From 31f4713809f99b9c23da115b14fd915dc9c6c0ee Mon Sep 17 00:00:00 2001
From: Sergio Visinoni <piffio@piffio.org>
Date: Fri, 15 May 2026 16:50:26 +0200
Subject: [PATCH 01/19] chore: upgrade wasm-bindgen to the latest version

---
 Cargo.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Cargo.toml b/Cargo.toml
index b0710ef7..1d626c0a 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -8,7 +8,7 @@ crate-type = ["cdylib", "rlib"]
 
 [dependencies]
 worker = { version = "0.8.0", features = ["d1"] }
-wasm-bindgen = { version = "0.2.114", features = ["serde-serialize"] }
+wasm-bindgen = { version = "0.2.121", features = ["serde-serialize"] }
 web-sys = { version = "0.3", features = ["Window", "Request", "RequestInit", "Response", "Headers", "RequestMode"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"

From 76ea834999955c57f9329241721dd2d4f7902785 Mon Sep 17 00:00:00 2001
From: Sergio Visinoni <piffio@piffio.org>
Date: Fri, 15 May 2026 16:52:29 +0200
Subject: [PATCH 02/19] feat: Add custom domains support with Cloudflare for
 SaaS

This commit implements organization-level custom domains with SSL
certificates via Cloudflare for SaaS, including:

Backend:
- Custom domain model and repository
- Cloudflare for SaaS API integration
- Custom domain CRUD API endpoints
- KV dual-write for hostname:short_code mappings
- Redirect handler updates for custom domain resolution
- Scheduled polling for domain status updates
- Admin API for manual domain polling and listing
- Database migration for custom_domains table

Frontend:
- Custom domain management UI
- Admin domains page with manual polling button
- Admin API client updates
- Domains API client
- Admin sidebar navigation updates

Infrastructure:
- Added CF_SAAS_API_TOKEN secret to staging and production workflows
- Added domain polling cron to production

Tier limits enforced at organization level.
---
 .github/workflows/deploy-ephemeral.yml        |   7 +
 README.md                                     |   2 +-
 frontend/src/config/pricing.ts                |   2 +
 frontend/src/lib/api/admin.ts                 |  22 ++
 frontend/src/lib/api/domains.ts               |  55 +++
 frontend/src/routes/admin/+layout.svelte      |  18 +-
 .../src/routes/admin/domains/+page.svelte     | 283 ++++++++++++++++
 .../src/routes/dashboard/org/+page.svelte     | 318 ++++++++++++++++++
 migrations/0030_custom_domains.sql            |  15 +
 src/api/admin/domains.rs                      | 112 ++++++
 src/api/admin/mod.rs                          |   1 +
 src/api/domains/create.rs                     | 186 ++++++++++
 src/api/domains/delete.rs                     |  82 +++++
 src/api/domains/list.rs                       |  34 ++
 src/api/domains/mod.rs                        |  13 +
 src/api/domains/refresh.rs                    | 128 +++++++
 src/api/links/redirect.rs                     |  32 +-
 src/api/mod.rs                                |   1 +
 src/api/router.rs                             |  26 ++
 src/kv/links.rs                               |  41 +++
 src/kv/mod.rs                                 |   2 +
 src/kv/sync.rs                                |  40 +++
 src/models/custom_domain.rs                   |  85 +++++
 src/models/mod.rs                             |   2 +
 src/models/tier.rs                            |  16 +-
 src/repositories/custom_domain_repository.rs  | 222 ++++++++++++
 src/repositories/mod.rs                       |   2 +
 .../downgrade_expired_subscriptions.rs        |  11 +
 src/scheduled/mod.rs                          |   1 +
 src/scheduled/poll_domain_status.rs           | 142 ++++++++
 src/services/link_service.rs                  |  15 +-
 src/utils/cf_saas.rs                          | 240 +++++++++++++
 src/utils/mod.rs                              |   1 +
 33 files changed, 2150 insertions(+), 7 deletions(-)
 create mode 100644 frontend/src/lib/api/domains.ts
 create mode 100644 frontend/src/routes/admin/domains/+page.svelte
 create mode 100644 migrations/0030_custom_domains.sql
 create mode 100644 src/api/admin/domains.rs
 create mode 100644 src/api/domains/create.rs
 create mode 100644 src/api/domains/delete.rs
 create mode 100644 src/api/domains/list.rs
 create mode 100644 src/api/domains/mod.rs
 create mode 100644 src/api/domains/refresh.rs
 create mode 100644 src/kv/sync.rs
 create mode 100644 src/models/custom_domain.rs
 create mode 100644 src/repositories/custom_domain_repository.rs
 create mode 100644 src/scheduled/poll_domain_status.rs
 create mode 100644 src/utils/cf_saas.rs

diff --git a/.github/workflows/deploy-ephemeral.yml b/.github/workflows/deploy-ephemeral.yml
index 72d0a20a..7c5c66d3 100644
--- a/.github/workflows/deploy-ephemeral.yml
+++ b/.github/workflows/deploy-ephemeral.yml
@@ -247,6 +247,8 @@ jobs:
           # Format: array of cron expressions (Cloudflare doesn't support named triggers)
           # - "0 0 * * *" = midnight UTC daily (subscription downgrade)
           # - "0 4 * * *" = 4 AM UTC daily (webhook cleanup)
+          # NOTE: Custom domain polling is done manually via admin panel
+          # in ephemeral/staging due to cron trigger limits.
           [triggers]
           crons = ["0 0 * * *", "0 4 * * *"]
 
@@ -284,6 +286,7 @@ jobs:
           ENABLE_KV_RATE_LIMITING = "false"
           POLAR_ORG_SLUG = "${{ secrets.POLAR_ORG_SLUG }}"
           POLAR_SANDBOX = "true"
+          CF_ZONE_ID = "${{ secrets.CF_ZONE_ID }}"
           EOF
 
       - name: Apply D1 Migrations
@@ -328,6 +331,7 @@ jobs:
           MAILGUN_API_KEY: ${{ secrets.MAILGUN_API_KEY }}
           POLAR_ACCESS_TOKEN: ${{ secrets.POLAR_ACCESS_TOKEN }}
           POLAR_WEBHOOK_SECRET: ${{ secrets.POLAR_WEBHOOK_SECRET }}
+          CF_SAAS_API_TOKEN: ${{ secrets.CF_SAAS_API_TOKEN }}
         run: |
           # Set secrets using wrangler secrets API (not visible in Worker dashboard)
           echo "$GH_CLIENT_SECRET" | wrangler secret put GITHUB_CLIENT_SECRET -c wrangler.ephemeral.toml
@@ -338,6 +342,9 @@ jobs:
             echo "$POLAR_ACCESS_TOKEN" | wrangler secret put POLAR_ACCESS_TOKEN -c wrangler.ephemeral.toml
             echo "$POLAR_WEBHOOK_SECRET" | wrangler secret put POLAR_WEBHOOK_SECRET -c wrangler.ephemeral.toml
           fi
+          if [ -n "$CF_SAAS_API_TOKEN" ]; then
+            echo "$CF_SAAS_API_TOKEN" | wrangler secret put CF_API_TOKEN -c wrangler.ephemeral.toml
+          fi
 
       - name: Deploy to Ephemeral Environment
         env:
diff --git a/README.md b/README.md
index 72f5eb24..d8f32da1 100644
--- a/README.md
+++ b/README.md
@@ -32,6 +32,7 @@ Never forget that naming things is a hard problem to solve. Nevertheless, I'm gl
 - **Rate Limiting**: Comprehensive IP, user, and session-based rate limiting
 - **Instance Settings**: Configurable admin settings including signup control and default tiers
 - **Email Notifications**: Transactional email via Mailgun for team invitations
+- **Custom Domains**: Pro (1) and Business (3) custom domains per organization with SSL via Cloudflare for SaaS
 
 ## Planned Features
 
@@ -39,7 +40,6 @@ Never forget that naming things is a hard problem to solve. Nevertheless, I'm gl
 - **More OAuth providers**: GitLab and other providers beyond GitHub/Google
 - **QR Codes Generation**: Generate QR codes for links
 - **Bulk link operations**: Import/export and batch management
-- **Custom domains per organization**: Organization-specific branded domains
 
 ## How to try it out
 
diff --git a/frontend/src/config/pricing.ts b/frontend/src/config/pricing.ts
index 4826e01a..69a53af9 100644
--- a/frontend/src/config/pricing.ts
+++ b/frontend/src/config/pricing.ts
@@ -125,6 +125,7 @@ export const createPricingTiers = (
       "Custom short codes",
       "Advanced QR codes (sizes, SVG, org logo)",
       "Redirect type selection (301/307)",
+      "1 custom domain",
       "API access",
       "Email support"
     ],
@@ -190,6 +191,7 @@ export const createPricingTiers = (
       "3-year analytics retention",
       "3 organizations",
       "20 team members",
+      "3 custom domains",
       "Device-based routing",
       "Password protection",
       "API access",
diff --git a/frontend/src/lib/api/admin.ts b/frontend/src/lib/api/admin.ts
index c7c743c6..3777c10d 100644
--- a/frontend/src/lib/api/admin.ts
+++ b/frontend/src/lib/api/admin.ts
@@ -9,6 +9,7 @@ import type {
   User
 } from "$lib/types/api";
 import { apiClient } from "./client";
+import type { CustomDomain } from "./domains";
 
 export interface AdminUsersResponse {
   users: User[];
@@ -18,6 +19,13 @@ export interface AdminUsersResponse {
   org_tiers: Record<string, string>;
 }
 
+export interface PollDomainsResponse {
+  success: boolean;
+  domains_processed: number;
+  status_changes: number;
+  message: string;
+}
+
 export interface UpdateUserRoleRequest {
   role: "admin" | "member";
 }
@@ -654,5 +662,19 @@ export const adminApi = {
       `/api/admin/api-keys/${id}/restore`,
       { method: "POST" }
     );
+  },
+
+  /**
+   * List all custom domains across all orgs (admin only)
+   */
+  async listDomains(): Promise<CustomDomain[]> {
+    return apiClient.get<CustomDomain[]>("/api/admin/domains");
+  },
+
+  /**
+   * Manually poll all pending custom domains (admin only)
+   */
+  async pollDomains(): Promise<PollDomainsResponse> {
+    return apiClient.post<PollDomainsResponse>("/api/admin/domains/poll", {});
   }
 };
diff --git a/frontend/src/lib/api/domains.ts b/frontend/src/lib/api/domains.ts
new file mode 100644
index 00000000..fc794ff6
--- /dev/null
+++ b/frontend/src/lib/api/domains.ts
@@ -0,0 +1,55 @@
+import { apiClient } from "./client";
+
+export interface CustomDomain {
+  id: string;
+  org_id: string;
+  hostname: string;
+  status: "pending" | "active" | "failed";
+  cf_hostname_id: string | null;
+  created_at: number;
+  verified_at: number | null;
+}
+
+export interface DnsInstructions {
+  cname_target: string;
+  txt_name: string | null;
+  txt_value: string | null;
+  needs_cname: boolean;
+  needs_txt: boolean;
+}
+
+export interface CreateDomainResponse {
+  domain: CustomDomain;
+  dns_instructions: DnsInstructions;
+}
+
+export const domainsApi = {
+  async listDomains(orgId: string): Promise<CustomDomain[]> {
+    return apiClient.get<CustomDomain[]>(`/api/orgs/${orgId}/domains`);
+  },
+
+  async addDomain(
+    orgId: string,
+    hostname: string
+  ): Promise<CreateDomainResponse> {
+    return apiClient.post<CreateDomainResponse>(`/api/orgs/${orgId}/domains`, {
+      hostname
+    });
+  },
+
+  async deleteDomain(
+    orgId: string,
+    hostname: string
+  ): Promise<{ deleted: boolean }> {
+    return apiClient.delete<{ deleted: boolean }>(
+      `/api/orgs/${orgId}/domains/${hostname}`
+    );
+  },
+
+  async refreshDomain(orgId: string, hostname: string): Promise<CustomDomain> {
+    return apiClient.post<CustomDomain>(
+      `/api/orgs/${orgId}/domains/${hostname}/refresh`,
+      {}
+    );
+  }
+};
diff --git a/frontend/src/routes/admin/+layout.svelte b/frontend/src/routes/admin/+layout.svelte
index 28791585..9e3fa52b 100644
--- a/frontend/src/routes/admin/+layout.svelte
+++ b/frontend/src/routes/admin/+layout.svelte
@@ -15,7 +15,8 @@
     | "blacklist"
     | "reports"
     | "api-keys"
-    | "settings";
+    | "settings"
+    | "domains";
 
   const { children } = $props();
 
@@ -122,6 +123,13 @@
         <span class="nav-icon">🔗</span>
         <span class="nav-label">Links</span>
       </button>
+      <button
+        class="nav-item {activeModule === 'domains' ? 'active' : ''}"
+        onclick={() => navigateTo("domains")}
+      >
+        <span class="nav-icon">🌐</span>
+        <span class="nav-label">Custom Domains</span>
+      </button>
       <button
         class="nav-item {activeModule === 'blacklist' ? 'active' : ''}"
         onclick={() => navigateTo("blacklist")}
@@ -278,6 +286,14 @@
           <span class="mobile-nav-icon">🔗</span>
           <span>Links</span>
         </a>
+        <a
+          href="/admin/domains"
+          class="mobile-nav-item {activeModule === 'domains' ? 'active' : ''}"
+          onclick={() => (mobileMenuOpen = false)}
+        >
+          <span class="mobile-nav-icon">🌐</span>
+          <span>Custom Domains</span>
+        </a>
         <a
           href="/admin/blacklist"
           class="mobile-nav-item {activeModule === 'blacklist' ? 'active' : ''}"
diff --git a/frontend/src/routes/admin/domains/+page.svelte b/frontend/src/routes/admin/domains/+page.svelte
new file mode 100644
index 00000000..8bbac536
--- /dev/null
+++ b/frontend/src/routes/admin/domains/+page.svelte
@@ -0,0 +1,283 @@
+<script lang="ts">
+  import { adminApi } from "$lib/api/admin";
+  import type { CustomDomain } from "$lib/api/domains";
+  import { onMount } from "svelte";
+
+  let domains = $state<CustomDomain[]>([]);
+  let loading = $state(true);
+  let error = $state("");
+  let polling = $state(false);
+  let pollResult = $state("");
+
+  onMount(async () => {
+    await loadDomains();
+  });
+
+  async function loadDomains() {
+    try {
+      loading = true;
+      error = "";
+      domains = await adminApi.listDomains();
+    } catch (err) {
+      error = "Failed to load custom domains";
+      console.error("Domains load error:", err);
+    } finally {
+      loading = false;
+    }
+  }
+
+  async function handlePollDomains() {
+    try {
+      polling = true;
+      pollResult = "";
+      const result = await adminApi.pollDomains();
+      pollResult = result.message;
+      // Refresh domain list after polling
+      await loadDomains();
+    } catch (err) {
+      pollResult = "Failed to poll domains";
+      console.error("Poll domains error:", err);
+    } finally {
+      polling = false;
+    }
+  }
+
+  function getStatusBadge(status: string): string {
+    switch (status) {
+      case "active":
+        return "status-badge status-active";
+      case "pending":
+        return "status-badge status-pending";
+      case "failed":
+        return "status-badge status-failed";
+      default:
+        return "status-badge";
+    }
+  }
+</script>
+
+<div class="domains-page">
+  <div class="page-header">
+    <h1>Custom Domains</h1>
+    <p class="subtitle">
+      Manage custom domains and poll their verification status
+    </p>
+  </div>
+
+  {#if pollResult}
+    <div class="alert alert-info">
+      {pollResult}
+    </div>
+  {/if}
+
+  <div class="action-bar">
+    <button
+      class="btn btn-primary"
+      onclick={handlePollDomains}
+      disabled={polling}
+    >
+      {#if polling}
+        <span class="spinner"></span>
+        Polling...
+      {:else}
+        🔄 Poll Pending Domains
+      {/if}
+    </button>
+  </div>
+
+  {#if loading}
+    <div class="loading">Loading domains...</div>
+  {:else if error}
+    <div class="alert alert-error">{error}</div>
+  {:else if domains.length === 0}
+    <div class="empty-state">
+      <p>No custom domains have been added yet.</p>
+    </div>
+  {:else}
+    <div class="domains-table-container">
+      <table class="domains-table">
+        <thead>
+          <tr>
+            <th>Hostname</th>
+            <th>Organization</th>
+            <th>Status</th>
+            <th>Created</th>
+          </tr>
+        </thead>
+        <tbody>
+          {#each domains as domain (domain.id)}
+            <tr>
+              <td class="hostname">{domain.hostname}</td>
+              <td>{domain.org_id}</td>
+              <td>
+                <span class={getStatusBadge(domain.status)}>
+                  {domain.status}
+                </span>
+              </td>
+              <td>{new Date(domain.created_at * 1000).toLocaleDateString()}</td>
+            </tr>
+          {/each}
+        </tbody>
+      </table>
+    </div>
+  {/if}
+</div>
+
+<style>
+  .domains-page {
+    padding: 2rem;
+  }
+
+  .page-header {
+    margin-bottom: 2rem;
+  }
+
+  .page-header h1 {
+    font-size: 1.75rem;
+    font-weight: 600;
+    color: #1f2937;
+    margin: 0 0 0.5rem 0;
+  }
+
+  .subtitle {
+    color: #6b7280;
+    margin: 0;
+  }
+
+  .action-bar {
+    margin-bottom: 1.5rem;
+  }
+
+  .btn {
+    display: inline-flex;
+    align-items: center;
+    gap: 0.5rem;
+    padding: 0.625rem 1rem;
+    border-radius: 0.375rem;
+    font-size: 0.875rem;
+    font-weight: 500;
+    border: none;
+    cursor: pointer;
+    transition: all 0.2s;
+  }
+
+  .btn-primary {
+    background: #4f46e5;
+    color: white;
+  }
+
+  .btn-primary:hover:not(:disabled) {
+    background: #4338ca;
+  }
+
+  .btn:disabled {
+    opacity: 0.6;
+    cursor: not-allowed;
+  }
+
+  .spinner {
+    display: inline-block;
+    width: 1rem;
+    height: 1rem;
+    border: 2px solid rgba(255, 255, 255, 0.3);
+    border-top-color: white;
+    border-radius: 50%;
+    animation: spin 0.8s linear infinite;
+  }
+
+  @keyframes spin {
+    to {
+      transform: rotate(360deg);
+    }
+  }
+
+  .alert {
+    padding: 0.75rem 1rem;
+    border-radius: 0.375rem;
+    margin-bottom: 1.5rem;
+    font-size: 0.875rem;
+  }
+
+  .alert-info {
+    background: #eff6ff;
+    color: #1e40af;
+    border: 1px solid #bfdbfe;
+  }
+
+  .alert-error {
+    background: #fef2f2;
+    color: #991b1b;
+    border: 1px solid #fecaca;
+  }
+
+  .loading,
+  .empty-state {
+    text-align: center;
+    padding: 3rem;
+    color: #6b7280;
+  }
+
+  .domains-table-container {
+    overflow-x: auto;
+    border: 1px solid #e5e7eb;
+    border-radius: 0.5rem;
+  }
+
+  .domains-table {
+    width: 100%;
+    border-collapse: collapse;
+    font-size: 0.875rem;
+  }
+
+  .domains-table thead {
+    background: #f9fafb;
+  }
+
+  .domains-table th {
+    padding: 0.75rem 1rem;
+    text-align: left;
+    font-weight: 600;
+    color: #374151;
+    border-bottom: 1px solid #e5e7eb;
+  }
+
+  .domains-table td {
+    padding: 0.75rem 1rem;
+    border-bottom: 1px solid #f3f4f6;
+    color: #4b5563;
+  }
+
+  .domains-table tbody tr:hover {
+    background: #f9fafb;
+  }
+
+  .hostname {
+    font-family: monospace;
+    font-weight: 500;
+    color: #1f2937;
+  }
+
+  .status-badge {
+    display: inline-block;
+    padding: 0.25rem 0.625rem;
+    border-radius: 9999px;
+    font-size: 0.75rem;
+    font-weight: 500;
+    text-transform: capitalize;
+  }
+
+  .status-active {
+    background: #d1fae5;
+    color: #065f46;
+  }
+
+  .status-pending {
+    background: #fef3c7;
+    color: #92400e;
+  }
+
+  .status-failed {
+    background: #fee2e2;
+    color: #991b1b;
+  }
+</style>
diff --git a/frontend/src/routes/dashboard/org/+page.svelte b/frontend/src/routes/dashboard/org/+page.svelte
index 39988bb0..822b8c27 100644
--- a/frontend/src/routes/dashboard/org/+page.svelte
+++ b/frontend/src/routes/dashboard/org/+page.svelte
@@ -2,6 +2,8 @@
   import type { BillingStatus } from "$lib/api/billing";
   import { billingApi } from "$lib/api/billing";
   import { resolveLogoUrl } from "$lib/api/client";
+  import type { CreateDomainResponse, CustomDomain } from "$lib/api/domains";
+  import { domainsApi } from "$lib/api/domains";
   import { tagsApi } from "$lib/api/links";
   import { orgsApi } from "$lib/api/orgs";
   import Avatar from "$lib/components/Avatar.svelte";
@@ -39,6 +41,18 @@
   let actionError = $state("");
   let actionSuccess = $state("");
 
+  // Custom domains
+  let domains = $state<CustomDomain[]>([]);
+  let domainsLoading = $state(false);
+  let domainsError = $state("");
+  let newHostname = $state("");
+  let addingDomain = $state(false);
+  let addDomainError = $state("");
+  let newDomainResult = $state<CreateDomainResponse | null>(null);
+  let deletingDomain = $state<string | null>(null);
+  let refreshingDomain = $state<string | null>(null);
+  let confirmingDomainHostname = $state<string | null>(null);
+
   // Tags management
   let tags = $state<TagWithCount[]>([]);
   let tagsLoading = $state(false);
@@ -62,6 +76,7 @@
       orgDetails = await orgsApi.getOrg(currentOrgId);
       await loadOrgSettings(currentOrgId);
       await loadTags();
+      await loadDomains(currentOrgId);
     } catch (e: unknown) {
       error =
         e instanceof Error ? e.message : "Failed to load organization details.";
@@ -241,6 +256,82 @@
     }
   }
 
+  async function loadDomains(orgId: string) {
+    domainsLoading = true;
+    domainsError = "";
+    try {
+      domains = await domainsApi.listDomains(orgId);
+    } catch (e: unknown) {
+      domainsError = e instanceof Error ? e.message : "Failed to load domains.";
+    } finally {
+      domainsLoading = false;
+    }
+  }
+
+  async function handleAddDomain() {
+    if (!orgDetails || !newHostname.trim()) return;
+    addingDomain = true;
+    addDomainError = "";
+    newDomainResult = null;
+    try {
+      const result = await domainsApi.addDomain(
+        orgDetails.org.id,
+        newHostname.trim()
+      );
+      domains = [...domains, result.domain];
+      newDomainResult = result;
+      newHostname = "";
+    } catch (e: unknown) {
+      addDomainError = e instanceof Error ? e.message : "Failed to add domain.";
+    } finally {
+      addingDomain = false;
+    }
+  }
+
+  async function handleDeleteDomain(hostname: string) {
+    if (!orgDetails) return;
+    confirmingDomainHostname = hostname;
+  }
+
+  async function confirmDeleteDomain() {
+    if (!orgDetails || !confirmingDomainHostname) return;
+    const hostname = confirmingDomainHostname;
+    deletingDomain = hostname;
+    try {
+      await domainsApi.deleteDomain(orgDetails.org.id, hostname);
+      domains = domains.filter((d) => d.hostname !== hostname);
+      if (newDomainResult?.domain.hostname === hostname) newDomainResult = null;
+    } catch (e: unknown) {
+      actionError = e instanceof Error ? e.message : "Failed to remove domain.";
+      setTimeout(() => (actionError = ""), 5000);
+    } finally {
+      deletingDomain = null;
+      confirmingDomainHostname = null;
+    }
+  }
+
+  function closeConfirmDomain() {
+    confirmingDomainHostname = null;
+  }
+
+  async function handleRefreshDomain(hostname: string) {
+    if (!orgDetails) return;
+    refreshingDomain = hostname;
+    try {
+      const updated = await domainsApi.refreshDomain(
+        orgDetails.org.id,
+        hostname
+      );
+      domains = domains.map((d) => (d.hostname === hostname ? updated : d));
+    } catch (e: unknown) {
+      actionError =
+        e instanceof Error ? e.message : "Failed to refresh domain status.";
+      setTimeout(() => (actionError = ""), 5000);
+    } finally {
+      refreshingDomain = null;
+    }
+  }
+
   async function loadTags() {
     tagsLoading = true;
     tagsError = "";
@@ -940,6 +1031,192 @@
         {/if}
       </div>
 
