diff --git a/.env.development b/.env.development
index 7572da564..e82cad44a 100644
--- a/.env.development
+++ b/.env.development
@@ -114,7 +114,7 @@ NEXT_PUBLIC_EXTRA_LONG_POLL_INTERVAL=300000
 
 # containers can't use localhost, so we need to use the container name
 IMGPROXY_URL_DOCKER=http://imgproxy:8080
-MEDIA_URL_DOCKER=http://s3:4566/uploads
+MEDIA_URL_DOCKER=http://aws:4566/uploads
 
 # postgres container stuff
 POSTGRES_PASSWORD=password
@@ -177,6 +177,7 @@ AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
 AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
 PERSISTENCE=1
 SKIP_SSL_CERT_DOWNLOAD=1
+LOCALSTACK_ENDPOINT=http://localhost:4566
 
 # tor proxy
 TOR_PROXY=http://tor:7050/
@@ -190,4 +191,10 @@ CPU_SHARES_IMPORTANT=1024
 CPU_SHARES_MODERATE=512
 CPU_SHARES_LOW=256
 
-NEXT_TELEMETRY_DISABLED=1
\ No newline at end of file
+NEXT_TELEMETRY_DISABLED=1
+
+# DNS resolver for custom domain verification
+DNS_RESOLVER=1.1.1.1
+
+# domain debug logger
+CUSTOM_DOMAIN_LOGGER=false
\ No newline at end of file
diff --git a/.env.production b/.env.production
index 78e66ab81..e0a4a58d6 100644
--- a/.env.production
+++ b/.env.production
@@ -23,3 +23,6 @@ DB_APP_CONNECTION_LIMIT=4
 DB_WORKER_CONNECTION_LIMIT=2
 DB_TRANSACTION_TIMEOUT=10000
 NEXT_TELEMETRY_DISABLED=1
+
+# DNS resolver for custom domain verification
+DNS_RESOLVER=1.1.1.1
\ No newline at end of file
diff --git a/api/acm/index.js b/api/acm/index.js
new file mode 100644
index 000000000..cf76f4160
--- /dev/null
+++ b/api/acm/index.js
@@ -0,0 +1,53 @@
+import AWS from 'aws-sdk'
+
+AWS.config.update({
+  region: 'us-east-1'
+})
+
+const config = {}
+
+export async function requestCertificate (domain) {
+  // for local development, we use the LOCALSTACK_ENDPOINT
+  if (process.env.NODE_ENV === 'development') {
+    config.endpoint = process.env.LOCALSTACK_ENDPOINT
+  }
+
+  const acm = new AWS.ACM(config)
+  const params = {
+    DomainName: domain,
+    ValidationMethod: 'DNS',
+    Tags: [
+      {
+        Key: 'ManagedBy',
+        Value: 'stacker.news'
+      }
+    ]
+  }
+
+  const certificate = await acm.requestCertificate(params).promise()
+  return certificate.CertificateArn
+}
+
+export async function describeCertificate (certificateArn) {
+  if (process.env.NODE_ENV === 'development') {
+    config.endpoint = process.env.LOCALSTACK_ENDPOINT
+  }
+  const acm = new AWS.ACM(config)
+  const certificate = await acm.describeCertificate({ CertificateArn: certificateArn }).promise()
+  return certificate
+}
+
+export async function getCertificateStatus (certificateArn) {
+  const certificate = await describeCertificate(certificateArn)
+  return certificate.Certificate.Status
+}
+
+export async function deleteCertificate (certificateArn) {
+  if (process.env.NODE_ENV === 'development') {
+    config.endpoint = process.env.LOCALSTACK_ENDPOINT
+  }
+  const acm = new AWS.ACM(config)
+  const result = await acm.deleteCertificate({ CertificateArn: certificateArn }).promise()
+  console.log(`delete certificate attempt for ${certificateArn}, result: ${JSON.stringify(result)}`)
+  return result
+}
diff --git a/api/resolvers/branding.js b/api/resolvers/branding.js
new file mode 100644
index 000000000..d48774e45
--- /dev/null
+++ b/api/resolvers/branding.js
@@ -0,0 +1,75 @@
+import { GqlAuthenticationError, GqlInputError } from '@/lib/error'
+import { validateSchema, customBrandingSchema } from '@/lib/validate'
+
+export default {
+  Query: {
+    customBranding: async (parent, { subName }, { models }) => {
+      return models.customBranding.findUnique({ where: { subName } })
+    }
+  },
+  Mutation: {
+    setCustomBranding: async (parent, { subName, branding }, { me, models }) => {
+      if (!me) {
+        throw new GqlAuthenticationError()
+      }
+
+      const sub = await models.sub.findUnique({ where: { name: subName } })
+      if (!sub) {
+        throw new GqlInputError('sub not found')
+      }
+
+      if (sub.userId !== me.id) {
+        throw new GqlInputError('you do not own this sub')
+      }
+
+      const { title, colors, logoId, faviconId } = branding
+
+      const parsedLogoId = parseInt(logoId)
+      const parsedFaviconId = parseInt(faviconId)
+
+      if (parsedLogoId) {
+        const logo = await models.upload.findUnique({ where: { id: parsedLogoId } })
+        if (!logo) {
+          throw new GqlInputError('logo not found')
+        }
+      }
+
+      if (parsedFaviconId) {
+        const favicon = await models.upload.findUnique({ where: { id: parsedFaviconId } })
+        if (!favicon) {
+          throw new GqlInputError('favicon not found')
+        }
+      }
+
+      if (!validateSchema(customBrandingSchema, {
+        title,
+        primary: colors.primary,
+        secondary: colors.secondary,
+        info: colors.info,
+        success: colors.success,
+        danger: colors.danger,
+        logoId,
+        faviconId
+      })) {
+        throw new GqlInputError('invalid branding')
+      }
+
+      return await models.customBranding.upsert({
+        where: { subName },
+        update: {
+          title: title || subName,
+          colors,
+          ...(parsedLogoId && { logo: { connect: { id: parsedLogoId } } }),
+          ...(parsedFaviconId && { favicon: { connect: { id: parsedFaviconId } } })
+        },
+        create: {
+          title: title || subName,
+          colors,
+          ...(parsedLogoId && { logo: { connect: { id: parsedLogoId } } }),
+          ...(parsedFaviconId && { favicon: { connect: { id: parsedFaviconId } } }),
+          sub: { connect: { name: subName } }
+        }
+      })
+    }
+  }
+}
diff --git a/api/resolvers/domain.js b/api/resolvers/domain.js
new file mode 100644
index 000000000..2cb466edc
--- /dev/null
+++ b/api/resolvers/domain.js
@@ -0,0 +1,105 @@
+import { validateSchema, customDomainSchema } from '@/lib/validate'
+import { GqlAuthenticationError, GqlInputError } from '@/lib/error'
+import { randomBytes } from 'node:crypto'
+import { getDomainMappingsCache } from '@/lib/domains'
+
+export default {
+  Query: {
+    customDomain: async (parent, { subName }, { models }) => {
+      return models.customDomain.findUnique({ where: { subName } })
+    },
+    domainMapping: async (parent, { domain }, { models }) => {
+      const domainMappings = await getDomainMappingsCache()
+      return domainMappings?.[domain]
+    }
+  },
+  Mutation: {
+    setCustomDomain: async (parent, { subName, domain }, { me, models }) => {
+      if (!me) {
+        throw new GqlAuthenticationError()
+      }
+
+      const sub = await models.sub.findUnique({ where: { name: subName } })
+      if (!sub) {
+        throw new GqlInputError('sub not found')
+      }
+
+      if (sub.userId !== me.id) {
+        throw new GqlInputError('you do not own this sub')
+      }
+
+      domain = domain.trim() // protect against trailing spaces
+      if (domain && !validateSchema(customDomainSchema, { domain })) {
+        throw new GqlInputError('invalid domain format')
+      }
+
+      const existing = await models.customDomain.findUnique({ where: { subName } })
+
+      if (domain) {
+        if (existing && existing.domain === domain && existing.status !== 'HOLD') {
+          throw new GqlInputError('domain already set')
+        }
+
+        const initializeDomain = {
+          domain,
+          createdAt: new Date(),
+          status: 'PENDING',
+          verification: {
+            dns: {
+              state: 'PENDING',
+              cname: 'stacker.news',
+              // generate a random txt record only if it's a new domain
+              txt: existing?.domain === domain && existing.verification.dns.txt
+                ? existing.verification.dns.txt
+                : randomBytes(32).toString('base64')
+            },
+            ssl: {
+              state: 'WAITING',
+              arn: null,
+              cname: null,
+              value: null
+            }
+          }
+        }
+
+        const updatedDomain = await models.customDomain.upsert({
+          where: { subName },
+          update: {
+            ...initializeDomain
+          },
+          create: {
+            ...initializeDomain,
+            sub: {
+              connect: { name: subName }
+            }
+          }
+        })
+
+        // schedule domain verification in 30 seconds
+        await models.$executeRaw`
+        INSERT INTO pgboss.job (name, data, retrylimit, retrydelay, startafter, keepuntil)
+        VALUES ('domainVerification',
+                jsonb_build_object('domainId', ${updatedDomain.id}::INTEGER),
+                3,
+                30,
+                now() + interval '30 seconds',
+                now() + interval '2 days')`
+
+        return updatedDomain
+      } else {
+        try {
+          // delete any existing domain verification jobs
+          await models.$queryRaw`
+          DELETE FROM pgboss.job
+          WHERE name = 'domainVerification'
+                AND data->>'domainId' = ${existing.id}::TEXT`
+
+          return await models.customDomain.delete({ where: { subName } })
+        } catch (error) {
+          console.error(error)
+          throw new GqlInputError('failed to delete domain')
+        }
+      }
+    }
+  }
+}
diff --git a/api/resolvers/index.js b/api/resolvers/index.js
index eccfaf1d0..e3a11dc36 100644
--- a/api/resolvers/index.js
+++ b/api/resolvers/index.js
@@ -20,6 +20,8 @@ import { GraphQLScalarType, Kind } from 'graphql'
 import { createIntScalar } from 'graphql-scalar'
 import paidAction from './paidAction'
 import vault from './vault'
+import domain from './domain'
+import branding from './branding'
 
 const date = new GraphQLScalarType({
   name: 'Date',
@@ -56,4 +58,4 @@ const limit = createIntScalar({
 
 export default [user, item, message, wallet, lnurl, notifications, invite, sub,
   upload, search, growth, rewards, referrals, price, admin, blockHeight, chainFee,
-  { JSONObject }, { Date: date }, { Limit: limit }, paidAction, vault]
+  domain, branding, { JSONObject }, { Date: date }, { Limit: limit }, paidAction, vault]
diff --git a/api/resolvers/sub.js b/api/resolvers/sub.js
index 320670b66..09918be98 100644
--- a/api/resolvers/sub.js
+++ b/api/resolvers/sub.js
@@ -310,6 +310,12 @@ export default {
 
       return sub.SubSubscription?.length > 0
     },
+    customDomain: async (sub, args, { models }) => {
+      return models.customDomain.findUnique({ where: { subName: sub.name } })
+    },
+    customBranding: async (sub, args, { models }) => {
+      return models.customBranding.findUnique({ where: { subName: sub.name } })
+    },
     createdAt: sub => sub.createdAt || sub.created_at
   }
 }
diff --git a/api/ssrApollo.js b/api/ssrApollo.js
index d5513b7d9..6ce7c77dc 100644
--- a/api/ssrApollo.js
+++ b/api/ssrApollo.js
@@ -11,6 +11,7 @@ import { ME } from '@/fragments/users'
 import { PRICE } from '@/fragments/price'
 import { BLOCK_HEIGHT } from '@/fragments/blockHeight'
 import { CHAIN_FEE } from '@/fragments/chainFee'
+import { GET_CUSTOM_BRANDING } from '@/fragments/brandings'
 import { getServerSession } from 'next-auth/next'
 import { getAuthOptions } from '@/pages/api/auth/[...nextauth]'
 import { NOFOLLOW_LIMIT } from '@/lib/constants'
@@ -152,6 +153,18 @@ export function getGetServerSideProps (
 
     const client = await getSSRApolloClient({ req, res })
 
+    const isCustomDomain = req.headers.host !== process.env.NEXT_PUBLIC_URL.replace(/^https?:\/\//, '')
+    const subName = req.headers['x-stacker-news-subname'] || null
+    let customDomain = null
+    if (isCustomDomain && subName) {
+      const { data: { customBranding } } = await client.query({ query: GET_CUSTOM_BRANDING, variables: { subName } })
+      customDomain = {
+        domain: req.headers.host,
+        subName,
+        branding: customBranding || null
+      }
+    }
+
     let { data: { me } } = await client.query({ query: ME })
 
