## Understanding GPT Actions and Domain Controls in ChatGPT Enterprise
In a business environment, teams often need ChatGPT to interact seamlessly with custom tools, APIs, or internal data sources. GPT Actions make this possible by allowing ChatGPT to connect to external services on behalf of users. However, without proper controls, this could expose your organization to risks. That's where domain settings come in—they let Enterprise admins specify exactly which domains ChatGPT can access via Actions.
By default, no external domains are permitted. This zero-trust approach ensures security from the start. Admins must explicitly add and verify domains, preventing unauthorized requests. This feature is exclusive to ChatGPT Enterprise, giving IT teams granular oversight.
### Real-World Scenario: Integrating with a Custom CRM
Imagine your sales team uses a proprietary CRM at crm.yourcompany.com. Without domain settings, ChatGPT can't query it directly. By verifying the domain, you enable Actions like 'Fetch customer details from CRM' or 'Update deal status.' This boosts productivity while keeping data flows secure.
## Navigating to Domain Settings
As a ChatGPT Enterprise admin, start by logging into the admin console:
1. Head to **Settings** in the left sidebar.
2. Select **Actions** from the menu.
3. Scroll to the **Domain settings** section.
Here, you'll see a list of currently allowed domains—empty by default. Options include adding new domains, verifying ownership, and managing existing ones.
## Adding Domains and Leveraging Wildcards
Click **Add domain** to input a new one, like `api.yourcompany.com`. For broader coverage:
- Use wildcards: `*.yourcompany.com` permits all subdomains (e.g., api.yourcompany.com, dashboard.yourcompany.com).
- Exact match: `yourcompany.com` only allows the root.
Wildcards are powerful for enterprises with multiple services under one umbrella domain. For instance, a dev team might verify `*.internal.tools` to cover staging.internal.tools and prod.internal.tools without separate entries.
**Pro Tip:** Plan your domains hierarchically. Verify the parent domain with a wildcard if subdomains share infrastructure, reducing admin overhead.
## Verifying Domain Ownership: The DNS TXT Process
Adding a domain lists it as 'pending verification.' To activate it, prove ownership via a DNS TXT record. OpenAI generates a unique value, such as `openai-actions-domain-verification=abc123def456`.
### Detailed Verification Steps
1. **Copy the TXT Value:** In the domain settings, click **Verify** next to your domain. Copy the provided string.
2. **Access Your DNS Provider:** Log into your DNS management console (e.g., Route 53, Cloudflare, GoDaddy). Navigate to the root domain's DNS records.
3. **Create the TXT Record:**
   - **Host/Name:** Leave as `@` or blank for the apex domain.
   - **Type:** TXT
   - **Value:** Paste the exact string from OpenAI, e.g., `openai-actions-domain-verification=abc123def456`

   Example DNS configuration (visualize in your provider):
   ```
   Type: TXT
   Host: @
   Value: "openai-actions-domain-verification=abc123def456"
   TTL: 300 (or default)
   ```
4. **Save and Propagate:** DNS changes take time—up to 72 hours globally, though often faster (minutes to hours).
5. **Check Status in OpenAI:** Return to **Actions > Domain settings**. Click **Refresh** or wait for auto-detection. Verified domains show a green checkmark and 'Verified' status.
**Troubleshooting Common Issues:**
- **Propagation Delays:** Use a tool like `dig` in a terminal to check whether the record is visible:
  ```bash
  dig TXT yourdomain.com
  ```
  Look for the OpenAI record in the output.
- **Multiple TXT Records:** Fine, as long as OpenAI's is present.
- **Subdomain Verification:** For `sub.yourdomain.com`, add TXT to sub.yourdomain.com's DNS.
- **Wildcard Domains:** Verify the parent (e.g., yourcompany.com) to cover `*.yourcompany.com`.
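To make the `dig` check above repeatable, the following added example (not OpenAI tooling and not part of the original page) classifies the output of `dig +short TXT <domain>` as a match, a mismatch, or a missing record. The record prefix and token are the illustrative values used on this page, and the sample outputs are constructed.

```python
import re

PREFIX = "openai-actions-domain-verification="  # record prefix as shown on this page

def txt_values(dig_short_output):
    """Turn `dig +short TXT` output into one string per TXT record.

    dig prints each record on its own line as one or more quoted chunks;
    a record split into several chunks must be concatenated before comparing.
    """
    values = []
    for line in dig_short_output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            values.append("".join(chunks))
    return values

def verification_status(dig_short_output, expected):
    """Return 'match', 'mismatch' (a verification record with another value), or 'missing'."""
    values = txt_values(dig_short_output)
    if expected in values:
        return "match"
    if any(v.startswith(PREFIX) for v in values):
        return "mismatch"
    return "missing"

# Constructed sample outputs; EXPECTED is the page's illustrative token, not a real one.
EXPECTED = PREFIX + "abc123def456"
SAMPLE_OK = (
    '"v=spf1 include:_spf.example.net ~all"\n'
    '"openai-actions-domain-verification=" "abc123def456"\n'  # split into two chunks
)
SAMPLE_MISMATCH = '"openai-actions-domain-verification=zzz999"\n'
SAMPLE_MISSING = '"v=spf1 include:_spf.example.net ~all"\n'

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("mismatch", SAMPLE_MISMATCH),
                         ("missing", SAMPLE_MISSING)]:
        print(name, "->", verification_status(sample, EXPECTED))
```

A `mismatch` result means a verification record is published but its value differs from the string shown in the admin console; `missing` usually means the record has not propagated yet or was created under a different name.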
Once verified, GPT Actions can make authenticated requests to that domain, using OAuth or API keys as defined in your Action schemas.
## Managing and Revoking Domains
Verified domains are active until revoked:
- **Edit:** Click the domain to update or re-verify.
- **Revoke:** Select **Revoke verification**. This immediately disables access, useful for decommissioning services or security incidents.
Revocation is instant—no propagation delays. Audit logs in the admin console track changes.
### Security Best Practices
- **Least Privilege:** Verify only necessary domains. Rotate verifications periodically.
- **Monitor Usage:** Combine with ChatGPT's usage analytics to spot anomalous Action calls.
- **Internal vs. Public:** For air-gapped setups, use VPN-restricted domains.
- **Compliance:** Aligns with SOC 2 and GDPR by controlling data egress.
## Building and Deploying Custom GPT Actions
Domain verification unlocks custom Actions. Define them via OpenAI's schema:
```json
{
  "openapi": "3.1.0",
  "info": {
    "title": "CRM API",
    "version": "1.0.0"
  },
  "servers": [{"url": "https://api.yourcompany.com"}],
  "paths": {
    "/customers/{id}": {
      "get": {
        "parameters": [
          {"name": "id", "in": "path", "required": true, "schema": {"type": "string"}}
        ],
        "responses": {"200": {"description": "Customer data"}}
      }
    }
  }
}
```
Host this OpenAPI spec at your verified domain's `/openapi.json`. Users can then invoke it in ChatGPT: "Get details for customer ABC123."
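Before publishing a spec, it helps to confirm that every `servers` URL falls inside the domains entered in Domain settings. The added example below (not OpenAI's matching code and not part of the original page) applies the wildcard and exact-match rules from the "Adding Domains" section. It assumes that a wildcard covers subdomains at any depth but not the apex, and it additionally flags non-HTTPS URLs and URLs containing userinfo as this check's own policy; all data is constructed.

```python
import json
from urllib.parse import urlsplit

def host_allowed(host, allowlist):
    """Match a hostname against allowlist entries (assumed semantics, see lead-in)."""
    host = host.lower().rstrip(".")
    for entry in (e.lower().rstrip(".") for e in allowlist):
        if entry.startswith("*."):
            suffix = entry[1:]  # ".yourcompany.com": the leading dot is the label boundary
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == entry:
            return True
    return False

def audit_servers(spec, allowlist):
    """Return (url, reason) for every servers[] entry that needs review."""
    findings = []
    for server in spec.get("servers", []):
        url = server.get("url", "")
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append((url, "not https"))
        elif parts.username is not None:
            # Text before "@" is userinfo, not the host the request goes to.
            findings.append((url, "userinfo in URL"))
        elif not parts.hostname or not host_allowed(parts.hostname, allowlist):
            findings.append((url, "host not in allowlist"))
    return findings

# Constructed sample data: allowlist as entered in Domain settings, spec as drafted.
ALLOWLIST = ["*.yourcompany.com", "internal.tools"]
SPEC = json.loads("""
{"openapi": "3.1.0", "servers": [
  {"url": "https://api.yourcompany.com"},
  {"url": "https://API.YourCompany.com./v1"},
  {"url": "https://yourcompany.com"},
  {"url": "https://notyourcompany.com"},
  {"url": "https://staging.internal.tools"},
  {"url": "http://api.yourcompany.com"},
  {"url": "https://api.yourcompany.com@other.example"}
]}
""")

if __name__ == "__main__":
    for url, reason in audit_servers(SPEC, ALLOWLIST):
        print(f"REVIEW {url}: {reason}")
```

The `notyourcompany.com` and `@other.example` cases show why the comparison is done on the parsed hostname with a dot boundary rather than with a plain substring or suffix test on the URL.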
**Enterprise Example: HR Onboarding Workflow**
Verify `hr.yourcompany.com`. Build an Action to 'Fetch employee profile' or 'Schedule onboarding.' Sales reps query: "What's the org chart for engineering?" ChatGPT pulls from the verified HR API and responds securely.
## Limitations and Future Considerations
- Propagation: Up to 72 hours—plan ahead for launches.
- Scope: Applies to GPT Actions only, not browser tools.
- Enterprise-Only: Team/Plus plans lack this.
Stay updated via OpenAI's changelog. For complex setups, consult OpenAI support.
This setup empowers secure, scalable AI integrations, transforming ChatGPT into your organization's intelligent assistant.