            None => "pending",
+        };
+
+        if new_status == domain.status.as_str() {
+            continue;
+        }
+
+        let verified_at = if new_status == STATUS_ACTIVE {
+            Some(crate::utils::now_timestamp())
+        } else {
+            None
+        };
+
+        let updated_cf_id = cf_result.as_ref().map(|cf| cf.id.as_str());
+
+        if let Err(e) = repo
+            .update_status(db, &domain.id, new_status, updated_cf_id, verified_at)
+            .await
+        {
+            console_error!(
+                "[domains] Failed to update status for domain {}: {}",
+                domain.hostname,
+                e
+            );
+            continue;
+        }
+
+        console_log!(
+            "[domains] Domain {} status: {} → {}",
+            domain.hostname,
+            domain.status,
+            new_status
+        );
+        changes += 1;
+
+        // If domain just became active, write KV entries for all active org links
+        if new_status == STATUS_ACTIVE
+            && let Err(e) = backfill_kv_for_domain(db, kv, &domain.org_id, &domain.hostname).await
+        {
+            console_error!(
+                "[domains] KV backfill failed for domain {}: {}",
+                domain.hostname,
+                e
+            );
+        }
+    }
+
+    (pending.len(), changes)
+}
+
+/// Write {hostname}:{short_code} KV entries for all active links in an org.
+async fn backfill_kv_for_domain(
+    db: &D1Database,
+    kv: &KvStore,
+    org_id: &str,
+    hostname: &str,
+) -> worker::Result<()> {
+    use crate::models::link::LinkStatus;
+    use crate::repositories::OrgRepository;
+
+    let links = OrgRepository::new().get_links(db, org_id).await?;
+
+    for link in links {
+        if matches!(link.status, LinkStatus::Active) {
+            let resolved_forward = link.forward_query_params.unwrap_or(false);
+            let mapping = link.to_mapping(resolved_forward);
+            super::super::kv::links::store_link_mapping_for_domain(
+                kv,
+                hostname,
+                &link.short_code,
+                &mapping,
+            )
+            .await?;
+        }
+    }
+
+    Ok(())
+}
diff --git a/src/services/link_service.rs b/src/services/link_service.rs
index ea33fdd3..1b8abed4 100644
--- a/src/services/link_service.rs
+++ b/src/services/link_service.rs
@@ -319,9 +319,18 @@ impl LinkService {
                 // Update KV with new mapping
                 let mapping = updated.to_mapping(resolved_forward);
                 crate::kv::store_link_mapping(kv, org_id, &updated.short_code, &mapping).await?;
+                crate::kv::sync_custom_domain_kv(
+                    kv,
+                    db,
+                    org_id,
+                    &updated.short_code,
+                    Some(&mapping),
+                )
+                .await?;
             } else {
                 // Link is not active, ensure it's removed from KV
                 crate::kv::delete_link_mapping(kv, org_id, &updated.short_code).await?;
+                crate::kv::sync_custom_domain_kv(kv, db, org_id, &updated.short_code, None).await?;
             }
         }
 
@@ -359,6 +368,7 @@ impl LinkService {
 
         // Delete from KV
         crate::kv::delete_link_mapping(kv, org_id, &link.short_code).await?;
+        crate::kv::sync_custom_domain_kv(kv, db, org_id, &link.short_code, None).await?;
 
         Ok(())
     }
@@ -527,10 +537,13 @@ impl LinkService {
             link.forward_query_params.unwrap_or(false)
         };
 
-        // Store in KV
+        // Store in KV (default domain — bare short_code)
         let mapping = link.to_mapping(resolved_forward);
         crate::kv::store_link_mapping(kv, org_id, &link.short_code, &mapping).await?;
 
+        // Dual-write for any active custom domains on this org
+        crate::kv::sync_custom_domain_kv(kv, db, org_id, &link.short_code, Some(&mapping)).await?;
+
         Ok(())
     }
 