     // required to redirect to /signup on page reload
@@ -216,6 +229,7 @@ export function getGetServerSideProps (
     return {
       props: {
         ...props,
+        customDomain,
         me,
         price,
         blockHeight,
diff --git a/api/typeDefs/branding.js b/api/typeDefs/branding.js
new file mode 100644
index 000000000..085955eb8
--- /dev/null
+++ b/api/typeDefs/branding.js
@@ -0,0 +1,27 @@
+import { gql } from 'graphql-tag'
+
+export default gql`
+  extend type Query {
+    customBranding(subName: String!): CustomBranding
+  }
+
+  extend type Mutation {
+    setCustomBranding(subName: String!, branding: CustomBrandingInput!): CustomBranding
+  }
+
+  type CustomBranding {
+    title: String
+    colors: JSONObject
+    logoId: String
+    faviconId: String
+    subName: String
+  }
+
+  input CustomBrandingInput {
+    title: String
+    colors: JSONObject
+    logoId: String
+    faviconId: String
+    subName: String
+  }
+`
diff --git a/api/typeDefs/domain.js b/api/typeDefs/domain.js
new file mode 100644
index 000000000..d7c02c1e2
--- /dev/null
+++ b/api/typeDefs/domain.js
@@ -0,0 +1,46 @@
+import { gql } from 'graphql-tag'
+
+export default gql`
+  extend type Query {
+    customDomain(subName: String!): CustomDomain
+    domainMapping(domain: String!): DomainMapping
+  }
+
+  extend type Mutation {
+    setCustomDomain(subName: String!, domain: String!): CustomDomain
+  }
+
+  type CustomDomain {
+    createdAt: Date!
+    updatedAt: Date!
+    domain: String!
+    subName: String!
+    lastVerifiedAt: Date
+    failedAttempts: Int
+    status: String
+    verification: CustomDomainVerification
+  }
+  
+  type DomainMapping {
+    domain: String!
+    subName: String!
+  }
+
+  type CustomDomainVerification {
+    dns: CustomDomainVerificationDNS
+    ssl: CustomDomainVerificationSSL
+  }
+
+  type CustomDomainVerificationDNS {
+    state: String
+    cname: String
+    txt: String
+  }
+
+  type CustomDomainVerificationSSL {
+    state: String
+    arn: String
+    cname: String
+    value: String
+  }
+`
diff --git a/api/typeDefs/index.js b/api/typeDefs/index.js
index eb4e1e427..5119ec7ee 100644
--- a/api/typeDefs/index.js
+++ b/api/typeDefs/index.js
@@ -19,6 +19,8 @@ import blockHeight from './blockHeight'
 import chainFee from './chainFee'
 import paidAction from './paidAction'
 import vault from './vault'
+import domain from './domain'
+import branding from './branding'
 
 const common = gql`
   type Query {
@@ -39,4 +41,4 @@ const common = gql`
 `
 
 export default [common, user, item, itemForward, message, wallet, lnurl, notifications, invite,
-  sub, upload, growth, rewards, referrals, price, admin, blockHeight, chainFee, paidAction, vault]
+  sub, upload, growth, rewards, referrals, price, admin, blockHeight, chainFee, domain, branding, paidAction, vault]
diff --git a/api/typeDefs/sub.js b/api/typeDefs/sub.js
index 8401f1854..9e612a222 100644
--- a/api/typeDefs/sub.js
+++ b/api/typeDefs/sub.js
@@ -55,7 +55,8 @@ export default gql`
     nposts(when: String, from: String, to: String): Int!
     ncomments(when: String, from: String, to: String): Int!
     meSubscription: Boolean!
-
+    customDomain: CustomDomain
+    customBranding: CustomBranding
     optional: SubOptional!
   }
 
diff --git a/components/form.js b/components/form.js
index c429ab7c9..16753aecf 100644
--- a/components/form.js
+++ b/components/form.js
@@ -23,7 +23,7 @@ import textAreaCaret from 'textarea-caret'
 import 'react-datepicker/dist/react-datepicker.css'
 import useDebounceCallback, { debounce } from './use-debounce-callback'
 import { FileUpload } from './file-upload'
-import { AWS_S3_URL_REGEXP } from '@/lib/constants'
+import { AWS_S3_URL_REGEXP, MEDIA_URL } from '@/lib/constants'
 import { whenRange } from '@/lib/time'
 import { useFeeButton } from './fee-button'
 import Thumb from '@/svgs/thumb-up-fill.svg'
@@ -41,6 +41,7 @@ import dynamic from 'next/dynamic'
 import { qrImageSettings } from './qr'
 import { useIsClient } from './use-client'
 import PageLoading from './page-loading'
+import Avatar from './avatar'
 
 export class SessionRequiredError extends Error {
   constructor () {
@@ -77,7 +78,7 @@ export function SubmitButton ({
   )
 }
 
-function CopyButton ({ value, icon, ...props }) {
+export function CopyButton ({ value, icon, append, ...props }) {
   const toaster = useToast()
   const [copied, setCopied] = useState(false)
 
@@ -100,6 +101,14 @@ function CopyButton ({ value, icon, ...props }) {
     )
   }
 
+  if (append) {
+    return (
+      <span className={styles.appendButton} {...props} onClick={handleClick}>
+        {append}
+      </span>
+    )
+  }
+
   return (
     <Button className={styles.appendButton} {...props} onClick={handleClick}>
       {copied ? <Thumb width={18} height={18} /> : 'copy'}
@@ -1385,5 +1394,54 @@ export function MultiInput ({
   )
 }
 
+export function ColorPicker ({ label, groupClassName, name, ...props }) {
+  const [field, , helpers] = useField({ ...props, name })
+
+  useEffect(() => {
+    helpers.setValue(field.value)
+  }, [field.value])
+
+  return (
+    <FormGroup label={label} className={groupClassName}>
+      <ClientInput
+        type='color'
+        {...field}
+        {...props}
+        onChange={(formik, e) => {
+          field.onChange(e)
+          if (props.onChange) {
+            props.onChange(formik, e)
+          }
+        }}
+      />
+    </FormGroup>
+  )
+}
+
+export function BrandingUpload ({ label, groupClassName, name, ...props }) {
+  const [field, , helpers] = useField({ ...props, name })
+  const [tempId, setTempId] = useState(field.value)
+
+  const handleSuccess = useCallback((id) => {
+    setTempId(id)
+    helpers.setValue(id)
+  }, [helpers])
+
+  return (
+    <FormGroup label={label} className={groupClassName}>
+      <img
+        src={tempId ? `${MEDIA_URL}/${tempId}` : '/favicon.png'}
+        alt={name}
+        width={100}
+        height={100}
+        style={{ objectFit: 'contain', position: 'relative' }}
+      />
+      <Avatar
+        onSuccess={handleSuccess}
+      />
+    </FormGroup>
+  )
+}
+
 export const ClientInput = Client(Input)
 export const ClientCheckbox = Client(Checkbox)
diff --git a/components/item.module.css b/components/item.module.css
index 8800900e5..1a98cbc3d 100644
--- a/components/item.module.css
+++ b/components/item.module.css
@@ -247,3 +247,31 @@ a.link:visited {
 .skeleton .otherItemLonger {
     width: 60px;
 }
+
+.record {
+    display: flex;
+    flex-direction: column;
+    margin-right: 0.5rem;
+}
+
+.clipboard {
+    cursor: pointer;
+    fill: var(--theme-grey);
+    width: 1rem;
+    height: 1rem;
+}
+
+.clipboard:hover {
+    fill: var(--bs-primary);
+}
+
+.refresh {
+    cursor: pointer;
+    fill: var(--theme-grey);
+    width: 1rem;
+    height: 1rem;
+}
+
+.refresh:hover {
+    fill: var(--bs-primary);
+}
\ No newline at end of file
diff --git a/components/login.js b/components/login.js
index 51f915948..c4f4a5854 100644
--- a/components/login.js
+++ b/components/login.js
@@ -139,6 +139,8 @@ export default function Login ({ providers, callbackUrl, multiAuth, error, text,
                 text={`${text || 'Login'} with`}
               />
             )
+          case 'Sync':
+            return null
           default:
             return (
               <OverlayTrigger
diff --git a/components/nav/common.js b/components/nav/common.js
index 89df6c7ed..6d7090248 100644
--- a/components/nav/common.js
+++ b/components/nav/common.js
@@ -26,12 +26,25 @@ import { useWalletIndicator } from '@/wallets/indicator'
 import SwitchAccountList, { nextAccount, useAccounts } from '@/components/account'
 import { useShowModal } from '@/components/modal'
 import { numWithUnits } from '@/lib/format'
+import { useDomain } from '@/components/territory-domains'
 
 export function Brand ({ className }) {
+  const { customDomain } = useDomain()
+  const branding = customDomain?.branding || {}
   return (
     <Link href='/' passHref legacyBehavior>
       <Navbar.Brand className={classNames(styles.brand, className)}>
-        <SnIcon width={36} height={36} />
+        {branding.logoId
+          ? (
+            <img
+              src={`${process.env.NEXT_PUBLIC_MEDIA_URL}/${branding.logoId}`}
+              alt='Logo'
+              style={{ width: '36px', height: '36px', borderRadius: '.25rem' }}
+            />
+            )
+          : (
+            <SnIcon width={36} height={36} />
+            )}
       </Navbar.Brand>
     </Link>
   )
@@ -120,11 +133,19 @@ export function NavSelect ({ sub: subName, className, size }) {
 
 export function NavNotifications ({ className }) {
   const hasNewNotes = useHasNewNotes()
-
+  const { customDomain } = useDomain()
+  const branding = customDomain?.branding || {}
   return (
     <>
       <Head>
-        <link rel='shortcut icon' href={hasNewNotes ? '/favicon-notify.png' : '/favicon.png'} />
+        <link
+          rel='shortcut icon'
+          href={hasNewNotes && !customDomain
+            ? '/favicon-notify.png'
+            : branding?.faviconId
+              ? `${process.env.NEXT_PUBLIC_MEDIA_URL}/${branding.faviconId}`
+              : '/favicon.png'}
+        />
       </Head>
       <Link href='/notifications' passHref legacyBehavior>
         <Nav.Link eventKey='notifications' className={classNames('position-relative', className)}>
@@ -297,6 +318,7 @@ function LogoutObstacle ({ onClose }) {
   const { registration: swRegistration, togglePushSubscription } = useServiceWorker()
   const { removeLocalWallets } = useWallets()
   const router = useRouter()
+  const { customDomain } = useDomain()
 
   return (
     <div className='d-flex m-auto flex-column w-fit-content'>
@@ -328,7 +350,10 @@ function LogoutObstacle ({ onClose }) {
 
             removeLocalWallets()
 
-            await signOut({ callbackUrl: '/' })
+            await signOut({ callbackUrl: '/', redirect: !customDomain })
+            if (customDomain) {
+              router.push('/') // next auth redirect only supports the main domain
+            }
           }}
         >
           logout
diff --git a/components/nav/desktop/second-bar.js b/components/nav/desktop/second-bar.js
index 4120c3065..c6f30a368 100644
--- a/components/nav/desktop/second-bar.js
+++ b/components/nav/desktop/second-bar.js
@@ -3,7 +3,7 @@ import { NavSelect, PostItem, Sorts, hasNavSelect } from '../common'
 import styles from '../../header.module.css'
 
 export default function SecondBar (props) {
-  const { prefix, topNavKey, sub } = props
+  const { prefix, topNavKey, customDomain, sub } = props
   if (!hasNavSelect(props)) return null
   return (
     <Navbar className='pt-0 pb-2'>
@@ -11,8 +11,10 @@ export default function SecondBar (props) {
         className={styles.navbarNav}
         activeKey={topNavKey}
       >
-        <NavSelect sub={sub} size='medium' className='me-1' />
-        <div className='ms-2 d-flex'><Sorts {...props} className='ms-1' /></div>
+        {!customDomain && <NavSelect sub={sub} size='medium' className='me-1' />}
+        <div className={`${!customDomain ? 'ms-2' : ''} d-flex`}>
+          <Sorts {...props} className={`${!customDomain ? 'ms-1' : ''}`} />
+        </div>
         <PostItem className='ms-auto me-0 d-none d-md-flex' prefix={prefix} />
       </Nav>
     </Navbar>
diff --git a/components/nav/index.js b/components/nav/index.js
index beacbd6fc..d58138b21 100644
--- a/components/nav/index.js
+++ b/components/nav/index.js
@@ -3,16 +3,24 @@ import DesktopHeader from './desktop/header'
 import MobileHeader from './mobile/header'
 import StickyBar from './sticky-bar'
 import { PriceCarouselProvider } from './price-carousel'
+import { useDomain } from '@/components/territory-domains'
 
 export default function Navigation ({ sub }) {
   const router = useRouter()
+  const { customDomain } = useDomain()
+
   const path = router.asPath.split('?')[0]
   const props = {
     prefix: sub ? `/~${sub}` : '',
     path,
     pathname: router.pathname,
-    topNavKey: path.split('/')[sub ? 2 : 1] ?? '',
-    dropNavKey: path.split('/').slice(sub ? 2 : 1).join('/'),
+    topNavKey: customDomain
+      ? path.split('/')[1] ?? ''
+      : path.split('/')[sub ? 2 : 1] ?? '',
+    dropNavKey: customDomain
+      ? path.split('/').slice(1).join('/')
+      : path.split('/').slice(sub ? 2 : 1).join('/'),
+    customDomain,
     sub
   }
 
diff --git a/components/nav/mobile/top-bar.js b/components/nav/mobile/top-bar.js
index 7cb13191d..e496858b9 100644
--- a/components/nav/mobile/top-bar.js
+++ b/components/nav/mobile/top-bar.js
@@ -3,8 +3,9 @@ import styles from '../../header.module.css'
 import { Back, NavPrice, NavSelect, NavWalletSummary, SignUpButton, hasNavSelect } from '../common'
 import { useMe } from '@/components/me'
 
