diff --git a/.env.development b/.env.development
index 745a944e8..5b680e20b 100644
--- a/.env.development
+++ b/.env.development
@@ -1,7 +1,7 @@
 PRISMA_SLOW_LOGS_MS=
 GRAPHQL_SLOW_LOGS_MS=
 NODE_ENV=development
-COMPOSE_PROFILES='minimal,images,search,payments,wallets,email,capture'
+COMPOSE_PROFILES='minimal,images,search,payments,wallets,email,capture,domains'
 
 ############################################################################
 # OPTIONAL SECRETS                                                         #
@@ -114,7 +114,7 @@ NEXT_PUBLIC_EXTRA_LONG_POLL_INTERVAL=300000
 
 # containers can't use localhost, so we need to use the container name
 IMGPROXY_URL_DOCKER=http://imgproxy:8080
-MEDIA_URL_DOCKER=http://s3:4566/uploads
+MEDIA_URL_DOCKER=http://aws:4566/uploads
 
 # postgres container stuff
 POSTGRES_PASSWORD=password
@@ -177,6 +177,9 @@ AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
 AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
 PERSISTENCE=1
 SKIP_SSL_CERT_DOWNLOAD=1
+# custom domain ACM, ELBv2
+LOCALSTACK_ENDPOINT=http://aws:4566
+ELB_LISTENER_ARN=arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/sndev-lb/1234567890abcdef/1234567890abcdef
 
 # tor proxy
 TOR_PROXY=http://tor:7050/
diff --git a/api/acm/index.js b/api/acm/index.js
new file mode 100644
index 000000000..322849f88
--- /dev/null
+++ b/api/acm/index.js
@@ -0,0 +1,41 @@
+import AWS from 'aws-sdk'
+
+const config = {
+  region: 'us-east-1',
+  // for local development, we use the LOCALSTACK_ENDPOINT
+  endpoint: process.env.NODE_ENV === 'development' ? process.env.LOCALSTACK_ENDPOINT : undefined
+}
+
+export async function requestCertificate (domain) {
+  const acm = new AWS.ACM(config)
+  const params = {
+    DomainName: domain,
+    ValidationMethod: 'DNS',
+    Tags: [
+      {
+        Key: 'ManagedBy',
+        Value: 'stacker.news'
+      }
+    ]
+  }
+
+  const certificate = await acm.requestCertificate(params).promise()
+  return certificate.CertificateArn
+}
+
+export async function describeCertificate (certificateArn) {
+  const acm = new AWS.ACM(config)
+  const certificate = await acm.describeCertificate({ CertificateArn: certificateArn }).promise()
+  return certificate
+}
+
+export async function getCertificateStatus (certificateArn) {
+  const certificate = await describeCertificate(certificateArn)
+  return certificate.Certificate.Status
+}
+
+export async function deleteCertificate (certificateArn) {
+  const acm = new AWS.ACM(config)
+  const result = await acm.deleteCertificate({ CertificateArn: certificateArn }).promise()
+  return result
+}
diff --git a/api/elb/index.js b/api/elb/index.js
new file mode 100644
index 000000000..eced0da12
--- /dev/null
+++ b/api/elb/index.js
@@ -0,0 +1,42 @@
+import AWS from 'aws-sdk'
+import { MockELBv2 } from './mocks'
+
+const ELB_LISTENER_ARN = process.env.ELB_LISTENER_ARN
+
+const config = {
+  region: 'us-east-1'
+}
+
+// attach a certificate to the elb listener
+async function attachCertificateToElb (certificateArn) {
+  const elbv2 = process.env.NODE_ENV === 'development'
+    ? new MockELBv2() // use the mocked elb for local development
+    : new AWS.ELBv2(config)
+
+  // attach the certificate
+  // AWS doesn't throw an error if the certificate is already attached to the listener
+  await elbv2.addListenerCertificates({
+    ListenerArn: ELB_LISTENER_ARN,
+    Certificates: [{ CertificateArn: certificateArn }]
+  }).promise()
+
+  return true
+}
+
+// detach a certificate from the elb listener
+async function detachCertificateFromElb (certificateArn) {
+  const elbv2 = process.env.NODE_ENV === 'development'
+    ? new MockELBv2() // use the mocked elb for local development
+    : new AWS.ELBv2(config)
+
+  // detach the certificate
+  // AWS doesn't throw an error if the certificate is not attached to the listener
+  await elbv2.removeListenerCertificates({
+    ListenerArn: ELB_LISTENER_ARN,
+    Certificates: [{ CertificateArn: certificateArn }]
+  }).promise()
+
+  return true
+}
+
+export { attachCertificateToElb, detachCertificateFromElb }
diff --git a/api/elb/mocks.js b/api/elb/mocks.js
new file mode 100644
index 000000000..d0fa434d1
--- /dev/null
+++ b/api/elb/mocks.js
@@ -0,0 +1,120 @@
+// mock Load Balancers and Listeners for testing
+const mockedElb = {
+  loadBalancers: [
+    {
+      LoadBalancerArn: 'arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/sndev-lb/1234567890abcdef',
+      DNSName: 'sndev-lb.us-east-1.elb.amazonaws.com',
+      LoadBalancerName: 'sndev-lb',
+      Type: 'application'
+    }
+  ],
+  listeners: [
+    {
+      ListenerArn: 'arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/sndev-lb/1234567890abcdef/1234567890abcdef',
+      LoadBalancerArn: 'arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/sndev-lb/1234567890abcdef',
+      Protocol: 'HTTPS',
+      Port: 443
+    }
+  ],
+  certificates: []
+}
+
+// mock AWS.ELBv2 class
+class MockELBv2 {
+  // mock describeLoadBalancers
+  // return the load balancers that match the names in the params
+  describeLoadBalancers (params) {
+    const { Names } = params
+    let loadBalancers = [...mockedElb.loadBalancers]
+
+    if (Names && Names.length > 0) {
+      loadBalancers = loadBalancers.filter(lb => Names.includes(lb.LoadBalancerName))
+    }
+
+    return {
+      promise: () => Promise.resolve({ LoadBalancers: loadBalancers })
+    }
+  }
+
+  // mock describeListeners
+  // return the listeners that match the load balancer arn in the params
+  describeListeners (params) {
+    const { LoadBalancerArn, Filters } = params
+    let listeners = [...mockedElb.listeners]
+
+    if (LoadBalancerArn) {
+      listeners = listeners.filter(listener => listener.LoadBalancerArn === LoadBalancerArn)
+    }
+
+    if (Filters && Filters.length > 0) {
+      Filters.forEach(filter => {
+        if (filter.Name === 'protocol' && filter.Values) {
+          listeners = listeners.filter(listener =>
+            filter.Values.includes(listener.Protocol)
+          )
+        }
+      })
+    }
+
+    return {
+      promise: () => Promise.resolve({ Listeners: listeners })
+    }
+  }
+
+  // mock describeListenerCertificates
+  // return the certificates that match the listener arn in the params
+  describeListenerCertificates (params) {
+    const { ListenerArn } = params
+    const certificates = mockedElb.certificates
+      .filter(cert => cert.ListenerArn === ListenerArn)
+      .map(cert => ({ CertificateArn: cert.CertificateArn }))
+
+    return {
+      promise: () => Promise.resolve({ Certificates: certificates })
+    }
+  }
+
+  // mock addListenerCertificates
+  // add the certificates to the mockedElb.certificates
+  addListenerCertificates (params) {
+    const { ListenerArn, Certificates } = params
+
+    Certificates.forEach(cert => {
+      // ELBv2 checks if the certificate is already attached to the listener
+      // and doesn't add it again if it is
+      const exists = mockedElb.certificates.some(
+        c => c.ListenerArn === ListenerArn && c.CertificateArn === cert.CertificateArn
+      )
+
+      if (!exists) {
+        mockedElb.certificates.push({
+          ListenerArn,
+          CertificateArn: cert.CertificateArn
+        })
+      }
+    })
+
+    return {
+      promise: () => Promise.resolve({})
+    }
+  }
+
+  // mock removeListenerCertificates
+  // remove the certificates from the mockedElb.certificates
+  // AWS doesn't throw an error if the certificate is not attached to the listener
+  removeListenerCertificates (params) {
+    const { ListenerArn, Certificates } = params
+
+    Certificates.forEach(cert => {
+      mockedElb.certificates = mockedElb.certificates.filter(
+        c => !(c.ListenerArn === ListenerArn && c.CertificateArn === cert.CertificateArn)
+      )
+    })
+
+    return {
+      promise: () => Promise.resolve({})
+    }
+  }
+}
+
+export { MockELBv2, mockedElb }
diff --git a/api/resolvers/domain.js b/api/resolvers/domain.js
new file mode 100644
index 000000000..2ed31d1af
--- /dev/null
+++ b/api/resolvers/domain.js
@@ -0,0 +1,140 @@
+import { validateSchema, customDomainSchema } from '@/lib/validate'
+import { GqlAuthenticationError, GqlInputError } from '@/lib/error'
+import { getDomainMapping } from '@/lib/domains'
+import { SN_ADMIN_IDS } from '@/lib/constants'
+
+async function cleanDomainVerificationJobs (domain, models) {
+  // delete any existing domain verification job left
+  await models.$queryRaw`
+  DELETE FROM pgboss.job
+  WHERE name = 'domainVerification'
+      AND data->>'domainId' = ${domain.id}::TEXT`
+}
+
+export default {
+  Query: {
+    domain: async (parent, { subName }, { models }) => {
+      return models.domain.findUnique({
+        where: { subName },
+        include: { records: true, attempts: true, certificate: true }
+      })
+    },
+    domainMapping: async (parent, { domainName }, { models }) => {
+      const mapping = await getDomainMapping(domainName)
+      return mapping
+    }
+  },
+  Mutation: {
+    setDomain: async (parent, { subName, domainName }, { me, models }) => {
+      if (!me) {
+        throw new GqlAuthenticationError()
+      }
+
+      if (!SN_ADMIN_IDS.includes(Number(me.id))) {
+        throw new Error('not an admin')
+      }
+
+      const sub = await models.sub.findUnique({ where: { name: subName } })
+      if (!sub) {
+        throw new GqlInputError('sub not found')
+      }
+
+      if (sub.userId !== me.id) {
+        throw new GqlInputError('you do not own this sub')
+      }
+
+      // we need to get the existing domain if we're updating or re-verifying
+      const existing = await models.domain.findUnique({
+        where: { subName },
+        include: { records: true }
+      })
+
+      if (domainName) {
+        // validate the domain name
+        domainName = domainName.trim() // protect against trailing spaces
+        await validateSchema(customDomainSchema, { domainName })
+
+        // updating the domain name and recovering from HOLD is allowed
+        if (existing && existing.domainName === domainName && existing.status !== 'HOLD') {
+          throw new GqlInputError('domain already set')
+        }
+
+        // we should always make sure to get a new updatedAt timestamp
+        // to know when should we put the domain in HOLD during verification
+        const initializeDomain = {
+          domainName,
+          updatedAt: new Date(),
+          status: 'PENDING'
+        }
+
+        const updatedDomain = await models.$transaction(async tx => {
+          // we're changing the domain name, delete the domain if it exists
+          if (existing) {
+            // delete any existing domain verification job left
+            await cleanDomainVerificationJobs(existing, tx)
+            // delete the domain if we're not resuming from HOLD
+            if (existing.status !== 'HOLD') {
+              await tx.domain.delete({ where: { subName } })
+            }
+          }
+
+          const domain = await tx.domain.create({
+            data: {
+              ...initializeDomain,
+              sub: { connect: { name: subName } }
+            }
+          })
+
+          // create the CNAME verification record
+          await tx.domainVerificationRecord.create({
+            data: {
+              domainId: domain.id,
+              type: 'CNAME',
+              recordName: domainName,
+              recordValue: new URL(process.env.NEXT_PUBLIC_URL).host
+            }
+          })
+
+          // create the job to verify the domain in 30 seconds
+          await tx.$executeRaw`
+          INSERT INTO pgboss.job (name, data, retrylimit, retrydelay, startafter, keepuntil, singletonkey)
+          VALUES ('domainVerification',
+                  jsonb_build_object('domainId', ${domain.id}::INTEGER),
+                  3,
+                  60,
+                  now() + interval '30 seconds',
+                  now() + interval '2 days',
+                  'domainVerification:' || ${domain.id}::TEXT -- domain <-> job isolation
+                )`
+
+          return domain
+        })
+
+        return updatedDomain
+      } else {
+        try {
+          if (existing) {
+            return await models.$transaction(async tx => {
+              // delete any existing domain verification job left
+              await cleanDomainVerificationJobs(existing, tx)
+              // delete the domain
+              return await tx.domain.delete({ where: { subName } })
+            })
+          }
+          return null
+        } catch (error) {
+          console.error(error)
+          throw new GqlInputError('failed to delete domain')
+        }
+      }
+    }
+  },
+  Domain: {
+    records: async (domain) => {
+      if (!domain.records) return []
+
+      // O(1) lookups by type, simpler checks for CNAME and ACM validation records
+      return Object.fromEntries(domain.records.map(record => [record.type, record]))
+    }
+  }
+}
diff --git a/api/resolvers/index.js b/api/resolvers/index.js
index eccfaf1d0..b503518b6 100644
--- a/api/resolvers/index.js
+++ b/api/resolvers/index.js
@@ -20,6 +20,7 @@ import { GraphQLScalarType, Kind } from 'graphql'
 import { createIntScalar } from 'graphql-scalar'
 import paidAction from './paidAction'
 import vault from './vault'
+import domain from './domain'
 