@@ -569,6 +582,7 @@ impl LinkService {
                     ios_url: link.ios_url.clone(),
                     android_url: link.android_url.clone(),
                     desktop_url: link.desktop_url.clone(),
+                    custom_domain: link.custom_domain.clone(),
                 };
                 let org_repo = crate::repositories::OrgRepository::new();
                 let resolved_forward = if let Some(forward) = link.forward_query_params {
diff --git a/src/utils/cf_saas.rs b/src/utils/cf_saas.rs
new file mode 100644
index 00000000..02ed8af2
--- /dev/null
+++ b/src/utils/cf_saas.rs
@@ -0,0 +1,252 @@
+/// Cloudflare for SaaS API client
+///
+/// Thin async wrapper around the Cloudflare Custom Hostnames API.
+/// Used to register customer domains so CF can issue SSL certificates
+/// and route traffic through our Worker.
+///
+/// Required env vars:
+///   CF_ZONE_ID   - Cloudflare Zone ID for the rush.mn zone
+///   CF_API_TOKEN - CF API token with ssl_and_certificates:edit permission
+use serde::{Deserialize, Serialize};
+use worker::{Env, Fetch, Headers, Method, Request as WorkerRequest, RequestInit};
+
+const CF_API_BASE: &str = "https://api.cloudflare.com/client/v4";
+
+/// Response from CF API when creating or fetching a custom hostname
+#[derive(Debug, Deserialize)]
+pub struct CfCustomHostnameResult {
+    pub id: String,
+    pub hostname: String,
+    pub status: String,
+    pub ssl: CfSslResult,
+    pub ownership_verification: Option<CfOwnershipVerification>,
+    pub ownership_verification_http: Option<CfOwnershipVerificationHttp>,
+    #[serde(default)]
+    pub custom_origin_server: Option<String>,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct CfSslResult {
+    pub status: String,
+    #[serde(default)]
+    pub validation_records: Option<Vec<CfValidationRecord>>,
+}
+
+/// ACME validation record for SSL certificates
+#[derive(Debug, Deserialize)]
+pub struct CfValidationRecord {
+    pub txt_name: Option<String>,
+    pub txt_value: Option<String>,
+    pub txt_status: Option<String>,
+}
+
+/// TXT-based domain ownership verification (DNS challenge)
+#[derive(Debug, Deserialize)]
+pub struct CfOwnershipVerification {
+    #[serde(rename = "type")]
+    pub verification_type: String,
+    pub name: String,
+    pub value: String,
+}
+
+/// HTTP-based domain ownership verification
+#[derive(Debug, Deserialize)]
+pub struct CfOwnershipVerificationHttp {
+    pub http_url: String,
+    pub http_body: String,
+}
+
+#[derive(Debug, Deserialize)]
+struct CfApiResponse<T> {
+    pub success: bool,
+    pub result: Option<T>,
+    pub errors: Vec<CfApiError>,
+}
+
+#[derive(Debug, Deserialize)]
+struct CfApiError {
+    pub code: u32,
+    pub message: String,
+}
+
+#[derive(Debug, Serialize)]
+struct CreateCustomHostnameBody {
+    hostname: String,
+    ssl: CreateSslConfig,
+}
+
+#[derive(Debug, Serialize)]
+struct CreateSslConfig {
+    method: String,
+    #[serde(rename = "type")]
+    ssl_type: String,
+    settings: SslSettings,
+    bundle_method: String,
+    wildcard: bool,
+}
+
+#[derive(Debug, Serialize)]
+struct SslSettings {
+    min_tls_version: String,
+}
+
+/// Get CF credentials from environment
+fn get_cf_credentials(env: &Env) -> Option<(String, String)> {
+    let zone_id = env.var("CF_ZONE_ID").ok()?.to_string();
+    let api_token = env.secret("CF_API_TOKEN").ok()?.to_string();
+    if zone_id.is_empty() || api_token.is_empty() {
+        return None;
+    }
+    Some((zone_id, api_token))
+}
+
+/// Build CF API authorization headers
+fn build_headers(api_token: &str) -> worker::Result<Headers> {
+    let headers = Headers::new();
+    headers.set("Authorization", &format!("Bearer {}", api_token))?;
+    headers.set("Content-Type", "application/json")?;
+    Ok(headers)
+}
+
+/// Create a custom hostname in CF for SaaS.
+/// Returns the CF hostname record on success, or None if CF credentials are not configured.
+pub async fn create_custom_hostname(
+    env: &Env,
+    hostname: &str,
+) -> worker::Result<Option<CfCustomHostnameResult>> {
+    let Some((zone_id, api_token)) = get_cf_credentials(env) else {
+        return Ok(None);
+    };
+
+    let url = format!("{}/zones/{}/custom_hostnames", CF_API_BASE, zone_id);
+
+    let body = CreateCustomHostnameBody {
+        hostname: hostname.to_string(),
