White-label sounds like a cosmetic feature: change the logo, update colors, maybe rename the app. In a real SaaS it is much deeper. Once you support custom domains and embedded experiences, white-label touches routing, security boundaries, entitlement checks, and every surface that can be shared externally.
In Fluxo I treated white-label as a platform layer: a tenant-aware resolver that yields a consistent brand and host identity across the app UI, public review links, and embedded review experiences.
Theme and branding model
White-label settings are stored per organization and are optional. They include:
- app name override
- logo URL
- primary color tokens for light and dark
- custom domain
- managed subdomain
- domain status lifecycle
At runtime, a resolver composes effective theme values and exposes them as CSS variables. This is important because it prevents drift: without a single resolver, some pages will be branded and others will quietly fall back to default styling.
Domain-aware tenant resolution
The hard part of white-label is domain routing. Fluxo resolves tenant identity from the request host using two sources:
- direct custom domain match
- managed subdomain match against primary app host
If the host does not match active domain settings, Fluxo falls back to the primary app base URL. That fallback avoids “domain lockout” scenarios when a domain is pending verification, misconfigured, or mid-migration.
Domain verification and provisioning
For custom domains, Fluxo generates deterministic verification instructions:
- TXT record using HMAC token per organization/domain
- CNAME target from environment or primary host
Fluxo can optionally integrate with domain provisioning APIs to check verification and certificate status. The important design decision is representing the domain as a lifecycle with explicit states (pending, issued, failed) and actionable messages, rather than a binary on/off flag.
Billing and entitlement gating
White-label capabilities are tier-gated:
- branding on Team and Enterprise
- custom domains on Enterprise
Fluxo enforces this on write mutations, not only in frontend controls. Entitlements are backend policy, not a UI preference.
Embedded review surfaces
White-label also applies to public review sessions and embedded review experiences. This is where polish and security meet: external stakeholders can interact with branded flows while Fluxo still enforces session permissions, expiry, rate limits, and audit logging.
Why I built it this way
Agencies need client-facing polish without losing operational rigor. This architecture keeps branding flexible while preserving the same governance and security guarantees as first-party UI, because every surface runs through the same tenant-aware resolver and lifecycle model.