 const date = new GraphQLScalarType({
   name: 'Date',
@@ -56,4 +57,4 @@ const limit = createIntScalar({
 
 export default [user, item, message, wallet, lnurl, notifications, invite, sub,
   upload, search, growth, rewards, referrals, price, admin, blockHeight, chainFee,
-  { JSONObject }, { Date: date }, { Limit: limit }, paidAction, vault]
+  domain, { JSONObject }, { Date: date }, { Limit: limit }, paidAction, vault]
diff --git a/api/resolvers/sub.js b/api/resolvers/sub.js
index fef5ea737..a9db685a4 100644
--- a/api/resolvers/sub.js
+++ b/api/resolvers/sub.js
@@ -1,5 +1,5 @@
 import { whenRange } from '@/lib/time'
-import { validateSchema, territorySchema } from '@/lib/validate'
+import { validateSchema, territorySchema, subBrandingSchema } from '@/lib/validate'
 import { decodeCursor, LIMIT, nextCursorEncoded } from '@/lib/cursor'
 import { viewGroup } from './growth'
 import { notifyTerritoryTransfer } from '@/lib/webPush'
@@ -170,6 +170,9 @@ export default {
         cursor: subs.length === limit ? nextCursorEncoded(decodedCursor, limit) : null,
         subs
       }
+    },
+    subBranding: async (parent, { subName }, { models }) => {
+      return models.subBranding.findUnique({ where: { subName } })
     }
   },
   Mutation: {
@@ -298,6 +301,42 @@ export default {
       }
 
       return await performPaidAction('TERRITORY_UNARCHIVE', data, { me, models, lnd })
+    },
+    upsertSubBranding: async (parent, { subName, branding }, { me, models }) => {
+      if (!me) {
+        throw new GqlAuthenticationError()
+      }
+
+      const sub = await models.sub.findUnique({ where: { name: subName } })
+      if (!sub) {
+        throw new GqlInputError('sub not found')
+      }
+
+      if (sub.userId !== me.id) {
+        throw new GqlInputError('you do not own this sub')
+      }
+
+      await validateSchema(subBrandingSchema, branding)
+
+      if (branding.logoId) {
+        const upload = await models.upload.findUnique({ where: { id: Number(branding.logoId) } })
+        if (!upload) {
+          throw new GqlInputError('logo not found')
+        }
+      }
+
+      if (branding.faviconId) {
+        const upload = await models.upload.findUnique({ where: { id: Number(branding.faviconId) } })
+        if (!upload) {
+          throw new GqlInputError('favicon not found')
+        }
+      }
+
+      return await models.subBranding.upsert({
+        where: { subName },
+        update: { ...branding, subName },
+        create: { ...branding, subName }
+      })
     }
   },
   Sub: {
@@ -331,6 +370,12 @@ export default {
 
       return sub.SubSubscription?.length > 0
     },
+    domain: async (sub, args, { models }) => {
+      return models.domain.findUnique({ where: { subName: sub.name } })
+    },
+    branding: async (sub, args, { models }) => {
+      return models.subBranding.findUnique({ where: { subName: sub.name } })
+    },
     createdAt: sub => sub.createdAt || sub.created_at
   }
 }
diff --git a/api/ssrApollo.js b/api/ssrApollo.js
index d5513b7d9..6b807f059 100644
--- a/api/ssrApollo.js
+++ b/api/ssrApollo.js
@@ -16,6 +16,7 @@ import { getAuthOptions } from '@/pages/api/auth/[...nextauth]'
 import { NOFOLLOW_LIMIT } from '@/lib/constants'
 import { satsToMsats } from '@/lib/format'
 import { MULTI_AUTH_ANON, MULTI_AUTH_LIST } from '@/lib/auth'
+import { SUB_BRANDING } from '@/fragments/subs'
 
 export default async function getSSRApolloClient ({ req, res, me = null }) {
   const session = req && await getServerSession(req, res, getAuthOptions(req))
@@ -152,6 +153,22 @@ export function getGetServerSideProps (
 
     const client = await getSSRApolloClient({ req, res })
 
+    const isCustomDomain = req.headers.host !== process.env.NEXT_PUBLIC_URL.replace(/^https?:\/\//, '')
+    const subName = req.headers['x-stacker-news-subname'] || null
+    let domain = null
+    if (isCustomDomain && subName) {
+      const { data: { subBranding } } = await client.query({
+        query: SUB_BRANDING,
+        variables: { subName }
+      })
+      console.log('subBranding', subBranding)
+      domain = {
+        domainName: req.headers.host,
+        subName,
+        branding: subBranding || null
+      }
+    }
+
     let { data: { me } } = await client.query({ query: ME })
 
     // required to redirect to /signup on page reload
@@ -216,6 +233,7 @@ export function getGetServerSideProps (
     return {
       props: {
         ...props,
+        domain,
         me,
         price,
         blockHeight,
diff --git a/api/typeDefs/domain.js b/api/typeDefs/domain.js
new file mode 100644
index 000000000..83b956e2e
--- /dev/null
+++ b/api/typeDefs/domain.js
@@ -0,0 +1,100 @@
+import { gql } from 'graphql-tag'
+
+export default gql`
+  extend type Query {
+    domain(subName: String!): Domain
+    domainMapping(domainName: String!): DomainMapping
+  }
+
+  extend type Mutation {
+    setDomain(subName: String!, domainName: String!): Domain
+  }
+
+  type Domain {
+    id: Int!
+    createdAt: Date!
+    updatedAt: Date!
+    domainName: String!
+    subName: String!
+    status: DomainVerificationStatus
+    records: DomainVerificationRecordMap
+    attempts: [DomainVerificationAttempt]
+    certificate: DomainCertificate
+  }
+
+  type DomainVerificationRecord {
+    id: Int!
+    createdAt: Date!
+    updatedAt: Date!
+    lastCheckedAt: Date
+    domainId: Int!
+    type: DomainRecordType
+    recordName: String!
+    recordValue: String!
+    status: DomainVerificationStatus
+    attempts: [DomainVerificationAttempt]
+  }
+
+  type DomainVerificationRecordMap {
+    CNAME: DomainVerificationRecord
+    SSL: DomainVerificationRecord
+  }
+
+  type DomainVerificationAttempt {
+    id: Int!
+    createdAt: Date!
+    updatedAt: Date!
+    domainId: Int!
+    verificationRecordId: Int
+    stage: DomainVerificationStage
+    status: DomainVerificationStatus
+    message: String
+  }
+
+  type DomainCertificate {
+    id: Int!
+    createdAt: Date!
+    updatedAt: Date!
+    domainId: Int!
+    certificateArn: String!
+    status: DomainCertificateStatus
+  }
+
+  enum DomainVerificationStage {
+    GENERAL
+    CNAME
+    ACM_REQUEST_CERTIFICATE
+    ACM_REQUEST_VALIDATION_VALUES
+    ACM_VALIDATION
+    ELB_ATTACH_CERTIFICATE
+    VERIFICATION_COMPLETE
+  }
+
+  enum DomainRecordType {
+    CNAME
+    SSL
+  }
+
+  enum DomainVerificationStatus {
+    PENDING
+    VERIFIED
+    FAILED
+    ACTIVE
+    HOLD
+  }
+
+  enum DomainCertificateStatus {
+    PENDING_VALIDATION
+    ISSUED
+    INACTIVE
+    EXPIRED
+    REVOKED
+    FAILED
+    VALIDATION_TIMED_OUT
+  }
+  
+  type DomainMapping {
+    domainName: String!
+    subName: String!
+  }
+`
diff --git a/api/typeDefs/index.js b/api/typeDefs/index.js
index eb4e1e427..0acd7dc44 100644
--- a/api/typeDefs/index.js
+++ b/api/typeDefs/index.js
@@ -19,6 +19,7 @@ import blockHeight from './blockHeight'
 import chainFee from './chainFee'
 import paidAction from './paidAction'
 import vault from './vault'
+import domain from './domain'
 
 const common = gql`
   type Query {
@@ -39,4 +40,4 @@ const common = gql`
 `
 
 export default [common, user, item, itemForward, message, wallet, lnurl, notifications, invite,
-  sub, upload, growth, rewards, referrals, price, admin, blockHeight, chainFee, paidAction, vault]
+  sub, upload, growth, rewards, referrals, price, admin, blockHeight, chainFee, domain, paidAction, vault]
diff --git a/api/typeDefs/sub.js b/api/typeDefs/sub.js
index 6167d5350..fe3d56027 100644
--- a/api/typeDefs/sub.js
+++ b/api/typeDefs/sub.js
@@ -8,6 +8,7 @@ export default gql`
     topSubs(cursor: String, when: String, from: String, to: String, by: String, limit: Limit): Subs
     userSubs(name: String!, cursor: String, when: String, from: String, to: String, by: String, limit: Limit): Subs
     subSuggestions(q: String!, limit: Limit): [Sub!]!
+    subBranding(subName: String!): SubBranding
   }
 
   type Subs {
@@ -29,6 +30,7 @@ export default gql`
       replyCost: Int!, postTypes: [String!]!,
       billingType: String!, billingAutoRenew: Boolean!,
       moderated: Boolean!, nsfw: Boolean!): SubPaidAction!
+    upsertSubBranding(subName: String!, branding: SubBrandingInput): SubBranding!
   }
 
   type Sub {
@@ -56,7 +58,8 @@ export default gql`
     nposts(when: String, from: String, to: String): Int!
     ncomments(when: String, from: String, to: String): Int!
     meSubscription: Boolean!
-
+    domain: Domain
+    branding: SubBranding
     optional: SubOptional!
   }
 
@@ -68,4 +71,24 @@ export default gql`
     spent(when: String, from: String, to: String): Int
     revenue(when: String, from: String, to: String): Int
   }
+
+  type SubBranding {
+    id: Int!
+    subName: String!
+    title: String
+    description: String
+    logoId: Int
+    faviconId: Int
+    primaryColor: String
+    secondaryColor: String
+  }
+
+  input SubBrandingInput {
+    title: String
+    description: String
+    logoId: Int
+    faviconId: Int
+    primaryColor: String
+    secondaryColor: String
+  }
 `
diff --git a/components/form.js b/components/form.js
index e28d64c3c..77fb2a1ce 100644
--- a/components/form.js
+++ b/components/form.js
@@ -24,7 +24,7 @@ import textAreaCaret from 'textarea-caret'
 import 'react-datepicker/dist/react-datepicker.css'
 import useDebounceCallback, { debounce } from './use-debounce-callback'
 import { FileUpload } from './file-upload'
-import { AWS_S3_URL_REGEXP } from '@/lib/constants'
+import { AWS_S3_URL_REGEXP, MEDIA_URL } from '@/lib/constants'
 import { whenRange } from '@/lib/time'
 import { useFeeButton } from './fee-button'
 import Thumb from '@/svgs/thumb-up-fill.svg'
@@ -42,6 +42,7 @@ import dynamic from 'next/dynamic'
 import { qrImageSettings } from './qr'
 import { useIsClient } from './use-client'
 import PageLoading from './page-loading'
+import Avatar from './avatar'
 
 export class SessionRequiredError extends Error {
   constructor () {
@@ -78,7 +79,7 @@ export function SubmitButton ({
   )
 }
 
-function CopyButton ({ value, icon, ...props }) {
+export function CopyButton ({ value, icon, append, ...props }) {
   const toaster = useToast()
   const [copied, setCopied] = useState(false)
 
@@ -101,6 +102,14 @@ function CopyButton ({ value, icon, ...props }) {
     )
   }
 
+  if (append) {
+    return (
+      <span className={styles.appendButton} {...props} onClick={handleClick}>
+        {append}
+      </span>
+    )
+  }
+
   return (
     <Button className={styles.appendButton} {...props} onClick={handleClick}>
       {copied ? <Thumb width={18} height={18} /> : 'copy'}
@@ -1524,5 +1533,54 @@ export function MultiInput ({
   )
 }
 