+      <!-- Custom Domains -->
+      <div class="bg-white rounded-xl border border-gray-200 p-6 mb-6">
+        <div class="flex items-center justify-between mb-1">
+          <h2 class="text-lg font-semibold text-gray-900">Custom Domains</h2>
+          {#if orgDetails.org.tier === "free"}
+            <span
+              class="text-xs bg-orange-100 text-orange-700 px-2 py-1 rounded-full font-medium"
+              >Pro+ feature</span
+            >
+          {/if}
+        </div>
+        <p class="text-sm text-gray-500 mb-4">
+          Point your own domain at your short links (e.g. <code
+            class="bg-gray-100 px-1 rounded">go.example.com</code
+          >).
+        </p>
+
+        {#if orgDetails.org.tier === "free"}
+          <div class="bg-orange-50 border border-orange-200 rounded-lg p-4">
+            <p class="text-sm text-orange-800">
+              Custom domains require a <strong>Pro plan</strong> or higher.
+              <a href="/billing" class="underline font-medium"
+                >Upgrade your plan</a
+              > to add custom domains.
+            </p>
+          </div>
+        {:else}
+          {#if domainsLoading}
+            <div class="flex items-center gap-2 text-sm text-gray-500">
+              <div
+                class="animate-spin w-4 h-4 border-2 border-gray-300 border-t-gray-600 rounded-full"
+              ></div>
+              Loading domains...
+            </div>
+          {:else if domainsError}
+            <div class="text-sm text-red-600 mb-3">{domainsError}</div>
+          {/if}
+
+          {#if domains.length > 0}
+            <ul class="space-y-3 mb-4">
+              {#each domains as domain (domain.id)}
+                <li
+                  class="flex items-center justify-between p-3 bg-gray-50 rounded-lg"
+                >
+                  <div class="flex-1 min-w-0">
+                    <div class="flex items-center gap-2">
+                      <span class="font-mono text-sm text-gray-800 truncate"
+                        >{domain.hostname}</span
+                      >
+                      {#if domain.status === "active"}
+                        <span
+                          class="text-xs bg-green-100 text-green-700 px-2 py-0.5 rounded-full"
+                          >Active</span
+                        >
+                      {:else if domain.status === "pending"}
+                        <span
+                          class="text-xs bg-yellow-100 text-yellow-700 px-2 py-0.5 rounded-full"
+                          >Pending DNS</span
+                        >
+                      {:else}
+                        <span
+                          class="text-xs bg-red-100 text-red-700 px-2 py-0.5 rounded-full"
+                          >Failed</span
+                        >
+                      {/if}
+                    </div>
+                    {#if domain.status === "pending"}
+                      <p class="text-xs text-gray-500 mt-1">
+                        Add the CNAME record, then click Refresh to check
+                        status.
+                      </p>
+                    {/if}
+                  </div>
+                  <div class="flex items-center gap-2 ml-4">
+                    {#if domain.status === "pending"}
+                      <button
+                        onclick={() => handleRefreshDomain(domain.hostname)}
+                        disabled={refreshingDomain === domain.hostname}
+                        class="text-xs text-blue-600 hover:text-blue-800 disabled:opacity-50 transition-colors"
+                      >
+                        {refreshingDomain === domain.hostname
+                          ? "Checking..."
+                          : "Refresh"}
+                      </button>
+                    {/if}
+                    <button
+                      onclick={() => handleDeleteDomain(domain.hostname)}
+                      disabled={deletingDomain === domain.hostname}
+                      class="text-xs text-red-500 hover:text-red-700 disabled:opacity-50 transition-colors"
+                    >
+                      {deletingDomain === domain.hostname
+                        ? "Removing..."
+                        : "Remove"}
+                    </button>
+                  </div>
+                </li>
+              {/each}
+            </ul>
+          {:else if !domainsLoading}
+            <p class="text-sm text-gray-500 mb-4">
+              No custom domains configured yet.
+            </p>
+          {/if}
+
+          <!-- Add domain form -->
+          {#if newDomainResult}
+            <div class="bg-blue-50 border border-blue-200 rounded-lg p-4 mb-4">
+              <h3 class="text-sm font-semibold text-blue-900 mb-2">
+                DNS Setup Required
+              </h3>
+              <p class="text-sm text-blue-800 mb-3">
+                Add the following DNS records at your DNS provider to verify
+                ownership and enable routing:
+              </p>
+              <div class="space-y-2">
+                {#if newDomainResult.dns_instructions.needs_cname}
+                  <div class="bg-white rounded border border-blue-200 p-3">
+                    <div class="text-xs font-medium text-gray-500 mb-1">
+                      CNAME Record
+                    </div>
+                    <div class="font-mono text-xs">
+                      <span class="text-gray-700"
+                        >{newDomainResult.domain.hostname}</span
+                      >
+                      <span class="text-gray-400 mx-2">→</span>
+                      <span class="text-blue-700"
+                        >{newDomainResult.dns_instructions.cname_target}</span
+                      >
+                    </div>
+                  </div>
+                {/if}
+                {#if newDomainResult.dns_instructions.needs_txt && newDomainResult.dns_instructions.txt_name}
+                  <div class="bg-white rounded border border-blue-200 p-3">
+                    <div class="text-xs font-medium text-gray-500 mb-1">
+                      TXT Record (ownership verification)
+                    </div>
+                    <div class="font-mono text-xs">
+                      <span class="text-gray-700"
+                        >{newDomainResult.dns_instructions.txt_name}</span
+                      >
+                      <span class="text-gray-400 mx-2">=</span>
+                      <span class="text-blue-700 break-all"
+                        >{newDomainResult.dns_instructions.txt_value}</span
+                      >
+                    </div>
+                  </div>
+                {/if}
+              </div>
+              <p class="text-xs text-blue-700 mt-3">
+                DNS propagation can take a few minutes. Use the Refresh button
+                to check verification status.
+              </p>
+              <button
+                onclick={() => {
+                  newDomainResult = null;
+                }}
+                class="mt-2 text-xs text-blue-600 hover:text-blue-800 underline"
+                >Dismiss</button
+              >
+            </div>
+          {/if}
+
+          <div class="flex items-center gap-2">
+            <input
+              type="text"
+              bind:value={newHostname}
+              placeholder="go.yourdomain.com"
+              class="flex-1 px-3 py-2 border border-gray-200 rounded-lg text-sm focus:outline-none focus:ring-2 focus:ring-orange-300 font-mono"
+              onkeydown={(e) => {
+                if (e.key === "Enter") handleAddDomain();
+              }}
+            />
+            <button
+              onclick={handleAddDomain}
+              disabled={addingDomain || !newHostname.trim()}
+              class="px-4 py-2 bg-orange-500 hover:bg-orange-600 disabled:opacity-50 text-white rounded-lg text-sm font-medium transition-colors"
+            >
+              {addingDomain ? "Adding..." : "Add Domain"}
+            </button>
+          </div>
+          {#if addDomainError}
+            <p class="text-xs text-red-600 mt-2">{addDomainError}</p>
+          {/if}
+        {/if}
+      </div>
+
       <!-- Tags Management -->
       <div class="bg-white rounded-xl border border-gray-200 p-6 mb-6">
         <h2 class="text-lg font-semibold text-gray-900 mb-4">Tags</h2>
@@ -1239,6 +1516,47 @@
   </div>
 {/if}
 
+<!-- Domain Deletion Confirmation Modal -->
+{#if confirmingDomainHostname}
+  <div
+    class="modal-backdrop"
+    role="button"
+    tabindex="0"
+    onclick={closeConfirmDomain}
+    onkeydown={(e) => e.key === "Enter" && closeConfirmDomain()}
+  >
+    <div
+      class="modal"
+      onclick={(e) => e.stopPropagation()}
+      role="dialog"
+      aria-modal="true"
+      tabindex="0"
+      onkeydown={(e) => e.key === "Escape" && closeConfirmDomain()}
+    >
+      <div class="modal-header">
+        <h3>Remove Custom Domain?</h3>
+        <button class="modal-close" onclick={closeConfirmDomain}>&times;</button
+        >
+      </div>
+      <div class="modal-body">
+        <p>
+          Remove custom domain "{confirmingDomainHostname}"? All short links
+          served through this domain will stop working. This action cannot be
+          undone.
+        </p>
+      </div>
+      <div class="modal-footer">
+        <button class="btn btn-secondary" onclick={closeConfirmDomain}>
+          Cancel
+        </button>
+        <button class="btn btn-danger" onclick={confirmDeleteDomain}>
+          Remove
+        </button>
+      </div>
+    </div>
+  </div>
+{/if}
+
 <style>
   /* Modal Styles */
   .modal-backdrop {
diff --git a/migrations/0030_custom_domains.sql b/migrations/0030_custom_domains.sql
new file mode 100644
index 00000000..50a4f7ae
--- /dev/null
+++ b/migrations/0030_custom_domains.sql
@@ -0,0 +1,15 @@
+-- Custom domains for organizations (Pro+ feature)
+-- Allows orgs to use their own domain (e.g. go.mybrand.com) for short links
+-- SSL and domain verification are handled via Cloudflare for SaaS API
+CREATE TABLE custom_domains (
+    id TEXT PRIMARY KEY NOT NULL,
+    org_id TEXT NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
+    hostname TEXT NOT NULL UNIQUE,
+    status TEXT NOT NULL DEFAULT 'pending',
+    cf_hostname_id TEXT,
+    created_at INTEGER NOT NULL,
+    verified_at INTEGER
+);
+
+CREATE INDEX idx_custom_domains_org ON custom_domains(org_id);
+CREATE INDEX idx_custom_domains_hostname ON custom_domains(hostname);
diff --git a/src/api/admin/domains.rs b/src/api/admin/domains.rs
new file mode 100644
index 00000000..bed1b270
--- /dev/null
+++ b/src/api/admin/domains.rs
@@ -0,0 +1,112 @@
+/// Admin custom domain handlers
+///
+/// GET /api/admin/domains — List all custom domains
+/// POST /api/admin/domains/poll — Manually poll all pending custom domains
+use crate::auth;
+use crate::models::CustomDomain;
+use crate::repositories::CustomDomainRepository;
+use crate::scheduled::poll_domain_status::poll_pending_domains;
+use crate::utils::AppError;
+use utoipa::ToSchema;
+use worker::d1::D1Database;
+use worker::*;
+
+#[utoipa::path(
+    get,
+    path = "/api/admin/domains",
+    tag = "Admin",
+    summary = "List all custom domains",
+    responses(
+        (status = 200, description = "List of custom domains", body = Vec<CustomDomain>),
+        (status = 401, description = "Unauthorized"),
+        (status = 403, description = "Admin required"),
+    ),
+    security(("Bearer" = []), ("session_cookie" = []))
+)]
+pub async fn handle_admin_list_domains(req: Request, ctx: RouteContext<()>) -> Result<Response> {
+    Ok(inner_handle_admin_list_domains(req, ctx)
+        .await
+        .unwrap_or_else(|e| e.into_response()))
+}
+
+async fn inner_handle_admin_list_domains(
+    req: Request,
+    ctx: RouteContext<()>,
+) -> Result<Response, AppError> {
+    let user_ctx = auth::authenticate_request(&req, &ctx).await?;
+    auth::require_admin(&user_ctx).map_err(AppError::from)?;
+
+    let db = ctx
+        .env
+        .get_binding::<D1Database>("rushomon")
+        .map_err(|_| AppError::Internal("Database not available".to_string()))?;
+
+    let domains = CustomDomainRepository::new().get_all(&db).await.map_err(|e| {
+        console_log!("{}", serde_json::json!({"event": "admin_list_domains_failed", "error": e.to_string(), "level": "error"}));
+        AppError::Internal("Failed to list custom domains".to_string())
+    })?;
+
+    Ok(Response::from_json(&domains)?)
+}
+
+#[utoipa::path(
+    post,
+    path = "/api/admin/domains/poll",
+    tag = "Admin",
+    summary = "Poll pending custom domains",
+    responses(
+        (status = 200, description = "Polling complete", body = PollDomainsResponse),
+        (status = 401, description = "Unauthorized"),
+        (status = 403, description = "Admin required"),
+    ),
+    security(("Bearer" = []), ("session_cookie" = []))
+)]
+pub async fn handle_admin_poll_domains(req: Request, ctx: RouteContext<()>) -> Result<Response> {
+    Ok(inner_handle_admin_poll_domains(req, ctx)
+        .await
+        .unwrap_or_else(|e| e.into_response()))
+}
+
+#[derive(serde::Serialize, ToSchema)]
+struct PollDomainsResponse {
+    success: bool,
+    domains_processed: u64,
+    status_changes: u64,
+    message: String,
+}
+
+async fn inner_handle_admin_poll_domains(
+    req: Request,
+    ctx: RouteContext<()>,
+) -> Result<Response, AppError> {
+    let user_ctx = auth::authenticate_request(&req, &ctx).await?;
+    auth::require_admin(&user_ctx).map_err(AppError::from)?;
+
+    let db = ctx
+        .env
+        .get_binding::<D1Database>("rushomon")
+        .map_err(|_| AppError::Internal("Database not available".to_string()))?;
+    let kv = ctx
+        .kv("URL_MAPPINGS")
+        .map_err(|e| AppError::Internal(format!("KV store not available: {}", e)))?;
+
+    let (processed, changes) = poll_pending_domains(&db, &kv, &ctx.env).await;
+
+    let message = if processed == 0 {
+        "No pending domains found".to_string()
+    } else if changes == 0 {
+        format!("Polled {} domain(s), no status changes", processed)
+    } else {
+        format!(
+            "Polled {} domain(s), {} status change(s)",
+            processed, changes
+        )
+    };
+
+    Ok(Response::from_json(&PollDomainsResponse {
+        success: true,
+        domains_processed: processed as u64,
+        status_changes: changes as u64,
+        message,
+    })?)
+}
diff --git a/src/api/admin/mod.rs b/src/api/admin/mod.rs
index 80361fee..3a5b8f1d 100644
--- a/src/api/admin/mod.rs
+++ b/src/api/admin/mod.rs
@@ -2,4 +2,5 @@ pub mod api_keys;
 pub mod billing;
 pub mod blacklist;
 pub mod counters;
+pub mod domains;
 pub mod users;
diff --git a/src/api/domains/create.rs b/src/api/domains/create.rs
new file mode 100644
index 00000000..eae018ed
--- /dev/null
+++ b/src/api/domains/create.rs
@@ -0,0 +1,186 @@
+/// POST /api/orgs/:id/domains
+/// Add a custom domain to an organization (Pro+ only)
+use crate::auth;
+use crate::models::custom_domain::{CustomDomain, DnsInstructions, STATUS_PENDING};
+use crate::repositories::{BillingRepository, CustomDomainRepository, OrgRepository};
+use crate::services::OrgService;
+use crate::utils::env::get_domain;
+use crate::utils::{AppError, cf_saas};
+use worker::d1::D1Database;
+use worker::*;
+
+pub async fn handle_create_domain(req: Request, ctx: RouteContext<()>) -> Result<Response> {
+    Ok(inner(req, ctx).await.unwrap_or_else(|e| e.into_response()))
+}
+
+async fn inner(mut req: Request, ctx: RouteContext<()>) -> Result<Response, AppError> {
+    let user_ctx = auth::authenticate_request(&req, &ctx).await?;
+
+    let org_id = ctx
+        .param("id")
+        .ok_or_else(|| AppError::BadRequest("Missing org id".to_string()))?
+        .to_string();
+
+    let db = ctx.env.get_binding::<D1Database>("rushomon")?;
+
+    OrgService::new()
+        .require_owner_or_admin(
+            &db,
+            &org_id,
+            &user_ctx.user_id,
+            "Only org owners and admins can manage custom domains",
+        )
+        .await?;
+
+    let body: serde_json::Value = req
+        .json()
+        .await
+        .map_err(|_| AppError::BadRequest("Invalid JSON body".to_string()))?;
+
+    let hostname = body["hostname"]
+        .as_str()
+        .map(|s| s.trim().to_lowercase())
+        .filter(|s| !s.is_empty())
+        .ok_or_else(|| AppError::BadRequest("hostname is required".to_string()))?;
+
+    validate_hostname(&hostname)?;
+
+    let org = OrgRepository::new()
+        .get_by_id(&db, &org_id)
+        .await?
+        .ok_or_else(|| AppError::NotFound("Organization not found".to_string()))?;
+
+    // Check tier allows custom domains
+    let billing_repo = BillingRepository::new();
+    let billing_account = billing_repo
+        .get_for_org(&db, &org_id)
+        .await?
+        .ok_or_else(|| {
+            AppError::Internal("No billing account found for organization".to_string())
+        })?;
+
+    let tier = crate::models::Tier::from_str_value(&billing_account.tier)
+        .unwrap_or(crate::models::Tier::Free);
+    let limits = tier.limits();
+
+    match limits.max_custom_domains {
+        Some(0) => {
+            return Err(AppError::Forbidden(
+                "Custom domains are not available on the Free plan. Upgrade to Pro or Business."
+                    .to_string(),
+            ));
+        }
+        Some(max) => {
+            let current = CustomDomainRepository::new()
+                .count_non_failed_for_org(&db, &org_id)
+                .await
+                .map_err(AppError::from)?;
+            if current >= max {
+                return Err(AppError::Forbidden(format!(
+                    "Custom domain limit reached ({}/{}). Upgrade your plan to add more domains.",
+                    current, max
+                )));
+            }
+        }
+        None => {}
+    }
+
+    // Check hostname is not already taken (globally)
+    let existing = CustomDomainRepository::new()
+        .get_by_hostname(&db, &hostname)
+        .await
+        .map_err(AppError::from)?;
+    if existing.is_some() {
+        return Err(AppError::BadRequest(format!(
+            "'{}' is already registered as a custom domain.",
+            hostname
+        )));
+    }
+
+    // Register with Cloudflare for SaaS
+    let cf_result = cf_saas::create_custom_hostname(&ctx.env, &hostname)
+        .await
+        .map_err(|e| {
+            AppError::Internal(format!("Failed to register domain with Cloudflare: {}", e))
+        })?;
+
+    let (cf_hostname_id, dns_instructions) = if let Some(cf) = cf_result {
+        let txt_name = cf.ownership_verification.as_ref().map(|v| v.name.clone());
+        let txt_value = cf.ownership_verification.as_ref().map(|v| v.value.clone());
+        let needs_txt = txt_name.is_some();
+        let cname_target = get_domain(&ctx.env);
+        let instructions = DnsInstructions {
+            cname_target,
+            txt_name,
+            txt_value,
+            needs_cname: true,
+            needs_txt,
+        };
+        (Some(cf.id), instructions)
+    } else {
+        // CF for SaaS not configured (dev/test mode) — return stub instructions
+        let cname_target = get_domain(&ctx.env);
+        let instructions = DnsInstructions {
+            cname_target,
+            txt_name: None,
+            txt_value: None,
+            needs_cname: true,
+            needs_txt: false,
+        };
+        (None, instructions)
+    };
+
+    let domain = CustomDomain {
+        id: CustomDomain::generate_id(),
+        org_id: org.id,
+        hostname,
+        status: STATUS_PENDING.to_string(),
+        cf_hostname_id,
+        created_at: crate::utils::now_timestamp(),
+        verified_at: None,
+    };
+
+    CustomDomainRepository::new()
+        .create(&db, &domain)
+        .await
+        .map_err(AppError::from)?;
+
+    Ok(Response::from_json(&serde_json::json!({
+        "domain": domain,
+        "dns_instructions": dns_instructions,
+    }))?)
+}
+
+/// Basic hostname validation: must look like a valid subdomain or domain
+fn validate_hostname(hostname: &str) -> Result<(), AppError> {
+    if hostname.is_empty() || hostname.len() > 253 {
+        return Err(AppError::BadRequest("Invalid hostname length".to_string()));
+    }
+    // Must not start/end with hyphen or dot
+    if hostname.starts_with('-')
+        || hostname.ends_with('-')
+        || hostname.starts_with('.')
+        || hostname.ends_with('.')
+    {
+        return Err(AppError::BadRequest(
+            "Hostname must not start or end with a hyphen or dot".to_string(),
+        ));
+    }
+    // Must contain at least one dot (e.g. go.example.com)
+    if !hostname.contains('.') {
+        return Err(AppError::BadRequest(
+            "Hostname must contain at least one dot (e.g. go.example.com)".to_string(),
+        ));
+    }
+    // Only allow valid hostname characters
+    if !hostname
+        .chars()
+        .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.')
+    {
+        return Err(AppError::BadRequest(
+            "Hostname contains invalid characters. Use only a-z, 0-9, hyphens, and dots."
+                .to_string(),
+        ));
+    }
+    Ok(())
+}
diff --git a/src/api/domains/delete.rs b/src/api/domains/delete.rs
new file mode 100644
index 00000000..e2ac817f
--- /dev/null
+++ b/src/api/domains/delete.rs
@@ -0,0 +1,82 @@
+/// DELETE /api/orgs/:id/domains/:hostname
+/// Remove a custom domain from an organization
+use crate::auth;
+use crate::repositories::CustomDomainRepository;
+use crate::services::OrgService;
+use crate::utils::{AppError, cf_saas};
+use worker::d1::D1Database;
+use worker::*;
+
+pub async fn handle_delete_domain(req: Request, ctx: RouteContext<()>) -> Result<Response> {
+    Ok(inner(req, ctx).await.unwrap_or_else(|e| e.into_response()))
+}
+
+async fn inner(req: Request, ctx: RouteContext<()>) -> Result<Response, AppError> {
+    let user_ctx = auth::authenticate_request(&req, &ctx).await?;
+
+    let org_id = ctx
+        .param("id")
+        .ok_or_else(|| AppError::BadRequest("Missing org id".to_string()))?
+        .to_string();
+
+    let hostname = ctx
+        .param("hostname")
+        .ok_or_else(|| AppError::BadRequest("Missing hostname".to_string()))?
+        .to_string();
+
+    let db = ctx.env.get_binding::<D1Database>("rushomon")?;
+
+    OrgService::new()
+        .require_owner_or_admin(
+            &db,
+            &org_id,
+            &user_ctx.user_id,
+            "Only org owners and admins can manage custom domains",
+        )
+        .await?;
+
+    let domain_repo = CustomDomainRepository::new();
+    let domain = domain_repo
+        .get_by_hostname_and_org(&db, &hostname, &org_id)
+        .await
+        .map_err(AppError::from)?
+        .ok_or_else(|| AppError::NotFound("Custom domain not found".to_string()))?;
+
+    // Delete from Cloudflare for SaaS (if registered)
+    if let Some(ref cf_id) = domain.cf_hostname_id {
+        cf_saas::delete_custom_hostname(&ctx.env, cf_id)
+            .await
+            .map_err(|e| {
+                AppError::Internal(format!("Failed to remove domain from Cloudflare: {}", e))
+            })?;
+    }
+
+    // Clean up all KV entries for this hostname
+    let kv = ctx.kv("URL_MAPPINGS")?;
+    let short_codes_result = db
+        .prepare("SELECT short_code FROM links WHERE org_id = ?1 AND status = 'active'")
+        .bind(&[org_id.as_str().into()])
+        .map_err(|e| AppError::Internal(e.to_string()))?
+        .all()
+        .await
+        .map_err(|e| AppError::Internal(e.to_string()))?
+        .results::<serde_json::Value>()
+        .map_err(|e| AppError::Internal(e.to_string()))?;
+
+    for row in &short_codes_result {
+        if let Some(sc) = row["short_code"].as_str() {
+            let key = format!("{}:{}", hostname, sc);
+            let _ = kv.delete(&key).await;
+        }
+    }
+
+    // Delete from D1
+    domain_repo
+        .delete(&db, &domain.id, &org_id)
+        .await
+        .map_err(AppError::from)?;
+
+    Ok(Response::from_json(
+        &serde_json::json!({ "deleted": true }),
+    )?)
+}
diff --git a/src/api/domains/list.rs b/src/api/domains/list.rs
new file mode 100644
index 00000000..256da9cf
--- /dev/null
+++ b/src/api/domains/list.rs
@@ -0,0 +1,34 @@
+/// GET /api/orgs/:id/domains
+/// List all custom domains for an organization
+use crate::auth;
+use crate::repositories::CustomDomainRepository;
+use crate::services::OrgService;
+use crate::utils::AppError;
+use worker::d1::D1Database;
+use worker::*;
+
+pub async fn handle_list_domains(req: Request, ctx: RouteContext<()>) -> Result<Response> {
+    Ok(inner(req, ctx).await.unwrap_or_else(|e| e.into_response()))
+}
+
+async fn inner(req: Request, ctx: RouteContext<()>) -> Result<Response, AppError> {
+    let user_ctx = auth::authenticate_request(&req, &ctx).await?;
+
+    let org_id = ctx
+        .param("id")
+        .ok_or_else(|| AppError::BadRequest("Missing org id".to_string()))?
+        .to_string();
+
+    let db = ctx.env.get_binding::<D1Database>("rushomon")?;
+
+    OrgService::new()
+        .require_owner_or_admin(&db, &org_id, &user_ctx.user_id, "Access denied")
+        .await?;
+
+    let domains = CustomDomainRepository::new()
+        .get_by_org(&db, &org_id)
+        .await
+        .map_err(AppError::from)?;
+
+    Ok(Response::from_json(&domains)?)
+}
diff --git a/src/api/domains/mod.rs b/src/api/domains/mod.rs
new file mode 100644
index 00000000..226044c9
--- /dev/null
+++ b/src/api/domains/mod.rs
@@ -0,0 +1,13 @@
+/// Custom domain management API
+///
+/// Endpoints for managing custom domains per organization (Pro+ feature).
+/// SSL certificates are handled via Cloudflare for SaaS.
+pub mod create;
+pub mod delete;
+pub mod list;
+pub mod refresh;
+
+pub use create::handle_create_domain;
+pub use delete::handle_delete_domain;
+pub use list::handle_list_domains;
+pub use refresh::handle_refresh_domain;
diff --git a/src/api/domains/refresh.rs b/src/api/domains/refresh.rs
new file mode 100644
index 00000000..930bf294
--- /dev/null
+++ b/src/api/domains/refresh.rs
@@ -0,0 +1,128 @@
+/// POST /api/orgs/:id/domains/:hostname/refresh
+/// Poll CF for SaaS to update the status of a pending custom domain.
+/// If the domain is now active, also syncs KV entries for all active links in the org.
+use crate::auth;
+use crate::models::custom_domain::STATUS_ACTIVE;
+use crate::repositories::CustomDomainRepository;
+use crate::services::OrgService;
+use crate::utils::{AppError, cf_saas};
+use worker::d1::D1Database;
+use worker::*;
+
+pub async fn handle_refresh_domain(req: Request, ctx: RouteContext<()>) -> Result<Response> {
+    Ok(inner(req, ctx).await.unwrap_or_else(|e| e.into_response()))
+}
+
+async fn inner(req: Request, ctx: RouteContext<()>) -> Result<Response, AppError> {
+    let user_ctx = auth::authenticate_request(&req, &ctx).await?;
+
+    let org_id = ctx
+        .param("id")
+        .ok_or_else(|| AppError::BadRequest("Missing org id".to_string()))?
+        .to_string();
+
+    let hostname = ctx
+        .param("hostname")
+        .ok_or_else(|| AppError::BadRequest("Missing hostname".to_string()))?
+        .to_string();
+
+    let db = ctx.env.get_binding::<D1Database>("rushomon")?;
+
+    OrgService::new()
+        .require_owner_or_admin(
+            &db,
+            &org_id,
+            &user_ctx.user_id,
+            "Only org owners and admins can manage custom domains",
+        )
+        .await?;
+
+    let domain_repo = CustomDomainRepository::new();
+    let domain = domain_repo
+        .get_by_hostname_and_org(&db, &hostname, &org_id)
+        .await
+        .map_err(AppError::from)?
+        .ok_or_else(|| AppError::NotFound("Custom domain not found".to_string()))?;
+
+    let cf_hostname_id = domain.cf_hostname_id.as_deref().ok_or_else(|| {
+        AppError::BadRequest(
+            "Domain has no Cloudflare record — it may have been registered without CF for SaaS."
+                .to_string(),
+        )
+    })?;
+
+    let cf_result = cf_saas::get_custom_hostname(&ctx.env, cf_hostname_id)
+        .await
+        .map_err(|e| AppError::Internal(format!("Failed to poll Cloudflare: {}", e)))?;
+
+    let new_status = if let Some(ref cf) = cf_result {
+        match cf.status.as_str() {
+            "active" => STATUS_ACTIVE,
+            "pending" | "pending_validation" => "pending",
+            _ => "failed",
+        }
+    } else {
+        "pending"
+    };
+
+    // Persist updated status
+    domain_repo
+        .update_status(
+            &db,
+            &domain.id,
+            new_status,
+            cf_result.as_ref().map(|cf| cf.id.as_str()),
+            if new_status == STATUS_ACTIVE {
+                Some(crate::utils::now_timestamp())
+            } else {
+                None
+            },
+        )
+        .await
+        .map_err(AppError::from)?;
+
+    // If domain just became active, sync KV for all active org links
+    if new_status == STATUS_ACTIVE {
+        sync_kv_for_domain(&ctx, &db, &org_id, &hostname).await?;
+    }
+
+    let updated = domain_repo
+        .get_by_hostname_and_org(&db, &hostname, &org_id)
+        .await
+        .map_err(AppError::from)?;
+
+    Ok(Response::from_json(&updated)?)
+}
+
+/// Write {hostname}:{short_code} KV entries for all active links in the org.
+async fn sync_kv_for_domain(
+    ctx: &RouteContext<()>,
+    db: &D1Database,
+    org_id: &str,
+    hostname: &str,
+) -> Result<(), AppError> {
+    use crate::repositories::OrgRepository;
+
+    let org_repo = OrgRepository::new();
+    let links = org_repo
+        .get_links(db, org_id)
+        .await
+        .map_err(AppError::from)?;
+
+    let kv = ctx.kv("URL_MAPPINGS")?;
+
+    for link in links {
+        if link.status == crate::models::link::LinkStatus::Active {
+            let resolved_forward = link.forward_query_params.unwrap_or(false);
+            let mapping = link.to_mapping(resolved_forward);
+            let key = format!("{}:{}", hostname, link.short_code);
+            kv.put(&key, &mapping)
+                .map_err(|e| AppError::Internal(e.to_string()))?
+                .execute()
+                .await
+                .map_err(|e| AppError::Internal(e.to_string()))?;
+        }
+    }
+
+    Ok(())
+}
diff --git a/src/api/links/redirect.rs b/src/api/links/redirect.rs
index 160b5f35..3388a10c 100644
--- a/src/api/links/redirect.rs
+++ b/src/api/links/redirect.rs
@@ -9,6 +9,29 @@ use std::pin::Pin;
 use worker::d1::D1Database;
 use worker::*;
 