-export default function TopBar ({ prefix, sub, path, pathname, topNavKey, dropNavKey }) {
+export default function TopBar ({ prefix, sub, path, pathname, topNavKey, dropNavKey, customDomain }) {
   const { me } = useMe()
+  if (hasNavSelect({ path, pathname }) && customDomain) return null
   return (
     <Navbar>
       <Nav
diff --git a/components/seo.js b/components/seo.js
index 2aaa6615b..0a19932a2 100644
--- a/components/seo.js
+++ b/components/seo.js
@@ -2,26 +2,30 @@ import { NextSeo } from 'next-seo'
 import { useRouter } from 'next/router'
 import removeMd from 'remove-markdown'
 import { numWithUnits } from '@/lib/format'
+import { useDomain } from '@/components/territory-domains'
 
 export function SeoSearch ({ sub }) {
   const router = useRouter()
-  const subStr = sub ? ` ~${sub}` : ''
-  const title = `${router.query.q || 'search'} \\ stacker news${subStr}`
+  const { customDomain } = useDomain()
+  const branding = customDomain?.branding || null
+  const title = branding?.title || 'stacker news'
+  const subStr = sub && !customDomain ? ` ~${sub}` : ''
+  const snStr = `${router.query.q || 'search'} \\ ${title}${subStr}`
   const desc = `SN${subStr} search: ${router.query.q || ''}`
 
   return (
     <NextSeo
-      title={title}
+      title={snStr}
       description={desc}
       openGraph={{
-        title,
+        snStr,
         description: desc,
         images: [
           {
             url: 'https://capture.stacker.news' + router.asPath
           }
         ],
-        site_name: 'Stacker News'
+        site_name: title
       }}
       twitter={{
         site: '@stacker_news',
@@ -35,13 +39,17 @@ export function SeoSearch ({ sub }) {
 // item seo
 // index page seo
 // recent page seo
+// TODO CUSTOM DOMAINS: cleanup, verify everything is good, apply custom title to everything
 
 export default function Seo ({ sub, item, user }) {
   const router = useRouter()
+  const { customDomain } = useDomain()
+  const branding = customDomain?.branding || null
+  const title = branding?.title || 'stacker news'
   const pathNoQuery = router.asPath.split('?')[0]
   const defaultTitle = pathNoQuery.slice(1)
-  const snStr = `stacker news${sub ? ` ~${sub}` : ''}`
-  let fullTitle = `${defaultTitle && `${defaultTitle} \\ `}stacker news`
+  const snStr = `${title}${sub && !customDomain ? ` ~${sub}` : ''}`
+  let fullTitle = `${defaultTitle && `${defaultTitle} \\ `}${title}`
   let desc = "It's like Hacker News but we pay you Bitcoin."
   if (item) {
     if (item.title) {
@@ -84,7 +92,7 @@ export default function Seo ({ sub, item, user }) {
             url: 'https://capture.stacker.news' + pathNoQuery
           }
         ],
-        site_name: 'Stacker News'
+        site_name: title
       }}
       twitter={{
         site: '@stacker_news',
diff --git a/components/sub-select.js b/components/sub-select.js
index c6a136dd9..c484e9284 100644
--- a/components/sub-select.js
+++ b/components/sub-select.js
@@ -6,6 +6,7 @@ import { SUBS } from '@/fragments/subs'
 import { useQuery } from '@apollo/client'
 import styles from './sub-select.module.css'
 import { useMe } from './me'
+import { useDomain } from './territory-domains'
 
 export function SubSelectInitial ({ sub }) {
   const router = useRouter()
@@ -21,6 +22,8 @@ const DEFAULT_APPEND_SUBS = []
 const DEFAULT_FILTER_SUBS = () => true
 
 export function useSubs ({ prependSubs = DEFAULT_PREPEND_SUBS, sub, filterSubs = DEFAULT_FILTER_SUBS, appendSubs = DEFAULT_APPEND_SUBS }) {
+  const { customDomain } = useDomain()
+  if (customDomain) return [customDomain.subName]
   const { data, refetch } = useQuery(SUBS, SSR
     ? {}
     : {
diff --git a/components/territory-branding-form.js b/components/territory-branding-form.js
new file mode 100644
index 000000000..4f592c7ab
--- /dev/null
+++ b/components/territory-branding-form.js
@@ -0,0 +1,97 @@
+import { Form, SubmitButton, ColorPicker, Input, BrandingUpload } from './form'
+import { useMutation } from '@apollo/client'
+import { useToast } from './toast'
+import { customBrandingSchema } from '@/lib/validate'
+import { SET_CUSTOM_BRANDING } from '@/fragments/brandings'
+import AccordianItem from './accordian-item'
+
+export default function BrandingForm ({ sub }) {
+  const [setCustomBranding] = useMutation(SET_CUSTOM_BRANDING)
+  const toaster = useToast()
+
+  const onSubmit = async (values) => {
+    try {
+      await setCustomBranding({
+        variables: {
+          subName: sub.name,
+          branding: {
+            title: values.title,
+            colors: {
+              primary: values.primary,
+              secondary: values.secondary,
+              info: values.info,
+              success: values.success,
+              danger: values.danger
+            },
+            logoId: values.logoId,
+            faviconId: values.faviconId
+          }
+        }
+      })
+      toaster.success('Branding updated successfully')
+    } catch (error) {
+      console.error(error)
+      toaster.danger('Failed to update branding', { error })
+    }
+  }
+
+  const customBranding = sub?.customBranding || {}
+  const subColors = customBranding?.colors || {}
+
+  const initialValues = {
+    title: customBranding?.title || sub?.name,
+    primary: subColors?.primary || '#FADA5E',
+    secondary: subColors?.secondary || '#F6911D',
+    info: subColors?.info || '#007cbe',
+    success: subColors?.success || '#5c8001',
+    danger: subColors?.danger || '#c03221',
+    logoId: customBranding?.logoId || null,
+    faviconId: customBranding?.faviconId || null
+  }
+
+  return (
+    <Form
+      initial={initialValues}
+      schema={customBrandingSchema}
+      onSubmit={onSubmit}
+    >
+      <Input label='title' name='title' />
+      <div className='row'>
+        <ColorPicker groupClassName='col-4' label='primary color' name='primary' />
+        <ColorPicker groupClassName='col-4' label='secondary color' name='secondary' />
+      </div>
+      <AccordianItem
+        header={<div className='fw-bold text-muted'>more colors</div>}
+        body={
+          <div className='row'>
+            <ColorPicker groupClassName='col-4' label='info color' name='info' />
+            <ColorPicker groupClassName='col-4' label='success color' name='success' />
+            <ColorPicker groupClassName='col-4' label='danger color' name='danger' />
+          </div>
+        }
+      />
+      <AccordianItem
+        header={<div className='fw-bold text-muted'>logo and favicon</div>}
+        body={
+          <div className='row'>
+            <div className='col-2'>
+              <label className='form-label'>logo</label>
+              <div style={{ position: 'relative', width: '100px', height: '100px', border: '1px solid #dee2e6', borderRadius: '5px', overflow: 'hidden' }}>
+                <BrandingUpload name='logoId' />
+              </div>
+            </div>
+            <div className='col-2'>
+              <label className='form-label'>favicon</label>
+              <div style={{ position: 'relative', width: '100px', height: '100px', border: '1px solid #dee2e6', borderRadius: '5px', overflow: 'hidden' }}>
+                <BrandingUpload name='faviconId' />
+              </div>
+            </div>
+          </div>
+        }
+      />
+      <div className='mt-3 d-flex justify-content-end'>
+        <SubmitButton variant='primary'>save branding</SubmitButton>
+      </div>
+    </Form>
+  )
+}
diff --git a/components/territory-domains.js b/components/territory-domains.js
new file mode 100644
index 000000000..8ec090f2f
--- /dev/null
+++ b/components/territory-domains.js
@@ -0,0 +1,307 @@
+import { Badge } from 'react-bootstrap'
+import { Form, Input, SubmitButton, CopyButton } from './form'
+import { useMutation, useQuery } from '@apollo/client'
+import { customDomainSchema } from '@/lib/validate'
+import { useToast } from '@/components/toast'
+import { NORMAL_POLL_INTERVAL, SSR } from '@/lib/constants'
+import { GET_CUSTOM_DOMAIN, SET_CUSTOM_DOMAIN } from '@/fragments/domains'
+import { useEffect, createContext, useContext, useState } from 'react'
+import { useRouter } from 'next/router'
+import { signIn } from 'next-auth/react'
+import BrandingForm from '@/components/territory-branding-form'
+import Head from 'next/head'
+import Moon from '@/svgs/moon-fill.svg'
+import ClipboardLine from '@/svgs/clipboard-line.svg'
+import RefreshLine from '@/svgs/refresh-line.svg'
+import styles from './item.module.css'
+
+// Domain context for custom domains
+const DomainContext = createContext({
+  customDomain: {
+    domain: null,
+    subName: null,
+    branding: null
+  }
+})
+
+export const DomainProvider = ({ customDomain: ssrCustomDomain, children }) => {
+  const router = useRouter()
+  const [customDomain, setCustomDomain] = useState(ssrCustomDomain || null)
+
+  // maintain the custom domain state across re-renders
+  useEffect(() => {
+    if (ssrCustomDomain && !customDomain) {
+      setCustomDomain(ssrCustomDomain)
+    }
+  }, [ssrCustomDomain])
+
+  // temporary auth sync
+  useEffect(() => {
+    if (router.query.type === 'sync') {
+      console.log('signing in with sync', router.query)
+      signIn('sync', {
+        token: router.query.token,
+        multiAuth: router.query.multiAuth,
+        redirect: false
+      })
+      router.push(router.query.callbackUrl) // next auth redirect only supports the main domain
+    }
+  }, [router.query.type])
+
+  const branding = customDomain?.branding || null
+  const colors = branding?.colors || null
+
+  return (
+    <DomainContext.Provider value={{ customDomain }}>
+      {branding && (
+        <>
+          <Head>
+            {branding?.title && <title>{branding?.title}</title>}
+            {branding?.favicon && <link rel='icon' href={branding.favicon} />}
+          </Head>
+          {colors && <CustomStyles branding={branding} />}
+        </>
+      )}
+      {children}
+    </DomainContext.Provider>
+  )
+}
+
+export const useDomain = () => useContext(DomainContext)
+
+const getStatusBadge = (status) => {
+  switch (status) {
+    case 'VERIFIED':
+      return <Badge bg='success'>DNS verified</Badge>
+    default:
+      return <Badge bg='warning'>DNS pending</Badge>
+  }
+}
+
+const getSSLStatusBadge = (status) => {
+  switch (status) {
+    case 'VERIFIED':
+      return <Badge bg='success'>SSL verified</Badge>
+    case 'WAITING':
+      return <Badge bg='info'>SSL waiting</Badge>
+    default:
+      return <Badge bg='warning'>SSL pending</Badge>
+  }
+}
+
+const DomainLabel = ({ customDomain, polling }) => {
+  const { domain, status, verification, lastVerifiedAt } = customDomain || {}
+
+  return (
+    <div className='d-flex align-items-center gap-2'>
+      <span>custom domain</span>
+      {domain && (
+        <div className='d-flex align-items-center gap-2'>
+          {status !== 'HOLD'
+            ? (
+              <>
+                {getStatusBadge(verification?.dns?.state)}
+                {getSSLStatusBadge(verification?.ssl?.state)}
+              </>
+              )
+            : (<Badge bg='secondary'>HOLD</Badge>)}
+          {status === 'HOLD' && (
+            <SubmitButton variant='link' className='p-0'>
+              <RefreshLine className={styles.refresh} style={{ width: '1rem', height: '1rem' }} />
+            </SubmitButton>
+          )}
+          {polling && <Moon className='spin fill-grey' style={{ width: '1rem', height: '1rem' }} />}
+        </div>
+      )}
+      {lastVerifiedAt && status !== 'ACTIVE' && (
+        <span className='text-muted'>
+          <small>last verified {new Date(lastVerifiedAt).toLocaleString()}</small>
+        </span>
+      )}
+    </div>
+  )
+}
+
+const DomainGuidelines = ({ customDomain }) => {
+  const { domain, verification } = customDomain || {}
+
+  const dnsRecord = ({ host, value }) => {
+    return (
+      <div className='d-flex align-items-center gap-2'>
+        <span className={`${styles.record}`}>
+          <small className='fw-bold text-muted d-flex align-items-center gap-1 position-relative'>
+            host
+            <CopyButton
+              value={host}
+              append={
+                <ClipboardLine
+                  className={`${styles.clipboard}`}
+                  style={{ width: '1rem', height: '1rem' }}
+                />
+              }
+            />
+          </small>
+          <pre>{host}</pre>
+        </span>
+        <span className={`${styles.record}`}>
+          <small className='fw-bold text-muted d-flex align-items-center gap-1 position-relative'>
+            value
+            <CopyButton
+              value={value}
+              append={
+                <ClipboardLine
+                  className={`${styles.clipboard}`}
+                  style={{ width: '1rem', height: '1rem' }}
+                />
+              }
+            />
+          </small>
+          <pre>{value}</pre>
+        </span>
+      </div>
+    )
+  }
+
+  return (
+    <div className='d-flex'>
+      {(verification?.dns?.state && verification?.dns?.state !== 'VERIFIED') && (
+        <div className='d-flex flex-column gap-2'>
+          <h5>Step 1: Verify your domain</h5>
+          <p>Add the following DNS records to verify ownership of your domain:</p>
+          <h6>CNAME</h6>
+          {dnsRecord({ host: domain || 'www', value: verification?.dns?.cname })}
+          <hr />
+          <h6>TXT</h6>
+          {dnsRecord({ host: `_snverify.${domain}`, value: verification?.dns?.txt })}
+        </div>
+      )}
+      {verification?.ssl?.state === 'PENDING' && (
+        <div className=''>
+          <h5>Step 2: Prepare your domain for SSL</h5>
+          <p>We issued an SSL certificate for your domain. To validate it, add the following CNAME record:</p>
+          <h6>CNAME</h6>
+          {dnsRecord({ host: verification?.ssl?.cname || 'waiting for SSL certificate', value: verification?.ssl?.value || 'waiting for SSL certificate' })}
+        </div>
+      )}
+    </div>
+  )
+}
+
+export default function CustomDomainForm ({ sub }) {
+  const [setCustomDomain] = useMutation(SET_CUSTOM_DOMAIN)
+
+  // Get the custom domain and poll for changes
+  const { data, refetch } = useQuery(GET_CUSTOM_DOMAIN, SSR
+    ? {}
+    : {
+        variables: { subName: sub.name },
+        pollInterval: NORMAL_POLL_INTERVAL,
+        nextFetchPolicy: 'cache-and-network',
+        onCompleted: ({ customDomain }) => {
+          if (customDomain?.status !== 'PENDING') {
+            return { pollInterval: 0 }
+          }
+        }
+      })
+  const toaster = useToast()
+
+  const { domain, status } = data?.customDomain || {}
+  const polling = status === 'PENDING'
+
+  // Update the custom domain
+  const onSubmit = async ({ domain }) => {
+    try {
+      await setCustomDomain({
+        variables: {
+          subName: sub.name,
+          domain
+        }
+      })
+      refetch()
+      if (domain) {
+        toaster.success('started domain verification')
+      } else {
+        toaster.success('domain removed successfully')
+      }
+    } catch (error) {
+      toaster.danger(error.message)
+    }
+  }
+
+  return (
+    <>
+      <Form
+        initial={{ domain: domain || sub?.customDomain?.domain }}
+        schema={customDomainSchema}
+        onSubmit={onSubmit}
+        className='mb-2'
+      >
+        <div className='d-flex align-items-center gap-2'>
+          <Input
+            groupClassName='w-100'
+            label={<DomainLabel customDomain={data?.customDomain} polling={polling} />}
+            name='domain'
+            placeholder='www.example.com'
+          />
+          <SubmitButton variant='primary' className='mt-3'>save</SubmitButton>
+        </div>
+      </Form>
+      <DomainGuidelines customDomain={data?.customDomain} />
+      {status === 'ACTIVE' &&
+        <BrandingForm sub={sub} />}
+    </>
+  )
+}
+
+export function CustomStyles ({ branding }) {
+  useEffect(() => {
+    const colors = branding?.colors || null
+    if (colors) {
+      const styleElement = document.createElement('style')
+      styleElement.textContent = `
+        :root {
+          --bs-transition: all 0.3s ease;
+          --bs-primary: ${colors.primary};
+          --bs-secondary: ${colors.secondary};
+          --bs-info: ${colors.info};
+          --bs-success: ${colors.success};
+          --bs-danger: ${colors.danger};
+          --bs-primary-rgb: ${hexToRgb(colors.primary)};
+          --bs-secondary-rgb: ${hexToRgb(colors.secondary)};
+          --bs-info-rgb: ${hexToRgb(colors.info)};
+          --bs-success-rgb: ${hexToRgb(colors.success)};
+          --bs-danger-rgb: ${hexToRgb(colors.danger)};
+        }
+
+        .navbar-brand svg {
+          transition: var(--bs-transition);
+          fill: var(--bs-primary);
+        }
+
+        .btn-primary, .btn-secondary,
+        .bg-primary, .bg-secondary,
+        .text-primary, .text-secondary,
+        .border-primary, .border-secondary
+        [class*="btn-outline-primary"], [class*="btn-outline-secondary"],
+        [style*="--bs-primary"], [style*="--bs-secondary"] {
+          transition: var(--bs-transition);
+        }
+      `
+      document.head.appendChild(styleElement)
+
+      // Cleanup function
+      return () => {
+        document.head.removeChild(styleElement)
+      }
+    }
+  }, [branding])
+}
+
+// hex to rgb for compat
+function hexToRgb (hex) {
+  hex = hex.replace('#', '')
+  const r = parseInt(hex.substring(0, 2), 16)
+  const g = parseInt(hex.substring(2, 4), 16)
+  const b = parseInt(hex.substring(4, 6), 16)
+  return `${r}, ${g}, ${b}`
+}
diff --git a/components/territory-form.js b/components/territory-form.js
index 0983002c8..3306a0200 100644
--- a/components/territory-form.js
+++ b/components/territory-form.js
@@ -14,11 +14,15 @@ import { purchasedType } from '@/lib/territory'
 import { SUB } from '@/fragments/subs'
 import { usePaidMutation } from './use-paid-mutation'
 import { UNARCHIVE_TERRITORY, UPSERT_SUB } from '@/fragments/paidAction'
+import TerritoryDomains, { useDomain } from './territory-domains'
+import Link from 'next/link'
 