+        ssl: CreateSslConfig {
+            method: "txt".to_string(),
+            ssl_type: "dv".to_string(),
+            settings: SslSettings {
+                min_tls_version: "1.2".to_string(),
+            },
+            bundle_method: "ubiquitous".to_string(),
+            wildcard: false,
+        },
+    };
+
+    let body_str = serde_json::to_string(&body)
+        .map_err(|e| worker::Error::RustError(format!("Failed to serialize CF request: {}", e)))?;
+
+    let headers = build_headers(&api_token)?;
+    let mut init = RequestInit::new();
+    init.with_method(Method::Post)
+        .with_headers(headers)
+        .with_body(Some(body_str.into()));
+
+    let request = WorkerRequest::new_with_init(&url, &init)?;
+    let mut resp = Fetch::Request(request).send().await?;
+
+    let text = resp.text().await?;
+    let parsed: CfApiResponse<CfCustomHostnameResult> =
+        serde_json::from_str(&text).map_err(|e| {
+            worker::Error::RustError(format!(
+                "Failed to parse CF response: {} — body: {}",
+                e, text
+            ))
+        })?;
+
+    if !parsed.success {
+        let errors: Vec<String> = parsed
+            .errors
+            .iter()
+            .map(|e| format!("[{}] {}", e.code, e.message))
+            .collect();
+        return Err(worker::Error::RustError(format!(
+            "CF API error: {}",
+            errors.join(", ")
+        )));
+    }
+
+    Ok(parsed.result)
+}
+
+/// Fetch the current status of a custom hostname from CF.
+/// Returns None if CF credentials are not configured.
+pub async fn get_custom_hostname(
+    env: &Env,
+    cf_hostname_id: &str,
+) -> worker::Result<Option<CfCustomHostnameResult>> {
+    let Some((zone_id, api_token)) = get_cf_credentials(env) else {
+        return Ok(None);
+    };
+
+    let url = format!(
+        "{}/zones/{}/custom_hostnames/{}",
+        CF_API_BASE, zone_id, cf_hostname_id
+    );
+
+    let headers = build_headers(&api_token)?;
+    let mut init = RequestInit::new();
+    init.with_method(Method::Get).with_headers(headers);
+
+    let request = WorkerRequest::new_with_init(&url, &init)?;
+    let mut resp = Fetch::Request(request).send().await?;
+
+    let text = resp.text().await?;
+    let parsed: CfApiResponse<CfCustomHostnameResult> =
+        serde_json::from_str(&text).map_err(|e| {
+            worker::Error::RustError(format!(
+                "Failed to parse CF response: {} — body: {}",
+                e, text
+            ))
+        })?;
+
+    if !parsed.success {
+        let errors: Vec<String> = parsed
+            .errors
+            .iter()
+            .map(|e| format!("[{}] {}", e.code, e.message))
+            .collect();
+        return Err(worker::Error::RustError(format!(
+            "CF API error: {}",
+            errors.join(", ")
+        )));
+    }
+
+    Ok(parsed.result)
+}
+
+/// Delete a custom hostname from CF for SaaS.
+/// Returns Ok(()) whether or not CF credentials are configured (no-op if unconfigured).
+pub async fn delete_custom_hostname(env: &Env, cf_hostname_id: &str) -> worker::Result<()> {
+    let Some((zone_id, api_token)) = get_cf_credentials(env) else {
+        return Ok(());
+    };
+
+    let url = format!(
+        "{}/zones/{}/custom_hostnames/{}",
+        CF_API_BASE, zone_id, cf_hostname_id
+    );
+
+    let headers = build_headers(&api_token)?;
+    let mut init = RequestInit::new();
+    init.with_method(Method::Delete).with_headers(headers);
+
+    let request = WorkerRequest::new_with_init(&url, &init)?;
+    let mut resp = Fetch::Request(request).send().await?;
+
+    let status = resp.status_code();
+    if status != 200 && status != 204 {
+        let text = resp.text().await.unwrap_or_default();
+        return Err(worker::Error::RustError(format!(
+            "CF delete hostname failed ({}): {}",
+            status, text
+        )));
+    }
+
+    Ok(())
+}
+
+/// Check if CF for SaaS is configured (both env vars present)
+pub fn is_cf_saas_configured(env: &Env) -> bool {
+    get_cf_credentials(env).is_some()
+}
diff --git a/src/utils/env.rs b/src/utils/env.rs
index 8c3de4f8..e1495812 100644
--- a/src/utils/env.rs
+++ b/src/utils/env.rs
@@ -15,6 +15,14 @@ pub fn get_domain(env: &Env) -> String {
         .unwrap_or_else(|_| "localhost:8787".to_string())
 }
 