+/// Determine if the request is on a custom domain by comparing the request host
+/// to the configured SHORT_DOMAIN. Returns Some(hostname) if it's a custom domain,
+/// or None if it's the default short domain.
+fn get_custom_host(req: &Request, env: &Env) -> Option<String> {
+    let short_domain = env.var("SHORT_DOMAIN").ok().map(|v| v.to_string());
+    let request_host = req
+        .url()
+        .ok()
+        .and_then(|u| u.host_str().map(|h| h.to_string()));
+
+    match (short_domain, request_host) {
+        (Some(sd), Some(rh)) if sd != rh => {
+            // Never treat localhost / loopback addresses as custom domains
+            if rh == "localhost" || rh == "127.0.0.1" || rh.starts_with("localhost:") {
+                None
+            } else {
+                Some(rh)
+            }
+        }
+        _ => None,
+    }
+}
+
 /// Result of a redirect operation, containing the response and optional deferred analytics work.
 pub struct RedirectResult {
     pub response: Response,
@@ -71,7 +94,14 @@ pub async fn handle_redirect(
         });
     }
 
-    let mapping = kv::get_link_mapping(&kv, &short_code).await?;
+    // Determine if request came via a custom domain
+    let custom_host = get_custom_host(&req, &ctx.env);
+
+    let mapping = if let Some(ref hostname) = custom_host {
+        kv::links::get_link_mapping_for_domain(&kv, hostname, &short_code).await?
+    } else {
+        kv::get_link_mapping(&kv, &short_code).await?
+    };
 
     let Some(mapping) = mapping else {
         let url = Url::parse(&format!("{}/404", get_frontend_url(&ctx.env)))?;
diff --git a/src/api/mod.rs b/src/api/mod.rs
index e93e2f95..e35a420f 100644
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
@@ -2,6 +2,7 @@ pub mod admin;
 pub mod analytics;
 pub mod auth;
 pub mod billing;
+pub mod domains;
 pub mod keys;
 pub mod links;
 pub mod orgs;
diff --git a/src/api/router.rs b/src/api/router.rs
index 09f6999b..2d470b64 100644
--- a/src/api/router.rs
+++ b/src/api/router.rs
@@ -234,6 +234,15 @@ pub async fn run(req: Request, env: Env, is_frontend_domain: bool) -> Result<Res
             "/api/admin/products/save",
             crate::api::billing::products::handle_admin_save_products,
         )
+        // Admin custom domain routes
+        .get_async(
+            "/api/admin/domains",
+            crate::api::admin::domains::handle_admin_list_domains,
+        )
+        .post_async(
+            "/api/admin/domains/poll",
+            crate::api::admin::domains::handle_admin_poll_domains,
+        )
         // Admin API keys routes
         .get_async(
             "/api/admin/api-keys",
@@ -294,6 +303,23 @@ pub async fn run(req: Request, env: Env, is_frontend_domain: bool) -> Result<Res
             "/api/settings/api-keys/:id",
             crate::api::keys::handle_revoke_api_key,
         )
+        // Custom domain routes (Pro+ feature)
+        .get_async(
+            "/api/orgs/:id/domains",
+            crate::api::domains::handle_list_domains,
+        )
+        .post_async(
+            "/api/orgs/:id/domains",
+            crate::api::domains::handle_create_domain,
+        )
+        .delete_async(
+            "/api/orgs/:id/domains/:hostname",
+            crate::api::domains::handle_delete_domain,
+        )
+        .post_async(
+            "/api/orgs/:id/domains/:hostname/refresh",
+            crate::api::domains::handle_refresh_domain,
+        )
         // Org management routes
         .get_async("/api/orgs", crate::api::orgs::handle_list_user_orgs)
         .post_async("/api/orgs", crate::api::orgs::handle_create_org)
diff --git a/src/kv/links.rs b/src/kv/links.rs
index 6a4be74f..d5fa1950 100644
--- a/src/kv/links.rs
+++ b/src/kv/links.rs
@@ -9,6 +9,47 @@ fn make_key(_org_id: &str, short_code: &str) -> String {
     short_code.to_string()
 }
 
+/// KV key for custom-domain-scoped lookups: {hostname}:{short_code}
+fn make_domain_key(hostname: &str, short_code: &str) -> String {
+    format!("{}:{}", hostname, short_code)
+}
+
+/// Store a link mapping for a specific custom domain
+pub async fn store_link_mapping_for_domain(
+    kv: &KvStore,
+    hostname: &str,
+    short_code: &str,
+    mapping: &LinkMapping,
+) -> Result<()> {
+    let key = make_domain_key(hostname, short_code);
+    kv.put(&key, mapping)?.execute().await?;
+    Ok(())
+}
+
+/// Get a link mapping for a specific custom domain
+pub async fn get_link_mapping_for_domain(
+    kv: &KvStore,
+    hostname: &str,
+    short_code: &str,
+) -> Result<Option<LinkMapping>> {
+    let key = make_domain_key(hostname, short_code);
+    kv.get(&key)
+        .json::<LinkMapping>()
+        .await
+        .map_err(|e| worker::Error::RustError(format!("KV error: {:?}", e)))
+}
+
+/// Delete a link mapping for a specific custom domain
+pub async fn delete_link_mapping_for_domain(
+    kv: &KvStore,
+    hostname: &str,
+    short_code: &str,
+) -> Result<()> {
+    let key = make_domain_key(hostname, short_code);
+    kv.delete(&key).await?;
+    Ok(())
+}
+
 /// Store a link mapping in KV
 pub async fn store_link_mapping(
     kv: &KvStore,
diff --git a/src/kv/mod.rs b/src/kv/mod.rs
index a7b657c4..d072366c 100644
--- a/src/kv/mod.rs
+++ b/src/kv/mod.rs
@@ -1,3 +1,5 @@
 pub mod links;
+pub mod sync;
 
 pub use links::{delete_link_mapping, get_link_mapping, store_link_mapping, update_link_mapping};
+pub use sync::sync_custom_domain_kv;
diff --git a/src/kv/sync.rs b/src/kv/sync.rs
new file mode 100644
index 00000000..671f5315
--- /dev/null
+++ b/src/kv/sync.rs
@@ -0,0 +1,40 @@
+/// KV sync helpers for custom domain dual-write
+///
+/// When a link is created, updated, or deleted, we must also update KV
+/// for every active custom domain on the same org, using the key format:
+///   {hostname}:{short_code}
+use crate::models::LinkMapping;
+use crate::repositories::CustomDomainRepository;
+use worker::Result;
+use worker::d1::D1Database;
+use worker::kv::KvStore;
+
+/// Sync KV entries for all active custom domains on an org for a specific short_code.
+///
+/// - `mapping = Some(m)` → write (or overwrite) the `{hostname}:{short_code}` key
+/// - `mapping = None`    → delete the `{hostname}:{short_code}` key (link deleted/disabled)
+pub async fn sync_custom_domain_kv(
+    kv: &KvStore,
+    db: &D1Database,
+    org_id: &str,
+    short_code: &str,
+    mapping: Option<&LinkMapping>,
+) -> Result<()> {
+    let repo = CustomDomainRepository::new();
+    let active_domains = repo.get_active_for_org(db, org_id).await?;
+
+    for domain in &active_domains {
+        match mapping {
+            Some(m) => {
+                super::links::store_link_mapping_for_domain(kv, &domain.hostname, short_code, m)
+                    .await?;
+            }
+            None => {
+                super::links::delete_link_mapping_for_domain(kv, &domain.hostname, short_code)
+                    .await?;
+            }
+        }
+    }
+
+    Ok(())
+}
diff --git a/src/models/custom_domain.rs b/src/models/custom_domain.rs
new file mode 100644
index 00000000..e37abeee
--- /dev/null
+++ b/src/models/custom_domain.rs
@@ -0,0 +1,85 @@
+use serde::{Deserialize, Serialize};
+use utoipa::ToSchema;
+
+/// Status values for a custom domain
+pub const STATUS_PENDING: &str = "pending";
+pub const STATUS_ACTIVE: &str = "active";
+#[allow(dead_code)]
+pub const STATUS_FAILED: &str = "failed";
+
+/// A custom domain registered to an organization.
+///
+/// SSL certificates and domain verification are managed via Cloudflare for SaaS.
+/// Once a domain is `active`, redirects on that hostname use KV key `{hostname}:{short_code}`.
+#[derive(Debug, Clone, Serialize, Deserialize, ToSchema)]
+pub struct CustomDomain {
+    #[schema(example = "cd_abc123")]
+    pub id: String,
+    #[schema(example = "org-123456")]
+    pub org_id: String,
+    #[schema(example = "go.mybrand.com")]
+    pub hostname: String,
+    /// "pending" | "active" | "failed"
+    #[schema(example = "pending")]
+    pub status: String,
+    /// Cloudflare for SaaS custom hostname record ID
+    pub cf_hostname_id: Option<String>,
+    #[schema(example = 1609459200)]
+    pub created_at: i64,
+    pub verified_at: Option<i64>,
+}
+
+impl CustomDomain {
+    pub fn generate_id() -> String {
+        format!("cd_{}", crate::utils::generate_short_code_with_length(16))
+    }
+
+    #[allow(dead_code)]
+    pub fn is_active(&self) -> bool {
+        self.status == STATUS_ACTIVE
+    }
+}
+
+/// DNS instructions returned to the user after adding a custom domain
+#[derive(Debug, Serialize, Deserialize, ToSchema)]
+pub struct DnsInstructions {
+    /// The CNAME target the user should point their subdomain to
+    #[schema(example = "rush.mn")]
+    pub cname_target: String,
+    /// TXT record name for domain ownership verification (from CF for SaaS)
+    pub txt_name: Option<String>,
+    /// TXT record value for domain ownership verification (from CF for SaaS)
+    pub txt_value: Option<String>,
+    /// Whether the user needs to add a CNAME record
+    pub needs_cname: bool,
+    /// Whether the user needs to add a TXT record (for CF verification)
+    pub needs_txt: bool,
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_custom_domain_is_active() {
+        let mut d = CustomDomain {
+            id: "cd_test".to_string(),
+            org_id: "org-1".to_string(),
+            hostname: "go.example.com".to_string(),
+            status: STATUS_PENDING.to_string(),
+            cf_hostname_id: None,
+            created_at: 0,
+            verified_at: None,
+        };
+        assert!(!d.is_active());
+        d.status = STATUS_ACTIVE.to_string();
+        assert!(d.is_active());
+    }
+
+    #[test]
+    fn test_generate_id_prefix() {
+        let id = CustomDomain::generate_id();
+        assert!(id.starts_with("cd_"));
+        assert!(id.len() > 3);
+    }
+}
diff --git a/src/models/mod.rs b/src/models/mod.rs
index 34ca77b9..e020edff 100644
--- a/src/models/mod.rs
+++ b/src/models/mod.rs
@@ -1,5 +1,6 @@
 pub mod analytics;
 pub mod billing_account;
+pub mod custom_domain;
 pub mod link;
 pub mod org_member;
 pub mod organization;
@@ -9,6 +10,7 @@ pub mod user;
 
 pub use analytics::{AnalyticsEvent, LinkAnalyticsResponse, TimeRange};
 pub use billing_account::BillingAccount;
+pub use custom_domain::CustomDomain;
 pub use link::{Link, LinkMapping};
 pub use org_member::{OrgInvitation, OrgMember, OrgMemberWithUser, OrgWithRole};
 pub use organization::Organization;
diff --git a/src/models/tier.rs b/src/models/tier.rs
index a62b43d0..567d5995 100644
--- a/src/models/tier.rs
+++ b/src/models/tier.rs
@@ -34,7 +34,7 @@ impl Tier {
 
     pub fn limits(&self) -> TierLimits {
         match self {
-            // Free: 1 user, 1 org, 15 links/month, 7-day analytics, 5 tags, no API keys
+            // Free: 1 user, 1 org, 15 links/month, 7-day analytics, 5 tags, no API keys, no custom domains
             Tier::Free => TierLimits {
                 max_links_per_month: Some(15),
                 analytics_retention_days: Some(7),
@@ -46,8 +46,9 @@ impl Tier {
                 max_members: Some(1),
                 max_orgs: Some(1),
                 max_tags: Some(5),
+                max_custom_domains: Some(0),
             },
-            // Pro ($9): 1 user, 1 org, 1000 links/month, 1-year analytics, custom codes, 25 tags, API keys
+            // Pro ($9): 1 user, 1 org, 1000 links/month, 1-year analytics, custom codes, 25 tags, API keys, 1 custom domain
             Tier::Pro => TierLimits {
                 max_links_per_month: Some(1000),
                 analytics_retention_days: Some(365),
@@ -59,8 +60,9 @@ impl Tier {
                 max_members: Some(1),
                 max_orgs: Some(1),
                 max_tags: Some(25),
+                max_custom_domains: Some(1),
             },
-            // Business ($29): 20 users, 3 orgs, 10000 links/month, unlimited analytics, unlimited tags, API keys
+            // Business ($29): 20 users, 3 orgs, 10000 links/month, unlimited analytics, unlimited tags, API keys, 3 custom domains
             Tier::Business => TierLimits {
                 max_links_per_month: Some(10000),
                 analytics_retention_days: None,
@@ -72,6 +74,7 @@ impl Tier {
                 max_members: Some(20),
                 max_orgs: Some(3),
                 max_tags: None,
+                max_custom_domains: Some(3),
             },
             // Unlimited (self-hosted): no limits
             Tier::Unlimited => TierLimits {
@@ -85,6 +88,7 @@ impl Tier {
                 max_members: None,
                 max_orgs: None,
                 max_tags: None,
+                max_custom_domains: None,
             },
         }
     }
@@ -120,6 +124,8 @@ pub struct TierLimits {
     pub max_orgs: Option<i64>,
     /// Maximum distinct tag names across all orgs in the billing account. None = unlimited.
     pub max_tags: Option<i64>,
+    /// Maximum custom domains per organization. None = unlimited. Some(0) = not allowed.
+    pub max_custom_domains: Option<u32>,
 }
 
 #[cfg(test)]
@@ -153,6 +159,7 @@ mod tests {
         assert_eq!(limits.max_members, Some(1));
         assert_eq!(limits.max_orgs, Some(1));
         assert_eq!(limits.max_tags, Some(5));
+        assert_eq!(limits.max_custom_domains, Some(0));
     }
 
     #[test]
@@ -165,6 +172,7 @@ mod tests {
         assert_eq!(limits.max_members, Some(1));
         assert_eq!(limits.max_orgs, Some(1));
         assert_eq!(limits.max_tags, Some(25));
+        assert_eq!(limits.max_custom_domains, Some(1));
     }
 
     #[test]
@@ -177,6 +185,7 @@ mod tests {
         assert_eq!(limits.max_members, Some(20));
         assert_eq!(limits.max_orgs, Some(3));
         assert!(limits.max_tags.is_none());
+        assert_eq!(limits.max_custom_domains, Some(3));
     }
 
     #[test]
@@ -189,6 +198,7 @@ mod tests {
         assert!(limits.max_members.is_none());
         assert!(limits.max_orgs.is_none());
         assert!(limits.max_tags.is_none());
+        assert!(limits.max_custom_domains.is_none());
     }
 