+export function ColorPicker ({ label, groupClassName, name, ...props }) {
+  const [field, , helpers] = useField({ ...props, name })
+
+  useEffect(() => {
+    helpers.setValue(field.value)
+  }, [field.value])
+
+  return (
+    <FormGroup label={label} className={groupClassName}>
+      <ClientInput
+        type='color'
+        {...field}
+        {...props}
+        onChange={(formik, e) => {
+          field.onChange(e)
+          if (props.onChange) {
+            props.onChange(formik, e)
+          }
+        }}
+      />
+    </FormGroup>
+  )
+}
+
+export function BrandingUpload ({ label, groupClassName, name, ...props }) {
+  const [field, , helpers] = useField({ ...props, name })
+  const [tempId, setTempId] = useState(field.value)
+
+  const handleSuccess = useCallback((id) => {
+    setTempId(id)
+    helpers.setValue(id)
+  }, [helpers])
+
+  return (
+    <FormGroup label={label} className={groupClassName}>
+      <img
+        src={tempId ? `${MEDIA_URL}/${tempId}` : '/favicon.png'}
+        alt={name}
+        width={100}
+        height={100}
+        style={{ objectFit: 'contain', position: 'relative' }}
+      />
+      <Avatar
+        onSuccess={handleSuccess}
+      />
+    </FormGroup>
+  )
+}
+
 export const ClientInput = Client(Input)
 export const ClientCheckbox = Client(Checkbox)
diff --git a/components/item.module.css b/components/item.module.css
index 8800900e5..a529b29a9 100644
--- a/components/item.module.css
+++ b/components/item.module.css
@@ -247,3 +247,31 @@ a.link:visited {
 .skeleton .otherItemLonger {
     width: 60px;
 }
+
+.record {
+    display: flex;
+    flex-direction: column;
+    margin-right: 0.5rem;
+}
+
+.clipboard {
+    cursor: pointer;
+    fill: var(--theme-grey);
+    width: 1rem;
+    height: 1rem;
+}
+
+.clipboard:hover {
+    fill: var(--bs-primary);
+}
+
+.refresh {
+    cursor: pointer;
+    fill: var(--theme-grey);
+    width: 1rem;
+    height: 1rem;
+}
+
+.refresh:hover {
+    fill: var(--bs-primary);
+}
diff --git a/components/nav/common.js b/components/nav/common.js
index 89df6c7ed..3b07ea771 100644
--- a/components/nav/common.js
+++ b/components/nav/common.js
@@ -26,12 +26,19 @@ import { useWalletIndicator } from '@/wallets/indicator'
 import SwitchAccountList, { nextAccount, useAccounts } from '@/components/account'
 import { useShowModal } from '@/components/modal'
 import { numWithUnits } from '@/lib/format'
+import { useDomain } from '@/components/territory-domains'
 
 export function Brand ({ className }) {
+  // wip-branding: temporary logo branding concept
+  const { domain } = useDomain()
+  const branding = domain?.branding
+
   return (
     <Link href='/' passHref legacyBehavior>
       <Navbar.Brand className={classNames(styles.brand, className)}>
-        <SnIcon width={36} height={36} />
+        {branding?.logoId
+          ? <img src={branding.logoId} alt={branding.title} style={{ width: '36px', height: '36px' }} />
+          : <SnIcon width={36} height={36} />}
       </Navbar.Brand>
     </Link>
   )
@@ -119,12 +126,24 @@ export function NavSelect ({ sub: subName, className, size }) {
 }
 
 export function NavNotifications ({ className }) {
+  // wip-branding: temporary favicon branding concept
+  const { domain } = useDomain()
+  const branding = domain?.branding
+
   const hasNewNotes = useHasNewNotes()
 
   return (
     <>
       <Head>
-        <link rel='shortcut icon' href={hasNewNotes ? '/favicon-notify.png' : '/favicon.png'} />
+        <link
+          rel='shortcut icon'
+          // wip-branding: temporary favicon branding, doesn't support custom favicon with hasNewNotes
+          href={hasNewNotes && !branding?.faviconId
+            ? '/favicon-notify.png'
+            : branding?.faviconId
+              ? branding.faviconId
+              : '/favicon.png'}
+        />
       </Head>
       <Link href='/notifications' passHref legacyBehavior>
         <Nav.Link eventKey='notifications' className={classNames('position-relative', className)}>
diff --git a/components/nav/index.js b/components/nav/index.js
index beacbd6fc..892d7d683 100644
--- a/components/nav/index.js
+++ b/components/nav/index.js
@@ -3,16 +3,23 @@ import DesktopHeader from './desktop/header'
 import MobileHeader from './mobile/header'
 import StickyBar from './sticky-bar'
 import { PriceCarouselProvider } from './price-carousel'
+import { useDomain } from '../territory-domains'
 
 export default function Navigation ({ sub }) {
   const router = useRouter()
+  const { domain } = useDomain()
   const path = router.asPath.split('?')[0]
   const props = {
     prefix: sub ? `/~${sub}` : '',
     path,
     pathname: router.pathname,
-    topNavKey: path.split('/')[sub ? 2 : 1] ?? '',
-    dropNavKey: path.split('/').slice(sub ? 2 : 1).join('/'),
+    topNavKey: domain
+      // on custom domains, the nav key is in the first path segment
+      ? path.split('/')[1] ?? ''
+      : path.split('/')[sub ? 2 : 1] ?? '',
+    dropNavKey: domain
+      ? path.split('/').slice(1).join('/')
+      : path.split('/').slice(sub ? 2 : 1).join('/'),
     sub
   }
 
diff --git a/components/seo.js b/components/seo.js
index 2aaa6615b..2beffdbee 100644
--- a/components/seo.js
+++ b/components/seo.js
@@ -2,12 +2,17 @@ import { NextSeo } from 'next-seo'
 import { useRouter } from 'next/router'
 import removeMd from 'remove-markdown'
 import { numWithUnits } from '@/lib/format'
+import { useDomain } from '@/components/territory-domains'
 
 export function SeoSearch ({ sub }) {
   const router = useRouter()
-  const subStr = sub ? ` ~${sub}` : ''
-  const title = `${router.query.q || 'search'} \\ stacker news${subStr}`
-  const desc = `SN${subStr} search: ${router.query.q || ''}`
+  const { domain } = useDomain()
+
+  // wip-branding: temporary branding concept
+  // if it's a territory with a custom domain, we don't want to show the sub in the title
+  const subStr = sub && !domain ? ` ~${sub}` : ''
+  const title = `${router.query.q || 'search'} \\ ${domain?.branding?.title || 'stacker news'}${subStr}`
+  const desc = `${domain?.branding?.title || 'SN'}${subStr} search: ${router.query.q || ''}`
 