 export default function TerritoryForm ({ sub }) {
   const router = useRouter()
   const client = useApolloClient()
   const { me } = useMe()
+  const { customDomain } = useDomain()
+
   const [upsertSub] = usePaidMutation(UPSERT_SUB)
   const [unarchiveTerritory] = usePaidMutation(UNARCHIVE_TERRITORY)
 
@@ -254,7 +258,7 @@ export default function TerritoryForm ({ sub }) {
                       </ol>
                     </Info>
                   </div>
-          }
+                }
                 name='moderated'
                 groupClassName='ms-1'
               />
@@ -270,13 +274,12 @@ export default function TerritoryForm ({ sub }) {
                       </ol>
                     </Info>
                   </div>
-          }
+                }
                 name='nsfw'
                 groupClassName='ms-1'
               />
             </>
-
-}
+          }
         />
         <div className='mt-3 d-flex justify-content-end'>
           <FeeButton
@@ -286,6 +289,14 @@ export default function TerritoryForm ({ sub }) {
           />
         </div>
       </Form>
+      {sub && !customDomain &&
+        <div className='w-100'>
+          <AccordianItem
+            header={<div style={{ fontWeight: 'bold', fontSize: '92%' }}>advanced</div>}
+            body={<TerritoryDomains sub={sub} />}
+          />
+        </div>}
+      {sub && customDomain && <Link className='text-muted w-100' href={`${process.env.NEXT_PUBLIC_URL}/~${sub.name}/edit`}>domain settings on stacker.news</Link>}
     </FeeButtonProvider>
   )
 }
diff --git a/components/territory-header.js b/components/territory-header.js
index de52ec929..1c2e70323 100644
--- a/components/territory-header.js
+++ b/components/territory-header.js
@@ -12,6 +12,7 @@ import { gql, useMutation } from '@apollo/client'
 import { useToast } from './toast'
 import ActionDropdown from './action-dropdown'
 import { TerritoryTransferDropdownItem } from './territory-transfer'
+import { useDomain } from './territory-domains'
 
 export function TerritoryDetails ({ sub, children }) {
   return (
@@ -69,6 +70,12 @@ export function TerritoryInfo ({ sub, includeLink }) {
             <span className='fw-bold'>{numWithUnits(sub.replyCost)}</span>
           </div>
         </div>
+        {sub.customDomain?.status === 'ACTIVE' && (
+          <div className='text-muted'>
+            <span>website </span>
+            <Link className='fw-bold' href={`https://${sub.customDomain.domain}`}>{sub.customDomain.domain}</Link>
+          </div>
+        )}
         <TerritoryBillingLine sub={sub} />
       </CardFooter>
     </>
@@ -78,6 +85,7 @@ export function TerritoryInfo ({ sub, includeLink }) {
 export default function TerritoryHeader ({ sub }) {
   const { me } = useMe()
   const toaster = useToast()
+  const { customDomain } = useDomain()
 
   const [toggleMuteSub] = useMutation(
     gql`
@@ -96,6 +104,7 @@ export default function TerritoryHeader ({ sub }) {
   )
 
   const isMine = Number(sub.userId) === Number(me?.id)
+  if (customDomain && !isMine) return null
 