     #[test]
diff --git a/src/repositories/custom_domain_repository.rs b/src/repositories/custom_domain_repository.rs
new file mode 100644
index 00000000..d1b2d7e2
--- /dev/null
+++ b/src/repositories/custom_domain_repository.rs
@@ -0,0 +1,222 @@
+use crate::models::CustomDomain;
+use crate::models::custom_domain::{STATUS_ACTIVE, STATUS_PENDING};
+use crate::utils::now_timestamp;
+use wasm_bindgen::JsValue;
+use worker::Result;
+use worker::d1::D1Database;
+
+pub struct CustomDomainRepository;
+
+impl CustomDomainRepository {
+    pub fn new() -> Self {
+        Self
+    }
+
+    /// Insert a new custom domain record (status = pending)
+    pub async fn create(&self, db: &D1Database, domain: &CustomDomain) -> Result<()> {
+        db.prepare(
+            "INSERT INTO custom_domains (id, org_id, hostname, status, cf_hostname_id, created_at, verified_at)
+             VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7)",
+        )
+        .bind(&[
+            domain.id.as_str().into(),
+            domain.org_id.as_str().into(),
+            domain.hostname.as_str().into(),
+            domain.status.as_str().into(),
+            domain
+                .cf_hostname_id
+                .as_deref()
+                .map(|s| s.into())
+                .unwrap_or(JsValue::NULL),
+            (domain.created_at as f64).into(),
+            domain
+                .verified_at
+                .map(|v| (v as f64).into())
+                .unwrap_or(JsValue::NULL),
+        ])?
+        .run()
+        .await?;
+        Ok(())
+    }
+
+    /// Get all custom domains for an organization
+    pub async fn get_by_org(&self, db: &D1Database, org_id: &str) -> Result<Vec<CustomDomain>> {
+        let results = db
+            .prepare(
+                "SELECT id, org_id, hostname, status, cf_hostname_id, created_at, verified_at
+                 FROM custom_domains
+                 WHERE org_id = ?1
+                 ORDER BY created_at ASC",
+            )
+            .bind(&[org_id.into()])?
+            .all()
+            .await?;
+
+        results.results::<CustomDomain>()
+    }
+
+    /// Get a custom domain by hostname (used during redirect to resolve org)
+    pub async fn get_by_hostname(
+        &self,
+        db: &D1Database,
+        hostname: &str,
+    ) -> Result<Option<CustomDomain>> {
+        db.prepare(
+            "SELECT id, org_id, hostname, status, cf_hostname_id, created_at, verified_at
+             FROM custom_domains
+             WHERE hostname = ?1",
+        )
+        .bind(&[hostname.into()])?
+        .first::<CustomDomain>(None)
+        .await
+    }
+
+    /// Get a custom domain by ID (must belong to org for authorization)
+    #[allow(dead_code)]
+    pub async fn get_by_id_and_org(
+        &self,
+        db: &D1Database,
+        id: &str,
+        org_id: &str,
+    ) -> Result<Option<CustomDomain>> {
+        db.prepare(
+            "SELECT id, org_id, hostname, status, cf_hostname_id, created_at, verified_at
+             FROM custom_domains
+             WHERE id = ?1 AND org_id = ?2",
+        )
+        .bind(&[id.into(), org_id.into()])?
+        .first::<CustomDomain>(None)
+        .await
+    }
+
+    /// Get a custom domain by hostname that belongs to a specific org
+    pub async fn get_by_hostname_and_org(
+        &self,
+        db: &D1Database,
+        hostname: &str,
+        org_id: &str,
+    ) -> Result<Option<CustomDomain>> {
+        db.prepare(
+            "SELECT id, org_id, hostname, status, cf_hostname_id, created_at, verified_at
+             FROM custom_domains
+             WHERE hostname = ?1 AND org_id = ?2",
+        )
+        .bind(&[hostname.into(), org_id.into()])?
+        .first::<CustomDomain>(None)
+        .await
+    }
+
+    /// Count custom domains for an org (all statuses, excluding failed)
+    pub async fn count_non_failed_for_org(&self, db: &D1Database, org_id: &str) -> Result<u32> {
+        let result = db
+            .prepare(
+                "SELECT COUNT(*) as count FROM custom_domains
+                 WHERE org_id = ?1 AND status != 'failed'",
+            )
+            .bind(&[org_id.into()])?
+            .first::<serde_json::Value>(None)
+            .await?;
+
+        Ok(result.and_then(|v| v["count"].as_f64()).unwrap_or(0.0) as u32)
+    }
+
+    /// Get all active custom domains for an org (used for KV dual-write)
+    pub async fn get_active_for_org(
+        &self,
+        db: &D1Database,
+        org_id: &str,
+    ) -> Result<Vec<CustomDomain>> {
+        let results = db
+            .prepare(
+                "SELECT id, org_id, hostname, status, cf_hostname_id, created_at, verified_at
+                 FROM custom_domains
+                 WHERE org_id = ?1 AND status = 'active'",
+            )
+            .bind(&[org_id.into()])?
+            .all()
+            .await?;
+
+        results.results::<CustomDomain>()
+    }
+
+    /// Update domain status and optionally set cf_hostname_id and verified_at
+    pub async fn update_status(
+        &self,
+        db: &D1Database,
+        id: &str,
+        status: &str,
+        cf_hostname_id: Option<&str>,
+        verified_at: Option<i64>,
+    ) -> Result<()> {
+        db.prepare(
+            "UPDATE custom_domains
+             SET status = ?1, cf_hostname_id = COALESCE(?2, cf_hostname_id), verified_at = ?3
+             WHERE id = ?4",
+        )
+        .bind(&[
+            status.into(),
+            cf_hostname_id.map(|s| s.into()).unwrap_or(JsValue::NULL),
+            verified_at
+                .map(|v| (v as f64).into())
+                .unwrap_or(JsValue::NULL),
+            id.into(),
+        ])?
+        .run()
+        .await?;
+        Ok(())
+    }
+
+    /// Delete a custom domain record
+    pub async fn delete(&self, db: &D1Database, id: &str, org_id: &str) -> Result<()> {
+        db.prepare("DELETE FROM custom_domains WHERE id = ?1 AND org_id = ?2")
+            .bind(&[id.into(), org_id.into()])?
+            .run()
+            .await?;
+        Ok(())
+    }
+
+    /// Get all custom domains across all orgs (admin only)
+    pub async fn get_all(&self, db: &D1Database) -> Result<Vec<CustomDomain>> {
+        let results = db
+            .prepare(
+                "SELECT id, org_id, hostname, status, cf_hostname_id, created_at, verified_at
+                 FROM custom_domains
+                 ORDER BY created_at ASC",
+            )
+            .bind(&[])?
+            .all()
+            .await?;
+
+        results.results::<CustomDomain>()
+    }
+
+    /// Get all pending custom domains across all orgs (used by scheduled status poller)
+    pub async fn get_all_pending(&self, db: &D1Database) -> Result<Vec<CustomDomain>> {
+        let results = db
+            .prepare(
+                "SELECT id, org_id, hostname, status, cf_hostname_id, created_at, verified_at
+                 FROM custom_domains
+                 WHERE status = 'pending'
+                 ORDER BY created_at ASC",
+            )
+            .bind(&[])?
+            .all()
+            .await?;
+
+        results.results::<CustomDomain>()
+    }
+
+    /// Activate a domain: set status=active, verified_at=now, and update cf_hostname_id
+    #[allow(dead_code)]
+    pub async fn activate(&self, db: &D1Database, id: &str, cf_hostname_id: &str) -> Result<()> {
+        let now = now_timestamp();
+        self.update_status(db, id, STATUS_ACTIVE, Some(cf_hostname_id), Some(now))
+            .await
+    }
+
+    /// Mark a domain as pending (reset after failed)
+    #[allow(dead_code)]
+    pub async fn set_pending(&self, db: &D1Database, id: &str) -> Result<()> {
+        self.update_status(db, id, STATUS_PENDING, None, None).await
+    }
+}
diff --git a/src/repositories/mod.rs b/src/repositories/mod.rs
index a8a06b27..17056b4e 100644
--- a/src/repositories/mod.rs
+++ b/src/repositories/mod.rs
@@ -18,6 +18,7 @@ pub mod analytics_repository;
 pub mod api_key_repository;
 pub mod billing_repository;
 pub mod blacklist_repository;
+pub mod custom_domain_repository;
 pub mod link_repository;
 pub mod org_repository;
 pub mod product_repository;
@@ -29,6 +30,7 @@ pub use analytics_repository::AnalyticsRepository;
 pub use api_key_repository::ApiKeyRepository;
 pub use billing_repository::BillingRepository;
 pub use blacklist_repository::BlacklistRepository;
+pub use custom_domain_repository::CustomDomainRepository;
 pub use link_repository::LinkRepository;
 pub use org_repository::OrgRepository;
 pub use product_repository::ProductRepository;
diff --git a/src/scheduled/downgrade_expired_subscriptions.rs b/src/scheduled/downgrade_expired_subscriptions.rs
index a6335d94..4c5d9c49 100644
--- a/src/scheduled/downgrade_expired_subscriptions.rs
+++ b/src/scheduled/downgrade_expired_subscriptions.rs
@@ -32,6 +32,17 @@ pub async fn scheduled(event: ScheduledEvent, env: Env, _ctx: ScheduleContext) {
             console_log!("[cron] Starting webhook cleanup job (4 AM UTC)");
             service.cleanup_webhooks(&db).await;
         }
+        "*/15 * * * *" => {
+            console_log!("[cron] Starting domain status poll job (every 15 minutes)");
+            let kv = match env.kv("URL_MAPPINGS") {
+                Ok(kv) => kv,
+                Err(e) => {
+                    console_error!("[cron] Failed to get KV binding: {}", e);
+                    return;
+                }
+            };
+            super::poll_domain_status::run(&db, &kv, &env).await;
+        }
         other => {
             console_warn!("[cron] Unexpected cron expression: {}", other);
         }
diff --git a/src/scheduled/mod.rs b/src/scheduled/mod.rs
index 43503aff..e439d6fb 100644
--- a/src/scheduled/mod.rs
+++ b/src/scheduled/mod.rs
@@ -1,3 +1,4 @@
 //! Scheduled cron job handlers.
 
 pub mod downgrade_expired_subscriptions;
+pub mod poll_domain_status;
diff --git a/src/scheduled/poll_domain_status.rs b/src/scheduled/poll_domain_status.rs
new file mode 100644
index 00000000..08f11e2c
--- /dev/null
+++ b/src/scheduled/poll_domain_status.rs
@@ -0,0 +1,142 @@
+//! Scheduled job: poll Cloudflare for SaaS to update pending domain statuses.
+//!
+//! Runs every 15 minutes and checks all `pending` custom domains against the
+//! Cloudflare API. Domains that become `active` get their KV entries synced.
+
+use crate::models::custom_domain::STATUS_ACTIVE;
+use crate::repositories::CustomDomainRepository;
+use crate::utils::cf_saas;
+use worker::d1::D1Database;
+use worker::kv::KvStore;
+use worker::*;
+
+/// Poll all pending custom domains and update their statuses.
+/// Returns the number of domains processed and the number of status changes.
+pub async fn run(db: &D1Database, kv: &KvStore, env: &Env) -> (usize, usize) {
+    poll_pending_domains(db, kv, env).await
+}
+
+/// Poll all pending custom domains and update their statuses.
+/// Returns (domains_processed, status_changes).
+pub async fn poll_pending_domains(db: &D1Database, kv: &KvStore, env: &Env) -> (usize, usize) {
+    let repo = CustomDomainRepository::new();
+
+    let pending = match repo.get_all_pending(db).await {
+        Ok(p) => p,
+        Err(e) => {
+            console_error!("[domains] Failed to fetch pending domains: {}", e);
+            return (0, 0);
+        }
+    };
+
+    if pending.is_empty() {
+        return (0, 0);
+    }
+
+    console_log!("[domains] Polling {} pending domain(s)", pending.len());
+    let mut changes = 0;
+
+    for domain in &pending {
+        let cf_id = match domain.cf_hostname_id.as_deref() {
+            Some(id) => id,
+            None => {
+                continue;
+            }
+        };
+
+        let cf_result = match cf_saas::get_custom_hostname(env, cf_id).await {
+            Ok(r) => r,
+            Err(e) => {
+                console_error!(
+                    "[domains] CF API error for domain {}: {}",
+                    domain.hostname,
+                    e
+                );
+                continue;
+            }
+        };
+
+        let new_status = match &cf_result {
+            Some(cf) => match cf.status.as_str() {
+                "active" => STATUS_ACTIVE,
+                "pending" | "pending_validation" => "pending",
+                _ => "failed",
+            },
+            None => "pending",
+        };
+
+        if new_status == domain.status.as_str() {
+            continue;
+        }
+
+        let verified_at = if new_status == STATUS_ACTIVE {
+            Some(crate::utils::now_timestamp())
+        } else {
+            None
+        };
+
+        let updated_cf_id = cf_result.as_ref().map(|cf| cf.id.as_str());
+
+        if let Err(e) = repo
+            .update_status(db, &domain.id, new_status, updated_cf_id, verified_at)
+            .await
+        {
+            console_error!(
+                "[domains] Failed to update status for domain {}: {}",
+                domain.hostname,
+                e
+            );
+            continue;
+        }
+
+        console_log!(
+            "[domains] Domain {} status: {} → {}",
+            domain.hostname,
+            domain.status,
+            new_status
+        );
+        changes += 1;
+
+        // If domain just became active, write KV entries for all active org links
+        if new_status == STATUS_ACTIVE
+            && let Err(e) = backfill_kv_for_domain(db, kv, &domain.org_id, &domain.hostname).await
+        {
+            console_error!(
+                "[domains] KV backfill failed for domain {}: {}",
+                domain.hostname,
+                e
+            );
+        }
+    }
+
+    (pending.len(), changes)
+}
+
+/// Write {hostname}:{short_code} KV entries for all active links in an org.
+async fn backfill_kv_for_domain(
+    db: &D1Database,
+    kv: &KvStore,
+    org_id: &str,
+    hostname: &str,
+) -> worker::Result<()> {
+    use crate::models::link::LinkStatus;
+    use crate::repositories::OrgRepository;
+
+    let links = OrgRepository::new().get_links(db, org_id).await?;
+
+    for link in links {
+        if matches!(link.status, LinkStatus::Active) {
+            let resolved_forward = link.forward_query_params.unwrap_or(false);
+            let mapping = link.to_mapping(resolved_forward);
+            super::super::kv::links::store_link_mapping_for_domain(
+                kv,
+                hostname,
+                &link.short_code,
+                &mapping,
+            )
+            .await?;
+        }
+    }
+
+    Ok(())
+}
diff --git a/src/services/link_service.rs b/src/services/link_service.rs
index ea33fdd3..808e57b8 100644
--- a/src/services/link_service.rs
+++ b/src/services/link_service.rs
@@ -319,9 +319,18 @@ impl LinkService {
                 // Update KV with new mapping
                 let mapping = updated.to_mapping(resolved_forward);
                 crate::kv::store_link_mapping(kv, org_id, &updated.short_code, &mapping).await?;
+                crate::kv::sync_custom_domain_kv(
+                    kv,
+                    db,
+                    org_id,
+                    &updated.short_code,
+                    Some(&mapping),
+                )
+                .await?;
             } else {
                 // Link is not active, ensure it's removed from KV
                 crate::kv::delete_link_mapping(kv, org_id, &updated.short_code).await?;
+                crate::kv::sync_custom_domain_kv(kv, db, org_id, &updated.short_code, None).await?;
             }
         }
 
@@ -359,6 +368,7 @@ impl LinkService {
 
         // Delete from KV
         crate::kv::delete_link_mapping(kv, org_id, &link.short_code).await?;
+        crate::kv::sync_custom_domain_kv(kv, db, org_id, &link.short_code, None).await?;
 
         Ok(())
     }
@@ -527,10 +537,13 @@ impl LinkService {
             link.forward_query_params.unwrap_or(false)
         };
 
-        // Store in KV
+        // Store in KV (default domain — bare short_code)
         let mapping = link.to_mapping(resolved_forward);
         crate::kv::store_link_mapping(kv, org_id, &link.short_code, &mapping).await?;
 
+        // Dual-write for any active custom domains on this org
+        crate::kv::sync_custom_domain_kv(kv, db, org_id, &link.short_code, Some(&mapping)).await?;
+
         Ok(())
     }
 
diff --git a/src/utils/cf_saas.rs b/src/utils/cf_saas.rs
new file mode 100644
index 00000000..85a07940
--- /dev/null
+++ b/src/utils/cf_saas.rs
@@ -0,0 +1,240 @@
+/// Cloudflare for SaaS API client
+///
+/// Thin async wrapper around the Cloudflare Custom Hostnames API.
+/// Used to register customer domains so CF can issue SSL certificates
+/// and route traffic through our Worker.
+///
+/// Required env vars:
+///   CF_ZONE_ID   - Cloudflare Zone ID for the rush.mn zone
+///   CF_API_TOKEN - CF API token with ssl_and_certificates:edit permission
+use serde::{Deserialize, Serialize};
+use worker::{Env, Fetch, Headers, Method, Request as WorkerRequest, RequestInit};
+
+const CF_API_BASE: &str = "https://api.cloudflare.com/client/v4";
+
+/// Response from CF API when creating or fetching a custom hostname
+#[derive(Debug, Deserialize)]
+pub struct CfCustomHostnameResult {
+    pub id: String,
+    pub hostname: String,
+    pub status: String,
+    pub ssl: CfSslResult,
+    pub ownership_verification: Option<CfOwnershipVerification>,
+    pub ownership_verification_http: Option<CfOwnershipVerificationHttp>,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct CfSslResult {
+    pub status: String,
+}
+
+/// TXT-based domain ownership verification (DNS challenge)
+#[derive(Debug, Deserialize)]
+pub struct CfOwnershipVerification {
+    #[serde(rename = "type")]
+    pub verification_type: String,
+    pub name: String,
+    pub value: String,
+}
+
+/// HTTP-based domain ownership verification
+#[derive(Debug, Deserialize)]
+pub struct CfOwnershipVerificationHttp {
+    pub http_url: String,
+    pub http_body: String,
+}
+
+#[derive(Debug, Deserialize)]
+struct CfApiResponse<T> {
+    pub success: bool,
+    pub result: Option<T>,
+    pub errors: Vec<CfApiError>,
+}
+
+#[derive(Debug, Deserialize)]
+struct CfApiError {
+    pub code: u32,
+    pub message: String,
+}
+
+#[derive(Debug, Serialize)]
+struct CreateCustomHostnameBody {
+    hostname: String,
+    ssl: CreateSslConfig,
+}
+
+#[derive(Debug, Serialize)]
+struct CreateSslConfig {
+    method: String,
+    #[serde(rename = "type")]
+    ssl_type: String,
+    settings: SslSettings,
+    bundle_method: String,
+    wildcard: bool,
+}
+
+#[derive(Debug, Serialize)]
+struct SslSettings {
+    min_tls_version: String,
+}
+
+/// Get CF credentials from environment
+fn get_cf_credentials(env: &Env) -> Option<(String, String)> {
+    let zone_id = env.var("CF_ZONE_ID").ok()?.to_string();
+    let api_token = env.secret("CF_API_TOKEN").ok()?.to_string();
+    if zone_id.is_empty() || api_token.is_empty() {
+        return None;
+    }
+    Some((zone_id, api_token))
+}
+
+/// Build CF API authorization headers
+fn build_headers(api_token: &str) -> worker::Result<Headers> {
+    let headers = Headers::new();
+    headers.set("Authorization", &format!("Bearer {}", api_token))?;
+    headers.set("Content-Type", "application/json")?;
+    Ok(headers)
+}
+
+/// Create a custom hostname in CF for SaaS.
+/// Returns the CF hostname record on success, or None if CF credentials are not configured.
+pub async fn create_custom_hostname(
+    env: &Env,
+    hostname: &str,
+) -> worker::Result<Option<CfCustomHostnameResult>> {
+    let Some((zone_id, api_token)) = get_cf_credentials(env) else {
+        return Ok(None);
+    };
+
+    let url = format!("{}/zones/{}/custom_hostnames", CF_API_BASE, zone_id);
+
+    let body = CreateCustomHostnameBody {
+        hostname: hostname.to_string(),
+        ssl: CreateSslConfig {
+            method: "txt".to_string(),
+            ssl_type: "dv".to_string(),
+            settings: SslSettings {
+                min_tls_version: "1.2".to_string(),
+            },
+            bundle_method: "ubiquitous".to_string(),
+            wildcard: false,
+        },
+    };
+
+    let body_str = serde_json::to_string(&body)
+        .map_err(|e| worker::Error::RustError(format!("Failed to serialize CF request: {}", e)))?;
+
+    let headers = build_headers(&api_token)?;
+    let mut init = RequestInit::new();
+    init.with_method(Method::Post)
+        .with_headers(headers)
+        .with_body(Some(body_str.into()));
+
+    let request = WorkerRequest::new_with_init(&url, &init)?;
+    let mut resp = Fetch::Request(request).send().await?;
+
+    let text = resp.text().await?;
+    let parsed: CfApiResponse<CfCustomHostnameResult> =
+        serde_json::from_str(&text).map_err(|e| {
+            worker::Error::RustError(format!(
+                "Failed to parse CF response: {} — body: {}",
+                e, text
+            ))
+        })?;
+
+    if !parsed.success {
+        let errors: Vec<String> = parsed
+            .errors
+            .iter()
+            .map(|e| format!("[{}] {}", e.code, e.message))
+            .collect();
+        return Err(worker::Error::RustError(format!(
+            "CF API error: {}",
+            errors.join(", ")
+        )));
+    }
+
+    Ok(parsed.result)
+}
+
+/// Fetch the current status of a custom hostname from CF.
+/// Returns None if CF credentials are not configured.
+pub async fn get_custom_hostname(
+    env: &Env,
+    cf_hostname_id: &str,
+) -> worker::Result<Option<CfCustomHostnameResult>> {
+    let Some((zone_id, api_token)) = get_cf_credentials(env) else {
+        return Ok(None);
+    };
+
+    let url = format!(
+        "{}/zones/{}/custom_hostnames/{}",
+        CF_API_BASE, zone_id, cf_hostname_id
+    );
+
+    let headers = build_headers(&api_token)?;
+    let mut init = RequestInit::new();
+    init.with_method(Method::Get).with_headers(headers);
+
+    let request = WorkerRequest::new_with_init(&url, &init)?;
+    let mut resp = Fetch::Request(request).send().await?;
+
+    let text = resp.text().await?;
+    let parsed: CfApiResponse<CfCustomHostnameResult> =
+        serde_json::from_str(&text).map_err(|e| {
+            worker::Error::RustError(format!(
+                "Failed to parse CF response: {} — body: {}",
+                e, text
+            ))
+        })?;
+
+    if !parsed.success {
+        let errors: Vec<String> = parsed
+            .errors
+            .iter()
+            .map(|e| format!("[{}] {}", e.code, e.message))
+            .collect();
+        return Err(worker::Error::RustError(format!(
+            "CF API error: {}",
+            errors.join(", ")
+        )));
+    }
+
+    Ok(parsed.result)
+}
+
+/// Delete a custom hostname from CF for SaaS.
+/// Returns Ok(()) whether or not CF credentials are configured (no-op if unconfigured).
+pub async fn delete_custom_hostname(env: &Env, cf_hostname_id: &str) -> worker::Result<()> {
+    let Some((zone_id, api_token)) = get_cf_credentials(env) else {
+        return Ok(());
+    };
+
+    let url = format!(
+        "{}/zones/{}/custom_hostnames/{}",
+        CF_API_BASE, zone_id, cf_hostname_id
+    );
+
+    let headers = build_headers(&api_token)?;
+    let mut init = RequestInit::new();
+    init.with_method(Method::Delete).with_headers(headers);
+
+    let request = WorkerRequest::new_with_init(&url, &init)?;
+    let mut resp = Fetch::Request(request).send().await?;
+
+    let status = resp.status_code();
+    if status != 200 && status != 204 {
+        let text = resp.text().await.unwrap_or_default();
+        return Err(worker::Error::RustError(format!(
+            "CF delete hostname failed ({}): {}",
+            status, text
+        )));
+    }
+
+    Ok(())
+}
+
+/// Check if CF for SaaS is configured (both env vars present)
+pub fn is_cf_saas_configured(env: &Env) -> bool {
+    get_cf_credentials(env).is_some()
+}
diff --git a/src/utils/mod.rs b/src/utils/mod.rs
index d66e3521..34f5a244 100644
--- a/src/utils/mod.rs
+++ b/src/utils/mod.rs
@@ -1,3 +1,4 @@
+pub mod cf_saas;
 pub mod crypto;
 pub mod device;
 pub mod email;

From b19c7c859f97622c5a5b2c4588a256ef6f3b79b5 Mon Sep 17 00:00:00 2001
From: Sergio Visinoni <piffio@piffio.org>
Date: Fri, 15 May 2026 18:32:54 +0200
Subject: [PATCH 03/19] feat: use a dedicated fallback domain

Add the support for a custom fallback domain so that we're not limited
to using the existing one, and allow the use of a sub-domain such as
`redirect.my-domain.com` if preferred.
---
 .github/workflows/deploy-ephemeral.yml |  1 +
 docs/SELF_HOSTING.md                   | 13 +++++++++++++
 src/api/domains/create.rs              |  6 +++---
 src/utils/env.rs                       |  8 ++++++++
 wrangler.example.toml                  |  1 +
 5 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/deploy-ephemeral.yml b/.github/workflows/deploy-ephemeral.yml
index 7c5c66d3..05c90570 100644
--- a/.github/workflows/deploy-ephemeral.yml
+++ b/.github/workflows/deploy-ephemeral.yml
@@ -280,6 +280,7 @@ jobs:
           MAILGUN_BASE_URL = "${{ secrets.MAILGUN_BASE_URL }}"
           MAILGUN_FROM = "${{ secrets.MAILGUN_FROM }}"
           DOMAIN = "rushomon-pr-${{ env.PR_NUMBER }}.${{ env.WORKERS_DOMAIN }}"
+          FALLBACK_DOMAIN = "rushomon-pr-${{ env.PR_NUMBER }}.${{ env.WORKERS_DOMAIN }}"
           FRONTEND_URL = "https://rushomon-pr-${{ env.PR_NUMBER }}.${{ env.WORKERS_DOMAIN }}"
           ALLOWED_ORIGINS = "http://localhost:5173,http://localhost:5174,https://rushomon-pr-${{ env.PR_NUMBER }}.${{ env.WORKERS_DOMAIN }}"
           EPHEMERAL_ORIGIN_PATTERN = "https://rushomon-pr-{}.${{ env.WORKERS_DOMAIN }}"
diff --git a/docs/SELF_HOSTING.md b/docs/SELF_HOSTING.md
index 08483458..94e88b86 100644
--- a/docs/SELF_HOSTING.md
+++ b/docs/SELF_HOSTING.md
@@ -478,6 +478,7 @@ GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token"
 GOOGLE_USER_URL = "https://openidconnect.googleapis.com/v1/userinfo"
 
 DOMAIN = "api.myapp.com"  # Where OAuth callbacks go (your API domain)
+FALLBACK_DOMAIN = "redirect.myapp.com"  # CNAME target for custom domains (optional, defaults to DOMAIN)
 FRONTEND_URL = "https://myapp.com"  # Main web interface URL
 ALLOWED_ORIGINS = "https://myapp.com,https://api.myapp.com"  # CORS allowed origins
 # KV-based rate limiting is disabled by default in favor of Cloudflare rate limiting rules
@@ -497,6 +498,7 @@ Replace the placeholder values:
 - `YOUR_GITHUB_CLIENT_ID` — from Step 3a (omit key entirely to disable GitHub login)
 - `YOUR_GOOGLE_CLIENT_ID` — from Step 3b (omit key entirely to disable Google login)
 - `api.myapp.com` — your API domain/subdomain (must match OAuth callback URL)
+- `redirect.myapp.com` — optional fallback domain for custom domain CNAMEs (defaults to DOMAIN if not set)
 - `myapp.com` — your main web domain
 - Adjust `ALLOWED_ORIGINS` to match your domain setup
 - Set Mailgun values to match your [Mailgun account](https://www.mailgun.com/) configuration (see Step 3c)
@@ -543,6 +545,14 @@ wrangler secret put JWT_SECRET -c wrangler.toml
 