   return (
     <NextSeo
@@ -21,7 +26,7 @@ export function SeoSearch ({ sub }) {
             url: 'https://capture.stacker.news' + router.asPath
           }
         ],
-        site_name: 'Stacker News'
+        site_name: domain?.branding?.title || 'Stacker News'
       }}
       twitter={{
         site: '@stacker_news',
@@ -40,9 +45,13 @@ export default function Seo ({ sub, item, user }) {
   const router = useRouter()
   const pathNoQuery = router.asPath.split('?')[0]
   const defaultTitle = pathNoQuery.slice(1)
-  const snStr = `stacker news${sub ? ` ~${sub}` : ''}`
-  let fullTitle = `${defaultTitle && `${defaultTitle} \\ `}stacker news`
-  let desc = "It's like Hacker News but we pay you Bitcoin."
+  const { domain } = useDomain()
+  // wip-branding: temporary branding concept
+  // on custom domains, replace stacker news with the domain title if it exists,
+  // also don't show sub in the title
+  const snStr = `${domain?.branding?.title || 'stacker news'}${sub && !domain ? ` ~${sub}` : ''}`
+  let fullTitle = `${defaultTitle && `${defaultTitle} \\ `}${domain?.branding?.title || 'stacker news'}`
+  let desc = domain?.branding?.description || "It's like Hacker News but we pay you Bitcoin."
   if (item) {
     if (item.title) {
       fullTitle = `${item.title} \\ ${snStr}`
@@ -84,7 +93,7 @@ export default function Seo ({ sub, item, user }) {
             url: 'https://capture.stacker.news' + pathNoQuery
           }
         ],
-        site_name: 'Stacker News'
+        site_name: domain?.branding?.title || 'Stacker News'
       }}
       twitter={{
         site: '@stacker_news',
diff --git a/components/territory-branding.js b/components/territory-branding.js
new file mode 100644
index 000000000..14b9af74b
--- /dev/null
+++ b/components/territory-branding.js
@@ -0,0 +1,97 @@
+import { useToast } from '@/components/toast'
+import { SUB_BRANDING, UPSERT_SUB_BRANDING } from '@/fragments/subs'
+import { useMutation, useQuery } from '@apollo/client'
+import { subBrandingSchema } from '@/lib/validate'
+import { Form, Input, ColorPicker, SubmitButton, BrandingUpload } from '@/components/form'
+import AccordianItem from '@/components/accordian-item'
+import Moon from '@/svgs/moon-fill.svg'
+
+export default function TerritoryBrandingForm ({ sub }) {
+  const [upsertSubBranding] = useMutation(UPSERT_SUB_BRANDING)
+  const toaster = useToast()
+
+  const { data, loading } = useQuery(SUB_BRANDING, {
+    variables: { subName: sub.name }
+  })
+
+  if (loading) {
+    return <Moon className='spin fill-grey' style={{ width: '1rem', height: '1rem' }} />
+  }
+
+  const subBranding = data?.subBranding || {
+    title: sub.name,
+    description: sub.desc,
+    primaryColor: '#FADA5E',
+    secondaryColor: '#F6911D',
+    logoId: null,
+    faviconId: null
+  }
+
+  const onSubmit = async (values) => {
+    try {
+      await upsertSubBranding({
+        variables: {
+          subName: sub.name,
+          branding: {
+            title: values.title || sub.name,
+            description: values.description || sub.desc,
+            primaryColor: values.primaryColor || '#FADA5E',
+            secondaryColor: values.secondaryColor || '#F6911D',
+            logoId: values.logoId,
+            faviconId: values.faviconId
+          }
+        }
+      })
+      toaster.success('branding updated successfully')
+    } catch (error) {
+      console.error(error)
+      toaster.danger('failed to update branding', { error })
+    }
+  }
+
+  const initialValues = {
+    title: subBranding.title,
+    description: subBranding.description,
+    primaryColor: subBranding.primaryColor,
+    secondaryColor: subBranding.secondaryColor,
+    logoId: subBranding.logoId,
+    faviconId: subBranding.faviconId
+  }
+
+  return (
+    <Form
+      initial={initialValues}
+      schema={subBrandingSchema}
+      onSubmit={onSubmit}
+    >
+      <Input label='title' name='title' />
+      <Input label='description' name='description' />
+      <div className='row'>
+        <ColorPicker groupClassName='col-4' label='primary color' name='primaryColor' />
+        <ColorPicker groupClassName='col-4' label='secondary color' name='secondaryColor' />
+      </div>
+      <AccordianItem
+        header={<div className='fw-bold text-muted'>logo and favicon</div>}
+        body={
+          <div className='row'>
+            <div className='col-2'>
+              <label className='form-label'>logo</label>
+              <div style={{ position: 'relative', width: '100px', height: '100px', border: '1px solid #dee2e6', borderRadius: '5px', overflow: 'hidden' }}>
+                <BrandingUpload name='logoId' />
+              </div>
+            </div>
+            <div className='col-2'>
+              <label className='form-label'>favicon</label>
+              <div style={{ position: 'relative', width: '100px', height: '100px', border: '1px solid #dee2e6', borderRadius: '5px', overflow: 'hidden' }}>
+                <BrandingUpload name='faviconId' />
+              </div>
+            </div>
+          </div>
+        }
+      />
+      <div className='mt-3 d-flex justify-content-end'>
+        <SubmitButton variant='primary'>save branding</SubmitButton>
+      </div>
+    </Form>
+  )
+}
diff --git a/components/territory-domains.js b/components/territory-domains.js
new file mode 100644
index 000000000..febff79e8
--- /dev/null
+++ b/components/territory-domains.js
@@ -0,0 +1,235 @@
+import { Badge } from 'react-bootstrap'
+import { Form, Input, SubmitButton, CopyButton } from './form'
+import { useMutation, useQuery } from '@apollo/client'
+import { customDomainSchema } from '@/lib/validate'
+import { useToast } from '@/components/toast'
+import { NORMAL_POLL_INTERVAL, SSR } from '@/lib/constants'
+import { GET_DOMAIN, SET_DOMAIN } from '@/fragments/domains'
+import { useEffect, createContext, useContext, useState } from 'react'
+import Moon from '@/svgs/moon-fill.svg'
+import ClipboardLine from '@/svgs/clipboard-line.svg'
+import RefreshLine from '@/svgs/refresh-line.svg'
+import styles from './item.module.css'
+import TerritoryBrandingForm from './territory-branding'
+import Head from 'next/head'
+import { setBrandingColors } from '@/lib/domain-css-injection'
+
+// Domain context for custom domains
+const DomainContext = createContext({
+  domain: {
+    domainName: null,
+    subName: null,
+    branding: null // wip-brandings
+  }
+})
+
+export const DomainProvider = ({ domain: ssrDomain, children }) => {
+  const [domain, setDomain] = useState(ssrDomain || null)
+  const [loaded, setLoaded] = useState(false)
+
+  // maintain the custom domain state across re-renders
+  useEffect(() => {
+    if (ssrDomain && !domain) {
+      setDomain(ssrDomain)
+    }
+
+    // wip-brandings: set the branding colors
+    if (ssrDomain?.branding) {
+      setBrandingColors(ssrDomain.branding)
+      setTimeout(() => {
+        setLoaded(true)
+      }, 1000)
+    }
+  }, [ssrDomain])
+
+  // wip-brandings: workaround for the branding colors not being applied immediately
+  if (ssrDomain?.branding && !loaded) {
+    return (
+      <div className='d-flex flex-column justify-content-center align-items-center' style={{ minHeight: '100vh', fontFamily: 'lightning' }}>
+        {ssrDomain?.branding?.title && <h1 className='text-muted'>{ssrDomain.branding.title}</h1>}
+        <Moon className='spin fill-grey' style={{ width: '1rem', height: '1rem' }} />
+      </div>
+    )
+  }
+
+  return (
+    <DomainContext.Provider value={{ domain }}>
+      <Head>
+        {ssrDomain?.branding?.title && <title>{ssrDomain.branding.title}</title>}
+        {ssrDomain?.branding?.description && <meta name='description' content={ssrDomain.branding.description} />}
+        {ssrDomain?.branding?.faviconId && <link rel='shortcut icon' href={ssrDomain.branding.faviconId} />}
+      </Head>
+      {children}
+    </DomainContext.Provider>
+  )
+}
+
+export const useDomain = () => useContext(DomainContext)
+
+const getStatusBadge = (type, status) => {
+  switch (status) {
+    case 'VERIFIED':
+      return <Badge bg='success'>{type} verified</Badge>
+    default:
+      return <Badge bg='warning'>{type} pending</Badge>
+  }
+}
+
+const DomainLabel = ({ domain, polling }) => {
+  const { status, records } = domain || {}
+
+  return (
+    <div className='d-flex align-items-center gap-2'>
+      <span>custom domain</span>
+      {domain && (
+        <div className='d-flex align-items-center gap-2'>
+          {status !== 'HOLD'
+            ? (
+              <>
+                {getStatusBadge('CNAME', records?.CNAME?.status)}
+                {getStatusBadge('SSL', records?.SSL?.status)}
+              </>
+              )
+            : (
+              <>
+                <Badge bg='secondary'>HOLD</Badge>
+                <SubmitButton variant='link' className='p-0'>
+                  <RefreshLine className={styles.refresh} style={{ width: '1rem', height: '1rem' }} />
+                </SubmitButton>
+              </>
+              )}
+          {polling && <Moon className='spin fill-grey' style={{ width: '1rem', height: '1rem' }} />}
+        </div>
+      )}
+    </div>
+  )
+}
+
+const DomainGuidelines = ({ domain }) => {
+  const { records } = domain || {}
+
+  const dnsRecord = ({ record }) => {
+    return (
+      <div className='d-flex align-items-center gap-2 flex-wrap'>
+        <span className={`${styles.record}`}>
+          <small className='fw-bold text-muted d-flex align-items-center gap-1 position-relative'>
+            host
+            <CopyButton
+              value={record?.recordName}
+              append={
+                <ClipboardLine
+                  className={`${styles.clipboard}`}
+                  style={{ width: '1rem', height: '1rem' }}
+                />
+              }
+            />
+          </small>
+          <pre>{record?.recordName}</pre>
+        </span>
+        <span className={`${styles.record}`}>
+          <small className='fw-bold text-muted d-flex align-items-center gap-1 position-relative'>
+            value
+            <CopyButton
+              value={record?.recordValue}
+              append={
+                <ClipboardLine
+                  className={`${styles.clipboard}`}
+                  style={{ width: '1rem', height: '1rem' }}
+                />
+              }
+            />
+          </small>
+          <pre>{record?.recordValue}</pre>
+        </span>
+      </div>
+    )
+  }
+
+  return (
+    <div className='d-flex'>
+      {records?.CNAME?.status === 'PENDING' && (
+        <div className='d-flex flex-column gap-2'>
+          <h5>Step 1: Verify your domain</h5>
+          <p>Add the following DNS record to verify ownership of your domain:</p>
+          <h6>CNAME</h6>
+          {dnsRecord({ record: records?.CNAME })}
+        </div>
+      )}
+      {records?.SSL?.status === 'PENDING' && (
+        <div className=''>
+          <h5>Step 2: Prepare your domain for SSL</h5>
+          <p>We issued an SSL certificate for your domain. To validate it, add the following CNAME record:</p>
+          <h6>CNAME</h6>
+          {dnsRecord({ record: records?.SSL })}
+        </div>
+      )}
+    </div>
+  )
+}
+
+export default function CustomDomainForm ({ sub }) {
+  const [setDomain] = useMutation(SET_DOMAIN)
+
+  // Get the custom domain and poll for changes
+  const { data, refetch } = useQuery(GET_DOMAIN, SSR
+    ? {}
+    : {
+        variables: { subName: sub.name },
+        pollInterval: NORMAL_POLL_INTERVAL,
+        nextFetchPolicy: 'cache-and-network',
+        onCompleted: ({ domain }) => {
+          if (domain?.status !== 'PENDING') {
+            return { pollInterval: 0 }
+          }
+        }
+      })
+  const toaster = useToast()
+
+  const { domainName, status } = data?.domain || {}
+  const polling = status === 'PENDING'
+
+  // Update the custom domain
+  const onSubmit = async ({ domainName }) => {
+    try {
+      await setDomain({
+        variables: {
+          subName: sub.name,
+          domainName
+        }
+      })
+      refetch()
+      if (domainName) {
+        toaster.success('started domain verification')
+      } else {
+        toaster.success('domain removed successfully')
+      }
+    } catch (error) {
+      toaster.danger(error.message)
+    }
+  }
+
+  return (
+    <>
+      <Form
+        initial={{ domainName: domainName || sub?.domain?.domainName }}
+        schema={customDomainSchema}
+        onSubmit={onSubmit}
+        className='mb-2'
+      >
+        <div className='d-flex align-items-center gap-2'>
+          <Input
+            groupClassName='w-100'
+            label={<DomainLabel domain={data?.domain} polling={polling} />}
+            name='domainName'
+            placeholder='www.example.com'
+          />
+          <SubmitButton variant='primary' className='mt-3'>save</SubmitButton>
+        </div>
+      </Form>
+      {data?.domain && data?.domain?.status !== 'ACTIVE' && (
+        <DomainGuidelines domain={data?.domain} />
+      )}
+      {data?.domain?.status === 'ACTIVE' && <TerritoryBrandingForm sub={sub} />}
+    </>
+  )
+}
diff --git a/components/territory-form.js b/components/territory-form.js
index 0983002c8..6221909c5 100644
--- a/components/territory-form.js
+++ b/components/territory-form.js
@@ -5,7 +5,7 @@ import FeeButton, { FeeButtonProvider } from './fee-button'
 import { gql, useApolloClient, useLazyQuery } from '@apollo/client'
 import { useCallback, useMemo, useState } from 'react'
 import { useRouter } from 'next/router'
-import { MAX_TERRITORY_DESC_LENGTH, POST_TYPES, TERRITORY_BILLING_OPTIONS, TERRITORY_PERIOD_COST } from '@/lib/constants'
+import { MAX_TERRITORY_DESC_LENGTH, POST_TYPES, SN_ADMIN_IDS, TERRITORY_BILLING_OPTIONS, TERRITORY_PERIOD_COST } from '@/lib/constants'
 import { territorySchema } from '@/lib/validate'
 import { useMe } from './me'
 import Info from './info'
@@ -14,11 +14,14 @@ import { purchasedType } from '@/lib/territory'
 import { SUB } from '@/fragments/subs'
 import { usePaidMutation } from './use-paid-mutation'
 import { UNARCHIVE_TERRITORY, UPSERT_SUB } from '@/fragments/paidAction'
+import TerritoryDomains, { useDomain } from './territory-domains'
+import Link from 'next/link'
 
 export default function TerritoryForm ({ sub }) {
   const router = useRouter()
   const client = useApolloClient()
   const { me } = useMe()
+  const { domain } = useDomain()
   const [upsertSub] = usePaidMutation(UPSERT_SUB)
   const [unarchiveTerritory] = usePaidMutation(UNARCHIVE_TERRITORY)
 