   return (
     <>
diff --git a/docker-compose.yml b/docker-compose.yml
index 60d870ce6..83b73f931 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -136,9 +136,9 @@ services:
     labels:
       - "CONNECT=localhost:3001"
     cpu_shares: "${CPU_SHARES_LOW}"
-  s3:
-    container_name: s3
-    image: localstack/localstack:s3-latest
+  aws:
+    container_name: aws
+    image: localstack/localstack:latest
     # healthcheck:
     #   test: ["CMD-SHELL", "awslocal", "s3", "ls", "s3://uploads"]
     #   interval: 10s
@@ -156,9 +156,9 @@ services:
     expose:
       - "4566"
     volumes:
-      - 's3:/var/lib/localstack'
-      - './docker/s3/init-s3.sh:/etc/localstack/init/ready.d/init-s3.sh'
-      - './docker/s3/cors.json:/etc/localstack/init/ready.d/cors.json'
+      - 'aws:/var/lib/localstack'
+      - './docker/aws/s3/init-s3.sh:/etc/localstack/init/ready.d/init-s3.sh'
+      - './docker/aws/s3/cors.json:/etc/localstack/init/ready.d/cors.json'
     labels:
       - "CONNECT=localhost:4566"
     cpu_shares: "${CPU_SHARES_LOW}"
@@ -814,7 +814,7 @@ volumes:
   lnd:
   cln:
   router_lnd:
-  s3:
+  aws:
   nwc_send:
   nwc_recv:
   tordata:
diff --git a/docker/s3/cors.json b/docker/aws/s3/cors.json
similarity index 100%
rename from docker/s3/cors.json
rename to docker/aws/s3/cors.json
diff --git a/docker/s3/init-s3.sh b/docker/aws/s3/init-s3.sh
similarity index 100%
rename from docker/s3/init-s3.sh
rename to docker/aws/s3/init-s3.sh
diff --git a/docs/dev/custom-domains.md b/docs/dev/custom-domains.md
new file mode 100644
index 000000000..34dea2751
--- /dev/null
+++ b/docs/dev/custom-domains.md
@@ -0,0 +1,123 @@
+# Custom Domains
+tbd
+
+### Content
+- [Let's go HTTPS](#prerequisites)
+
+## Let's go HTTPS with a reverse proxy
+
+To set custom domains correctly we need to have a domain and SSL certificates.
+
+We'll cover a basic **NGINX** configuration with **Let's Encrypt/certbot** on Linux-based systems, but you have the freedom to experiment with other methods and platforms.
+
+#### Prerequisites
+- a domain or a public hostname
+- install [nginx](https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/)
+- install [certbot](https://certbot.eff.org/instructions?ws=nginx&os=pip)
+- possibility to add `CNAME` and `TXT` records
+- domain with an `A` record at your nginx host
+
+
+### Step 1: Create a nginx site for your SN instance
+
+Start creating a new site by editing `/etc/nginx/sites-available/your-domain.tld` with your editor of choice.
+
+<details><summary>A sample nginx site configuration to prepare for certbot</summary>
+Edit this configuration to match your configuration, you can have more domains.
+
+```
+server {
+    listen 80;
+    listen [::]:80;
+    server_name your-domain.tld (sub.your-domain.tld, another.your-domain.tld);
+
+    # for Let's Encrypt SSL issuance
+    location /.well-known/acme-challenge/ {
+        root /var/www/letsencrypt;
+        try_files $uri =404;
+    }
+}
+```
+</details>
+
+after editing, send `sudo systemctl restart nginx`
+
+### Step 2: Get a certificate for your domains
+We can now get a certificate for your domain from Let's Encrypt/certbot.
+
+Edit the `-d` section to match your configuration. Every domain, sub-domain needs to have its own certificate.
+
+```
+sudo certbot certonly \
+  --webroot -w /var/www/letsencrypt \
+  -d your-domain.tld (-d sub.your-domain.tld -d another.your-domain.tld) \
+  --email your@email.com \
+  --agree-tos --no-eff-email \
+  --deploy-hook "systemctl reload nginx"
+```
+
+If everything went smooth, we should now have a domain with a valid SSL certificate.
+
+### Step 3: Proxy everything to sndev!
+
+Let's go back to `/etc/nginx/sites-available/your-domain.tld` to add a SSL proxy for our sndev instance
+
+<details><summary>A sample nginx reverse proxy config</summary>
+Edit this configuration to match your configuration, you can have more domains.
+
+```
+server {
+    listen 80;
+    listen [::]:80;
+    server_name your-domain.tld (sub.your-domain.tld, another.your-domain.tld);
+
+    # for Let's Encrypt SSL issuance
+    location /.well-known/acme-challenge/ {
+        root /var/www/letsencrypt;
+        try_files $uri =404;
+    }
+
+    # 301 to HTTPS
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name your-domain.tld (sub.your-domain.tld, another.your-domain.tld);
+
+    ssl_certificate     /etc/letsencrypt/live/your-domain.tld/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/your-domain.tld/privkey.pem;
+    include             /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;
+
+    # proxy everything to sndev
+    location / {
+        proxy_pass http://sndev-instance-ip:3000;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+    }
+
+    # optional security headers
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-Content-Type-Options "nosniff";
+    add_header Referrer-Policy "no-referrer-when-downgrade";
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+}
+```
+</details>
+
+### Step 4: Start sndev
+Make sure to change your environment variables such as `.env.local` from something like `http://localhost:3000` to `https://your-domain.tld`
+
+Start sndev with `./sndev start` and then navigate to your domain, you should see **Stacker News**!
+
+If not, go back and make sure that everything is correct, you can encounter any kind of errors and **Internet can be of help**.
diff --git a/fragments/brandings.js b/fragments/brandings.js
new file mode 100644
index 000000000..380afd280
--- /dev/null
+++ b/fragments/brandings.js
@@ -0,0 +1,29 @@
+import { gql } from 'graphql-tag'
+
+export const CUSTOM_BRANDING_FIELDS = gql`
+  fragment CustomBrandingFields on CustomBranding {
+    title
+    colors
+    logoId
+    faviconId
+    subName
+  }
+`
+
+export const GET_CUSTOM_BRANDING = gql`
+  ${CUSTOM_BRANDING_FIELDS}
+  query CustomBranding($subName: String!) {
+    customBranding(subName: $subName) {
+      ...CustomBrandingFields
+    }
+  }
+`
+
+export const SET_CUSTOM_BRANDING = gql`
+  ${CUSTOM_BRANDING_FIELDS}
+  mutation SetCustomBranding($subName: String!, $branding: CustomBrandingInput!) {
+    setCustomBranding(subName: $subName, branding: $branding) {
+      ...CustomBrandingFields
+    }
+  }
+`
diff --git a/fragments/domains.js b/fragments/domains.js
new file mode 100644
index 000000000..d6b4a05eb
--- /dev/null
+++ b/fragments/domains.js
@@ -0,0 +1,68 @@
+import { gql } from 'graphql-tag'
+
+export const CUSTOM_DOMAIN_FIELDS = gql`
+  fragment CustomDomainFields on CustomDomain {
+    domain
+    status
+  }
+`
+
+export const CUSTOM_DOMAIN_FULL_FIELDS = gql`
+  ${CUSTOM_DOMAIN_FIELDS}
+  fragment CustomDomainFullFields on CustomDomain {
+    ...CustomDomainFields
+    lastVerifiedAt
+    verification {
+      dns {
+        state
+        cname
+        txt
+      }
+      ssl {
+        state
+        arn
+        cname
+        value
+      }
+    }
+  }
+`
+
+export const GET_CUSTOM_DOMAIN = gql`
+  ${CUSTOM_DOMAIN_FULL_FIELDS}
+  query CustomDomain($subName: String!) {
+    customDomain(subName: $subName) {
+      ...CustomDomainFullFields
+    }
+  }
+`
+
+export const GET_DOMAIN_MAPPING = gql`
+  query DomainMapping($domain: String!) {
+    domainMapping(domain: $domain) {
+      domain
+      subName
+    }
+  }
+`
+
+export const SET_CUSTOM_DOMAIN = gql`
+  mutation SetCustomDomain($subName: String!, $domain: String!) {
+    setCustomDomain(subName: $subName, domain: $domain) {
+      domain
+      verification {
+        dns {
+          state
+          cname
+          txt
+        }
+        ssl {
+          state
+          arn
+          cname
+          value
+        }
+      }
+    }
+  }
+`
diff --git a/fragments/subs.js b/fragments/subs.js
index 70fddd6b5..815d99b08 100644
--- a/fragments/subs.js
+++ b/fragments/subs.js
@@ -1,6 +1,8 @@
 import { gql } from '@apollo/client'
 import { ITEM_FIELDS, ITEM_FULL_FIELDS } from './items'
 import { COMMENTS_ITEM_EXT_FIELDS } from './comments'
+import { CUSTOM_DOMAIN_FIELDS } from './domains'
+import { CUSTOM_BRANDING_FIELDS } from './brandings'
 
 // we can't import from users because of circular dependency
 const STREAK_FIELDS = gql`
@@ -13,7 +15,10 @@ const STREAK_FIELDS = gql`
   }
 `
 
+// TODO: better place
 export const SUB_FIELDS = gql`
+  ${CUSTOM_DOMAIN_FIELDS}
+  ${CUSTOM_BRANDING_FIELDS}
   fragment SubFields on Sub {
     name
     createdAt
@@ -34,6 +39,12 @@ export const SUB_FIELDS = gql`
     meMuteSub
     meSubscription
     nsfw
+    customDomain {
+      ...CustomDomainFields
+    }
+    customBranding {
+      ...CustomBrandingFields
+    }
   }`
 
 export const SUB_FULL_FIELDS = gql`
diff --git a/lib/domain-verification.js b/lib/domain-verification.js
new file mode 100644
index 000000000..eca43f7c9
--- /dev/null
+++ b/lib/domain-verification.js
@@ -0,0 +1,112 @@
+import { requestCertificate, getCertificateStatus, describeCertificate } from '@/api/acm'
+import { Resolver } from 'node:dns/promises'
+
+// Issue a certificate for a custom domain
+export async function issueDomainCertificate (domainName) {
+  try {
+    const certificateArn = await requestCertificate(domainName)
+    return certificateArn
+  } catch (error) {
+    console.error(`Failed to issue certificate for domain ${domainName}:`, error)
+    return null
+  }
+}
+
+// Check the status of a certificate for a custom domain
+export async function checkCertificateStatus (certificateArn) {
+  let certStatus
+  try {
+    certStatus = await getCertificateStatus(certificateArn)
+  } catch (error) {
+    console.error(`Certificate status check failed: ${error.message}`)
+    return 'FAILED'
+  }
+
+  // map ACM statuses
+  switch (certStatus) {
+    case 'ISSUED':
+      return 'VERIFIED'
+    case 'PENDING_VALIDATION':
+      return 'PENDING'
+    case 'VALIDATION_TIMED_OUT':
+    case 'FAILED':
+      return 'FAILED'
+    default:
+      return 'PENDING'
+  }
+}
+
+// Get the details of a certificate for a custom domain
+export async function certDetails (certificateArn) {
+  try {
+    const certificate = await describeCertificate(certificateArn)
+    return certificate
+  } catch (error) {
+    console.error(`Certificate description failed: ${error.message}`)
+    return null
+  }
+}
+
+// Get the validation values for a certificate for a custom domain
+// TODO: Test with real values, localstack don't have this info until the certificate is issued
+export async function getValidationValues (certificateArn) {
+  const certificate = await certDetails(certificateArn)
+  if (!certificate || !certificate.Certificate || !certificate.Certificate.DomainValidationOptions) {
+    return { cname: null, value: null }
+  }
+
+  console.log(certificate.Certificate.DomainValidationOptions)
+  return {
+    cname: certificate.Certificate.DomainValidationOptions[0]?.ResourceRecord?.Name || null,
+    value: certificate.Certificate.DomainValidationOptions[0]?.ResourceRecord?.Value || null
+  }
+}
+
+// Verify the DNS records for a custom domain
+export async function verifyDomainDNS (domainName, verificationTxt, verificationCname) {
+  const cname = verificationCname || process.env.NEXT_PUBLIC_URL.replace(/^https?:\/\//, '')
+  const txtHost = `_snverify.${domainName}`
+  const result = {
+    txtValid: false,
+    cnameValid: false,
+    error: null
+  }
+
+  // by default use cloudflare DNS resolver
+  const resolver = new Resolver()
+  resolver.setServers([process.env.DNS_RESOLVER || '1.1.1.1'])
+
+  // TXT Records checking
+  try {
+    const txtRecords = await resolver.resolveTxt(txtHost)
+    const txtText = txtRecords.flat().join(' ')
+
+    // the TXT record should include the verificationTxt that we have in the database
+    result.txtValid = txtText.includes(verificationTxt)
+  } catch (error) {
+    if (error.code === 'ENODATA' || error.code === 'ENOTFOUND') {
+      result.error = `TXT record not found: ${error.code}`
+    } else {
+      result.error = `TXT error: ${error.message}`
+    }
+  }
+
+  // CNAME Records checking
+  try {
+    const cnameRecords = await resolver.resolveCname(domainName)
+
+    // the CNAME record should include the cname that we have in the database
+    result.cnameValid = cnameRecords.some(record =>
+      record.includes(cname)
+    )
+  } catch (error) {
+    if (!result.error) { // this is to avoid overriding the error from the TXT check
+      if (error.code === 'ENODATA' || error.code === 'ENOTFOUND') {
+        result.error = `CNAME record not found: ${error.code}`
+      } else {
+        result.error = `CNAME error: ${error.message}`
+      }
+    }
+  }
+  return result
+}
diff --git a/lib/domains.js b/lib/domains.js
new file mode 100644
index 000000000..407842db7
--- /dev/null
+++ b/lib/domains.js
@@ -0,0 +1,40 @@
+import { cachedFetcher } from '@/lib/fetch'
+
+export const loggerInstance = process.env.CUSTOM_DOMAIN_LOGGER === 'true'
+  ? {
+      log: (message, ...args) => {
+        console.log(message, ...args)
+      },
+      error: (message, ...args) => {
+        console.error(message, ...args)
+      }
+    }
+  : {
+      log: () => {},
+      error: () => {}
+    }
+
+export const domainLogger = () => loggerInstance
+
+// fetch custom domain mappings from our API, caching it for 5 minutes
+export const getDomainMappingsCache = cachedFetcher(async function fetchDomainMappings () {
+  const url = `${process.env.NEXT_PUBLIC_URL}/api/domains`
+  domainLogger().log('fetching domain mappings from', url) // TEST
+  try {
+    const response = await fetch(url)
+    if (!response.ok) {
+      domainLogger().error(`Cannot fetch domain mappings: ${response.status} ${response.statusText}`)
+      return null
+    }
+
+    const data = await response.json()
+    return Object.keys(data).length > 0 ? data : null
+  } catch (error) {
+    domainLogger().error('Cannot fetch domain mappings:', error)
+    return null
+  }
+}, {
+  cacheExpiry: 300000, // 5 minutes cache
+  forceRefreshThreshold: 600000, // 10 minutes before force refresh
+  keyGenerator: () => 'domain_mappings'
+})
diff --git a/lib/validate.js b/lib/validate.js
index 5bc4fe7d7..b77c0b8c1 100644
--- a/lib/validate.js
+++ b/lib/validate.js
@@ -356,6 +356,32 @@ export function territoryTransferSchema ({ me, ...args }) {
   })
 }
 