 # Mailgun API key (from Step 3c) — required for team invitation emails
 wrangler secret put MAILGUN_API_KEY -c wrangler.toml
+
+# Cloudflare for SaaS (optional — required for custom domains)
+# Get your Zone ID from Cloudflare Dashboard → Select zone → Overview → Zone ID
+wrangler secret put CF_ZONE_ID -c wrangler.toml
+
+# Get API token from Cloudflare Dashboard → My Profile → API Tokens → Create Token
+# Required permissions: Zone - SSL and Certificates - Edit
+wrangler secret put CF_API_TOKEN -c wrangler.toml
 ```
 
 **Security Requirements**:
@@ -910,6 +920,7 @@ As an admin, you can:
 | `GITHUB_TOKEN_URL` | GitHub OAuth token endpoint | `https://github.com/login/oauth/access_token` |
 | `GITHUB_USER_URL` | GitHub user API endpoint | `https://api.github.com/user` |
 | `DOMAIN` | Domain where OAuth callbacks go (no protocol) | `api.myapp.com` |
+| `FALLBACK_DOMAIN` | CNAME target for custom domains (optional, defaults to DOMAIN) | `redirect.myapp.com` |
 | `FRONTEND_URL` | Main web interface URL (with protocol) | `https://myapp.com` |
 | `ALLOWED_ORIGINS` | Comma-separated CORS origins | `https://myapp.com,https://api.myapp.com` |
 | `ENABLE_KV_RATE_LIMITING` | Enable KV-based rate limiting (default: false) | `false` |
@@ -925,6 +936,8 @@ As an admin, you can:
 | `GOOGLE_CLIENT_SECRET` | Google OAuth App client secret (if enabled) |
 | `JWT_SECRET` | JWT signing key (32+ random characters) |
 | `MAILGUN_API_KEY` | Mailgun API key (team invitations) |
+| `CF_ZONE_ID` | Cloudflare Zone ID for custom domains (Cloudflare for SaaS) |
+| `CF_API_TOKEN` | Cloudflare API token with SSL/Certificates Edit permission (custom domains) |
 
 ### Frontend Build-Time Variables
 
diff --git a/src/api/domains/create.rs b/src/api/domains/create.rs
index eae018ed..bf61fa76 100644
--- a/src/api/domains/create.rs
+++ b/src/api/domains/create.rs
@@ -4,7 +4,7 @@ use crate::auth;
 use crate::models::custom_domain::{CustomDomain, DnsInstructions, STATUS_PENDING};
 use crate::repositories::{BillingRepository, CustomDomainRepository, OrgRepository};
 use crate::services::OrgService;
-use crate::utils::env::get_domain;
+use crate::utils::env::get_fallback_domain;
 use crate::utils::{AppError, cf_saas};
 use worker::d1::D1Database;
 use worker::*;
@@ -108,7 +108,7 @@ async fn inner(mut req: Request, ctx: RouteContext<()>) -> Result<Response, AppE
         let txt_name = cf.ownership_verification.as_ref().map(|v| v.name.clone());
         let txt_value = cf.ownership_verification.as_ref().map(|v| v.value.clone());
         let needs_txt = txt_name.is_some();
-        let cname_target = get_domain(&ctx.env);
+        let cname_target = get_fallback_domain(&ctx.env);
         let instructions = DnsInstructions {
             cname_target,
             txt_name,
@@ -119,7 +119,7 @@ async fn inner(mut req: Request, ctx: RouteContext<()>) -> Result<Response, AppE
         (Some(cf.id), instructions)
     } else {
         // CF for SaaS not configured (dev/test mode) — return stub instructions
-        let cname_target = get_domain(&ctx.env);
+        let cname_target = get_fallback_domain(&ctx.env);
         let instructions = DnsInstructions {
             cname_target,
             txt_name: None,
diff --git a/src/utils/env.rs b/src/utils/env.rs
index 8c3de4f8..e1495812 100644
--- a/src/utils/env.rs
+++ b/src/utils/env.rs
@@ -15,6 +15,14 @@ pub fn get_domain(env: &Env) -> String {
         .unwrap_or_else(|_| "localhost:8787".to_string())
 }
 
+/// Get the fallback domain for custom domain CNAMEs
+/// Falls back to DOMAIN if not configured
+pub fn get_fallback_domain(env: &Env) -> String {
+    env.var("FALLBACK_DOMAIN")
+        .map(|v| v.to_string())
+        .unwrap_or_else(|_| get_domain(env))
+}
+
 /// Determine the scheme (http/https) based on domain
 pub fn get_scheme(env: &Env) -> String {
     let domain = get_domain(env);
diff --git a/wrangler.example.toml b/wrangler.example.toml
index 6611c28b..3b70d4b8 100644
--- a/wrangler.example.toml
+++ b/wrangler.example.toml
@@ -59,6 +59,7 @@ GOOGLE_AUTHORIZE_URL = "https://accounts.google.com/o/oauth2/v2/auth"
 GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token"
 GOOGLE_USER_URL = "https://openidconnect.googleapis.com/v1/userinfo"
 DOMAIN = "yourdomain.com"
+FALLBACK_DOMAIN = "redirect.yourdomain.com"
 FRONTEND_URL = "http://localhost:5173"
 # KV-based rate limiting is disabled by default in favor of Cloudflare rate limiting rules
 # Set to "true" to re-enable KV-based rate limiting for specific use cases

From 55758a0cd2626ae4bb3c9940965f8277e00df288 Mon Sep 17 00:00:00 2001
From: Sergio Visinoni <piffio@piffio.org>
Date: Fri, 15 May 2026 18:47:41 +0200
Subject: [PATCH 04/19] debug: add logging to custom domain creation

---
 src/api/domains/create.rs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/api/domains/create.rs b/src/api/domains/create.rs
index bf61fa76..5b07264a 100644
--- a/src/api/domains/create.rs
+++ b/src/api/domains/create.rs
@@ -14,6 +14,7 @@ pub async fn handle_create_domain(req: Request, ctx: RouteContext<()>) -> Result
 }
 
 async fn inner(mut req: Request, ctx: RouteContext<()>) -> Result<Response, AppError> {
+    console_log!("[domains] Starting domain creation");
     let user_ctx = auth::authenticate_request(&req, &ctx).await?;
 
     let org_id = ctx
@@ -21,6 +22,7 @@ async fn inner(mut req: Request, ctx: RouteContext<()>) -> Result<Response, AppE
         .ok_or_else(|| AppError::BadRequest("Missing org id".to_string()))?
         .to_string();
 
+    console_log!("[domains] Org ID: {}", org_id);
     let db = ctx.env.get_binding::<D1Database>("rushomon")?;
 
     OrgService::new()
@@ -43,6 +45,7 @@ async fn inner(mut req: Request, ctx: RouteContext<()>) -> Result<Response, AppE
         .filter(|s| !s.is_empty())
         .ok_or_else(|| AppError::BadRequest("hostname is required".to_string()))?;
 
+    console_log!("[domains] Hostname: {}", hostname);
     validate_hostname(&hostname)?;
 
     let org = OrgRepository::new()
@@ -98,9 +101,11 @@ async fn inner(mut req: Request, ctx: RouteContext<()>) -> Result<Response, AppE
     }
 
     // Register with Cloudflare for SaaS
+    console_log!("[domains] Calling Cloudflare for SaaS API");
     let cf_result = cf_saas::create_custom_hostname(&ctx.env, &hostname)
         .await
         .map_err(|e| {
+            console_error!("[domains] CF API error: {}", e);
             AppError::Internal(format!("Failed to register domain with Cloudflare: {}", e))
         })?;
 

From 52461be536c7a1729128349922a55991bb773aec Mon Sep 17 00:00:00 2001
From: Sergio Visinoni <piffio@piffio.org>
Date: Fri, 15 May 2026 18:55:39 +0200
Subject: [PATCH 05/19] fix: handle CF for SaaS quota error gracefully

Cloudflare for SaaS is an Enterprise-only feature. When quota is not allocated,
fall back to dev/test mode instead of failing with 500 error.

- Add quota error detection (error 1404 or 'quota' in message)
- Return stub DNS instructions when CF for SaaS unavailable
- Update documentation to clarify Enterprise plan requirement
---
 docs/SELF_HOSTING.md      |  7 +++++--
 src/api/domains/create.rs | 26 ++++++++++++++++----------
 2 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/docs/SELF_HOSTING.md b/docs/SELF_HOSTING.md
index 94e88b86..b1f45cab 100644
--- a/docs/SELF_HOSTING.md
+++ b/docs/SELF_HOSTING.md
@@ -547,6 +547,9 @@ wrangler secret put JWT_SECRET -c wrangler.toml
 wrangler secret put MAILGUN_API_KEY -c wrangler.toml
 
 # Cloudflare for SaaS (optional — required for custom domains)
+# IMPORTANT: Cloudflare for SaaS is an Enterprise-only feature
+# Requires quota allocation from Cloudflare - not available on Free/Pro/Business plans
+# Contact Cloudflare sales or use Enterprise preview: https://developers.cloudflare.com/billing/understand/preview-services/
 # Get your Zone ID from Cloudflare Dashboard → Select zone → Overview → Zone ID
 wrangler secret put CF_ZONE_ID -c wrangler.toml
 
@@ -936,8 +939,8 @@ As an admin, you can:
 | `GOOGLE_CLIENT_SECRET` | Google OAuth App client secret (if enabled) |
 | `JWT_SECRET` | JWT signing key (32+ random characters) |
 | `MAILGUN_API_KEY` | Mailgun API key (team invitations) |
-| `CF_ZONE_ID` | Cloudflare Zone ID for custom domains (Cloudflare for SaaS) |
-| `CF_API_TOKEN` | Cloudflare API token with SSL/Certificates Edit permission (custom domains) |
+| `CF_ZONE_ID` | Cloudflare Zone ID for custom domains (Cloudflare for SaaS - Enterprise only) |
+| `CF_API_TOKEN` | Cloudflare API token with SSL/Certificates Edit permission (custom domains - Enterprise only) |
 
 ### Frontend Build-Time Variables
 
diff --git a/src/api/domains/create.rs b/src/api/domains/create.rs
index 5b07264a..a012532d 100644
--- a/src/api/domains/create.rs
+++ b/src/api/domains/create.rs
@@ -14,7 +14,6 @@ pub async fn handle_create_domain(req: Request, ctx: RouteContext<()>) -> Result
 }
 
 async fn inner(mut req: Request, ctx: RouteContext<()>) -> Result<Response, AppError> {
-    console_log!("[domains] Starting domain creation");
     let user_ctx = auth::authenticate_request(&req, &ctx).await?;
 
     let org_id = ctx
@@ -22,7 +21,6 @@ async fn inner(mut req: Request, ctx: RouteContext<()>) -> Result<Response, AppE
         .ok_or_else(|| AppError::BadRequest("Missing org id".to_string()))?
         .to_string();
 
-    console_log!("[domains] Org ID: {}", org_id);
     let db = ctx.env.get_binding::<D1Database>("rushomon")?;
 
     OrgService::new()
@@ -45,7 +43,6 @@ async fn inner(mut req: Request, ctx: RouteContext<()>) -> Result<Response, AppE
         .filter(|s| !s.is_empty())
         .ok_or_else(|| AppError::BadRequest("hostname is required".to_string()))?;
 
-    console_log!("[domains] Hostname: {}", hostname);
     validate_hostname(&hostname)?;
 
     let org = OrgRepository::new()
@@ -101,13 +98,22 @@ async fn inner(mut req: Request, ctx: RouteContext<()>) -> Result<Response, AppE
     }
 
     // Register with Cloudflare for SaaS
-    console_log!("[domains] Calling Cloudflare for SaaS API");
-    let cf_result = cf_saas::create_custom_hostname(&ctx.env, &hostname)
-        .await
-        .map_err(|e| {
-            console_error!("[domains] CF API error: {}", e);
-            AppError::Internal(format!("Failed to register domain with Cloudflare: {}", e))
-        })?;
+    let cf_result = match cf_saas::create_custom_hostname(&ctx.env, &hostname).await {
+        Ok(result) => result,
+        Err(e) => {
+            // Check if it's a quota error (Enterprise-only feature)
+            let error_msg = e.to_string();
+            if error_msg.contains("quota") || error_msg.contains("1404") {
+                // CF for SaaS not available - fall back to dev/test mode
+                None
+            } else {
+                return Err(AppError::Internal(format!(
+                    "Failed to register domain with Cloudflare: {}",
+                    e
+                )));
+            }
+        }
+    };
 
     let (cf_hostname_id, dns_instructions) = if let Some(cf) = cf_result {
         let txt_name = cf.ownership_verification.as_ref().map(|v| v.name.clone());

From c26b86c812617766e6044479e8d1d5b0f37738ec Mon Sep 17 00:00:00 2001
From: Sergio Visinoni <piffio@piffio.org>
Date: Fri, 15 May 2026 21:14:06 +0200
Subject: [PATCH 06/19] fix: use ACME validation records for Cloudflare for
 SaaS TXT verification

Cloudflare for SaaS now returns ACME validation records in ssl.validation_records
instead of ownership_verification. This fixes the TXT record mismatch where
the dashboard showed _cf-custom-hostname but Cloudflare expected _acme-challenge.

- Add validation_records field to CfSslResult
- Update domain creation to check both validation_records and ownership_verification
- Prioritize ACME validation records if available
---
 src/api/domains/create.rs | 19 +++++++++++++++++--
 src/utils/cf_saas.rs      | 12 ++++++++++++
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/src/api/domains/create.rs b/src/api/domains/create.rs
index a012532d..14fadaa9 100644
--- a/src/api/domains/create.rs
+++ b/src/api/domains/create.rs
@@ -116,8 +116,23 @@ async fn inner(mut req: Request, ctx: RouteContext<()>) -> Result<Response, AppE
     };
 
     let (cf_hostname_id, dns_instructions) = if let Some(cf) = cf_result {
-        let txt_name = cf.ownership_verification.as_ref().map(|v| v.name.clone());
-        let txt_value = cf.ownership_verification.as_ref().map(|v| v.value.clone());
+        // Cloudflare for SaaS may return TXT records in two places:
+        // 1. ownership_verification - for domain ownership (older method)
+        // 2. ssl.validation_records - for ACME SSL challenges (newer method)
+        let (txt_name, txt_value) = if let Some(records) = cf.ssl.validation_records {
+            // Use ACME validation records if available
+            if let Some(record) = records.first() {
+                (record.txt_name.clone(), record.txt_value.clone())
+            } else {
+                (None, None)
+            }
+        } else {
+            // Fall back to ownership_verification (older method)
+            (
+                cf.ownership_verification.as_ref().map(|v| v.name.clone()),
+                cf.ownership_verification.as_ref().map(|v| v.value.clone()),
+            )
+        };
         let needs_txt = txt_name.is_some();
         let cname_target = get_fallback_domain(&ctx.env);
         let instructions = DnsInstructions {
diff --git a/src/utils/cf_saas.rs b/src/utils/cf_saas.rs
index 85a07940..02ed8af2 100644
--- a/src/utils/cf_saas.rs
+++ b/src/utils/cf_saas.rs
@@ -21,11 +21,23 @@ pub struct CfCustomHostnameResult {
     pub ssl: CfSslResult,
     pub ownership_verification: Option<CfOwnershipVerification>,
     pub ownership_verification_http: Option<CfOwnershipVerificationHttp>,
+    #[serde(default)]
+    pub custom_origin_server: Option<String>,
 }
 
 #[derive(Debug, Deserialize)]
 pub struct CfSslResult {
     pub status: String,
+    #[serde(default)]
+    pub validation_records: Option<Vec<CfValidationRecord>>,
+}
+
+/// ACME validation record for SSL certificates
+#[derive(Debug, Deserialize)]
+pub struct CfValidationRecord {
+    pub txt_name: Option<String>,
+    pub txt_value: Option<String>,
+    pub txt_status: Option<String>,
 }
 
 /// TXT-based domain ownership verification (DNS challenge)

From bc09ad59d31bfdb91eecf8e861b6caa676cf8e83 Mon Sep 17 00:00:00 2001
From: Sergio Visinoni <piffio@piffio.org>
Date: Fri, 15 May 2026 21:23:26 +0200
Subject: [PATCH 07/19] fix: support both ownership and SSL validation TXT
 records for custom domains

Cloudflare for SaaS requires TWO different TXT verification methods:
1. Domain ownership verification (_cf-custom-hostname.*) - validates hostname ownership
2. SSL certificate validation (_acme-challenge.*) - validates for certificate issuance

Both are required for production traffic. The previous implementation only showed
one TXT record, causing verification failures when Cloudflare expected the other type.

This ensures users see all required TXT records with clear labels indicating
which is for domain ownership vs SSL certificate validation.
---
 frontend/src/lib/api/domains.ts               |  9 +++-
 .../src/routes/dashboard/org/+page.svelte     | 33 +++++++-----
 src/api/domains/create.rs                     | 52 +++++++++++--------
 src/models/custom_domain.rs                   | 29 +++++++++--
 4 files changed, 80 insertions(+), 43 deletions(-)

diff --git a/frontend/src/lib/api/domains.ts b/frontend/src/lib/api/domains.ts
index fc794ff6..ce264451 100644
--- a/frontend/src/lib/api/domains.ts
+++ b/frontend/src/lib/api/domains.ts
@@ -12,12 +12,17 @@ export interface CustomDomain {
 
 export interface DnsInstructions {
   cname_target: string;
-  txt_name: string | null;
-  txt_value: string | null;
+  txt_records: TxtRecord[];
   needs_cname: boolean;
   needs_txt: boolean;
 }
 
+export interface TxtRecord {
+  name: string;
+  value: string;
+  purpose: "ownership" | "ssl_validation";
+}
+
 export interface CreateDomainResponse {
   domain: CustomDomain;
   dns_instructions: DnsInstructions;
diff --git a/frontend/src/routes/dashboard/org/+page.svelte b/frontend/src/routes/dashboard/org/+page.svelte
index 822b8c27..4ab83ba1 100644
--- a/frontend/src/routes/dashboard/org/+page.svelte
+++ b/frontend/src/routes/dashboard/org/+page.svelte
@@ -1162,21 +1162,26 @@
                     </div>
                   </div>
                 {/if}
-                {#if newDomainResult.dns_instructions.needs_txt && newDomainResult.dns_instructions.txt_name}
-                  <div class="bg-white rounded border border-blue-200 p-3">
-                    <div class="text-xs font-medium text-gray-500 mb-1">
-                      TXT Record (ownership verification)
-                    </div>
-                    <div class="font-mono text-xs">
-                      <span class="text-gray-700"
-                        >{newDomainResult.dns_instructions.txt_name}</span
-                      >
-                      <span class="text-gray-400 mx-2">=</span>
-                      <span class="text-blue-700 break-all"
-                        >{newDomainResult.dns_instructions.txt_value}</span
-                      >
+                {#if newDomainResult.dns_instructions.needs_txt && newDomainResult.dns_instructions.txt_records.length > 0}
+                  {#each newDomainResult.dns_instructions.txt_records as record (record.name)}
+                    <div
+                      class="bg-white rounded border border-blue-200 p-3 mb-2 last:mb-0"
+                    >
+                      <div class="text-xs font-medium text-gray-500 mb-1">
+                        TXT Record
+                        {record.purpose === "ownership"
+                          ? " (domain ownership verification)"
+                          : " (SSL certificate validation)"}
+                      </div>
+                      <div class="font-mono text-xs">
+                        <span class="text-gray-700">{record.name}</span>
+                        <span class="text-gray-400 mx-2">=</span>
+                        <span class="text-blue-700 break-all"
+                          >{record.value}</span
+                        >
+                      </div>
                     </div>
-                  </div>
+                  {/each}
                 {/if}
               </div>
               <p class="text-xs text-blue-700 mt-3">
diff --git a/src/api/domains/create.rs b/src/api/domains/create.rs
index 14fadaa9..9654270a 100644
--- a/src/api/domains/create.rs
+++ b/src/api/domains/create.rs
@@ -1,7 +1,9 @@
 /// POST /api/orgs/:id/domains
 /// Add a custom domain to an organization (Pro+ only)
 use crate::auth;
-use crate::models::custom_domain::{CustomDomain, DnsInstructions, STATUS_PENDING};
+use crate::models::custom_domain::{
+    CustomDomain, DnsInstructions, STATUS_PENDING, TxtRecord, TxtRecordPurpose,
+};
 use crate::repositories::{BillingRepository, CustomDomainRepository, OrgRepository};
 use crate::services::OrgService;
 use crate::utils::env::get_fallback_domain;
@@ -116,29 +118,36 @@ async fn inner(mut req: Request, ctx: RouteContext<()>) -> Result<Response, AppE
     };
 
     let (cf_hostname_id, dns_instructions) = if let Some(cf) = cf_result {
-        // Cloudflare for SaaS may return TXT records in two places:
-        // 1. ownership_verification - for domain ownership (older method)
-        // 2. ssl.validation_records - for ACME SSL challenges (newer method)
-        let (txt_name, txt_value) = if let Some(records) = cf.ssl.validation_records {
-            // Use ACME validation records if available
-            if let Some(record) = records.first() {
-                (record.txt_name.clone(), record.txt_value.clone())
-            } else {
-                (None, None)
+        // Collect all TXT records needed for verification
+        let mut txt_records: Vec<TxtRecord> = Vec::new();
+
+        // Add ownership verification TXT record (if present)
+        if let Some(ownership) = cf.ownership_verification {
+            txt_records.push(TxtRecord {
+                name: ownership.name,
+                value: ownership.value,
+                purpose: TxtRecordPurpose::Ownership,
+            });
+        }
+
+        // Add SSL validation TXT records from validation_records (if present)
+        if let Some(records) = cf.ssl.validation_records {
+            for record in records {
+                if let (Some(name), Some(value)) = (record.txt_name, record.txt_value) {
+                    txt_records.push(TxtRecord {
+                        name,
+                        value,
+                        purpose: TxtRecordPurpose::SslValidation,
+                    });
+                }
             }
-        } else {
-            // Fall back to ownership_verification (older method)
-            (
-                cf.ownership_verification.as_ref().map(|v| v.name.clone()),
-                cf.ownership_verification.as_ref().map(|v| v.value.clone()),
-            )
-        };
-        let needs_txt = txt_name.is_some();
+        }
+
+        let needs_txt = !txt_records.is_empty();
         let cname_target = get_fallback_domain(&ctx.env);
         let instructions = DnsInstructions {
             cname_target,
-            txt_name,
-            txt_value,
+            txt_records,
             needs_cname: true,
             needs_txt,
         };
@@ -148,8 +157,7 @@ async fn inner(mut req: Request, ctx: RouteContext<()>) -> Result<Response, AppE
         let cname_target = get_fallback_domain(&ctx.env);
         let instructions = DnsInstructions {
             cname_target,
-            txt_name: None,
-            txt_value: None,
+            txt_records: vec![],
             needs_cname: true,
             needs_txt: false,
         };
diff --git a/src/models/custom_domain.rs b/src/models/custom_domain.rs
index e37abeee..7dca476c 100644
--- a/src/models/custom_domain.rs
+++ b/src/models/custom_domain.rs
@@ -46,16 +46,35 @@ pub struct DnsInstructions {
     /// The CNAME target the user should point their subdomain to
     #[schema(example = "rush.mn")]
     pub cname_target: String,
-    /// TXT record name for domain ownership verification (from CF for SaaS)
-    pub txt_name: Option<String>,
-    /// TXT record value for domain ownership verification (from CF for SaaS)
-    pub txt_value: Option<String>,
+    /// TXT records for verification (may include both ownership and SSL validation)
+    pub txt_records: Vec<TxtRecord>,
     /// Whether the user needs to add a CNAME record
     pub needs_cname: bool,
-    /// Whether the user needs to add a TXT record (for CF verification)
+    /// Whether the user needs to add TXT records (for CF verification)
     pub needs_txt: bool,
 }
 
+/// A single TXT record for domain verification
+#[derive(Debug, Serialize, Deserialize, ToSchema)]
+pub struct TxtRecord {
+    /// The DNS record name (e.g., "_cf-custom-hostname.go.example.com" or "_acme-challenge.go.example.com")
+    pub name: String,
+    /// The DNS record value
+    pub value: String,
+    /// The purpose of this TXT record
+    pub purpose: TxtRecordPurpose,
+}
+
+/// The purpose of a TXT record
+#[derive(Debug, Serialize, Deserialize, ToSchema)]
+#[serde(rename_all = "snake_case")]
+pub enum TxtRecordPurpose {
+    /// Domain ownership verification (hostname validation)
+    Ownership,
+    /// SSL certificate validation (DCV for certificate issuance)
+    SslValidation,
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;

From 6176d5ff3a5db34dec7a6212d3661248a7839cac Mon Sep 17 00:00:00 2001
From: Sergio Visinoni <piffio@piffio.org>
Date: Fri, 15 May 2026 21:30:40 +0200
Subject: [PATCH 08/19] fix: fetch SSL validation records after custom hostname
 creation

SSL validation records (_acme-challenge.*) are only returned when the
certificate is in pending_validation state. The initial CREATE response
may not include them - they appear after Cloudflare starts the certificate
issuance process.

Added a follow-up GET call after creating the custom hostname to fetch
the full hostname details, which includes the validation_records when
the SSL status becomes pending_validation.
---
 src/api/domains/create.rs | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/api/domains/create.rs b/src/api/domains/create.rs
index 9654270a..fecfc2c5 100644
--- a/src/api/domains/create.rs
+++ b/src/api/domains/create.rs
@@ -117,6 +117,19 @@ async fn inner(mut req: Request, ctx: RouteContext<()>) -> Result<Response, AppE
         }
     };
 
+    // If CF registration succeeded, fetch the hostname details to get validation_records
+    // SSL validation records are only returned when certificate is in pending_validation state
+    let cf_result = if let Some(cf) = cf_result {
+        // Fetch the hostname details to get the validation_records
+        match cf_saas::get_custom_hostname(&ctx.env, &cf.id).await {
+            Ok(Some(details)) => Some(details),
+            Ok(None) => Some(cf), // Fallback to original if GET fails
+            Err(_) => Some(cf),   // Fallback to original if GET fails
+        }
+    } else {
+        None
+    };
+
     let (cf_hostname_id, dns_instructions) = if let Some(cf) = cf_result {