@@ -286,6 +289,17 @@ export default function TerritoryForm ({ sub }) {
           />
         </div>
       </Form>
+      {SN_ADMIN_IDS.includes(Number(me.id)) &&
+        <>
+          {sub && !domain &&
+            <div className='w-100'>
+              <AccordianItem
+                header={<div style={{ fontWeight: 'bold', fontSize: '92%' }}>advanced</div>}
+                body={<TerritoryDomains sub={sub} />}
+              />
+            </div>}
+          {sub && domain && <Link className='text-muted w-100' href={`${process.env.NEXT_PUBLIC_URL}/~${sub.name}/edit`}>domain settings on stacker.news</Link>}
+        </>}
     </FeeButtonProvider>
   )
 }
diff --git a/components/territory-header.js b/components/territory-header.js
index de52ec929..44e31900a 100644
--- a/components/territory-header.js
+++ b/components/territory-header.js
@@ -69,6 +69,7 @@ export function TerritoryInfo ({ sub, includeLink }) {
             <span className='fw-bold'>{numWithUnits(sub.replyCost)}</span>
           </div>
         </div>
+        {/* TODO: Show custom domain if it exists */}
         <TerritoryBillingLine sub={sub} />
       </CardFooter>
     </>
diff --git a/docker-compose.yml b/docker-compose.yml
index 35b6e232c..034cca83e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -139,9 +139,9 @@ services:
     labels:
       - "CONNECT=localhost:3001"
     cpu_shares: "${CPU_SHARES_LOW}"
-  s3:
-    container_name: s3
-    image: localstack/localstack:s3-latest
+  aws:
+    container_name: aws
+    image: localstack/localstack:latest
     # healthcheck:
     #   test: ["CMD-SHELL", "awslocal", "s3", "ls", "s3://uploads"]
     #   interval: 10s
@@ -151,6 +151,7 @@ services:
     restart: unless-stopped
     profiles:
       - images
+      - domains
     env_file: *env_file
     environment:
       - DEBUG=1
@@ -159,9 +160,9 @@ services:
     expose:
       - "4566"
     volumes:
-      - 's3:/var/lib/localstack'
-      - './docker/s3/init-s3.sh:/etc/localstack/init/ready.d/init-s3.sh'
-      - './docker/s3/cors.json:/etc/localstack/init/ready.d/cors.json'
+      - 'aws:/var/lib/localstack'
+      - './docker/aws/init-s3.sh:/etc/localstack/init/ready.d/init-s3.sh'
+      - './docker/aws/cors.json:/etc/localstack/init/ready.d/cors.json'
     labels:
       - "CONNECT=localhost:4566"
     cpu_shares: "${CPU_SHARES_LOW}"
@@ -839,7 +840,7 @@ volumes:
   lnd:
   cln:
   router_lnd:
-  s3:
+  aws:
   nwc_send:
   nwc_recv:
   tordata:
diff --git a/docker/s3/cors.json b/docker/aws/cors.json
similarity index 100%
rename from docker/s3/cors.json
rename to docker/aws/cors.json
diff --git a/docker/s3/init-s3.sh b/docker/aws/init-s3.sh
similarity index 100%
rename from docker/s3/init-s3.sh
rename to docker/aws/init-s3.sh
diff --git a/docs/dev/custom-domains.md b/docs/dev/custom-domains.md
new file mode 100644
index 000000000..22eadc208
--- /dev/null
+++ b/docs/dev/custom-domains.md
@@ -0,0 +1,302 @@
+Lets territory owners attach a domain to their territories.
+TODO: change the title
+
+Index:
+TODO
+
+# Middleware
+Every time we hit a custom domain, our middleware:
+- Looks up a cached map of `ACTIVE` custom domains and their `subName`
+- Redirects and rewrites URLs to provide a seamless territory-specific SN experience.
+##### Main middleware
+Referral cookies and security headers are applied as usual ensuring that the same Stacker News functionality are applied to responses returned by `customDomainMiddleware`
+##### Custom Domain Middleware
+Injects a `x-stacker-news-subname` header into the request, so that we can avoid checking the cached map of domains again on other parts of the code.
+
+Since SN has several paths that depends on the `sub` parameter or the `~subName/` paths, it manipulates the URL to always stay on the right territory:
+- Forces the `sub` parameter to match the custom domain's `subName`
+- Internally rewrites `/` to `/~subName/`
+- Redirects paths that uses `~subName` to `/`
+
+The territory paths are the following:
+`['/~', '/recent', '/random', '/top', '/post', '/edit']`
+
+Rewriting `~subName` to `/` gives custom domains an **independent-like look**, so that things like `/~subName/post` can now look like `/post`, etc.
+# Domain Verification
+We use a pgboss job called `domainVerification`, to verify domains, manage AWS integrations and update domain status.
+A new job is scheduled 30 seconds after domain creation or `domainVerification` resulting in `PENDING`, including a `singletonKey` to prevent concurrency from other workers.
+
+The Domain Verification Flow is structured this way:
+```
+domain is PENDING
+  0. check if it's PENDING since 48 hours
+	  OK: delete the certificate;
+	      put the domain on HOLD.
+	  KO: proceed
+
+  1. verify DNS CNAME record
+      KO: schedule job
+      OK: proceed
+
+  IMPLICIT: DNS is OK
+  2. Certificate Management
+	  KO: critical AWS error, schedule up to 3 retries
+          every step can throw an error
+
+        CONDITION: certificate is not issued
+        2a. issue certificate
+		  OK: proceed
+
+        CONDITION: SSL records are not present
+        2b. get SSL validation values
+		  OK: schedule job, the user will add the records
+
+        IMPLICIT: certificate is issued, SSL records are present
+        2c. check certificate status
+		  KO: schedule job
+		  OK: update certificate status, proceed
+
+		IMPLICIT: certificate is verified by ACM
+		2d. attach certificate to the load balancer listener
+		  KO: throw critical AWS error
+		  OK: proceed
+
+  IMPLICIT: DNS is OK, certificate is VERIFIED and ATTACHED to the ALB
+  3. update domain status to VERIFIED 🎉
+```
+
+### DNS Verification
+It uses `Resolver` from `node:dns/promises` to fetch CNAME records.
+
+A successful CNAME lookup logs a `DomainVerificationAttempt` with status `VERIFIED`, triggering an update to the corresponding `DomainVerificationRecord` via database triggers.
+##### local testing with dnsmasq
+In local, **dnsmasq** is used as a DNS server to mock records for the domain verification job.
+To have a dedicated IP for the `node:dns` Resolver, the `worker` container is part of a dedicated docker network that gives dnsmasq the `172.30.0.2` IP address.
+
+You can also set your machine's DNS configuration to point to 127.0.0.1:5353 and access custom rules that you might've set. For example, if you have a CNAME record www.pizza.com pointing to `local.sndev`, you can access www.pizza.com from your browser.
+
+For more information on how to add/remove records, take a look at `README.md` on the `Custom domains` section.
+### AWS management
+AWS operations are handled within the verification job. Each steps logs attempts and allows up to 3 pgboss job retries on critical thrown errors.
+
+- certificate issuance
+- certificate validation values
+- certificate polling
+- certificate attachment to ELB
+
+##### Certificate issuance
+After DNS checks, if we don't have a certificate already, we request ACM a new certificate for the domain.
+ACM will return a `certificateArn`, which is the unique ID of an ACM certificate, that is immediately used to check its status. These informations are then stored in the `DomainCertificate` table.
+
+##### Certificate validation values
+ACM needs to verify domain ownership in order to validate the certificate, in this case we use the DNS method.
+
+We ask ACM for the DNS records so that we can store them as a `DomainVerificationRecord` and present them to the user. Finally, we re-schedule the job so that the user can adjust their DNS configuration.
+
+##### Certificate validation and status polling
+We asked ACM for a certificate, got its validation values and presented them to the user. Now we need to poll ACM to know if the verification was successful.
+
+Since we're directly checking the certificate status, we also update `DomainCertificate` on our DB with the new status.
+
+AWS validation timings are unpredictable, if the verification returns a negative result, we re-schedule the job to repeat this step.
+
+##### Certificate attachment to the ALB listener
+This is the last step regarding AWS in our domain verification job, it attaches a completely verified ACM certificate to our load balancer listener.
+
+The ALB listener is the gatekeeper of the application load balancer (ALB), it determines how incoming requests should be routed to the target server.
+
+In the case of Stacker News, the domain points directly to the load balancer listener, this means that we can both direct the user to point their `CNAME` record to `stacker.news` and we can serve their ACM certificate directly from the load balancer.
+
+### Error handling
+Every AWS or DNS step is wrapped in try/catch:
+If something throws an error, we catch it to log the attempt and then re-throw it to let pgboss retry up to 3 times.
+
+Using the `jobId` that we pass with each job, we can know if we're reaching 3 retries using pgboss' `getJobById`. And if we did reach 3 retries, we put the domain on `HOLD`, stopping and deleting future jobs tied to this domain.
+
+### End of the job
+When we finish a step in the domain verification job, and the resulting status is still `PENDING`, we re-schedule a job using `sendDebounced` by pgboss.
+
+Since we use a `singletonKey` to avoid same-domain concurrent jobs, and you can't schedule another job if one is already running, `sendDebounced` will try to schedule a job when it can, e.g. when the job finishes or after 30 seconds.
+
+### Domain Verification logger
+We need to be able to track where, when and what went wrong during domain verification. To do this, every step of the job calls `logAttempt`
+##### logAttempt
+This is a simple function that logs a message returned by a domain verification step in the DB.
+Some steps, like DNS and SSL verification, calls `logAttempt` by also passing the interested record in `DomainVerificationRecord`, triggering a synchronization of `status` by the result of a step.
+
+# AWS
+### ACM certificates
+We don't expect territory owners to set up their own SSL certificates but we expect their custom domain to have SSL to reach Stacker News.
+With ACM we can request a certificate for a domain and serve it via the Application Load Balancer, effectively giving the custom domain a SSL certificate.
+
+The implemented functions are non-destructive to the original Stacker News configuration:
+- Request Certificate
+- Describe Certificate
+- Get Certificate Status
+- Delete Certificate
+
+We request a certificate intentionally asking for DNS validation as it's the most reliable method of verification, and also fits nicely with the CNAME record we ask the user to insert in their DNS configuration.
+
+Describe Certificate is crucial to get SSL validation values that the user needs to put in their domain's DNS configuration; also to get the **status** of a certificate.
+
+We can only delete a certificate if we have the `certificateArn` (unique ID). In fact, when a domain gets deleted, we trigger a job that takes the `certificateArn` as parameter before we lose it forever, trying up to 3 times if ACM gives an error.
+
+In local, Localstack provides bare-minimum ACM operations and OK responses.
+
+### AWS Application Load Balancer
+The Application Load Balancer distributes the incoming requests across Stacker News servers. We can attach up to **25** ACM certificates (per default quota).
+
+After creating and verifying an ACM certificate, the next step is to attach this certificate to our ALB Listener, so that the load balancer can serve the right certificate for the right domain.
+
+Since in local we don't have the possibility to use Localstack to mock the ALB, there's a new class called `MockELBv2`: it provides bare minimum response mocks for attach/detach operations.
+
+As the ALB is really important to reach stacker.news, we only implemented Attach/Detach certificate functions that takes a specific `certificateArn` (unique ID). This way we can't possibly mess with the default ALB configuration.
+
+# Triggers, cleanup and maintenance
+### Clear Long Held Domains
+Every midnight, the `clearLongHeldDomains` job gets executed to remove domains that have been on `HOLD` for more than 30 days.
+
+A domain removal also means the certificate removal, which triggers **Ask ACM to delete certificate**.
+
+### Update `DomainVerificationRecord` status
+The `DomainVerification` job logs every step into `DomainVerificationAttempt`, when it comes to steps that involves DNS records like the `CNAME` record or ACM validation records, a connection between `DomainVerificationAttempt` and `DomainVerificationRecord` gets established.
+
+If the result of a DNS verification on the `CNAME` record is `VERIFIED`, it triggers a field `status` update to the related `DomainVerificationRecord`, keeping the record **statuses** in sync with the `DomainVerification` job results.
+
+### HOLD domain on territory STOP
+Let's say the territory owner doesn't renew their territory, and they have a custom domain attached to it. We can't let the custom domain access Stacker News as the domain can be transferred or out of original owner's control.
+
+A territory stop triggers a function that puts the custom domain on `HOLD`, effectively stopping the custom domain functionality.
+
+If the territory owner comes back and renews, they have to repeat the Domain Verification process just to make sure that everything is alright. The verification values will be the same and the certificate hasn't been deleted, so it should just take 30 seconds.
+
+### Clear domain on territory takeover
+If a new territory owner comes up, we delete every trace of the custom domain. This also deletes its certificates, verification attempts, DNS records and customizations.
+
+The main reason is safety: as we don't delete this stuff when a territory gets stopped, in hope that the original territory owner renews it, it's best to delete everything - above all, validation values. This will also trigger **Ask ACM to delete certificate**.
+
+### Ask ACM to delete certificate
+Whenever a domain or domain certificate gets deleted, we run a job called `deleteCertificateExternal`.
+It detaches the ACM certificate from our ALB listener and then deletes the ACM certificate from ACM.
+
+It's a necessary step to ensure that we don't waste AWS resources and also provide safety regarding the custom domain access to Stacker News.
+
+# Neat stuff
+
+### Let's go HTTPS with a reverse proxy
+
+To set custom domains correctly we need to have a domain and SSL certificates.
+
+We'll cover a basic **NGINX** configuration with **Let's Encrypt/certbot** on Linux-based systems, but you have the freedom to experiment with other methods and platforms.
+
+#### Prerequisites
+- a domain or a public hostname
+- install [nginx](https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/)
+- install [certbot](https://certbot.eff.org/instructions?ws=nginx&os=pip)
+- possibility to add `CNAME` and `TXT` records
+- domain with an `A` record at your nginx host
+
+
+### Step 1: Create a nginx site for your SN instance
+
+Start creating a new site by editing `/etc/nginx/sites-available/your-domain.tld` with your editor of choice.
+
+<details><summary>A sample nginx site configuration to prepare for certbot</summary>
+Edit this configuration to match your configuration, you can have more domains.
+
+```
+server {
+    listen 80;
+    listen [::]:80;
+    server_name your-domain.tld (sub.your-domain.tld, another.your-domain.tld);
+
+    # for Let's Encrypt SSL issuance
+    location /.well-known/acme-challenge/ {
+        root /var/www/letsencrypt;
+        try_files $uri =404;
+    }
+}
+```
+</details>
+
+after editing, send `sudo systemctl restart nginx`
+
+### Step 2: Get a certificate for your domains
+We can now get a certificate for your domain from Let's Encrypt/certbot.
+
+Edit the `-d` section to match your configuration. Every domain, sub-domain needs to have its own certificate.
+
+```
+sudo certbot certonly \
+  --webroot -w /var/www/letsencrypt \
+  -d your-domain.tld (-d sub.your-domain.tld -d another.your-domain.tld) \
+  --email your@email.com \
+  --agree-tos --no-eff-email \
+  --deploy-hook "systemctl reload nginx"
+```
+
+If everything went smooth, we should now have a domain with a valid SSL certificate.
+
+### Step 3: Proxy everything to sndev!
+
+Let's go back to `/etc/nginx/sites-available/your-domain.tld` to add a SSL proxy for our sndev instance
+
+<details><summary>A sample nginx reverse proxy config</summary>
+Edit this configuration to match your configuration, you can have more domains.
+
+```
+server {
+    listen 80;
+    listen [::]:80;
+    server_name your-domain.tld (sub.your-domain.tld, another.your-domain.tld);
+
+    # for Let's Encrypt SSL issuance
+    location /.well-known/acme-challenge/ {
+        root /var/www/letsencrypt;
+        try_files $uri =404;
+    }
+
+    # 301 to HTTPS
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name your-domain.tld (sub.your-domain.tld, another.your-domain.tld);
+
+    ssl_certificate     /etc/letsencrypt/live/your-domain.tld/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/your-domain.tld/privkey.pem;
+    include             /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;
+
+    # proxy everything to sndev
+    location / {
+        proxy_pass http://sndev-instance-ip:3000;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+    }
+
+    # optional security headers
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-Content-Type-Options "nosniff";
+    add_header Referrer-Policy "no-referrer-when-downgrade";
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+}
+```
+</details>
+
+### Step 4: Start sndev
+Make sure to change your environment variables such as `.env.local` from something like `http://localhost:3000` to `https://your-domain.tld`
+
+Start sndev with `./sndev start` and then navigate to your domain, you should see **Stacker News**!
+
+If not, go back and make sure that everything is correct, you can encounter any kind of errors and **Internet can be of help**.
diff --git a/fragments/domains.js b/fragments/domains.js
new file mode 100644
index 000000000..645bc61e9
--- /dev/null
+++ b/fragments/domains.js
@@ -0,0 +1,95 @@
+import { gql } from 'graphql-tag'
+
+export const DOMAIN_FIELDS = gql`
+  fragment DomainFields on Domain {
+    domainName
+    status
+    subName
+  }
+`
+
+export const DOMAIN_VERIFICATION_RECORD_FIELDS = gql`
+  fragment DomainVerificationRecordFields on DomainVerificationRecord {
+    id
+    type
+    recordName
+    recordValue
+    status
+    lastCheckedAt
+  }
+`
+
+export const DOMAIN_VERIFICATION_RECORD_MAP_FIELDS = gql`
+  ${DOMAIN_VERIFICATION_RECORD_FIELDS}
+  fragment DomainVerificationRecordMapFields on DomainVerificationRecordMap {
+    CNAME {
+      ...DomainVerificationRecordFields
+    }
+    SSL {
+      ...DomainVerificationRecordFields
+    }
+  }
+`
+
+export const DOMAIN_VERIFICATION_ATTEMPT_FIELDS = gql`
+  fragment DomainVerificationAttemptFields on DomainVerificationAttempt {
+    id
+    stage
+    status
+    message
+    createdAt
+  }
+`
+
+export const DOMAIN_CERTIFICATE_FIELDS = gql`
+  fragment DomainCertificateFields on DomainCertificate {
+    id
+    certificateArn
+    status
+  }
+`
+
+export const DOMAIN_FULL_FIELDS = gql`
+  ${DOMAIN_FIELDS}
+  ${DOMAIN_VERIFICATION_RECORD_MAP_FIELDS}
+  ${DOMAIN_VERIFICATION_ATTEMPT_FIELDS}
+  ${DOMAIN_CERTIFICATE_FIELDS}
+  fragment DomainFullFields on Domain {
+    ...DomainFields
+    records {
+      ...DomainVerificationRecordMapFields
+    }
+    attempts {
+      ...DomainVerificationAttemptFields
+    }
+    certificate {
+      ...DomainCertificateFields
+    }
+  }
+`
+
+export const GET_DOMAIN = gql`
+  ${DOMAIN_FULL_FIELDS}
+  query Domain($subName: String!) {
+    domain(subName: $subName) {
+      ...DomainFullFields
+    }
+  }
+`
+
+export const GET_DOMAIN_MAPPING = gql`
+  query DomainMapping($domainName: String!) {
+    domainMapping(domainName: $domainName) {
+      domainName
+      subName
+    }
+  }
+`
+
+export const SET_DOMAIN = gql`
+  mutation SetDomain($subName: String!, $domainName: String!) {
+    setDomain(subName: $subName, domainName: $domainName) {
+      domainName
+    }
+  }
+`
diff --git a/fragments/subs.js b/fragments/subs.js
index 6c5ab8d94..8a0caaeb3 100644
--- a/fragments/subs.js
+++ b/fragments/subs.js
@@ -1,6 +1,7 @@
 import { gql } from '@apollo/client'
 import { ITEM_FIELDS, ITEM_FULL_FIELDS } from './items'
 import { COMMENTS_ITEM_EXT_FIELDS } from './comments'
+import { DOMAIN_FIELDS } from './domains'
 