+// Custom Domain validation schema
+export function customDomainSchema (args) {
+  return object({
+    domain: string().matches(/^(?:[a-z0-9-]+\.){2,}[a-z]{2,}$/, {
+      message: 'CNAME records only support subdomains (e.g., www.example.com, sub.example.com)'
+    }).nullable()
+  })
+}
+
+export function customBrandingSchema (args) {
+  const hexRegex = /^#([0-9a-fA-F]{6})$/
+  return object({
+    title: string().trim().max(
+      50,
+      ({ max, value }) => `-${Math.abs(max - value.length)} characters remaining`
+    ).nullable(),
+    primary: string().matches(hexRegex, 'must be a valid hex color code (e.g. #FADA5E)').nullable(),
+    secondary: string().matches(hexRegex, 'must be a valid hex color code (e.g. #F6911D)').nullable(),
+    info: string().matches(hexRegex, 'must be a valid hex color code (e.g. #007cbe)').nullable(),
+    success: string().matches(hexRegex, 'must be a valid hex color code (e.g. #5c8001)').nullable(),
+    danger: string().matches(hexRegex, 'must be a valid hex color code (e.g. #c03221)').nullable(),
+    logoId: string().nullable(),
+    faviconId: string().nullable()
+  })
+}
+
 export function userSchema (args) {
   return object({
     name: nameValidator
diff --git a/middleware.js b/middleware.js
index f88bda31c..8badffd9b 100644
--- a/middleware.js
+++ b/middleware.js
@@ -1,4 +1,5 @@
 import { NextResponse, URLPattern } from 'next/server'
+import { domainLogger, getDomainMappingsCache } from '@/lib/domains'
 
 const referrerPattern = new URLPattern({ pathname: ':pathname(*)/r/:referrer([\\w_]+)' })
 const itemPattern = new URLPattern({ pathname: '/items/:id(\\d+){/:other(\\w+)}?' })
@@ -11,6 +12,78 @@ const SN_REFERRER = 'sn_referrer'
 const SN_REFERRER_NONCE = 'sn_referrer_nonce'
 // key for referred pages
 const SN_REFEREE_LANDING = 'sn_referee_landing'
+// rewrite to ~subName paths
+const TERRITORY_PATHS = ['/~', '/recent', '/random', '/top', '/post', '/edit']
+
+// Redirects and rewrites for custom domains
+async function customDomainMiddleware (req, referrerResp, mainDomain, domain, subName) {
+  // clone the request url to build on top of it
+  const url = req.nextUrl.clone()
+  // get the pathname from the url
+  const pathname = url.pathname
+  // get the query params from the url
+  const query = url.searchParams
+
+  // TEST
+  domainLogger().log('req.headers host', req.headers.get('host'))
+  domainLogger().log('main domain', mainDomain)
+  domainLogger().log('custom domain', domain)
+  domainLogger().log('subName', subName)
+  domainLogger().log('pathname', pathname)
+  domainLogger().log('query', query)
+
+  const requestHeaders = new Headers(req.headers)
+  requestHeaders.set('x-stacker-news-subname', subName)
+
+  // Auth sync redirects with domain and optional callbackUrl and multiAuth params
+  if (pathname === '/login' || pathname === '/signup') {
+    const redirectUrl = new URL(pathname, mainDomain)
+    redirectUrl.searchParams.set('domain', domain)
+    if (query.get('callbackUrl')) {
+      redirectUrl.searchParams.set('callbackUrl', query.get('callbackUrl'))
+    }
+    if (query.get('multiAuth')) {
+      redirectUrl.searchParams.set('multiAuth', query.get('multiAuth'))
+    }
+    const redirectResp = NextResponse.redirect(redirectUrl, {
+      headers: requestHeaders
+    })
+    // apply referrer cookies to the redirect
+    return applyReferrerCookies(redirectResp, referrerResp)
+  }
+
+  // If trying to access a ~subname path, rewrite to /
+  if (pathname.startsWith(`/~${subName}`)) {
+    // remove the territory prefix from the path
+    const cleanPath = pathname.replace(`/~${subName}`, '') || '/'
+    domainLogger().log('Redirecting to clean path:', cleanPath)
+    const redirectResp = NextResponse.redirect(new URL(cleanPath + url.search, url.origin), {
+      headers: requestHeaders
+    })
+    // apply referrer cookies to the redirect
+    return applyReferrerCookies(redirectResp, referrerResp)
+  }
+
+  // If we're at the root or a territory path, rewrite to the territory path
+  if (pathname === '/' || TERRITORY_PATHS.some(p => pathname.startsWith(p))) {
+    const internalUrl = new URL(url)
+    internalUrl.pathname = `/~${subName}${pathname === '/' ? '' : pathname}`
+    domainLogger().log('Rewrite to:', internalUrl.pathname)
+    // rewrite to the territory path
+    const resp = NextResponse.rewrite(internalUrl, {
+      headers: requestHeaders
+    })
+    // apply referrer cookies to the rewrite
+    return applyReferrerCookies(resp, referrerResp)
+  }
+
+  // continue if we don't need to rewrite or redirect
+  return NextResponse.next({
+    request: {
+      headers: requestHeaders
+    }
+  })
+}
 
 function getContentReferrer (request, url) {
   if (itemPattern.test(url)) {
@@ -30,6 +103,22 @@ function getContentReferrer (request, url) {
   }
 }
 
+function applyReferrerCookies (response, referrer) {
+  for (const cookie of referrer.cookies.getAll()) {
+    response.cookies.set(
+      cookie.name,
+      cookie.value,
+      {
+        maxAge: cookie.maxAge,
+        expires: cookie.expires,
+        path: cookie.path
+      }
+    )
+  }
+  domainLogger().log('response.cookies', response.cookies)
+  return response
+}
+
 // we store the referrers in cookies for a future signup event
 // we pass the referrers in the request headers so we can use them in referral rewards for logged in stackers
 function referrerMiddleware (request) {
@@ -84,9 +173,7 @@ function referrerMiddleware (request) {
   return response
 }
 
-export function middleware (request) {
-  const resp = referrerMiddleware(request)
-
+function applySecurityHeaders (resp) {
   const isDev = process.env.NODE_ENV === 'development'
 
   const nonce = Buffer.from(crypto.randomUUID()).toString('base64')
@@ -133,6 +220,33 @@ export function middleware (request) {
   return resp
 }
 
+export async function middleware (request) {
+  // First run referrer middleware to capture referrer data
+  const referrerResp = referrerMiddleware(request)
+  if (referrerResp.headers.get('Location')) {
+    // This is a redirect from the referrer middleware
+    return applySecurityHeaders(referrerResp)
+  }
+
+  // If we're on a custom domain, handle that next
+  const domain = request.headers.get('x-forwarded-host') || request.headers.get('host')
+  // get the main domain from the env vars
+  const mainDomain = new URL(process.env.NEXT_PUBLIC_URL).host
+  if (domain !== mainDomain) {
+    // get the subName from the domain mappings cache
+    const cachedDomainMappings = await getDomainMappingsCache()
+    const domainMapping = cachedDomainMappings?.[domain?.toLowerCase()]
+    if (domainMapping) {
+      domainLogger().log('detected allowed custom domain for: ', domainMapping.subName)
+      // handle the custom domain
+      const customDomainResp = await customDomainMiddleware(request, referrerResp, mainDomain, domain, domainMapping.subName)
+      return applySecurityHeaders(customDomainResp)
+    }
+  }
+
+  return applySecurityHeaders(referrerResp)
+}
+
 export const config = {
   matcher: [
     // NextJS recommends to not add the CSP header to prefetches and static assets
diff --git a/pages/_app.js b/pages/_app.js
index 1c2ee9b3c..659b1fa5f 100644
--- a/pages/_app.js
+++ b/pages/_app.js
@@ -22,6 +22,7 @@ import dynamic from 'next/dynamic'
 import { HasNewNotesProvider } from '@/components/use-has-new-notes'
 import { WebLnProvider } from '@/wallets/webln/client'
 import { WalletsProvider } from '@/wallets/index'
+import { DomainProvider } from '@/components/territory-domains'
 
 const PWAPrompt = dynamic(() => import('react-ios-pwa-prompt'), { ssr: false })
 
@@ -98,7 +99,7 @@ export default function MyApp ({ Component, pageProps: { ...props } }) {
     If we are on the client, we populate the apollo cache with the
     ssr data
   */
-  const { apollo, ssrData, me, price, blockHeight, chainFee, ...otherProps } = props
+  const { apollo, ssrData, me, price, blockHeight, chainFee, customDomain, ...otherProps } = props
   useEffect(() => {
     writeQuery(client, apollo, ssrData)
   }, [client, apollo, ssrData])
@@ -111,34 +112,36 @@ export default function MyApp ({ Component, pageProps: { ...props } }) {
       <ErrorBoundary>
         <PlausibleProvider domain='stacker.news' trackOutboundLinks>
           <ApolloProvider client={client}>
-            <MeProvider me={me}>
-              <WalletsProvider>
-                <HasNewNotesProvider>
-                  <LoggerProvider>
-                    <WebLnProvider>
-                      <ServiceWorkerProvider>
-                        <PriceProvider price={price}>
-                          <LightningProvider>
-                            <ToastProvider>
-                              <ShowModalProvider>
-                                <BlockHeightProvider blockHeight={blockHeight}>
-                                  <ChainFeeProvider chainFee={chainFee}>
-                                    <ErrorBoundary>
-                                      <Component ssrData={ssrData} {...otherProps} />
-                                      {!router?.query?.disablePrompt && <PWAPrompt copyBody='This website has app functionality. Add it to your home screen to use it in fullscreen and receive notifications. In Safari:' promptOnVisit={2} />}
-                                    </ErrorBoundary>
-                                  </ChainFeeProvider>
-                                </BlockHeightProvider>
-                              </ShowModalProvider>
-                            </ToastProvider>
-                          </LightningProvider>
-                        </PriceProvider>
-                      </ServiceWorkerProvider>
-                    </WebLnProvider>
-                  </LoggerProvider>
-                </HasNewNotesProvider>
-              </WalletsProvider>
-            </MeProvider>
+            <DomainProvider customDomain={customDomain}>
+              <MeProvider me={me}>
+                <WalletsProvider>
+                  <HasNewNotesProvider>
+                    <LoggerProvider>
+                      <WebLnProvider>
+                        <ServiceWorkerProvider>
+                          <PriceProvider price={price}>
+                            <LightningProvider>
+                              <ToastProvider>
+                                <ShowModalProvider>
+                                  <BlockHeightProvider blockHeight={blockHeight}>
+                                    <ChainFeeProvider chainFee={chainFee}>
+                                      <ErrorBoundary>
+                                        <Component ssrData={ssrData} {...otherProps} />
+                                        {!router?.query?.disablePrompt && <PWAPrompt copyBody='This website has app functionality. Add it to your home screen to use it in fullscreen and receive notifications. In Safari:' promptOnVisit={2} />}
+                                      </ErrorBoundary>
+                                    </ChainFeeProvider>
+                                  </BlockHeightProvider>
+                                </ShowModalProvider>
+                              </ToastProvider>
+                            </LightningProvider>
+                          </PriceProvider>
+                        </ServiceWorkerProvider>
+                      </WebLnProvider>
+                    </LoggerProvider>
+                  </HasNewNotesProvider>
+                </WalletsProvider>
+              </MeProvider>
+            </DomainProvider>
           </ApolloProvider>
         </PlausibleProvider>
       </ErrorBoundary>
diff --git a/pages/api/auth/[...nextauth].js b/pages/api/auth/[...nextauth].js
index 8070d6ea3..6e54ab643 100644
--- a/pages/api/auth/[...nextauth].js
+++ b/pages/api/auth/[...nextauth].js
@@ -128,6 +128,7 @@ function getCallbacks (req, res) {
 
       if (user && req && res) {
         // add multi_auth cookie for user that just logged in
+        console.log('adding multi_auth cookie')
         const secret = process.env.NEXTAUTH_SECRET
         const jwt = await encodeJWT({ token, secret })
         const me = await prisma.user.findUnique({ where: { id: token.id } })
@@ -222,6 +223,32 @@ async function nostrEventAuth (event) {
   return { k1, pubkey }
 }
 
+// Authentication Provider for syncing a user's session to a custom domain
+const syncAuth = async (token, req, res) => {
+  try {
+    const verificationToken = await prisma.verificationToken.findUnique({ where: { token } })
+    if (!verificationToken) return null
+
+    // has to be a sync token
+    if (!verificationToken.identifier.startsWith('sync:')) return null
+
+    // sync has user id
+    const userId = parseInt(verificationToken.identifier.split(':')[1], 10)
+    if (!userId) return null
+
+    // delete the token to prevent reuse
+    await prisma.verificationToken.delete({
+      where: { id: verificationToken.id }
+    })
+    if (new Date() > verificationToken.expires) return null
+
+    return await prisma.user.findUnique({ where: { id: userId } })
+  } catch (error) {
+    console.error('auth sync error:', error)
+    return null
+  }
+}
+
 /** @type {import('next-auth/providers').Provider[]} */
 const getProviders = (req, res) => [
   CredentialsProvider({
@@ -246,6 +273,16 @@ const getProviders = (req, res) => [
       return await pubkeyAuth(credentials, req, res, 'nostrAuthPubkey')
     }
   }),
+  CredentialsProvider({
+    id: 'sync',
+    name: 'Sync',
+    credentials: {
+      token: { label: 'token', type: 'text' }
+    },
+    authorize: async ({ token }, req) => {
+      return await syncAuth(token, req, res)
+    }
+  }),
   GitHubProvider({
     clientId: process.env.GITHUB_ID,
     clientSecret: process.env.GITHUB_SECRET,
@@ -404,7 +441,7 @@ export default async (req, res) => {
   await NextAuth(req, res, getAuthOptions(req, res))
 }
 