         // Collect all TXT records needed for verification
         let mut txt_records: Vec<TxtRecord> = Vec::new();

From 1e424b44c12bdbe730387739b71e919f35c68d5f Mon Sep 17 00:00:00 2001
From: Sergio Visinoni <piffio@piffio.org>
Date: Fri, 15 May 2026 21:41:03 +0200
Subject: [PATCH 09/19] fix: fix refresh flow to return SSL validation TXT
 records

The SSL validation records (_acme-challenge.*) from Cloudflare are
returned by the GET endpoint, not just on creation. For non-wildcard
hostnames, CF uses HTTP validation automatically once the CNAME is set,
but falls back to TXT if that fails (showing "Pending Validation (TXT)").
---
 frontend/src/lib/api/domains.ts               | 13 +++--
 .../src/routes/dashboard/org/+page.svelte     | 13 +++--
 src/api/domains/refresh.rs                    | 48 ++++++++++++++++++-
 3 files changed, 65 insertions(+), 9 deletions(-)

diff --git a/frontend/src/lib/api/domains.ts b/frontend/src/lib/api/domains.ts
index ce264451..98edb4a4 100644
--- a/frontend/src/lib/api/domains.ts
+++ b/frontend/src/lib/api/domains.ts
@@ -23,11 +23,13 @@ export interface TxtRecord {
   purpose: "ownership" | "ssl_validation";
 }
 
-export interface CreateDomainResponse {
+export interface DomainWithInstructions {
   domain: CustomDomain;
-  dns_instructions: DnsInstructions;
+  dns_instructions: DnsInstructions | null;
 }
 
+export type CreateDomainResponse = DomainWithInstructions;
+
 export const domainsApi = {
   async listDomains(orgId: string): Promise<CustomDomain[]> {
     return apiClient.get<CustomDomain[]>(`/api/orgs/${orgId}/domains`);
@@ -51,8 +53,11 @@ export const domainsApi = {
     );
   },
 
-  async refreshDomain(orgId: string, hostname: string): Promise<CustomDomain> {
-    return apiClient.post<CustomDomain>(
+  async refreshDomain(
+    orgId: string,
+    hostname: string
+  ): Promise<DomainWithInstructions> {
+    return apiClient.post<DomainWithInstructions>(
       `/api/orgs/${orgId}/domains/${hostname}/refresh`,
       {}
     );
diff --git a/frontend/src/routes/dashboard/org/+page.svelte b/frontend/src/routes/dashboard/org/+page.svelte
index 4ab83ba1..7d2efb4e 100644
--- a/frontend/src/routes/dashboard/org/+page.svelte
+++ b/frontend/src/routes/dashboard/org/+page.svelte
@@ -318,11 +318,18 @@
     if (!orgDetails) return;
     refreshingDomain = hostname;
     try {
-      const updated = await domainsApi.refreshDomain(
+      const result = await domainsApi.refreshDomain(
         orgDetails.org.id,
         hostname
       );
-      domains = domains.map((d) => (d.hostname === hostname ? updated : d));
+      domains = domains.map((d) =>
+        d.hostname === hostname ? result.domain : d
+      );
+      // If refresh returned SSL validation records and domain is still pending,
+      // show them in the DNS instructions panel
+      if (result.dns_instructions?.needs_txt) {
+        newDomainResult = result;
+      }
     } catch (e: unknown) {
       actionError =
         e instanceof Error ? e.message : "Failed to refresh domain status.";
@@ -1136,7 +1143,7 @@
           {/if}
 
           <!-- Add domain form -->
-          {#if newDomainResult}
+          {#if newDomainResult && newDomainResult.dns_instructions}
             <div class="bg-blue-50 border border-blue-200 rounded-lg p-4 mb-4">
               <h3 class="text-sm font-semibold text-blue-900 mb-2">
                 DNS Setup Required
diff --git a/src/api/domains/refresh.rs b/src/api/domains/refresh.rs
index 930bf294..e3d654dd 100644
--- a/src/api/domains/refresh.rs
+++ b/src/api/domains/refresh.rs
@@ -2,9 +2,10 @@
 /// Poll CF for SaaS to update the status of a pending custom domain.
 /// If the domain is now active, also syncs KV entries for all active links in the org.
 use crate::auth;
-use crate::models::custom_domain::STATUS_ACTIVE;
+use crate::models::custom_domain::{DnsInstructions, STATUS_ACTIVE, TxtRecord, TxtRecordPurpose};
 use crate::repositories::CustomDomainRepository;
 use crate::services::OrgService;
+use crate::utils::env::get_fallback_domain;
 use crate::utils::{AppError, cf_saas};
 use worker::d1::D1Database;
 use worker::*;
@@ -91,7 +92,50 @@ async fn inner(req: Request, ctx: RouteContext<()>) -> Result<Response, AppError
         .await
         .map_err(AppError::from)?;
 
-    Ok(Response::from_json(&updated)?)
+    // Build dns_instructions with current SSL validation records (if still pending)
+    let dns_instructions = if new_status != STATUS_ACTIVE {
+        let mut txt_records: Vec<TxtRecord> = Vec::new();
+
+        if let Some(ref cf) = cf_result {
+            // Add ownership TXT (always present)
+            if let Some(ref ownership) = cf.ownership_verification {
+                txt_records.push(TxtRecord {
+                    name: ownership.name.clone(),
+                    value: ownership.value.clone(),
+                    purpose: TxtRecordPurpose::Ownership,
+                });
+            }
+            // Add SSL validation TXT records if certificate is pending
+            if let Some(ref records) = cf.ssl.validation_records {
+                for record in records {
+                    if let (Some(name), Some(value)) =
+                        (record.txt_name.clone(), record.txt_value.clone())
+                    {
+                        txt_records.push(TxtRecord {
+                            name,
+                            value,
+                            purpose: TxtRecordPurpose::SslValidation,
+                        });
+                    }
+                }
+            }
+        }
+
+        let needs_txt = !txt_records.is_empty();
+        Some(DnsInstructions {
+            cname_target: get_fallback_domain(&ctx.env),
+            txt_records,
+            needs_cname: true,
+            needs_txt,
+        })
+    } else {
+        None
+    };
+
+    Ok(Response::from_json(&serde_json::json!({
+        "domain": updated,
+        "dns_instructions": dns_instructions,
+    }))?)
 }
 
 /// Write {hostname}:{short_code} KV entries for all active links in the org.

From 37b787d09b4175d5f041120fdee36ecfa23cc8ac Mon Sep 17 00:00:00 2001
From: Sergio Visinoni <piffio@piffio.org>
Date: Fri, 15 May 2026 22:00:38 +0200
Subject: [PATCH 10/19] fix: return SSL validation TXT records on refresh when
 cert is pending

The refresh endpoint was only returning dns_instructions when the
hostname status was not active. But the hostname can be "active" while
the SSL certificate is still "Pending Validation (TXT)" - this is the
common case after CNAME validation succeeds but before SSL completes.

Now when a user clicks Refresh:
- If SSL certificate is still pending (even if hostname is active)
- The response includes both _cf-custom-hostname and _acme-challenge records
- The frontend displays all required TXT records
---
 src/api/domains/create.rs  | 13 -------------
 src/api/domains/refresh.rs | 12 ++++++++++--
 2 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/src/api/domains/create.rs b/src/api/domains/create.rs
index fecfc2c5..9654270a 100644
--- a/src/api/domains/create.rs
+++ b/src/api/domains/create.rs
@@ -117,19 +117,6 @@ async fn inner(mut req: Request, ctx: RouteContext<()>) -> Result<Response, AppE
         }
     };
 
-    // If CF registration succeeded, fetch the hostname details to get validation_records
-    // SSL validation records are only returned when certificate is in pending_validation state
-    let cf_result = if let Some(cf) = cf_result {
-        // Fetch the hostname details to get the validation_records
-        match cf_saas::get_custom_hostname(&ctx.env, &cf.id).await {
-            Ok(Some(details)) => Some(details),
-            Ok(None) => Some(cf), // Fallback to original if GET fails
-            Err(_) => Some(cf),   // Fallback to original if GET fails
-        }
-    } else {
-        None
-    };
-
     let (cf_hostname_id, dns_instructions) = if let Some(cf) = cf_result {
         // Collect all TXT records needed for verification
         let mut txt_records: Vec<TxtRecord> = Vec::new();
diff --git a/src/api/domains/refresh.rs b/src/api/domains/refresh.rs
index e3d654dd..266ec7a0 100644
--- a/src/api/domains/refresh.rs
+++ b/src/api/domains/refresh.rs
@@ -92,8 +92,16 @@ async fn inner(req: Request, ctx: RouteContext<()>) -> Result<Response, AppError
         .await
         .map_err(AppError::from)?;
 
-    // Build dns_instructions with current SSL validation records (if still pending)
-    let dns_instructions = if new_status != STATUS_ACTIVE {
+    // Build dns_instructions with current SSL validation records
+    // Return them if SSL certificate is still pending validation (even if hostname is active)
+    let ssl_pending = cf_result.as_ref().map_or(false, |cf| {
+        matches!(
+            cf.ssl.status.as_str(),
+            "pending_validation" | "pending" | "initializing"
+        )
+    });
+
+    let dns_instructions = if ssl_pending {
         let mut txt_records: Vec<TxtRecord> = Vec::new();
 
         if let Some(ref cf) = cf_result {

From d07aacd40e7a7c4b631af36a025fa5c21d4e1a42 Mon Sep 17 00:00:00 2001
From: Sergio Visinoni <piffio@piffio.org>
Date: Fri, 15 May 2026 22:03:50 +0200
Subject: [PATCH 11/19] fix clippy errors

---
 src/api/domains/refresh.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/api/domains/refresh.rs b/src/api/domains/refresh.rs
index 266ec7a0..3caed4b5 100644
--- a/src/api/domains/refresh.rs
+++ b/src/api/domains/refresh.rs
@@ -94,7 +94,7 @@ async fn inner(req: Request, ctx: RouteContext<()>) -> Result<Response, AppError
 
     // Build dns_instructions with current SSL validation records
     // Return them if SSL certificate is still pending validation (even if hostname is active)
-    let ssl_pending = cf_result.as_ref().map_or(false, |cf| {
+    let ssl_pending = cf_result.as_ref().is_some_and(|cf| {
         matches!(
             cf.ssl.status.as_str(),
             "pending_validation" | "pending" | "initializing"

From 08502678f2ad1b32c49d8bfaf9fadd1391b8c7da Mon Sep 17 00:00:00 2001
From: Sergio Visinoni <piffio@piffio.org>
Date: Fri, 15 May 2026 22:13:28 +0200
Subject: [PATCH 12/19] feat: Track SSL certificate status separately

Changes:
- Added ssl_status field to CustomDomain model with SSL_STATUS_* constants
- Added database migration 0031_ssl_status.sql for ssl_status column
- Updated CustomDomainRepository to include ssl_status in all queries
- Added update_ssl_status() method to persist SSL status from Cloudflare
- Updated refresh endpoint to persist ssl_status from Cloudflare API
- Updated frontend CustomDomain type to include ssl_status
- Updated frontend to auto-fetch DNS instructions on page load if SSL is pending
- Show Refresh button for active domains (not just pending)

Now when a user reloads the page:
- If any domain has ssl_status === "pending", the DNS instructions panel
  automatically shows with the SSL validation TXT records
- Users can click Refresh on active domains to re-check SSL status
---
 frontend/src/lib/api/domains.ts               |  1 +
 .../src/routes/dashboard/org/+page.svelte     | 17 +++++++++-
 migrations/0031_ssl_status.sql                |  4 +++
 src/api/domains/create.rs                     |  3 +-
 src/api/domains/refresh.rs                    | 22 ++++++++++++-
 src/models/custom_domain.rs                   | 10 ++++++
 src/repositories/custom_domain_repository.rs  | 33 ++++++++++++++-----
 7 files changed, 78 insertions(+), 12 deletions(-)
 create mode 100644 migrations/0031_ssl_status.sql

diff --git a/frontend/src/lib/api/domains.ts b/frontend/src/lib/api/domains.ts
index 98edb4a4..25d69403 100644
--- a/frontend/src/lib/api/domains.ts
+++ b/frontend/src/lib/api/domains.ts
@@ -6,6 +6,7 @@ export interface CustomDomain {
   hostname: string;
   status: "pending" | "active" | "failed";
   cf_hostname_id: string | null;
+  ssl_status: "pending" | "active" | "failed";
   created_at: number;
   verified_at: number | null;
 }
diff --git a/frontend/src/routes/dashboard/org/+page.svelte b/frontend/src/routes/dashboard/org/+page.svelte
index 7d2efb4e..2158505a 100644
--- a/frontend/src/routes/dashboard/org/+page.svelte
+++ b/frontend/src/routes/dashboard/org/+page.svelte
@@ -261,6 +261,21 @@
     domainsError = "";
     try {
       domains = await domainsApi.listDomains(orgId);
+      // Check if any domain has pending SSL status and fetch DNS instructions
+      const pendingSslDomain = domains.find((d) => d.ssl_status === "pending");
+      if (pendingSslDomain) {
+        try {
+          const result = await domainsApi.refreshDomain(
+            orgId,
+            pendingSslDomain.hostname
+          );
+          if (result.dns_instructions?.needs_txt) {
+            newDomainResult = result;
+          }
+        } catch {
+          // Non-critical - if refresh fails, we'll just not show DNS instructions
+        }
+      }
     } catch (e: unknown) {
       domainsError = e instanceof Error ? e.message : "Failed to load domains.";
     } finally {
@@ -1112,7 +1127,7 @@
                     {/if}
                   </div>
                   <div class="flex items-center gap-2 ml-4">
-                    {#if domain.status === "pending"}
+                    {#if domain.status === "pending" || domain.status === "active"}
                       <button
                         onclick={() => handleRefreshDomain(domain.hostname)}
                         disabled={refreshingDomain === domain.hostname}
diff --git a/migrations/0031_ssl_status.sql b/migrations/0031_ssl_status.sql
new file mode 100644
index 00000000..c86cb9f2
--- /dev/null
+++ b/migrations/0031_ssl_status.sql
@@ -0,0 +1,4 @@
+-- Add SSL certificate status tracking to custom_domains
+-- This allows us to track SSL certificate status separately from hostname status
+-- Hostname can be "active" (CNAME verified) while SSL cert is still "pending"
+ALTER TABLE custom_domains ADD COLUMN ssl_status TEXT NOT NULL DEFAULT 'pending';
diff --git a/src/api/domains/create.rs b/src/api/domains/create.rs
index 9654270a..06bc07c2 100644
--- a/src/api/domains/create.rs
+++ b/src/api/domains/create.rs
@@ -2,7 +2,7 @@
 /// Add a custom domain to an organization (Pro+ only)
 use crate::auth;
 use crate::models::custom_domain::{
-    CustomDomain, DnsInstructions, STATUS_PENDING, TxtRecord, TxtRecordPurpose,
+    CustomDomain, DnsInstructions, SSL_STATUS_PENDING, STATUS_PENDING, TxtRecord, TxtRecordPurpose,
 };
 use crate::repositories::{BillingRepository, CustomDomainRepository, OrgRepository};
 use crate::services::OrgService;
@@ -170,6 +170,7 @@ async fn inner(mut req: Request, ctx: RouteContext<()>) -> Result<Response, AppE
         hostname,
         status: STATUS_PENDING.to_string(),
         cf_hostname_id,
+        ssl_status: SSL_STATUS_PENDING.to_string(),
         created_at: crate::utils::now_timestamp(),
         verified_at: None,
     };
diff --git a/src/api/domains/refresh.rs b/src/api/domains/refresh.rs
index 3caed4b5..dc5fc4da 100644
--- a/src/api/domains/refresh.rs
+++ b/src/api/domains/refresh.rs
@@ -2,7 +2,10 @@
 /// Poll CF for SaaS to update the status of a pending custom domain.
 /// If the domain is now active, also syncs KV entries for all active links in the org.
 use crate::auth;
-use crate::models::custom_domain::{DnsInstructions, STATUS_ACTIVE, TxtRecord, TxtRecordPurpose};
+use crate::models::custom_domain::{
+    DnsInstructions, SSL_STATUS_ACTIVE, SSL_STATUS_FAILED, SSL_STATUS_PENDING, STATUS_ACTIVE,
+    TxtRecord, TxtRecordPurpose,
+};
 use crate::repositories::CustomDomainRepository;
 use crate::services::OrgService;
 use crate::utils::env::get_fallback_domain;
@@ -66,6 +69,17 @@ async fn inner(req: Request, ctx: RouteContext<()>) -> Result<Response, AppError
         "pending"
     };
 
+    // Determine SSL status from Cloudflare response
+    let new_ssl_status = if let Some(ref cf) = cf_result {
+        match cf.ssl.status.as_str() {
+            "active" => SSL_STATUS_ACTIVE,
+            "pending_validation" | "pending" | "initializing" => SSL_STATUS_PENDING,
+            _ => SSL_STATUS_FAILED,
+        }
+    } else {
+        SSL_STATUS_PENDING
+    };
+
     // Persist updated status
     domain_repo
         .update_status(
@@ -82,6 +96,12 @@ async fn inner(req: Request, ctx: RouteContext<()>) -> Result<Response, AppError
         .await
         .map_err(AppError::from)?;
 
+    // Persist SSL status
+    domain_repo
+        .update_ssl_status(&db, &domain.id, new_ssl_status)
+        .await
+        .map_err(AppError::from)?;
+
     // If domain just became active, sync KV for all active org links
     if new_status == STATUS_ACTIVE {
         sync_kv_for_domain(&ctx, &db, &org_id, &hostname).await?;
diff --git a/src/models/custom_domain.rs b/src/models/custom_domain.rs
index 7dca476c..97234777 100644
--- a/src/models/custom_domain.rs
+++ b/src/models/custom_domain.rs
@@ -7,6 +7,12 @@ pub const STATUS_ACTIVE: &str = "active";
 #[allow(dead_code)]
 pub const STATUS_FAILED: &str = "failed";
 
+/// SSL certificate status values
+pub const SSL_STATUS_PENDING: &str = "pending";
+pub const SSL_STATUS_ACTIVE: &str = "active";
+#[allow(dead_code)]
+pub const SSL_STATUS_FAILED: &str = "failed";
+
 /// A custom domain registered to an organization.
 ///
 /// SSL certificates and domain verification are managed via Cloudflare for SaaS.
@@ -24,6 +30,9 @@ pub struct CustomDomain {
     pub status: String,
     /// Cloudflare for SaaS custom hostname record ID
     pub cf_hostname_id: Option<String>,
+    /// SSL certificate status ("pending" | "active" | "failed")
+    #[schema(example = "pending")]
+    pub ssl_status: String,
     #[schema(example = 1609459200)]
     pub created_at: i64,
     pub verified_at: Option<i64>,
@@ -87,6 +96,7 @@ mod tests {
             hostname: "go.example.com".to_string(),
             status: STATUS_PENDING.to_string(),
             cf_hostname_id: None,
+            ssl_status: SSL_STATUS_PENDING.to_string(),
             created_at: 0,
             verified_at: None,
         };
diff --git a/src/repositories/custom_domain_repository.rs b/src/repositories/custom_domain_repository.rs
index d1b2d7e2..a379df4f 100644
--- a/src/repositories/custom_domain_repository.rs
+++ b/src/repositories/custom_domain_repository.rs
@@ -15,8 +15,8 @@ impl CustomDomainRepository {
     /// Insert a new custom domain record (status = pending)
     pub async fn create(&self, db: &D1Database, domain: &CustomDomain) -> Result<()> {
         db.prepare(
-            "INSERT INTO custom_domains (id, org_id, hostname, status, cf_hostname_id, created_at, verified_at)
-             VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7)",
+            "INSERT INTO custom_domains (id, org_id, hostname, status, cf_hostname_id, ssl_status, created_at, verified_at)
+             VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8)",
         )
         .bind(&[
             domain.id.as_str().into(),
@@ -28,6 +28,7 @@ impl CustomDomainRepository {
                 .as_deref()
                 .map(|s| s.into())
                 .unwrap_or(JsValue::NULL),
+            domain.ssl_status.as_str().into(),
             (domain.created_at as f64).into(),
             domain
                 .verified_at
@@ -43,7 +44,7 @@ impl CustomDomainRepository {
     pub async fn get_by_org(&self, db: &D1Database, org_id: &str) -> Result<Vec<CustomDomain>> {
         let results = db
             .prepare(
-                "SELECT id, org_id, hostname, status, cf_hostname_id, created_at, verified_at
+                "SELECT id, org_id, hostname, status, cf_hostname_id, ssl_status, created_at, verified_at
                  FROM custom_domains
                  WHERE org_id = ?1
                  ORDER BY created_at ASC",
@@ -62,7 +63,7 @@ impl CustomDomainRepository {
         hostname: &str,
     ) -> Result<Option<CustomDomain>> {
         db.prepare(
-            "SELECT id, org_id, hostname, status, cf_hostname_id, created_at, verified_at
+            "SELECT id, org_id, hostname, status, cf_hostname_id, ssl_status, created_at, verified_at
              FROM custom_domains
              WHERE hostname = ?1",
         )
@@ -80,7 +81,7 @@ impl CustomDomainRepository {
         org_id: &str,
     ) -> Result<Option<CustomDomain>> {
         db.prepare(
-            "SELECT id, org_id, hostname, status, cf_hostname_id, created_at, verified_at
+            "SELECT id, org_id, hostname, status, cf_hostname_id, ssl_status, created_at, verified_at
              FROM custom_domains
              WHERE id = ?1 AND org_id = ?2",
         )
@@ -97,7 +98,7 @@ impl CustomDomainRepository {
         org_id: &str,
     ) -> Result<Option<CustomDomain>> {
         db.prepare(
-            "SELECT id, org_id, hostname, status, cf_hostname_id, created_at, verified_at
+            "SELECT id, org_id, hostname, status, cf_hostname_id, ssl_status, created_at, verified_at
              FROM custom_domains
              WHERE hostname = ?1 AND org_id = ?2",
         )
@@ -128,7 +129,7 @@ impl CustomDomainRepository {
     ) -> Result<Vec<CustomDomain>> {
         let results = db
             .prepare(
-                "SELECT id, org_id, hostname, status, cf_hostname_id, created_at, verified_at
+                "SELECT id, org_id, hostname, status, cf_hostname_id, ssl_status, created_at, verified_at
                  FROM custom_domains
                  WHERE org_id = ?1 AND status = 'active'",
             )
@@ -166,6 +167,20 @@ impl CustomDomainRepository {
         Ok(())
     }
 
+    /// Update SSL certificate status (separate from hostname status)
+    pub async fn update_ssl_status(
+        &self,
+        db: &D1Database,
+        id: &str,
+        ssl_status: &str,
+    ) -> Result<()> {
+        db.prepare("UPDATE custom_domains SET ssl_status = ?1 WHERE id = ?2")
+            .bind(&[ssl_status.into(), id.into()])?
+            .run()
+            .await?;
+        Ok(())
+    }
+
     /// Delete a custom domain record
     pub async fn delete(&self, db: &D1Database, id: &str, org_id: &str) -> Result<()> {
         db.prepare("DELETE FROM custom_domains WHERE id = ?1 AND org_id = ?2")
@@ -179,7 +194,7 @@ impl CustomDomainRepository {
     pub async fn get_all(&self, db: &D1Database) -> Result<Vec<CustomDomain>> {
         let results = db
             .prepare(
-                "SELECT id, org_id, hostname, status, cf_hostname_id, created_at, verified_at
+                "SELECT id, org_id, hostname, status, cf_hostname_id, ssl_status, created_at, verified_at
                  FROM custom_domains
                  ORDER BY created_at ASC",
             )
@@ -194,7 +209,7 @@ impl CustomDomainRepository {
     pub async fn get_all_pending(&self, db: &D1Database) -> Result<Vec<CustomDomain>> {
         let results = db
             .prepare(
-                "SELECT id, org_id, hostname, status, cf_hostname_id, created_at, verified_at
+                "SELECT id, org_id, hostname, status, cf_hostname_id, ssl_status, created_at, verified_at
                  FROM custom_domains
                  WHERE status = 'pending'
                  ORDER BY created_at ASC",

From 02c3e3d3de67c4a4111094e62d33ddffb8a30104 Mon Sep 17 00:00:00 2001
From: Sergio Visinoni <piffio@piffio.org>
Date: Sat, 16 May 2026 12:03:39 +0200
Subject: [PATCH 13/19] fix: iterate on the correct index

---
 frontend/src/routes/dashboard/org/+page.svelte | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/routes/dashboard/org/+page.svelte b/frontend/src/routes/dashboard/org/+page.svelte
index 2158505a..3324a105 100644
--- a/frontend/src/routes/dashboard/org/+page.svelte
+++ b/frontend/src/routes/dashboard/org/+page.svelte
@@ -1185,7 +1185,7 @@
                   </div>
                 {/if}
                 {#if newDomainResult.dns_instructions.needs_txt && newDomainResult.dns_instructions.txt_records.length > 0}
-                  {#each newDomainResult.dns_instructions.txt_records as record (record.name)}
+                  {#each newDomainResult.dns_instructions.txt_records as record, index (index)}
                     <div
                       class="bg-white rounded border border-blue-200 p-3 mb-2 last:mb-0"
                     >

From f5b2dc66848566122a5b3baff273b41c16d5edda Mon Sep 17 00:00:00 2001
From: Sergio Visinoni <piffio@piffio.org>
Date: Sat, 16 May 2026 12:46:58 +0200
Subject: [PATCH 14/19] fix: Fix custom domain verification flow and DNS
 instructions display

- Show "Pending Certificate" status when CNAME verified but SSL pending
- Only show CNAME instructions when hostname is not active yet
- Separate ownership TXT (hostname pending) from SSL TXT (SSL pending)
- Add copy-to-clipboard buttons for DNS record values with visual feedback
- Auto-clear DNS instructions when SSL certificate becomes active
---
 .../src/routes/dashboard/org/+page.svelte     | 137 +++++++++++++++---
 src/api/domains/refresh.rs                    |  13 +-
 2 files changed, 125 insertions(+), 25 deletions(-)

diff --git a/frontend/src/routes/dashboard/org/+page.svelte b/frontend/src/routes/dashboard/org/+page.svelte
index 3324a105..33b2f6aa 100644
--- a/frontend/src/routes/dashboard/org/+page.svelte
+++ b/frontend/src/routes/dashboard/org/+page.svelte
@@ -49,8 +49,26 @@
   let addingDomain = $state(false);
   let addDomainError = $state("");