 // we can't import from users because of circular dependency
 const STREAK_FIELDS = gql`
@@ -14,6 +15,7 @@ const STREAK_FIELDS = gql`
 `
 
 export const SUB_FIELDS = gql`
+  ${DOMAIN_FIELDS}
   fragment SubFields on Sub {
     name
     createdAt
@@ -34,6 +36,9 @@ export const SUB_FIELDS = gql`
     meMuteSub
     meSubscription
     nsfw
+    domain {
+      ...DomainFields
+    }
   }`
 
 export const SUB_FULL_FIELDS = gql`
@@ -149,3 +154,32 @@ export const TOP_SUBS = gql`
     }
   }
 `
+
+export const SUB_BRANDING_FIELDS = gql`
+  fragment SubBrandingFields on SubBranding {
+    title
+    description
+    logoId
+    faviconId
+    primaryColor
+    secondaryColor
+  }
+`
+
+export const SUB_BRANDING = gql`
+  ${SUB_BRANDING_FIELDS}
+  query SubBranding($subName: String!) {
+    subBranding(subName: $subName) {
+      ...SubBrandingFields
+    }
+  }
+`
+
+export const UPSERT_SUB_BRANDING = gql`
+  ${SUB_BRANDING_FIELDS}
+  mutation upsertSubBranding($subName: String!, $branding: SubBrandingInput) {
+    upsertSubBranding(subName: $subName, branding: $branding) {
+      ...SubBrandingFields
+    }
+  }
+`
diff --git a/lib/domain-css-injection.js b/lib/domain-css-injection.js
new file mode 100644
index 000000000..07a79f01a
--- /dev/null
+++ b/lib/domain-css-injection.js
@@ -0,0 +1,69 @@
+// wip: experimental css injection for branding colors
+export const setBrandingColors = (branding) => {
+  const styleElement = document.createElement('style')
+  styleElement.id = 'branding-colors'
+
+  if (branding.primaryColor) {
+    const primaryRgb = hexToRgb(branding.primaryColor)
+    const secondaryRgb = hexToRgb(branding.secondaryColor)
+    styleElement.textContent = `
+      :root {
+        --bs-primary: ${branding.primaryColor};
+        --bs-primary-rgb: ${primaryRgb};
+        --bs-secondary: ${branding.secondaryColor};
+        --bs-secondary-rgb: ${secondaryRgb};
+
+        .btn-primary {
+          --bs-btn-bg: ${branding.primaryColor};
+          --bs-btn-border-color: ${branding.primaryColor};
+          --bs-btn-hover-bg: ${adjustBrightness(branding.primaryColor, -10)};
+          --bs-btn-hover-border-color: ${adjustBrightness(branding.primaryColor, -10)};
+          --bs-btn-active-bg: ${adjustBrightness(branding.primaryColor, -15)};
+          --bs-btn-active-border-color: ${adjustBrightness(branding.primaryColor, -15)};
+          --bs-btn-outline-color: ${branding.primaryColor};
+          --bs-btn-outline-border-color: ${branding.primaryColor};
+        }
+
+        .btn-secondary {
+          --bs-btn-bg: ${branding.secondaryColor};
+          --bs-btn-border-color: ${branding.secondaryColor};
+          --bs-btn-hover-bg: ${adjustBrightness(branding.secondaryColor, -10)};
+          --bs-btn-hover-border-color: ${adjustBrightness(branding.secondaryColor, -10)};
+          --bs-btn-active-bg: ${adjustBrightness(branding.secondaryColor, -15)};
+          --bs-btn-active-border-color: ${adjustBrightness(branding.secondaryColor, -15)};
+          --bs-btn-outline-color: ${branding.secondaryColor};
+          --bs-btn-outline-border-color: ${branding.secondaryColor};
+        }
+
+        --bs-navbar-brand-color: ${branding.primaryColor};
+        --bs-navbar-brand-hover-color: ${branding.primaryColor};
+        --bs-navbar-brand-hover-bg: ${branding.primaryColor};
+      }
+    `
+    document.head.appendChild(styleElement)
+  }
+
+  return () => {
+    document.head.removeChild(styleElement)
+  }
+}
+
+function hexToRgb (hex) {
+  hex = hex.replace('#', '')
+  const r = parseInt(hex.substring(0, 2), 16)
+  const g = parseInt(hex.substring(2, 4), 16)
+  const b = parseInt(hex.substring(4, 6), 16)
+  return `${r}, ${g}, ${b}`
+}
+
+function adjustBrightness (hex, percent) {
+  hex = hex.replace('#', '')
+  const num = parseInt(hex, 16)
+  const amt = Math.round(2.55 * percent)
+  const R = (num >> 16) + amt
+  const G = (num >> 8 & 0x00FF) + amt
+  const B = (num & 0x0000FF) + amt
+  return '#' + (0x1000000 + (R < 255 ? R < 1 ? 0 : R : 255) * 0x10000 +
+    (G < 255 ? G < 1 ? 0 : G : 255) * 0x100 +
+    (B < 255 ? B < 1 ? 0 : B : 255)).toString(16).slice(1)
+}
diff --git a/lib/domain-verification.js b/lib/domain-verification.js
new file mode 100644
index 000000000..677e26ca1
--- /dev/null
+++ b/lib/domain-verification.js
@@ -0,0 +1,134 @@
+import { requestCertificate, getCertificateStatus, describeCertificate, deleteCertificate } from '@/api/acm'
+import { detachCertificateFromElb, attachCertificateToElb } from '@/api/elb'
+import { Resolver } from 'node:dns/promises'
+
+// Issue a certificate for a custom domain
+export async function issueDomainCertificate (domainName) {
+  try {
+    const certificateArn = await requestCertificate(domainName)
+    return { certificateArn, error: null }
+  } catch (error) {
+    console.error(`Failed to issue certificate for domain ${domainName}:`, error)
+    return { certificateArn: null, error: error.message }
+  }
+}
+
+// Check the status of a certificate for a custom domain
+export async function checkCertificateStatus (certificateArn) {
+  let certStatus
+  try {
+    certStatus = await getCertificateStatus(certificateArn)
+    return { certStatus, error: null }
+  } catch (error) {
+    console.error(`Certificate status check failed: ${error.message}`)
+    return { certStatus: 'FAILED', error: error.message }
+  }
+}
+
+// Get the details of a certificate for a custom domain
+export async function certDetails (certificateArn) {
+  try {
+    const certificate = await describeCertificate(certificateArn)
+    return { certificate, error: null }
+  } catch (error) {
+    console.error(`Certificate description failed: ${error.message}`)
+    return { certificate: null, error: error.message }
+  }
+}
+
+// Get the validation values for a certificate for a custom domain
+export async function getValidationValues (certificateArn) {
+  const { certificate, error } = await certDetails(certificateArn)
+  if (error) {
+    return { cname: null, value: null, error }
+  }
+
+  if (!certificate || !certificate.Certificate || !certificate.Certificate.DomainValidationOptions) {
+    return { cname: null, value: null, error: 'Certificate not found' }
+  }
+
+  return {
+    cname: certificate.Certificate.DomainValidationOptions[0]?.ResourceRecord?.Name || null,
+    value: certificate.Certificate.DomainValidationOptions[0]?.ResourceRecord?.Value || null
+  }
+}
+
+// Attach a certificate to the ELB listener
+export async function attachDomainCertificate (certificateArn) {
+  try {
+    await attachCertificateToElb(certificateArn)
+    return { error: null }
+  } catch (error) {
+    console.error(`Failed to attach certificate to elb: ${error.message}`)
+    return { error: error.message }
+  }
+}
+
+// Verify the DNS records for a custom domain
+export async function verifyDNSRecord (type, recordName, recordValue) {
+  const result = {
+    valid: false,
+    error: null
+  }
+
+  // DNS setup
+  const resolver = new Resolver()
+  const dnsServers = []
+  try {
+    const localDnsServer = process.env.DOMAINS_DNS_SERVER
+    // use the dnsmasq DNS server in development
+    if (process.env.NODE_ENV === 'development' && localDnsServer) {
+      console.log('[node:dns] Using local development DNS server', localDnsServer)
+      dnsServers.push(localDnsServer)
+    }
+    // fallback to the system DNS servers
+    dnsServers.push(...resolver.getServers())
+    resolver.setServers(dnsServers)
+  } catch (error) {
+    console.error(`[node:dns] Failed to set DNS servers: ${error.message}`)
+    return { valid: false, error: error.message }
+  }
+
+  let domainRecords = null
+
+  try {
+    if (type === 'CNAME') {
+      domainRecords = await resolver.resolveCname(recordName)
+      result.valid = domainRecords.some(record =>
+        record.includes(recordValue)
+      )
+    } else {
+      result.error = `Invalid DNS record type: ${type}`
+    }
+  } catch (error) {
+    if (error.code === 'ENODATA' || error.code === 'ENOTFOUND') {
+      result.error = `DNS record not found: ${error.code}`
+    } else {
+      result.error = `DNS error: ${error.message}`
+    }
+  }
+
+  return result
+}
+
+// Detach a certificate from the elb listener
+export async function detachDomainCertificate (certificateArn) {
+  try {
+    await detachCertificateFromElb(certificateArn)
+    return { error: null }
+  } catch (error) {
+    console.error(`Failed to detach certificate from elb: ${error.message}`)
+    return { error: error.message }
+  }
+}
+
+// Delete a certificate for a custom domain
+export async function deleteDomainCertificate (certificateArn) {
+  try {
+    await deleteCertificate(certificateArn)
+    return { error: null }
+  } catch (error) {
+    console.error(`Failed to delete certificate: ${error.message}`)
+    return { error: error.message }
+  }
+}
diff --git a/lib/domains.js b/lib/domains.js
new file mode 100644
index 000000000..48fa492fb
--- /dev/null
+++ b/lib/domains.js
@@ -0,0 +1,28 @@
+import { cachedFetcher } from '@/lib/fetch'
+
+export const domainsMappingsCache = cachedFetcher(async function fetchDomainsMappings () {
+  const url = `${process.env.NEXT_PUBLIC_URL}/api/domains`
+  console.log('[domains] cache miss, fetching domain mappings from', url) // TEST
+  try {
+    const response = await fetch(url)
+    if (!response.ok) {
+      console.log('[domains] error fetching domain mappings', response.statusText) // TEST
+      return null
+    }
+
+    const data = await response.json()
+    return Object.keys(data).length > 0 ? data : null
+  } catch (error) {
+    console.error('[domains] error fetching domain mappings', error) // TEST
+    return null
+  }
+}, {
+  cacheExpiry: 1000 * 60 * 5, // 5 minutes cache
+  forceRefreshThreshold: 1000 * 60 * 10, // 10 minutes before cache expiry
+  keyGenerator: () => 'domain_mappings'
+})
+
+export const getDomainMapping = async (domain) => {
+  const domainsMappings = await domainsMappingsCache()
+  return domainsMappings?.[domain?.toLowerCase()]
+}
diff --git a/lib/validate.js b/lib/validate.js
index 5bc4fe7d7..000534130 100644
--- a/lib/validate.js
+++ b/lib/validate.js
@@ -356,6 +356,37 @@ export function territoryTransferSchema ({ me, ...args }) {
   })
 }
 