-function generateRandomString (length = 6, charset = BECH32_CHARSET) {
+export function generateRandomString (length = 6, charset = BECH32_CHARSET) {
   const bytes = randomBytes(length)
   let result = ''
 
diff --git a/pages/api/auth/sync.js b/pages/api/auth/sync.js
new file mode 100644
index 000000000..8268ca5e5
--- /dev/null
+++ b/pages/api/auth/sync.js
@@ -0,0 +1,68 @@
+import { getServerSession } from 'next-auth/next'
+import { getAuthOptions, generateRandomString } from './[...nextauth]'
+import models from '@/api/models'
+
+// API Endpoint for syncing a user's session to a custom domain
+export default async function handler (req, res) {
+  const { redirectUrl, multiAuth } = req.query
+  if (!redirectUrl) {
+    return res.status(400).json({ status: 'ERROR', reason: 'missing redirectUrl parameter' })
+  }
+
+  // redirectUrl parse
+  const decodedRedirectUrl = decodeURIComponent(redirectUrl)
+  let customDomain
+  try {
+    customDomain = new URL(decodedRedirectUrl)
+    // not cached because we're handling sensitive data
+    const domain = await models.customDomain.findUnique({ where: { domain: customDomain.host, status: 'ACTIVE' } })
+    if (!domain) {
+      return res.status(400).json({ status: 'ERROR', reason: 'custom domain not found' })
+    }
+  } catch (error) {
+    return res.status(400).json({ status: 'ERROR', reason: 'invalid redirectUrl parameter' })
+  }
+
+  const mainDomain = process.env.NEXT_PUBLIC_MAIN_DOMAIN
+
+  // get the user's session
+  const session = await getServerSession(req, res, getAuthOptions(req, res))
+  if (!session) {
+    // redirect to the login page, middleware will handle the rest
+    return res.redirect(mainDomain + '/login?callbackUrl=' + encodeURIComponent(decodedRedirectUrl))
+  }
+
+  try {
+    const token = generateRandomString(32)
+    // create a sync token
+    await models.verificationToken.create({
+      data: {
+        identifier: `sync:${session.user.id}`,
+        token,
+        expires: new Date(Date.now() + 1 * 60 * 1000) // 1 minute
+      }
+    })
+
+    if (process.env.NODE_ENV === 'production') {
+      res.setHeader('Set-Cookie', [
+        'SameSite=Lax; Secure; HttpOnly'
+      ])
+    }
+
+    // domain provider will handle this sync request
+    const customDomainCallback = new URL('/?type=sync', decodedRedirectUrl)
+    customDomainCallback.searchParams.set('token', token)
+    customDomainCallback.searchParams.set('callbackUrl', decodedRedirectUrl)
+    if (multiAuth) {
+      customDomainCallback.searchParams.set('multiAuth', multiAuth)
+    }
+
+    // TODO: security headers?
+
+    // redirect to the custom domain callback
+    return res.redirect(customDomainCallback.toString())
+  } catch (error) {
+    console.error('Error generating token:', error)
+    return res.status(500).json({ error: 'Failed to generate token' })
+  }
+}
diff --git a/pages/api/domains/index.js b/pages/api/domains/index.js
new file mode 100644
index 000000000..11eac4f08
--- /dev/null
+++ b/pages/api/domains/index.js
@@ -0,0 +1,40 @@
+import prisma from '@/api/models'
+
+// TODO: Authentication for this?
+// API Endpoint for getting all VERIFIED custom domains, used by a cachedFetcher
+export default async function handler (req, res) {
+  res.setHeader('Access-Control-Allow-Origin', '*')
+  res.setHeader('Access-Control-Allow-Methods', 'GET')
+  res.setHeader('Access-Control-Allow-Headers', 'Content-Type')
+
+  // Only allow GET requests
+  if (req.method !== 'GET') {
+    return res.status(405).json({ error: 'Method not allowed' })
+  }
+
+  try {
+    // fetch all VERIFIED custom domains from the database
+    const domains = await prisma.customDomain.findMany({
+      select: {
+        domain: true,
+        subName: true
+      },
+      where: {
+        status: 'ACTIVE'
+      }
+    })
+
+    // map domains to a key-value pair
+    const domainMappings = domains.reduce((acc, domain) => {
+      acc[domain.domain.toLowerCase()] = {
+        subName: domain.subName
+      }
+      return acc
+    }, {})
+
+    return res.status(200).json(domainMappings)
+  } catch (error) {
+    console.error('cannot fetch domains:', error)
+    return res.status(500).json({ error: 'Failed to fetch domains' })
+  }
+}
diff --git a/pages/login.js b/pages/login.js
index b31df60ea..6566a4d62 100644
--- a/pages/login.js
+++ b/pages/login.js
@@ -7,7 +7,7 @@ import Login from '@/components/login'
 import { isExternal } from '@/lib/url'
 import { MULTI_AUTH_ANON, MULTI_AUTH_POINTER } from '@/lib/auth'
 
-export async function getServerSideProps ({ req, res, query: { callbackUrl, multiAuth = false, error = null } }) {
+export async function getServerSideProps ({ req, res, query: { callbackUrl, multiAuth = false, error = null, domain = null } }) {
   let session = await getServerSession(req, res, getAuthOptions(req))
 
   // required to prevent infinite redirect loops if we switch to anon
@@ -21,7 +21,7 @@ export async function getServerSideProps ({ req, res, query: { callbackUrl, mult
   // let undefined urls through without redirect ... otherwise this interferes with multiple auth linking
   let external = true
   try {
-    external = isExternal(decodeURIComponent(callbackUrl))
+    external = isExternal(decodeURIComponent(callbackUrl)) && !domain
   } catch (err) {
     console.error('error decoding callback:', callbackUrl, err)
   }
@@ -30,6 +30,16 @@ export async function getServerSideProps ({ req, res, query: { callbackUrl, mult
     callbackUrl = '/'
   }
 
+  // If we're coming from a custom domain, set as callbackUrl the auth sync endpoint
+  if (domain) {
+    const params = new URLSearchParams()
+    params.set('redirectUrl', encodeURIComponent(callbackUrl))
+    if (multiAuth) { // take care of multiAuth if requested
+      params.set('multiAuth', multiAuth)
+    }
+    callbackUrl = '/api/auth/sync?' + params.toString()
+  }
+
   if (session && callbackUrl && !multiAuth) {
     // in the case of auth linking we want to pass the error back to settings
     // in the case of multi auth, don't redirect if there is already a session
@@ -59,9 +69,13 @@ export async function getServerSideProps ({ req, res, query: { callbackUrl, mult
   }
 }
 
-function LoginFooter ({ callbackUrl }) {
+function LoginFooter ({ callbackUrl, multiAuth }) {
+  const query = { callbackUrl }
+  if (multiAuth) {
+    query.multiAuth = multiAuth
+  }
   return (
-    <small className='fw-bold text-muted pt-4'>New to town? <Link href={{ pathname: '/signup', query: { callbackUrl } }}>sign up</Link></small>
+    <small className='fw-bold text-muted pt-4'>New to town? <Link href={{ pathname: '/signup', query }}>sign up</Link></small>
   )
 }
 
@@ -80,7 +94,7 @@ export default function LoginPage (props) {
   return (
     <StaticLayout footerLinks={false}>
       <Login
-        Footer={() => <LoginFooter callbackUrl={props.callbackUrl} />}
+        Footer={() => <LoginFooter callbackUrl={props.callbackUrl} multiAuth={props.multiAuth} />}
         Header={() => <LoginHeader />}
         signin
         {...props}
diff --git a/prisma/migrations/20250304121322_custom_domains/migration.sql b/prisma/migrations/20250304121322_custom_domains/migration.sql
new file mode 100644
index 000000000..cc5995cfd
--- /dev/null
+++ b/prisma/migrations/20250304121322_custom_domains/migration.sql
@@ -0,0 +1,68 @@
+-- Custom Domain
+CREATE TABLE "CustomDomain" (
+    "id" SERIAL NOT NULL,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "domain" CITEXT NOT NULL,
+    "subName" CITEXT NOT NULL,
+    "status" TEXT NOT NULL DEFAULT 'PENDING',
+    "failedAttempts" INTEGER NOT NULL DEFAULT 0,
+    "lastVerifiedAt" TIMESTAMP(3),
+    "verification" JSONB NOT NULL DEFAULT '{}',
+
+    CONSTRAINT "CustomDomain_pkey" PRIMARY KEY ("id")
+);
+
+-- verification jsonb schema
+-- {
+--     "dns": {
+--         "state": "VERIFIED",
+--         "cname": "stacker.news",
+--         "txt": b64 encoded txt value
+--     },
+--     "ssl": {
+--         "state": "VERIFIED",
+--         "cname": acm issued cname,
+--         "value": acm issued cname value,
+--         "arn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
+--     }
+-- }
+
+-- CreateIndex
+CREATE UNIQUE INDEX "CustomDomain_domain_key" ON "CustomDomain"("domain");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "CustomDomain_subName_key" ON "CustomDomain"("subName");
+
+-- CreateIndex
+CREATE INDEX "CustomDomain_domain_idx" ON "CustomDomain"("domain");
+
+-- CreateIndex
+CREATE INDEX "CustomDomain_created_at_idx" ON "CustomDomain"("created_at");
+
+-- AddForeignKey
+ALTER TABLE "CustomDomain" ADD CONSTRAINT "CustomDomain_subName_fkey" FOREIGN KEY ("subName") REFERENCES "Sub"("name") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- Custom Branding
+CREATE TABLE "CustomBranding" (
+    "id" SERIAL NOT NULL,
+    "title" TEXT,
+    "colors" JSONB DEFAULT '{}',
+    "logoId" INTEGER,
+    "faviconId" INTEGER,
+    "subName" CITEXT NOT NULL,
+
+    CONSTRAINT "CustomBranding_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "CustomBranding_subName_key" ON "CustomBranding"("subName");
+
+-- AddForeignKey
+ALTER TABLE "CustomBranding" ADD CONSTRAINT "CustomBranding_logoId_fkey" FOREIGN KEY ("logoId") REFERENCES "Upload"("id") ON DELETE SET NULL ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "CustomBranding" ADD CONSTRAINT "CustomBranding_faviconId_fkey" FOREIGN KEY ("faviconId") REFERENCES "Upload"("id") ON DELETE SET NULL ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "CustomBranding" ADD CONSTRAINT "CustomBranding_subName_fkey" FOREIGN KEY ("subName") REFERENCES "Sub"("name") ON DELETE CASCADE ON UPDATE CASCADE;
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
index 49c4b858e..cf479fdca 100644
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -454,6 +454,8 @@ model Upload {
   user               User                @relation("Uploads", fields: [userId], references: [id], onDelete: Cascade)
   User               User[]
   ItemUpload         ItemUpload[]
+  logoBranding       CustomBranding[]    @relation("LogoUpload")
+  faviconBranding    CustomBranding[]    @relation("FaviconUpload")
 
   @@index([createdAt], map: "Upload.created_at_index")
   @@index([userId], map: "Upload.userId_index")
@@ -800,6 +802,8 @@ model Sub {
   SubSubscription   SubSubscription[]
   TerritoryTransfer TerritoryTransfer[]
   UserSubTrust      UserSubTrust[]
+  customDomain      CustomDomain?
+  customBranding    CustomBranding?
 