   let newDomainResult = $state<CreateDomainResponse | null>(null);
-  let deletingDomain = $state<string | null>(null);
   let refreshingDomain = $state<string | null>(null);
+  let deletingDomain = $state<string | null>(null);
+
+  // Copy to clipboard feedback
+  let copiedValue = $state<string | null>(null);
+  let copyTimeout: ReturnType<typeof setTimeout> | null = null;
+
+  async function copyToClipboard(value: string) {
+    try {
+      await navigator.clipboard.writeText(value);
+      copiedValue = value;
+      if (copyTimeout) clearTimeout(copyTimeout);
+      copyTimeout = setTimeout(() => {
+        copiedValue = null;
+      }, 2000);
+    } catch {
+      // Fallback for browsers that don't support clipboard API
+      console.error("Failed to copy to clipboard");
+    }
+  }
   let confirmingDomainHostname = $state<string | null>(null);
 
   // Tags management
@@ -271,10 +289,20 @@
           );
           if (result.dns_instructions?.needs_txt) {
             newDomainResult = result;
+          } else {
+            // Clear DNS instructions if SSL is now active
+            if (
+              newDomainResult?.domain.hostname === pendingSslDomain.hostname
+            ) {
+              newDomainResult = null;
+            }
           }
         } catch {
           // Non-critical - if refresh fails, we'll just not show DNS instructions
         }
+      } else {
+        // If no domains have pending SSL, clear any stale DNS instructions
+        newDomainResult = null;
       }
     } catch (e: unknown) {
       domainsError = e instanceof Error ? e.message : "Failed to load domains.";
@@ -1102,7 +1130,12 @@
                       <span class="font-mono text-sm text-gray-800 truncate"
                         >{domain.hostname}</span
                       >
-                      {#if domain.status === "active"}
+                      {#if domain.status === "active" && domain.ssl_status === "pending"}
+                        <span
+                          class="text-xs bg-blue-100 text-blue-700 px-2 py-0.5 rounded-full"
+                          >Pending Certificate</span
+                        >
+                      {:else if domain.status === "active"}
                         <span
                           class="text-xs bg-green-100 text-green-700 px-2 py-0.5 rounded-full"
                           >Active</span
@@ -1169,38 +1202,102 @@
               </p>
               <div class="space-y-2">
                 {#if newDomainResult.dns_instructions.needs_cname}
-                  <div class="bg-white rounded border border-blue-200 p-3">
-                    <div class="text-xs font-medium text-gray-500 mb-1">
+                  <div class="bg-white rounded border border-blue-200 p-4">
+                    <div class="text-xs font-medium text-gray-500 mb-3">
                       CNAME Record
                     </div>
-                    <div class="font-mono text-xs">
-                      <span class="text-gray-700"
-                        >{newDomainResult.domain.hostname}</span
-                      >
-                      <span class="text-gray-400 mx-2">→</span>
-                      <span class="text-blue-700"
-                        >{newDomainResult.dns_instructions.cname_target}</span
-                      >
+                    <div class="space-y-2">
+                      <div>
+                        <div class="text-xs text-gray-400 mb-1">Name</div>
+                        <div class="flex items-center gap-2">
+                          <span
+                            class="font-mono text-sm text-gray-700 bg-gray-50 px-2 py-1 rounded"
+                            >{newDomainResult.domain.hostname}</span
+                          >
+                          <button
+                            onclick={() =>
+                              copyToClipboard(newDomainResult!.domain.hostname)}
+                            class="text-xs text-blue-600 hover:text-blue-800 underline"
+                            title="Copy"
+                          >
+                            {copiedValue === newDomainResult!.domain.hostname
+                              ? "Copied!"
+                              : "Copy"}
+                          </button>
+                        </div>
+                      </div>
+                      <div>
+                        <div class="text-xs text-gray-400 mb-1">Target</div>
+                        <div class="flex items-center gap-2">
+                          <span
+                            class="font-mono text-sm text-blue-700 bg-blue-50 px-2 py-1 rounded"
+                            >{newDomainResult.dns_instructions
+                              .cname_target}</span
+                          >
+                          <button
+                            onclick={() =>
+                              copyToClipboard(
+                                newDomainResult!.dns_instructions!.cname_target
+                              )}
+                            class="text-xs text-blue-600 hover:text-blue-800 underline"
+                            title="Copy"
+                          >
+                            {copiedValue ===
+                            newDomainResult!.dns_instructions!.cname_target
+                              ? "Copied!"
+                              : "Copy"}
+                          </button>
+                        </div>
+                      </div>
                     </div>
                   </div>
                 {/if}
                 {#if newDomainResult.dns_instructions.needs_txt && newDomainResult.dns_instructions.txt_records.length > 0}
                   {#each newDomainResult.dns_instructions.txt_records as record, index (index)}
                     <div
-                      class="bg-white rounded border border-blue-200 p-3 mb-2 last:mb-0"
+                      class="bg-white rounded border border-blue-200 p-4 mb-2 last:mb-0"
                     >
-                      <div class="text-xs font-medium text-gray-500 mb-1">
+                      <div class="text-xs font-medium text-gray-500 mb-3">
                         TXT Record
                         {record.purpose === "ownership"
                           ? " (domain ownership verification)"
                           : " (SSL certificate validation)"}
                       </div>
-                      <div class="font-mono text-xs">
-                        <span class="text-gray-700">{record.name}</span>
-                        <span class="text-gray-400 mx-2">=</span>
-                        <span class="text-blue-700 break-all"
-                          >{record.value}</span
-                        >
+                      <div class="space-y-2">
+                        <div>
+                          <div class="text-xs text-gray-400 mb-1">Name</div>
+                          <div class="flex items-center gap-2">
+                            <span
+                              class="font-mono text-sm text-gray-700 bg-gray-50 px-2 py-1 rounded"
+                              >{record.name}</span
+                            >
+                            <button
+                              onclick={() => copyToClipboard(record.name)}
+                              class="text-xs text-blue-600 hover:text-blue-800 underline"
+                              title="Copy"
+                            >
+                              {copiedValue === record.name ? "Copied!" : "Copy"}
+                            </button>
+                          </div>
+                        </div>
+                        <div>
+                          <div class="text-xs text-gray-400 mb-1">Value</div>
+                          <div class="flex items-start gap-2">
+                            <span
+                              class="font-mono text-sm text-blue-700 bg-blue-50 px-2 py-1 rounded break-all flex-1"
+                              >{record.value}</span
+                            >
+                            <button
+                              onclick={() => copyToClipboard(record.value)}
+                              class="text-xs text-blue-600 hover:text-blue-800 underline"
+                              title="Copy"
+                            >
+                              {copiedValue === record.value
+                                ? "Copied!"
+                                : "Copy"}
+                            </button>
+                          </div>
+                        </div>
                       </div>
                     </div>
                   {/each}
diff --git a/src/api/domains/refresh.rs b/src/api/domains/refresh.rs
index dc5fc4da..fa05bcfe 100644
--- a/src/api/domains/refresh.rs
+++ b/src/api/domains/refresh.rs
@@ -121,12 +121,15 @@ async fn inner(req: Request, ctx: RouteContext<()>) -> Result<Response, AppError
         )
     });
 
-    let dns_instructions = if ssl_pending {
+    // Check if CNAME is still needed (hostname is not active yet)
+    let cname_needed = cf_result.as_ref().is_some_and(|cf| cf.status != "active");
+
+    let dns_instructions = if ssl_pending || cname_needed {
         let mut txt_records: Vec<TxtRecord> = Vec::new();
 
         if let Some(ref cf) = cf_result {
-            // Add ownership TXT (always present)
-            if let Some(ref ownership) = cf.ownership_verification {
+            // Add ownership TXT (always present while hostname is pending)
+            if cname_needed && let Some(ref ownership) = cf.ownership_verification {
                 txt_records.push(TxtRecord {
                     name: ownership.name.clone(),
                     value: ownership.value.clone(),
@@ -134,7 +137,7 @@ async fn inner(req: Request, ctx: RouteContext<()>) -> Result<Response, AppError
                 });
             }
             // Add SSL validation TXT records if certificate is pending
-            if let Some(ref records) = cf.ssl.validation_records {
+            if ssl_pending && let Some(ref records) = cf.ssl.validation_records {
                 for record in records {
                     if let (Some(name), Some(value)) =
                         (record.txt_name.clone(), record.txt_value.clone())
@@ -153,7 +156,7 @@ async fn inner(req: Request, ctx: RouteContext<()>) -> Result<Response, AppError
         Some(DnsInstructions {
             cname_target: get_fallback_domain(&ctx.env),
             txt_records,
-            needs_cname: true,
+            needs_cname: cname_needed,
             needs_txt,
         })
     } else {

From 547a451c7cdab1550ee847cde62d6822851e3588 Mon Sep 17 00:00:00 2001
From: Sergio Visinoni <piffio@piffio.org>
Date: Sat, 16 May 2026 15:55:01 +0200
Subject: [PATCH 15/19] fix: correctly handle custom domain routing for
 Cloudflare for SaaS

- redirect.rs: when a short code is not found, expired, or inactive,
  redirect to /404 on the custom domain (e.g. go2.piffio.org/404)
  instead of the frontend URL (e.g. rushomon.workers.dev/404)

- router.rs: skip the root 301 redirect when the request host matches
  the FALLBACK_DOMAIN env var, preventing Cloudflare for SaaS from
  receiving a redirect loop that causes a 522 error
---
 src/api/links/redirect.rs | 14 ++++++++------
 src/api/router.rs         | 14 +++++++++++++-
 src/utils/mod.rs          |  2 +-
 3 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/src/api/links/redirect.rs b/src/api/links/redirect.rs
index 3388a10c..e0b151e2 100644
--- a/src/api/links/redirect.rs
+++ b/src/api/links/redirect.rs
@@ -103,18 +103,21 @@ pub async fn handle_redirect(
         kv::get_link_mapping(&kv, &short_code).await?
     };
 
+    let not_found_url = match &custom_host {
+        Some(hostname) => Url::parse(&format!("https://{}/404", hostname))?,
+        None => Url::parse(&format!("{}/404", get_frontend_url(&ctx.env)))?,
+    };
+
     let Some(mapping) = mapping else {
-        let url = Url::parse(&format!("{}/404", get_frontend_url(&ctx.env)))?;
         return Ok(RedirectResult {
-            response: Response::redirect_with_status(url, 302)?,
+            response: Response::redirect_with_status(not_found_url, 302)?,
             analytics_future: None,
         });
     };
 
     if !matches!(mapping.status, LinkStatus::Active) {
-        let url = Url::parse(&format!("{}/404", get_frontend_url(&ctx.env)))?;
         return Ok(RedirectResult {
-            response: Response::redirect_with_status(url, 302)?,
+            response: Response::redirect_with_status(not_found_url, 302)?,
             analytics_future: None,
         });
     }
@@ -122,9 +125,8 @@ pub async fn handle_redirect(
     if let Some(expires_at) = mapping.expires_at {
         let now = now_timestamp();
         if now > expires_at {
-            let url = Url::parse(&format!("{}/404", get_frontend_url(&ctx.env)))?;
             return Ok(RedirectResult {
-                response: Response::redirect_with_status(url, 302)?,
+                response: Response::redirect_with_status(not_found_url, 302)?,
                 analytics_future: None,
             });
         }
diff --git a/src/api/router.rs b/src/api/router.rs
index 2d470b64..e7e94f90 100644
--- a/src/api/router.rs
+++ b/src/api/router.rs
@@ -400,7 +400,19 @@ pub async fn run(req: Request, env: Env, is_frontend_domain: bool) -> Result<Res
         // Title fetch route (public, can be called by anyone)
         .post_async("/api/fetch-title", crate::api::title_fetch::fetch_title)
         // Root redirect: redirect to frontend (e.g., rush.mn/ → rushomon.cc/)
-        .get_async("/", |_req, ctx| async move {
+        // Skip redirect if request comes via the fallback domain (used for Cloudflare for SaaS
+        // custom hostname routing) — the fallback domain is internal infrastructure and should
+        // not redirect, otherwise Cloudflare for SaaS will see a 301 and fail with a 522 error.
+        .get_async("/", |req, ctx| async move {
+            let fallback_domain = crate::utils::get_fallback_domain(&ctx.env);
+            let request_host = req
+                .url()
+                .ok()
+                .and_then(|u| u.host_str().map(|h| h.to_string()))
+                .unwrap_or_default();
+            if request_host == fallback_domain {
+                return Response::error("Not found", 404);
+            }
             let url = Url::parse(&crate::utils::get_frontend_url(&ctx.env))?;
             Response::redirect_with_status(url, 301)
         })
diff --git a/src/utils/mod.rs b/src/utils/mod.rs
index 34f5a244..608fd047 100644
--- a/src/utils/mod.rs
+++ b/src/utils/mod.rs
@@ -14,7 +14,7 @@ pub mod url_normalization;
 pub mod validation;
 
 pub use crypto::{secure_compare, verify_polar_webhook_signature};
-pub use env::get_frontend_url;
+pub use env::{get_fallback_domain, get_frontend_url};
 pub use errors::AppError;
 pub use http::{get_client_ip, hash_ip};
 pub use query_params::QueryParams;

From 254ccce67d47eac82146f91084b48b17536f21d5 Mon Sep 17 00:00:00 2001
From: Sergio Visinoni <piffio@piffio.org>
Date: Sat, 16 May 2026 16:02:43 +0200
Subject: [PATCH 16/19] fix: prevent infinite redirect loop on custom domain
 404

Reserve /404 globally on all domains (not just frontend) to prevent
infinite redirect loops when a custom domain receives a 404 redirect
for a non-existent short code.
---
 src/api/router.rs | 29 +++++++++++------------------
 1 file changed, 11 insertions(+), 18 deletions(-)

diff --git a/src/api/router.rs b/src/api/router.rs
index e7e94f90..bbb88273 100644
--- a/src/api/router.rs
+++ b/src/api/router.rs
@@ -25,23 +25,20 @@ pub async fn run(req: Request, env: Env, is_frontend_domain: bool) -> Result<Res
                 .to_string();
 
             // Skip API routes and known frontend routes on the frontend domain.
-            // Frontend routes (dashboard, auth, settings, admin, 404) must not be
+            // Frontend routes (dashboard, auth, settings, admin) must not be
             // treated as short codes — they should fall through to the SPA fallback.
-            // Without this, /404 would redirect to /404 in an infinite loop.
+            // The /404 path is reserved globally on all domains to prevent infinite
+            // redirect loops when a short code is not found.
             if code.starts_with("api") {
                 return Response::error("Not found", 404);
             }
+            if code == "404" {
+                return Response::error("Not found", 404);
+            }
             if is_frontend_domain
                 && matches!(
                     code.as_str(),
-                    "dashboard"
-                        | "auth"
-                        | "settings"
-                        | "admin"
-                        | "404"
-                        | "login"
-                        | "billing"
-                        | "pricing"
+                    "dashboard" | "auth" | "settings" | "admin" | "login" | "billing" | "pricing"
                 )
             {
                 return Response::error("Not found", 404);
@@ -62,17 +59,13 @@ pub async fn run(req: Request, env: Env, is_frontend_domain: bool) -> Result<Res
             if code.starts_with("api") {
                 return Response::error("Not found", 404);
             }
+            if code == "404" {
+                return Response::error("Not found", 404);
+            }
             if is_frontend_domain
                 && matches!(
                     code.as_str(),
-                    "dashboard"
-                        | "auth"
-                        | "settings"
-                        | "admin"
-                        | "404"
-                        | "login"
-                        | "billing"
-                        | "pricing"
+                    "dashboard" | "auth" | "settings" | "admin" | "login" | "billing" | "pricing"
                 )
             {
                 return Response::error("Not found", 404);

From 6aa3cf859697cb3c296c69a1eaee38f48708b5d9 Mon Sep 17 00:00:00 2001
From: Sergio Visinoni <piffio@piffio.org>
Date: Sat, 16 May 2026 17:02:41 +0200
Subject: [PATCH 17/19] Add custom domain support to links

- Add custom_domain column to links table and models
- Validate domain is active for org during link creation
- Domain is immutable after creation (like short_code)
- Add domain selector to link creation modal
- Display correct short URL using custom domain across all views
- Update TopLinkCount analytics model with custom_domain
---
 frontend/src/lib/components/LinkCard.svelte   |  6 +-
 frontend/src/lib/components/LinkModal.svelte  | 60 ++++++++++++++++++-
 .../lib/components/OrgLinkSlideOver.svelte    |  6 +-
 frontend/src/lib/types/api.ts                 |  3 +
 frontend/src/routes/dashboard/+page.svelte    | 27 +++++++++
 .../dashboard/links/[short_code]/+page.svelte |  6 +-
 migrations/0032_link_custom_domain.sql        |  5 ++
 src/api/links/create.rs                       | 21 +++++++
 src/api/links/import.rs                       |  1 +
 src/models/analytics.rs                       |  3 +
 src/models/link.rs                            | 17 ++++++
 src/repositories/analytics_repository.rs      |  4 +-
 src/repositories/link_repository.rs           | 22 ++++---
 src/services/link_service.rs                  |  1 +
 14 files changed, 168 insertions(+), 14 deletions(-)
 create mode 100644 migrations/0032_link_custom_domain.sql

diff --git a/frontend/src/lib/components/LinkCard.svelte b/frontend/src/lib/components/LinkCard.svelte
index 753d093d..44d5b217 100644
--- a/frontend/src/lib/components/LinkCard.svelte
+++ b/frontend/src/lib/components/LinkCard.svelte
@@ -54,7 +54,11 @@
     PUBLIC_VITE_SHORT_LINK_BASE_URL ||
     PUBLIC_VITE_API_BASE_URL ||
     "http://localhost:8787";
-  const shortUrl = $derived(`${SHORT_LINK_BASE}/${link.short_code}`);
+  const shortUrl = $derived(
+    link.custom_domain
+      ? `https://${link.custom_domain}/${link.short_code}`
+      : `${SHORT_LINK_BASE}/${link.short_code}`
+  );
 
   let showDeleteConfirm = $state(false);
   let copySuccess = $state(false);
diff --git a/frontend/src/lib/components/LinkModal.svelte b/frontend/src/lib/components/LinkModal.svelte
index f5528559..bbec5a5d 100644
--- a/frontend/src/lib/components/LinkModal.svelte
+++ b/frontend/src/lib/components/LinkModal.svelte
@@ -1,4 +1,5 @@
 <script lang="ts">
+  import type { CustomDomain } from "$lib/api/domains";
   import { linksApi, tagsApi } from "$lib/api/links";
   import TagInput from "$lib/components/TagInput.svelte";
   import type {
@@ -17,12 +18,14 @@
     link?: Link | null;
     isOpen?: boolean;
     usage?: UsageResponse | null;
+    activeDomains?: CustomDomain[];
   }
 
   let {
     link = null,
     isOpen = $bindable(false),
-    usage = null
+    usage = null,
+    activeDomains = []
   }: Props = $props();
 
   const dispatch = createEventDispatcher<{ saved: Link }>();
@@ -71,6 +74,9 @@
   let androidUrl = $state("");
   let desktopUrl = $state("");
 
+  // Domain selection: default is the first active custom domain (if any), else "" (default domain)
+  let selectedDomain = $state("");
+
   const hasUtmParams = $derived(
     !!(
       utmSource.trim() ||
@@ -162,6 +168,8 @@
     androidUrl = "";
     desktopUrl = "";
     showDeviceRouting = false;
+    selectedDomain =
+      activeDomains.length === 1 ? activeDomains[0].hostname : "";
     populatedLinkId = null;
   }
 
@@ -214,6 +222,14 @@
     }
   });
 
+  // When activeDomains loads (or changes), set the default selected domain for create mode
+  $effect(() => {
+    if (!isEditMode && activeDomains) {
+      selectedDomain =
+        activeDomains.length === 1 ? activeDomains[0].hostname : "";
+    }
+  });
+
   function handleClose() {
     if (!loading) {
       isOpen = false;
@@ -310,6 +326,9 @@
         if (shortCode) {
           linkData.short_code = shortCode;
         }
+        if (selectedDomain) {
+          linkData.custom_domain = selectedDomain;
+        }
         savedLink = await linksApi.create(linkData);
       }
 
@@ -450,6 +469,45 @@
           />
         </div>
 
+        <!-- Domain Selection -->
+        {#if activeDomains.length > 0 || (isEditMode && link?.custom_domain)}
+          <div>
+            <label
+              for="link-domain"
+              class="block text-sm font-medium text-gray-700 mb-2"
+            >
+              Domain
+            </label>
+            {#if isEditMode}
+              <div class="flex items-center gap-2">
+                <span
+                  class="inline-flex items-center px-3 py-2 rounded-lg text-sm bg-gray-100 text-gray-700 border border-gray-300 font-mono"
+                >
+                  {link?.custom_domain ?? "Default domain"}
+                </span>
+                <span class="text-xs text-gray-500"
+                  >Domain cannot be changed after creation</span
+                >
+              </div>
+            {:else}
+              <select
+                id="link-domain"
+                bind:value={selectedDomain}
+                disabled={loading}
+                class="w-full px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-orange-500 focus:border-transparent disabled:bg-gray-100 disabled:cursor-not-allowed"
+              >
+                <option value="">Default domain</option>
+                {#each activeDomains as domain (domain.id)}
+                  <option value={domain.hostname}>{domain.hostname}</option>
+                {/each}
+              </select>
+              <p class="text-xs text-gray-500 mt-1">
+                Domain is locked after creation
+              </p>
+            {/if}
+          </div>
+        {/if}
+
         <!-- Short Code -->
         <div>
           <label
diff --git a/frontend/src/lib/components/OrgLinkSlideOver.svelte b/frontend/src/lib/components/OrgLinkSlideOver.svelte
index 0a2ffc03..bd560016 100644
--- a/frontend/src/lib/components/OrgLinkSlideOver.svelte
+++ b/frontend/src/lib/components/OrgLinkSlideOver.svelte
@@ -51,7 +51,11 @@
     PUBLIC_VITE_API_BASE_URL ||
     "http://localhost:8787";
 
-  const shortUrl = $derived(`${SHORT_LINK_BASE}/${link.short_code}`);
+  const shortUrl = $derived(
+    link.custom_domain
+      ? `https://${link.custom_domain}/${link.short_code}`
+      : `${SHORT_LINK_BASE}/${link.short_code}`
+  );
 
   let analytics = $state<LinkAnalyticsResponse | null>(null);
   let loading = $state(true);
diff --git a/frontend/src/lib/types/api.ts b/frontend/src/lib/types/api.ts
index e9b8f69a..d2ae6d19 100644
--- a/frontend/src/lib/types/api.ts
+++ b/frontend/src/lib/types/api.ts
@@ -45,6 +45,7 @@ export interface Link {
   ios_url?: string | null;
   android_url?: string | null;
   desktop_url?: string | null;
+  custom_domain?: string | null;
 }
 
 export interface TagWithCount {
@@ -64,6 +65,7 @@ export interface CreateLinkRequest {
   ios_url?: string;
   android_url?: string;
   desktop_url?: string;
+  custom_domain?: string;
 }
 
 export interface UpdateLinkRequest {
@@ -151,6 +153,7 @@ export interface TopLinkCount {
   short_code: string;
   title: string | null;
   count: number;
+  custom_domain?: string | null;
 }
 
 export interface OrgAnalyticsResponse {