+// Custom Domain validation schema
+export function customDomainSchema (args) {
+  return object({
+    domainName: string().matches(/^(?:[a-z0-9-]+\.){2,}[a-z]{2,}$/, {
+      message: 'CNAME records only support subdomains (e.g., www.example.com, sub.example.com)'
+    }).nullable()
+  })
+}
+
+// Sub Branding validation schema
+// sanitize the input for correct colors and text
+export function subBrandingSchema (args) {
+  const hexRegex = /^#([0-9a-fA-F]{6})$/
+  return object({
+    title: string().max(50, 'must be at most 50 characters').matches(/^[a-zA-Z0-9\s]+$/, {
+      message: 'title must only contain letters, numbers, and spaces'
+    }).nullable().trim(),
+    description: string().max(100, 'must be at most 100 characters').matches(/^[a-zA-Z0-9\s]+$/, {
+      message: 'description must only contain letters, numbers, and spaces'
+    }).nullable().trim(),
+    logoId: intValidator.nullable().positive('must be positive').integer('must be an integer'),
+    faviconId: intValidator.nullable().positive('must be positive').integer('must be an integer'),
+    primaryColor: string().matches(hexRegex, {
+      message: 'primary color must be a valid hex color'
+    }).nullable(),
+    secondaryColor: string().matches(hexRegex, {
+      message: 'secondary color must be a valid hex color'
+    }).nullable()
+  })
+}
+
 export function userSchema (args) {
   return object({
     name: nameValidator
diff --git a/middleware.js b/middleware.js
index f88bda31c..c5307cdbc 100644
--- a/middleware.js
+++ b/middleware.js
@@ -1,4 +1,5 @@
 import { NextResponse, URLPattern } from 'next/server'
+import { getDomainMapping } from '@/lib/domains'
 
 const referrerPattern = new URLPattern({ pathname: ':pathname(*)/r/:referrer([\\w_]+)' })
 const itemPattern = new URLPattern({ pathname: '/items/:id(\\d+){/:other(\\w+)}?' })
@@ -11,6 +12,56 @@ const SN_REFERRER = 'sn_referrer'
 const SN_REFERRER_NONCE = 'sn_referrer_nonce'
 // key for referred pages
 const SN_REFEREE_LANDING = 'sn_referee_landing'
+// main domain
+const SN_MAIN_DOMAIN = new URL(process.env.NEXT_PUBLIC_URL)
+// territory paths that needs to be rewritten to ~subname
+const SN_TERRITORY_PATHS = ['/~', '/recent', '/random', '/top', '/post', '/edit']
+
+async function customDomainMiddleware (request, domain, subName) {
+  // clone the url to build on top of it
+  const url = request.nextUrl.clone()
+  // we need pathname, searchParams and origin
+  const { pathname, searchParams } = url
+  // set the subname in the request headers
+  const headers = new Headers(request.headers)
+  headers.set('x-stacker-news-subname', subName)
+
+  // TEST
+  console.log('[domains] custom domain', domain, 'with subname', subName) // TEST
+  console.log('[domains] main domain', SN_MAIN_DOMAIN) // TEST
+  console.log('[domains] pathname', pathname) // TEST
+  console.log('[domains] searchParams', searchParams) // TEST
+
+  // TODO: handle auth sync
+
+  // if sub param exists and doesn't match the domain's subname, update it
+  if (searchParams.has('sub') && searchParams.get('sub') !== subName) {
+    console.log('[domains] setting sub to', subName) // TEST
+    searchParams.set('sub', subName)
+    url.search = searchParams.toString()
+    return NextResponse.redirect(url, { headers })
+  }
+
+  // clean up the pathname from any subname
+  if (pathname.startsWith('/~')) {
+    const cleanPath = pathname.replace(/^\/~[^/]+/, '') || '/'
+    url.pathname = cleanPath
+    console.log('[domains] redirecting to clean url:', url) // TEST
+    // redirect to the clean path
+    return NextResponse.redirect(url, { headers })
+  }
+
+  // if we're at the root or on some territory path, hide the subname by rewriting
+  if (pathname === '/' || SN_TERRITORY_PATHS.some(p => pathname.startsWith(p))) {
+    url.pathname = `/~${subName}${pathname === '/' ? '' : pathname}`
+    console.log('[domains] rewrite to:', url.pathname) // TEST
+    // rewrite to the territory path
+    return NextResponse.rewrite(url, { headers })
+  }
+
+  // continue if we don't need to redirect, mainly for API routes
+  return NextResponse.next({ request: { headers } })
+}
 
 function getContentReferrer (request, url) {
   if (itemPattern.test(url)) {
@@ -84,9 +135,23 @@ function referrerMiddleware (request) {
   return response
 }
 
-export function middleware (request) {
-  const resp = referrerMiddleware(request)
+function applyReferrerCookies (response, referrer) {
+  for (const cookie of referrer.cookies.getAll()) {
+    response.cookies.set(
+      cookie.name,
+      cookie.value,
+      {
+        maxAge: cookie.maxAge,
+        expires: cookie.expires,
+        path: cookie.path
+      }
+    )
+  }
+  console.log('[domains] response.cookies', response.cookies) // TEST
+  return response
+}
 
+function applySecurityHeaders (resp) {
   const isDev = process.env.NODE_ENV === 'development'
 
   const nonce = Buffer.from(crypto.randomUUID()).toString('base64')
@@ -133,6 +198,34 @@ export function middleware (request) {
   return resp
 }
 
+export async function middleware (request) {
+  const referrerResp = referrerMiddleware(request)
+  // TODO: check if we actually need this, and WHY
+  if (referrerResp.headers.get('Location')) {
+    // this is a redirect, apply security headers
+    return applySecurityHeaders(referrerResp)
+  }
+
+  // if we're on a custom domain, handle it
+  const domain = request.headers.get('x-forwarded-host') || request.headers.get('host')
+  if (domain !== SN_MAIN_DOMAIN?.host) { // we don't need middleware to fail if dev messes up ENVs
+    // in development we might have a port in the domain
+    const domainToMap = process.env.NODE_ENV === 'development' ? domain.split(':')[0] : domain
+    // check if we have a mapping for this domain
+    const subName = await getDomainMapping(domainToMap)
+    if (subName) {
+      console.log('[domains] allowed custom domain', domain, 'detected, pointing to', subName) // TEST
+      const resp = await customDomainMiddleware(request, domain, subName.subName)
+      // apply referrer cookies to the custom domain response
+      const referredResp = applyReferrerCookies(resp, referrerResp)
+      // finally apply security headers
+      return applySecurityHeaders(referredResp)
+    }
+  }
+
+  return applySecurityHeaders(referrerResp)
+}
+
 export const config = {
   matcher: [
     // NextJS recommends to not add the CSP header to prefetches and static assets
diff --git a/pages/_app.js b/pages/_app.js
index 1c2ee9b3c..27ad968ef 100644
--- a/pages/_app.js
+++ b/pages/_app.js
@@ -22,6 +22,7 @@ import dynamic from 'next/dynamic'
 import { HasNewNotesProvider } from '@/components/use-has-new-notes'
 import { WebLnProvider } from '@/wallets/webln/client'
 import { WalletsProvider } from '@/wallets/index'
+import { DomainProvider } from '@/components/territory-domains'
 
 const PWAPrompt = dynamic(() => import('react-ios-pwa-prompt'), { ssr: false })
 