+/// Get the fallback domain for custom domain CNAMEs
+/// Falls back to DOMAIN if not configured
+pub fn get_fallback_domain(env: &Env) -> String {
+    env.var("FALLBACK_DOMAIN")
+        .map(|v| v.to_string())
+        .unwrap_or_else(|_| get_domain(env))
+}
+
 /// Determine the scheme (http/https) based on domain
 pub fn get_scheme(env: &Env) -> String {
     let domain = get_domain(env);
diff --git a/src/utils/mod.rs b/src/utils/mod.rs
index d66e3521..608fd047 100644
--- a/src/utils/mod.rs
+++ b/src/utils/mod.rs
@@ -1,3 +1,4 @@
+pub mod cf_saas;
 pub mod crypto;
 pub mod device;
 pub mod email;
@@ -13,7 +14,7 @@ pub mod url_normalization;
 pub mod validation;
 
 pub use crypto::{secure_compare, verify_polar_webhook_signature};
-pub use env::get_frontend_url;
+pub use env::{get_fallback_domain, get_frontend_url};
 pub use errors::AppError;
 pub use http::{get_client_ip, hash_ip};
 pub use query_params::QueryParams;
diff --git a/wrangler.example.toml b/wrangler.example.toml
index 6611c28b..3b70d4b8 100644
--- a/wrangler.example.toml
+++ b/wrangler.example.toml
@@ -59,6 +59,7 @@ GOOGLE_AUTHORIZE_URL = "https://accounts.google.com/o/oauth2/v2/auth"
 GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token"
 GOOGLE_USER_URL = "https://openidconnect.googleapis.com/v1/userinfo"
 DOMAIN = "yourdomain.com"
+FALLBACK_DOMAIN = "redirect.yourdomain.com"
 FRONTEND_URL = "http://localhost:5173"
 # KV-based rate limiting is disabled by default in favor of Cloudflare rate limiting rules
 # Set to "true" to re-enable KV-based rate limiting for specific use cases