diff --git a/frontend/src/routes/dashboard/+page.svelte b/frontend/src/routes/dashboard/+page.svelte
index 87cba02d..bdbb1864 100644
--- a/frontend/src/routes/dashboard/+page.svelte
+++ b/frontend/src/routes/dashboard/+page.svelte
@@ -1,5 +1,7 @@
 <script lang="ts">
   import { goto, invalidate } from "$app/navigation";
+  import type { CustomDomain } from "$lib/api/domains";
+  import { domainsApi } from "$lib/api/domains";
   import { linksApi, tagsApi } from "$lib/api/links";
   import LinkList from "$lib/components/LinkList.svelte";
   import LinkModal from "$lib/components/LinkModal.svelte";
@@ -60,6 +62,7 @@
   let isExporting = $state(false);
   let deletingLinkId = $state<string | null>(null);
   let recentlySavedLinkId = $state<string | null>(null);
+  let activeDomains = $state<CustomDomain[]>([]);
 
   let highlightTimer: ReturnType<typeof setTimeout>;
 
@@ -93,6 +96,15 @@
     } catch {
       // Non-critical
     }
+    // Load active custom domains for domain selector in LinkModal
+    if (orgId) {
+      try {
+        const all = await domainsApi.listDomains(orgId);
+        activeDomains = all.filter((d) => d.status === "active");
+      } catch {
+        // Non-critical — domain selector just won't appear
+      }
+    }
   });
 
   // Initialize links, pagination, and stats from data (runs on mount and when data changes)
@@ -121,6 +133,20 @@
     selectedTags = data.initialTags || [];
   });
 
+  // Re-fetch active domains when orgId is available (it's loaded from data effect above)
+  $effect(() => {
+    if (orgId) {
+      domainsApi
+        .listDomains(orgId)
+        .then((all) => {
+          activeDomains = all.filter((d) => d.status === "active");
+        })
+        .catch(() => {
+          // Non-critical
+        });
+    }
+  });
+
   const linksUsagePercent = $derived(
     usage?.limits.max_links_per_month
       ? Math.min(
@@ -680,6 +706,7 @@
         link={editingLink}
         bind:isOpen={isModalOpen}
         {usage}
+        {activeDomains}
         on:saved={handleLinkSaved}
       />
 
diff --git a/frontend/src/routes/dashboard/links/[short_code]/+page.svelte b/frontend/src/routes/dashboard/links/[short_code]/+page.svelte
index 96c42e55..f90c06a8 100644
--- a/frontend/src/routes/dashboard/links/[short_code]/+page.svelte
+++ b/frontend/src/routes/dashboard/links/[short_code]/+page.svelte
@@ -71,7 +71,11 @@
   const analytics = $derived(data.analytics);
   const days = $derived(data.days ?? 7);
   const shortUrl = $derived(
-    link ? `${SHORT_LINK_BASE}/${link.short_code}` : ""
+    link
+      ? link.custom_domain
+        ? `https://${link.custom_domain}/${link.short_code}`
+        : `${SHORT_LINK_BASE}/${link.short_code}`
+      : ""
   );
 
   // Reset loading state when data loads
diff --git a/migrations/0032_link_custom_domain.sql b/migrations/0032_link_custom_domain.sql
new file mode 100644
index 00000000..6da82293
--- /dev/null
+++ b/migrations/0032_link_custom_domain.sql
@@ -0,0 +1,5 @@
+-- Track which custom domain a link was created under.
+-- NULL means the link uses the default short domain.
+-- Immutable after creation (same as short_code) — changing domain would
+-- orphan all previously shared links since the KV key is {hostname}:{short_code}.
+ALTER TABLE links ADD COLUMN custom_domain TEXT;
diff --git a/src/api/links/create.rs b/src/api/links/create.rs
index 389fcbdd..0b276fd2 100644
--- a/src/api/links/create.rs
+++ b/src/api/links/create.rs
@@ -2,6 +2,7 @@ use crate::auth;
 use crate::kv;
 use crate::middleware::{RateLimitConfig, RateLimiter, is_kv_rate_limiting_enabled};
 use crate::models::link::{CreateLinkRequest, Link, LinkStatus};
+use crate::repositories::CustomDomainRepository;
 use crate::services::LinkService;
 use crate::utils::validate_and_normalize_tags;
 use crate::utils::{generate_short_code, now_timestamp, validate_short_code, validate_url};
@@ -98,6 +99,7 @@ pub async fn handle_create_link(mut req: Request, ctx: RouteContext<()>) -> Resu
         "ios_url",
         "android_url",
         "desktop_url",
+        "custom_domain",
     ];
     if let Some(obj) = raw_body.as_object() {
         for field_name in obj.keys() {
@@ -182,6 +184,24 @@ pub async fn handle_create_link(mut req: Request, ctx: RouteContext<()>) -> Resu
         );
     }
 
+    // Validate custom_domain if provided: it must be an active domain on this org.
+    let custom_domain: Option<String> = if let Some(ref hostname) = body.custom_domain {
+        let repo = CustomDomainRepository::new();
+        let active_domains = repo.get_active_for_org(&db, org_id).await.map_err(|e| {
+            worker::Error::RustError(format!("Failed to query custom domains: {:?}", e))
+        })?;
+        let found = active_domains.iter().any(|d| &d.hostname == hostname);
+        if !found {
+            return Response::error(
+                "The specified custom domain is not an active domain for your organization.",
+                400,
+            );
+        }
+        Some(hostname.clone())
+    } else {
+        None
+    };
+
     let kv = ctx.kv("URL_MAPPINGS")?;
 
     let short_code = if let Some(custom_code) = body.short_code {
@@ -258,6 +278,7 @@ pub async fn handle_create_link(mut req: Request, ctx: RouteContext<()>) -> Resu
         ios_url: body.ios_url,
         android_url: body.android_url,
         desktop_url: body.desktop_url,
+        custom_domain,
     };
 
     let link_service = LinkService::new();
diff --git a/src/api/links/import.rs b/src/api/links/import.rs
index e6d67d1d..b21f0627 100644
--- a/src/api/links/import.rs
+++ b/src/api/links/import.rs
@@ -287,6 +287,7 @@ pub async fn handle_import_links(mut req: Request, ctx: RouteContext<()>) -> Res
             ios_url: None,
             android_url: None,
             desktop_url: None,
+            custom_domain: None,
         };
 
         links_to_import.push(link);
diff --git a/src/models/analytics.rs b/src/models/analytics.rs
index 31ca28f6..2bb808d9 100644
--- a/src/models/analytics.rs
+++ b/src/models/analytics.rs
@@ -543,6 +543,9 @@ pub struct TopLinkCount {
     pub title: Option<String>,
     #[schema(example = 50)]
     pub count: i64,
+    /// Custom domain this link belongs to, if any.
+    #[schema(example = "go.mybrand.com")]
+    pub custom_domain: Option<String>,
 }
 
 #[derive(Debug, Serialize, ToSchema)]
diff --git a/src/models/link.rs b/src/models/link.rs
index 8f991a66..c7c1198b 100644
--- a/src/models/link.rs
+++ b/src/models/link.rs
@@ -116,6 +116,10 @@ pub struct Link {
     /// Redirects desktop users (Windows, macOS, Linux) to this URL instead of the default.
     #[schema(example = "https://example.com/desktop-app")]
     pub desktop_url: Option<String>,
+    /// Custom domain this link was created under (immutable after creation).
+    /// None means the link uses the default short domain.
+    #[schema(example = "go.mybrand.com")]
+    pub custom_domain: Option<String>,
 }
 
 impl<'de> Deserialize<'de> for Link {
@@ -142,6 +146,7 @@ impl<'de> Deserialize<'de> for Link {
             ios_url: Option<String>,           // Device routing URL
             android_url: Option<String>,       // Device routing URL
             desktop_url: Option<String>,       // Device routing URL
+            custom_domain: Option<String>,     // Custom domain this link belongs to
         }
 
         let helper = LinkHelper::deserialize(deserializer)?;
@@ -182,6 +187,7 @@ impl<'de> Deserialize<'de> for Link {
             ios_url: helper.ios_url,
             android_url: helper.android_url,
             desktop_url: helper.desktop_url,
+            custom_domain: helper.custom_domain,
         })
     }
 }
@@ -252,6 +258,10 @@ pub struct CreateLinkRequest {
     /// Desktop-specific destination URL (Business tier feature).
     #[schema(example = "https://example.com/desktop-app")]
     pub desktop_url: Option<String>,
+    /// Custom domain to associate this link with (must be an active domain on the org).
+    /// Immutable after creation. None = use default short domain.
+    #[schema(example = "go.mybrand.com")]
+    pub custom_domain: Option<String>,
 }
 
 #[derive(Debug, Serialize, Deserialize, ToSchema)]
@@ -353,6 +363,7 @@ mod tests {
             ios_url: None,
             android_url: None,
             desktop_url: None,
+            custom_domain: None,
         };
         assert!(!link.is_expired());
     }
@@ -384,6 +395,7 @@ mod tests {
             ios_url: None,
             android_url: None,
             desktop_url: None,
+            custom_domain: None,
         };
         assert!(!link.is_expired());
     }
@@ -411,6 +423,7 @@ mod tests {
             ios_url: None,
             android_url: None,
             desktop_url: None,
+            custom_domain: None,
         };
         assert!(link.is_expired());
     }
@@ -436,6 +449,7 @@ mod tests {
             ios_url: None,
             android_url: None,
             desktop_url: None,
+            custom_domain: None,
         };
 
         let mapping = link.to_mapping(false);
@@ -468,6 +482,7 @@ mod tests {
             ios_url: None,
             android_url: None,
             desktop_url: None,
+            custom_domain: None,
         };
 
         let mapping = link.to_mapping(false);
@@ -536,6 +551,7 @@ mod tests {
             ios_url: None,
             android_url: None,
             desktop_url: None,
+            custom_domain: None,
         };
 
         let mapping = link.to_mapping(true);
@@ -613,6 +629,7 @@ mod redirect_type_tests {
             ios_url: None,
             android_url: None,
             desktop_url: None,
+            custom_domain: None,
         };
 
         let json = serde_json::to_string(&link).unwrap();
diff --git a/src/repositories/analytics_repository.rs b/src/repositories/analytics_repository.rs
index 917edc7d..6214636c 100644
--- a/src/repositories/analytics_repository.rs
+++ b/src/repositories/analytics_repository.rs
@@ -312,7 +312,7 @@ impl AnalyticsRepository {
         limit: i64,
     ) -> Result<Vec<TopLinkCount>> {
         let stmt = db.prepare(
-            "SELECT ae.link_id, l.short_code, l.title, COUNT(*) as count
+            "SELECT ae.link_id, l.short_code, l.title, l.custom_domain, COUNT(*) as count
              FROM analytics_events ae
              JOIN links l ON ae.link_id = l.id
              WHERE ae.org_id = ?1 AND ae.timestamp >= ?2 AND ae.timestamp <= ?3
@@ -338,12 +338,14 @@ impl AnalyticsRepository {
                 let link_id = row["link_id"].as_str()?.to_string();
                 let short_code = row["short_code"].as_str()?.to_string();
                 let title = row["title"].as_str().map(|s| s.to_string());
+                let custom_domain = row["custom_domain"].as_str().map(|s| s.to_string());
                 let count = row["count"].as_f64()? as i64;
                 Some(TopLinkCount {
                     link_id,
                     short_code,
                     title,
                     count,
+                    custom_domain,
                 })
             })
             .collect();
diff --git a/src/repositories/link_repository.rs b/src/repositories/link_repository.rs
index 3fad3812..445767ca 100644
--- a/src/repositories/link_repository.rs
+++ b/src/repositories/link_repository.rs
@@ -90,8 +90,8 @@ impl LinkRepository {
         let utm_json = link.utm_params.as_ref().and_then(|u| u.to_json_string());
 
         let stmt = db.prepare(
-            "INSERT INTO links (id, org_id, short_code, destination_url, title, created_by, created_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url)
-             VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?14, ?15, ?16)"
+            "INSERT INTO links (id, org_id, short_code, destination_url, title, created_by, created_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url, custom_domain)
+             VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?14, ?15, ?16, ?17)"
         );
 
         stmt.bind(&[
@@ -127,6 +127,10 @@ impl LinkRepository {
                 .clone()
                 .map(|s| s.into())
                 .unwrap_or(JsValue::NULL),
+            link.custom_domain
+                .clone()
+                .map(|s| s.into())
+                .unwrap_or(JsValue::NULL),
         ])?
         .run()
         .await?;
@@ -142,7 +146,7 @@ impl LinkRepository {
         org_id: &str,
     ) -> Result<Option<Link>> {
         let stmt = db.prepare(
-            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url
+            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url, custom_domain
              FROM links
              WHERE id = ?1
              AND org_id = ?2
@@ -156,7 +160,7 @@ impl LinkRepository {
     /// Get a link by ID without org check — active only (public redirects)
     pub async fn get_by_id_no_auth(&self, db: &D1Database, link_id: &str) -> Result<Option<Link>> {
         let stmt = db.prepare(
-            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url
+            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url, custom_domain
              FROM links
              WHERE id = ?1
              AND status = 'active'"
@@ -171,7 +175,7 @@ impl LinkRepository {
         link_id: &str,
     ) -> Result<Option<Link>> {
         let stmt = db.prepare(
-            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url
+            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url, custom_domain
              FROM links
              WHERE id = ?1"
         );
@@ -186,7 +190,7 @@ impl LinkRepository {
         org_id: &str,
     ) -> Result<Option<Link>> {
         let stmt = db.prepare(
-            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url
+            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url, custom_domain
              FROM links
              WHERE short_code = ?1
              AND org_id = ?2
@@ -204,7 +208,7 @@ impl LinkRepository {
         short_code: &str,
     ) -> Result<Option<Link>> {
         let stmt = db.prepare(
-            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url
+            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url, custom_domain
              FROM links
              WHERE short_code = ?1
              AND status = 'active'"
@@ -226,7 +230,7 @@ impl LinkRepository {
         tags_filter: Option<&[String]>,
     ) -> Result<Vec<Link>> {
         let mut query = String::from(
-            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url
+            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url, custom_domain
              FROM links
              WHERE org_id = ?1"
         );
@@ -668,7 +672,7 @@ impl LinkRepository {
     /// Get all active/disabled links for an org (for CSV/JSON export)
     pub async fn get_all_for_export(&self, db: &D1Database, org_id: &str) -> Result<Vec<Link>> {
         let stmt = db.prepare(
-            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url
+            "SELECT id, org_id, short_code, destination_url, title, created_by, created_at, updated_at, expires_at, status, click_count, utm_params, forward_query_params, redirect_type, ios_url, android_url, desktop_url, custom_domain
              FROM links
              WHERE org_id = ?1
              AND status IN ('active', 'disabled')
diff --git a/src/services/link_service.rs b/src/services/link_service.rs
index 808e57b8..1b8abed4 100644
--- a/src/services/link_service.rs
+++ b/src/services/link_service.rs
@@ -582,6 +582,7 @@ impl LinkService {
                     ios_url: link.ios_url.clone(),
                     android_url: link.android_url.clone(),
                     desktop_url: link.desktop_url.clone(),
+                    custom_domain: link.custom_domain.clone(),
                 };
                 let org_repo = crate::repositories::OrgRepository::new();
                 let resolved_forward = if let Some(forward) = link.forward_query_params {

From 8ab31b91edd34599bae5da5315f31b3579e275d5 Mon Sep 17 00:00:00 2001
From: Sergio Visinoni <piffio@piffio.org>
Date: Sat, 16 May 2026 17:07:57 +0200
Subject: [PATCH 18/19] doc: Update OpenAPI spec

---
 docs/openapi/main.json | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/docs/openapi/main.json b/docs/openapi/main.json
index 5ae40c82..03927cdd 100644
--- a/docs/openapi/main.json
+++ b/docs/openapi/main.json
@@ -3503,6 +3503,14 @@
             ],
             "description": "Desktop-specific destination URL (Business tier feature).",
             "example": "https://example.com/desktop-app"
+          },
+          "custom_domain": {
+            "type": [
+              "string",
+              "null"
+            ],
+            "description": "Custom domain to associate this link with (must be an active domain on the org).\nImmutable after creation. None = use default short domain.",
+            "example": "go.mybrand.com"
           }
         },
         "additionalProperties": false
@@ -3652,6 +3660,14 @@
             ],
             "description": "Desktop-specific destination URL (Business tier feature).\nRedirects desktop users (Windows, macOS, Linux) to this URL instead of the default.",
             "example": "https://example.com/desktop-app"
+          },
+          "custom_domain": {
+            "type": [
+              "string",
+              "null"
+            ],
+            "description": "Custom domain this link was created under (immutable after creation).\nNone means the link uses the default short domain.",
+            "example": "go.mybrand.com"
           }
         }
       },
@@ -4143,6 +4159,14 @@
             "type": "integer",
             "format": "int64",
             "example": 50
+          },
+          "custom_domain": {
+            "type": [
+              "string",
+              "null"
+            ],
+            "description": "Custom domain this link belongs to, if any.",
+            "example": "go.mybrand.com"
           }
         }
       },

From ce943b7395b6c3a5c3732d4c99e77bf273c001af Mon Sep 17 00:00:00 2001
From: Sergio Visinoni <piffio@piffio.org>
Date: Sat, 16 May 2026 17:19:58 +0200
Subject: [PATCH 19/19] Add tier-based custom domain quota enforcement

- Add max_custom_domains to backend usage response
- Add max_custom_domains to frontend UsageResponse type
- Disable domain add input when tier limit reached
- Show upgrade CTAs with consistent amber styling
- Free tier: always disabled, upgrade to Pro
- Pro tier (1 domain): disabled at 1 domain, upgrade to Business
---
 frontend/src/lib/types/api.ts                 |  1 +
 .../src/routes/dashboard/org/+page.svelte     | 83 ++++++++++++++-----
 src/api/analytics/usage.rs                    |  1 +
 3 files changed, 66 insertions(+), 19 deletions(-)

diff --git a/frontend/src/lib/types/api.ts b/frontend/src/lib/types/api.ts
index d2ae6d19..66a9ce03 100644
--- a/frontend/src/lib/types/api.ts
+++ b/frontend/src/lib/types/api.ts
@@ -178,6 +178,7 @@ export interface UsageResponse {
     allow_query_forwarding: boolean;
     allow_device_routing: boolean;
     max_tags: number | null;
+    max_custom_domains: number | null;
   };
   usage: {
     links_created_this_month: number;
diff --git a/frontend/src/routes/dashboard/org/+page.svelte b/frontend/src/routes/dashboard/org/+page.svelte
index 33b2f6aa..638e6b0b 100644
--- a/frontend/src/routes/dashboard/org/+page.svelte
+++ b/frontend/src/routes/dashboard/org/+page.svelte
@@ -6,6 +6,7 @@
   import { domainsApi } from "$lib/api/domains";
   import { tagsApi } from "$lib/api/links";
   import { orgsApi } from "$lib/api/orgs";
+  import { usageApi } from "$lib/api/usage";
   import Avatar from "$lib/components/Avatar.svelte";
   import LoadingButton from "$lib/components/LoadingButton.svelte";
   import type {
@@ -14,7 +15,8 @@
     OrgMember,
     OrgSettings,
     OrgWithRole,
-    TagWithCount
+    TagWithCount,
+    UsageResponse
   } from "$lib/types/api";
   import type { PageData } from "./$types";
 
@@ -24,6 +26,7 @@
   let loading = $state(true);
   let error = $state("");
   let billingStatus = $state<BillingStatus | null>(null);
+  let usage = $state<UsageResponse | null>(null);
 
   // Rename org
   let editingName = $state(false);
@@ -95,6 +98,7 @@
       await loadOrgSettings(currentOrgId);
       await loadTags();
       await loadDomains(currentOrgId);
+      usage = await usageApi.getUsage();
     } catch (e: unknown) {
       error =
         e instanceof Error ? e.message : "Failed to load organization details.";
@@ -261,6 +265,28 @@
     ["business", "unlimited"].includes(orgDetails?.org.tier ?? "")
   );
 
+  // Custom domain quota check
+  const maxCustomDomains = $derived(usage?.limits.max_custom_domains);
+  const activeDomainCount = $derived(
+    domains.filter((d) => d.status === "active").length
+  );
+  const domainQuotaReached = $derived(
+    usage !== null &&
+      maxCustomDomains !== null &&
+      maxCustomDomains !== undefined &&
+      maxCustomDomains > 0 &&
+      activeDomainCount >= maxCustomDomains
+  );
+  const domainFeatureLocked = $derived(
+    usage !== null && maxCustomDomains === 0
+  );
+  const domainUpgradeTarget = $derived(() => {
+    const tier = orgDetails?.org.tier ?? "free";
+    if (tier === "free") return "Pro";
+    if (tier === "pro") return "Business";
+    return null;
+  });
+
   // Org settings: forward_query_params
   let orgSettings = $state<OrgSettings | null>(null);
   let settingsError = $state("");
@@ -1087,7 +1113,7 @@
           <h2 class="text-lg font-semibold text-gray-900">Custom Domains</h2>
           {#if orgDetails.org.tier === "free"}
             <span
-              class="text-xs bg-orange-100 text-orange-700 px-2 py-1 rounded-full font-medium"
+              class="text-xs bg-amber-100 text-amber-700 px-2 py-1 rounded-full font-medium"
               >Pro+ feature</span
             >
           {/if}
@@ -1317,24 +1343,43 @@
             </div>
           {/if}
 
-          <div class="flex items-center gap-2">
-            <input
-              type="text"
-              bind:value={newHostname}
-              placeholder="go.yourdomain.com"
-              class="flex-1 px-3 py-2 border border-gray-200 rounded-lg text-sm focus:outline-none focus:ring-2 focus:ring-orange-300 font-mono"
-              onkeydown={(e) => {
-                if (e.key === "Enter") handleAddDomain();
-              }}
-            />
-            <button
-              onclick={handleAddDomain}
-              disabled={addingDomain || !newHostname.trim()}
-              class="px-4 py-2 bg-orange-500 hover:bg-orange-600 disabled:opacity-50 text-white rounded-lg text-sm font-medium transition-colors"
+          {#if domainFeatureLocked || domainQuotaReached}
+            <div
+              class="bg-amber-50 border border-amber-200 rounded-lg p-3 mt-2 text-sm text-amber-800"
             >
-              {addingDomain ? "Adding..." : "Add Domain"}
-            </button>
-          </div>
+              {#if domainFeatureLocked}
+                Custom domains require the <strong>Pro plan</strong> or higher.
+                <a href="/billing" class="underline font-medium"
+                  >Upgrade your plan</a
+                >
+              {:else}
+                You've reached your custom domain limit ({activeDomainCount}/
+                {maxCustomDomains}). Upgrade to
+                <strong>{domainUpgradeTarget()}</strong>
+                to add more domains.
+                <a href="/billing" class="underline font-medium">Upgrade</a>
+              {/if}
+            </div>
+          {:else}
+            <div class="flex items-center gap-2">
+              <input
+                type="text"
+                bind:value={newHostname}
+                placeholder="go.yourdomain.com"
+                class="flex-1 px-3 py-2 border border-gray-200 rounded-lg text-sm focus:outline-none focus:ring-2 focus:ring-orange-300 font-mono"
+                onkeydown={(e) => {
+                  if (e.key === "Enter") handleAddDomain();
+                }}
+              />
+              <button
+                onclick={handleAddDomain}
+                disabled={addingDomain || !newHostname.trim()}
+                class="px-4 py-2 bg-orange-500 hover:bg-orange-600 disabled:opacity-50 text-white rounded-lg text-sm font-medium transition-colors"
+              >
+                {addingDomain ? "Adding..." : "Add Domain"}
+              </button>
+            </div>
+          {/if}
           {#if addDomainError}
             <p class="text-xs text-red-600 mt-2">{addDomainError}</p>
           {/if}
diff --git a/src/api/analytics/usage.rs b/src/api/analytics/usage.rs
index b9f60476..75a35812 100644
--- a/src/api/analytics/usage.rs
+++ b/src/api/analytics/usage.rs
@@ -44,6 +44,7 @@ async fn inner(req: Request, ctx: RouteContext<()>) -> Result<Response, AppError
             "allow_query_forwarding": usage_info.limits.allow_query_forwarding,
             "allow_device_routing": usage_info.limits.allow_device_routing,
             "max_tags": usage_info.limits.max_tags,
+            "max_custom_domains": usage_info.limits.max_custom_domains,
         },
         "usage": {
             "links_created_this_month": usage_info.links_created_this_month,