   @@index([parentName])
   @@index([createdAt])
@@ -1242,6 +1246,34 @@ model Reminder {
   @@index([userId, remindAt], map: "Reminder.userId_reminderAt_index")
 }
 
+model CustomDomain {
+  id                      Int       @id @default(autoincrement())
+  createdAt               DateTime  @default(now()) @map("created_at")
+  updatedAt               DateTime  @default(now()) @updatedAt @map("updated_at")
+  domain                  String    @unique @db.Citext
+  subName                 String    @unique @db.Citext
+  status                  String    @default("PENDING")
+  failedAttempts          Int       @default(0)
+  lastVerifiedAt          DateTime?
+  verification            Json      @default("{}")
+  sub                     Sub       @relation(fields: [subName], references: [name], onDelete: Cascade, onUpdate: Cascade)
+  
+  @@index([domain])
+  @@index([createdAt])
+}
+
+model CustomBranding {
+  id                      Int       @id @default(autoincrement())
+  title                   String?
+  colors                  Json?     @default("{}")
+  logoId                  Int?
+  logo                    Upload?   @relation("LogoUpload", fields: [logoId], references: [id])
+  faviconId               Int?
+  favicon                 Upload?   @relation("FaviconUpload", fields: [faviconId], references: [id])
+  subName                 String    @unique @db.Citext
+  sub                     Sub       @relation(fields: [subName], references: [name], onDelete: Cascade, onUpdate: Cascade)
+}
+
 enum EarnType {
   POST
   COMMENT
diff --git a/styles/globals.scss b/styles/globals.scss
index b7923c828..055b36b91 100644
--- a/styles/globals.scss
+++ b/styles/globals.scss
@@ -216,6 +216,72 @@ $zindex-sticky: 900;
   --bs-gradient: none;
 }
 
+.btn-primary {
+  --bs-btn-bg: var(--bs-primary);
+  --bs-btn-border-color: var(--bs-primary);
+  --bs-btn-hover-border-color: var(--bs-primary);
+  --bs-btn-hover-bg: var(--bs-primary);
+  --bs-btn-active-bg: var(--bs-primary);
+  --bs-btn-focus-shadow-rgb: 233, 236, 239;
+  --bs-btn-active-shadow: inset 0 3px 5px rgba(0, 0, 0, 0.125);
+  --bs-btn-disabled-color: var(--bs-primary);
+  --bs-btn-disabled-bg: transparent;
+  --bs-btn-disabled-border-color: var(--bs-primary);
+}
+
+.btn-secondary {
+  --bs-btn-bg: var(--bs-secondary);
+  --bs-btn-border-color: var(--bs-secondary);
+  --bs-btn-hover-border-color: var(--bs-secondary);
+  --bs-btn-hover-bg: var(--bs-secondary);
+  --bs-btn-active-bg: var(--bs-secondary);
+  --bs-btn-focus-shadow-rgb: 233, 236, 239;
+  --bs-btn-active-shadow: inset 0 3px 5px rgba(0, 0, 0, 0.125);
+  --bs-btn-disabled-color: var(--bs-secondary);
+  --bs-btn-disabled-bg: transparent;
+  --bs-btn-disabled-border-color: var(--bs-secondary);
+}
+
+.btn-info {
+  --bs-btn-bg: var(--bs-info);
+  --bs-btn-border-color: var(--bs-info);
+  --bs-btn-hover-border-color: var(--bs-info);
+  --bs-btn-hover-bg: var(--bs-info);
+  --bs-btn-active-bg: var(--bs-info);
+  --bs-btn-focus-shadow-rgb: 233, 236, 239;
+  --bs-btn-active-shadow: inset 0 3px 5px rgba(0, 0, 0, 0.125);
+  --bs-btn-disabled-color: var(--bs-info);
+  --bs-btn-disabled-bg: transparent;
+  --bs-btn-disabled-border-color: var(--bs-info);
+}
+
+.btn-success {
+  --bs-btn-bg: var(--bs-success);
+  --bs-btn-border-color: var(--bs-success);
+  --bs-btn-hover-border-color: var(--bs-success);
+  --bs-btn-hover-bg: var(--bs-success);
+  --bs-btn-active-bg: var(--bs-success);
+  --bs-btn-focus-shadow-rgb: 233, 236, 239;
+  --bs-btn-active-shadow: inset 0 3px 5px rgba(0, 0, 0, 0.125);
+  --bs-btn-disabled-color: var(--bs-success);
+  --bs-btn-disabled-bg: transparent;
+  --bs-btn-disabled-border-color: var(--bs-success);
+}
+
+.btn-danger {
+  --bs-btn-bg: var(--bs-danger);
+  --bs-btn-border-color: var(--bs-danger);
+  --bs-btn-hover-border-color: var(--bs-danger);
+  --bs-btn-hover-bg: var(--bs-danger);
+  --bs-btn-active-bg: var(--bs-danger);
+  --bs-btn-focus-shadow-rgb: 233, 236, 239;
+  --bs-btn-active-shadow: inset 0 3px 5px rgba(0, 0, 0, 0.125);
+  --bs-btn-disabled-color: var(--bs-danger);
+  --bs-btn-disabled-bg: transparent;
+  --bs-btn-disabled-border-color: var(--bs-danger);
+}
+
+
 * {
   scroll-margin-top: 60px;
 }
diff --git a/worker/domainVerification.js b/worker/domainVerification.js
new file mode 100644
index 000000000..74d8cb174
--- /dev/null
+++ b/worker/domainVerification.js
@@ -0,0 +1,168 @@
+import createPrisma from '@/lib/create-prisma'
+import { verifyDomainDNS, issueDomainCertificate, checkCertificateStatus, getValidationValues, deleteCertificate } from '@/lib/domain-verification'
+
+export async function domainVerification ({ id: jobId, data: { domainId }, boss }) {
+  // establish connection to database
+  const models = createPrisma({ connectionParams: { connection_limit: 1 } })
+  try {
+    // get domain from database
+    const domain = await models.customDomain.findUnique({ where: { id: domainId } })
+    // if we can't find the domain, bail without scheduling a retry
+    if (!domain) {
+      throw new Error(`domain with ID ${domainId} not found`)
+    }
+
+    // start verification process
+    const result = await verifyDomain(domain)
+    console.log(`domain verification result: ${JSON.stringify(result)}`)
+
+    // update the domain with the result
+    await models.customDomain.update({
+      where: { id: domainId },
+      data: result
+    })
+
+    // if the result is PENDING it means we still have to verify the domain
+    // if it's not PENDING, we stop the verification process.
+    if (result.status === 'PENDING') {
+      // we still need to verify the domain, schedule the job to run again in 5 minutes
+      const jobId = await boss.send('domainVerification', { domainId }, {
+        startAfter: 60 * 5, // start the job after 5 minutes
+        retryLimit: 3,
+        retryDelay: 30 // on critical errors, retry every 5 minutes
+      })
+      console.log(`domain ${domain.domain} is still pending verification, created job with ID ${jobId} to run in 5 minutes`)
+    }
+  } catch (error) {
+    console.error(`couldn't verify domain with ID ${domainId}: ${error.message}`)
+
+    // get the job details to get the retry count
+    const jobDetails = await boss.getJobById(jobId)
+    console.log(`job details: ${JSON.stringify(jobDetails)}`)
+    // if we couldn't verify the domain, put it on hold if it exists and delete any related verification jobs
+    if (jobDetails?.retrycount >= 3) {
+      console.log(`couldn't verify domain with ID ${domainId} for the third time, putting it on hold if it exists and deleting any related domain verification jobs`)
+      await models.customDomain.update({ where: { id: domainId }, data: { status: 'HOLD' } })
+      // delete any related domain verification jobs
+      await models.$queryRaw`
+      DELETE FROM pgboss.job
+      WHERE name = 'domainVerification'
+            AND data->>'domainId' = ${domainId}::TEXT`
+    }
+
+    throw error
+  }
+}
+
+async function verifyDomain (domain) {
+  const lastVerifiedAt = new Date()
+  const verification = domain.verification || { dns: {}, ssl: {} }
+  let status = domain.status || 'PENDING'
+
+  // step 1: verify DNS [CNAME and TXT]
+  // if DNS is not already verified
+  let dnsState = verification.dns.state || 'PENDING'
+  if (dnsState !== 'VERIFIED') {
+    dnsState = await verifyDNS(domain.domain, verification.dns.txt)
+
+    // log the result, throw an error if we couldn't verify the DNS
+    switch (dnsState) {
+      case 'VERIFIED':
+        console.log(`DNS verification for ${domain.domain} is ${dnsState}, proceeding to SSL verification`)
+        break
+      case 'PENDING':
+        console.log(`DNS verification for ${domain.domain} is ${dnsState}, will retry DNS verification in 5 minutes`)
+        break
+      default:
+        dnsState = 'PENDING'
+        console.log(`couldn't verify DNS for ${domain.domain}, will retry DNS verification in 5 minutes`)
+    }
+  }
+
+  // step 2: certificate issuance
+  // if DNS is verified and we don't have a SSL certificate, issue one
+  let sslArn = verification.ssl.arn || null
+  let sslState = verification.ssl.state || 'PENDING'
+  if (dnsState === 'VERIFIED' && !sslArn) {
+    sslArn = await issueDomainCertificate(domain.domain)
+    if (sslArn) {
+      console.log(`SSL certificate issued for ${domain.domain} with ARN ${sslArn}, will verify with ACM`)
+    } else {
+      console.log(`couldn't issue SSL certificate for ${domain.domain}, will retry certificate issuance in 5 minutes`)
+    }
+  }
+
+  // step 3: get validation values from ACM
+  // if we have a certificate and we don't already have the validation values
+  let acmValidationCname = verification.ssl.cname || null
+  let acmValidationValue = verification.ssl.value || null
+  if (sslArn && !acmValidationCname && !acmValidationValue) {
+    const values = await getValidationValues(sslArn)
+    acmValidationCname = values?.cname || null
+    acmValidationValue = values?.value || null
+    if (acmValidationCname && acmValidationValue) {
+      console.log(`Validation values retrieved for ${domain.domain}, will check ACM validation status`)
+    } else {
+      console.log(`couldn't retrieve validation values for ${domain.domain}, will retry to request validation values from ACM in 5 minutes`)
+    }
+  }
+
+  // step 4: check if the certificate is validated by ACM
+  // if DNS is verified and we have a SSL certificate
+  // it can happen that we just issued the certificate and it's not yet validated by ACM
+  if (sslArn && sslState !== 'VERIFIED') {
+    sslState = await checkCertificateStatus(sslArn)
+    switch (sslState) {
+      case 'VERIFIED':
+        console.log(`SSL certificate for ${domain.domain} is ${sslState}, verification routine complete`)
+        break
+      case 'PENDING':
+        console.log(`SSL certificate for ${domain.domain} is ${sslState}, will check again with ACM in 5 minutes`)
+        break
+      default:
+        sslState = 'PENDING'
+        console.log(`couldn't verify SSL certificate for ${domain.domain}, will retry certificate validation with ACM in 5 minutes`)
+    }
+  }
+
+  // step 5: update the status of the domain
+  // if the domain is fully verified, set the status to active
+  if (dnsState === 'VERIFIED' && sslState === 'VERIFIED') {
+    status = 'ACTIVE'
+  }
+  // if the domain has failed in some way and it's been 48 hours, put it on hold
+  if (status !== 'ACTIVE' && domain.createdAt < new Date(Date.now() - 1000 * 60 * 60 * 24 * 2)) {
+    status = 'HOLD'
+    // we stopped domain verification, delete the certificate as it will expire after 72 hours anyway
+    if (sslArn) {
+      console.log(`domain ${domain.domain} is on hold, deleting certificate as it will expire after 72 hours`)
+      const result = await deleteCertificate(sslArn)
+      console.log(`delete certificate attempt for ${domain.domain}, result: ${JSON.stringify(result)}`)
+    }
+  }
+
+  return {
+    lastVerifiedAt,
+    status,
+    verification: {
+      dns: {
+        ...verification.dns,
+        state: dnsState
+      },
+      ssl: {
+        arn: sslArn,
+        state: sslState,
+        cname: acmValidationCname,
+        value: acmValidationValue
+      }
+    }
+  }
+}
+
+async function verifyDNS (cname, txt) {
+  const { cnameValid, txtValid } = await verifyDomainDNS(cname, txt)
+  console.log(`${cname}: CNAME ${cnameValid ? 'valid' : 'invalid'}, TXT ${txtValid ? 'valid' : 'invalid'}`)
+
+  const dnsState = cnameValid && txtValid ? 'VERIFIED' : 'PENDING'
+  return dnsState
+}
diff --git a/worker/index.js b/worker/index.js
index 03b1a3f4c..b4c03fdf5 100644
--- a/worker/index.js
+++ b/worker/index.js
@@ -38,6 +38,7 @@ import { expireBoost } from './expireBoost'
 import { payingActionConfirmed, payingActionFailed } from './payingAction'
 import { autoDropBolt11s } from './autoDropBolt11'
 import { postToSocial } from './socialPoster'
+import { domainVerification } from './domainVerification'
 
 // WebSocket polyfill
 import ws from 'isomorphic-ws'
@@ -123,6 +124,7 @@ async function work () {
     await boss.work('imgproxy', jobWrapper(imgproxy))
     await boss.work('deleteUnusedImages', jobWrapper(deleteUnusedImages))
   }
+  await boss.work('domainVerification', jobWrapper(domainVerification))
   await boss.work('expireBoost', jobWrapper(expireBoost))
   await boss.work('weeklyPost-*', jobWrapper(weeklyPost))
   await boss.work('payWeeklyPostBounty', jobWrapper(payWeeklyPostBounty))