@@ -98,7 +99,7 @@ export default function MyApp ({ Component, pageProps: { ...props } }) {
     If we are on the client, we populate the apollo cache with the
     ssr data
   */
-  const { apollo, ssrData, me, price, blockHeight, chainFee, ...otherProps } = props
+  const { apollo, ssrData, me, price, blockHeight, chainFee, domain, ...otherProps } = props
   useEffect(() => {
     writeQuery(client, apollo, ssrData)
   }, [client, apollo, ssrData])
@@ -111,34 +112,36 @@ export default function MyApp ({ Component, pageProps: { ...props } }) {
       <ErrorBoundary>
         <PlausibleProvider domain='stacker.news' trackOutboundLinks>
           <ApolloProvider client={client}>
-            <MeProvider me={me}>
-              <WalletsProvider>
-                <HasNewNotesProvider>
-                  <LoggerProvider>
-                    <WebLnProvider>
-                      <ServiceWorkerProvider>
-                        <PriceProvider price={price}>
-                          <LightningProvider>
-                            <ToastProvider>
-                              <ShowModalProvider>
-                                <BlockHeightProvider blockHeight={blockHeight}>
-                                  <ChainFeeProvider chainFee={chainFee}>
-                                    <ErrorBoundary>
-                                      <Component ssrData={ssrData} {...otherProps} />
-                                      {!router?.query?.disablePrompt && <PWAPrompt copyBody='This website has app functionality. Add it to your home screen to use it in fullscreen and receive notifications. In Safari:' promptOnVisit={2} />}
-                                    </ErrorBoundary>
-                                  </ChainFeeProvider>
-                                </BlockHeightProvider>
-                              </ShowModalProvider>
-                            </ToastProvider>
-                          </LightningProvider>
-                        </PriceProvider>
-                      </ServiceWorkerProvider>
-                    </WebLnProvider>
-                  </LoggerProvider>
-                </HasNewNotesProvider>
-              </WalletsProvider>
-            </MeProvider>
+            <DomainProvider domain={domain}>
+              <MeProvider me={me}>
+                <WalletsProvider>
+                  <HasNewNotesProvider>
+                    <LoggerProvider>
+                      <WebLnProvider>
+                        <ServiceWorkerProvider>
+                          <PriceProvider price={price}>
+                            <LightningProvider>
+                              <ToastProvider>
+                                <ShowModalProvider>
+                                  <BlockHeightProvider blockHeight={blockHeight}>
+                                    <ChainFeeProvider chainFee={chainFee}>
+                                      <ErrorBoundary>
+                                        <Component ssrData={ssrData} {...otherProps} />
+                                        {!router?.query?.disablePrompt && <PWAPrompt copyBody='This website has app functionality. Add it to your home screen to use it in fullscreen and receive notifications. In Safari:' promptOnVisit={2} />}
+                                      </ErrorBoundary>
+                                    </ChainFeeProvider>
+                                  </BlockHeightProvider>
+                                </ShowModalProvider>
+                              </ToastProvider>
+                            </LightningProvider>
+                          </PriceProvider>
+                        </ServiceWorkerProvider>
+                      </WebLnProvider>
+                    </LoggerProvider>
+                  </HasNewNotesProvider>
+                </WalletsProvider>
+              </MeProvider>
+            </DomainProvider>
           </ApolloProvider>
         </PlausibleProvider>
       </ErrorBoundary>
diff --git a/pages/api/domains/index.js b/pages/api/domains/index.js
new file mode 100644
index 000000000..dc85e6b71
--- /dev/null
+++ b/pages/api/domains/index.js
@@ -0,0 +1,35 @@
+import prisma from '@/api/models'
+
+// API Endpoint for getting all VERIFIED custom domains, used by a cachedFetcher
+export default async function handler (req, res) {
+  // Only allow GET requests
+  if (req.method !== 'GET') {
+    return res.status(405).json({ error: 'Method not allowed' })
+  }
+
+  try {
+    // fetch all VERIFIED custom domains from the database
+    const domains = await prisma.domain.findMany({
+      select: {
+        domainName: true,
+        subName: true
+      },
+      where: {
+        status: 'ACTIVE'
+      }
+    })
+
+    // map domains to a key-value pair
+    const domainMappings = domains.reduce((acc, domain) => {
+      acc[domain.domainName.toLowerCase()] = {
+        subName: domain.subName
+      }
+      return acc
+    }, {})
+
+    return res.status(200).json(domainMappings)
+  } catch (error) {
+    console.error('cannot fetch domains:', error)
+    return res.status(500).json({ error: 'Failed to fetch domains' })
+  }
+}
diff --git a/prisma/migrations/20250504202129_custom_domains_base/migration.sql b/prisma/migrations/20250504202129_custom_domains_base/migration.sql
new file mode 100644
index 000000000..a846c00d6
--- /dev/null
+++ b/prisma/migrations/20250504202129_custom_domains_base/migration.sql
@@ -0,0 +1,206 @@
+-- CreateEnum
+CREATE TYPE "DomainVerificationStage" AS ENUM ('GENERAL', 'CNAME', 'ACM_REQUEST_CERTIFICATE', 'ACM_REQUEST_VALIDATION_VALUES', 'ACM_VALIDATION', 'ELB_ATTACH_CERTIFICATE', 'VERIFICATION_COMPLETE');
+
+-- CreateEnum
+CREATE TYPE "DomainRecordType" AS ENUM ('CNAME', 'SSL');
+
+-- CreateEnum
+CREATE TYPE "DomainVerificationStatus" AS ENUM ('PENDING', 'VERIFIED', 'FAILED', 'ACTIVE', 'HOLD');
+
+-- CreateEnum
+CREATE TYPE "DomainCertificateStatus" AS ENUM ('PENDING_VALIDATION', 'ISSUED', 'INACTIVE', 'EXPIRED', 'REVOKED', 'FAILED', 'VALIDATION_TIMED_OUT');
+
+-- CreateTable
+CREATE TABLE "Domain" (
+    "id" SERIAL NOT NULL,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "domainName" CITEXT NOT NULL,
+    "subName" CITEXT NOT NULL,
+    "status" "DomainVerificationStatus" NOT NULL DEFAULT 'PENDING',
+
+    CONSTRAINT "Domain_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "DomainVerificationAttempt" (
+    "id" SERIAL NOT NULL,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "domainId" INTEGER NOT NULL,
+    "verificationRecordId" INTEGER,
+    "stage" "DomainVerificationStage" NOT NULL DEFAULT 'GENERAL',
+    "status" "DomainVerificationStatus" NOT NULL DEFAULT 'PENDING',
+    "message" TEXT,
+
+    CONSTRAINT "DomainVerificationAttempt_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "DomainVerificationRecord" (
+    "id" SERIAL NOT NULL,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "last_checked_at" TIMESTAMP(3),
+    "domainId" INTEGER NOT NULL,
+    "type" "DomainRecordType" NOT NULL,
+    "recordName" TEXT NOT NULL,
+    "recordValue" TEXT NOT NULL,
+    "status" "DomainVerificationStatus" NOT NULL DEFAULT 'PENDING',
+
+    CONSTRAINT "DomainVerificationRecord_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "DomainCertificate" (
+    "id" SERIAL NOT NULL,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "domainId" INTEGER NOT NULL,
+    "certificateArn" TEXT NOT NULL,
+    "status" "DomainCertificateStatus" NOT NULL,
+
+    CONSTRAINT "DomainCertificate_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Domain_domainName_key" ON "Domain"("domainName");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Domain_subName_key" ON "Domain"("subName");
+
+-- CreateIndex
+CREATE INDEX "Domain_domainName_idx" ON "Domain"("domainName");
+
+-- CreateIndex
+CREATE INDEX "Domain_created_at_idx" ON "Domain"("created_at");
+
+-- CreateIndex
+CREATE INDEX "Domain_subName_idx" ON "Domain"("subName");
+
+-- CreateIndex
+CREATE INDEX "DomainVerificationAttempt_domainId_idx" ON "DomainVerificationAttempt"("domainId");
+
+-- CreateIndex
+CREATE INDEX "DomainVerificationAttempt_verificationRecordId_idx" ON "DomainVerificationAttempt"("verificationRecordId");
+
+-- CreateIndex
+CREATE INDEX "DomainVerificationRecord_domainId_idx" ON "DomainVerificationRecord"("domainId");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "DomainVerificationRecord_domainId_type_recordName_key" ON "DomainVerificationRecord"("domainId", "type", "recordName");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "DomainCertificate_certificateArn_key" ON "DomainCertificate"("certificateArn");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "DomainCertificate_domainId_key" ON "DomainCertificate"("domainId");
+
+-- AddForeignKey
+ALTER TABLE "Domain" ADD CONSTRAINT "Domain_subName_fkey" FOREIGN KEY ("subName") REFERENCES "Sub"("name") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "DomainVerificationAttempt" ADD CONSTRAINT "DomainVerificationAttempt_domainId_fkey" FOREIGN KEY ("domainId") REFERENCES "Domain"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "DomainVerificationAttempt" ADD CONSTRAINT "DomainVerificationAttempt_verificationRecordId_fkey" FOREIGN KEY ("verificationRecordId") REFERENCES "DomainVerificationRecord"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "DomainVerificationRecord" ADD CONSTRAINT "DomainVerificationRecord_domainId_fkey" FOREIGN KEY ("domainId") REFERENCES "Domain"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "DomainCertificate" ADD CONSTRAINT "DomainCertificate_domainId_fkey" FOREIGN KEY ("domainId") REFERENCES "Domain"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- Clear domains that have been on HOLD for 30 days or more every midnight.
+CREATE OR REPLACE FUNCTION schedule_clear_long_held_domains()
+RETURNS INTEGER
+LANGUAGE plpgsql
+AS $$
+DECLARE
+BEGIN
+    INSERT INTO pgboss.schedule (name, cron, timezone)
+    VALUES ('clearLongHeldDomains', '0 0 * * *', 'America/Chicago') ON CONFLICT DO NOTHING;
+    return 0;
+EXCEPTION WHEN OTHERS THEN
+    return 0;
+END;
+$$;
+
+SELECT schedule_clear_long_held_domains();
+DROP FUNCTION IF EXISTS schedule_clear_long_held_domains;
+
+-- Update the record status from the attempt
+CREATE OR REPLACE FUNCTION update_record_status_from_attempt()
+RETURNS TRIGGER AS $$
+BEGIN
+  UPDATE "DomainVerificationRecord"
+  SET status = NEW.status,
+      last_checked_at = NEW.created_at
+  WHERE id = NEW."verificationRecordId";
+
+  RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER trigger_update_record_status
+AFTER INSERT ON "DomainVerificationAttempt"
+FOR EACH ROW
+EXECUTE FUNCTION update_record_status_from_attempt();
+
+-- SCENARIO: Territory got stopped after grace period
+-- HOLD the domain when the sub is stopped
+-- this is to prevent the domain from being used by another sub;
+-- won't delete anything but it will require a new verification attempt if the sub is resumed
+CREATE OR REPLACE FUNCTION hold_domain_on_sub_stop()
+RETURNS TRIGGER AS $$
+BEGIN
+  UPDATE "Domain" SET "status" = 'HOLD' WHERE "subName" = NEW.name;
+  RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER trigger_hold_domain_on_sub_stop
+AFTER UPDATE ON "Sub"
+FOR EACH ROW
+WHEN (NEW.status = 'STOPPED')
+EXECUTE FUNCTION hold_domain_on_sub_stop();
+
+-- SCENARIO: Territory got taken over by a different user
+-- clear the domain when the sub is taken over by a different user;
+-- this will delete the domain, its certificates, verification attempts, DNS records and brandings.
+-- will also trigger a request to ACM to delete the certificate because the domain is being deleted
+CREATE OR REPLACE FUNCTION clear_domain_on_sub_takeover()
+RETURNS TRIGGER AS $$
+BEGIN
+  DELETE FROM "Domain" WHERE "subName" = NEW.name;
+  RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER trigger_clear_domain_on_sub_takeover
+AFTER UPDATE ON "Sub"
+FOR EACH ROW
+WHEN (NEW."userId" != OLD."userId")
+EXECUTE FUNCTION clear_domain_on_sub_takeover();
+
+-- ask ACM to delete the certificate
+CREATE OR REPLACE FUNCTION ask_acm_to_delete_certificate()
+RETURNS TRIGGER AS $$
+BEGIN
+  INSERT INTO pgboss.job (name, data, retrylimit, retrydelay)
+    VALUES (
+      'deleteDomainCertificate',
+      jsonb_build_object('certificateArn', OLD."certificateArn"),
+      3, -- retry 3 times on ACM errors
+      60*60 -- wait 1 hour between retries
+    ) ON CONFLICT DO NOTHING;
+  RETURN OLD;
+END;
+$$ LANGUAGE plpgsql;
+
+-- everytime a domain (relation) or a domainCertificate is deleted, also ask ACM to delete the certificate
+CREATE TRIGGER trigger_ask_acm_to_delete_certificate
+AFTER DELETE ON "DomainCertificate"
+FOR EACH ROW
+WHEN (OLD."certificateArn" IS NOT NULL)
+EXECUTE FUNCTION ask_acm_to_delete_certificate();
diff --git a/prisma/migrations/20250602225647_custom_domains_branding/migration.sql b/prisma/migrations/20250602225647_custom_domains_branding/migration.sql
new file mode 100644
index 000000000..b7abb52a1
--- /dev/null
+++ b/prisma/migrations/20250602225647_custom_domains_branding/migration.sql
@@ -0,0 +1,28 @@
+-- CreateTable
+CREATE TABLE "SubBranding" (
+    "id" SERIAL NOT NULL,
+    "subName" CITEXT NOT NULL,
+    "title" TEXT,
+    "description" TEXT,
+    "logoId" INTEGER,
+    "faviconId" INTEGER,
+    "primaryColor" TEXT,
+    "secondaryColor" TEXT,
+
+    CONSTRAINT "SubBranding_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "SubBranding_subName_key" ON "SubBranding"("subName");
+
+-- CreateIndex
+CREATE INDEX "SubBranding_subName_idx" ON "SubBranding"("subName");
+
+-- AddForeignKey
+ALTER TABLE "SubBranding" ADD CONSTRAINT "SubBranding_logoId_fkey" FOREIGN KEY ("logoId") REFERENCES "Upload"("id") ON DELETE SET NULL ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "SubBranding" ADD CONSTRAINT "SubBranding_faviconId_fkey" FOREIGN KEY ("faviconId") REFERENCES "Upload"("id") ON DELETE SET NULL ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "SubBranding" ADD CONSTRAINT "SubBranding_subName_fkey" FOREIGN KEY ("subName") REFERENCES "Sub"("name") ON DELETE CASCADE ON UPDATE CASCADE;
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
index cb92eab87..f24d0ea28 100644
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -455,6 +455,8 @@ model Upload {
   user               User                @relation("Uploads", fields: [userId], references: [id], onDelete: Cascade)
   User               User[]
   ItemUpload         ItemUpload[]
+  SubBrandingLogo    SubBranding[]       @relation("SubBrandingLogo")
+  SubBrandingFavicon SubBranding[]       @relation("SubBrandingFavicon")
 
   @@index([createdAt], map: "Upload.created_at_index")
   @@index([userId], map: "Upload.userId_index")
@@ -801,6 +803,8 @@ model Sub {
   SubSubscription   SubSubscription[]
   TerritoryTransfer TerritoryTransfer[]
   UserSubTrust      UserSubTrust[]
+  domain            Domain?
+  branding          SubBranding?
 
   @@index([parentName])
   @@index([createdAt])
@@ -1243,6 +1247,123 @@ model Reminder {
   @@index([userId, remindAt], map: "Reminder.userId_reminderAt_index")
 }
 
+model Domain {
+  id                      Int                         @id @default(autoincrement())
+  createdAt               DateTime                    @default(now()) @map("created_at")
+  updatedAt               DateTime                    @default(now()) @updatedAt @map("updated_at")
+  domainName              String                      @unique @db.Citext
+  subName                 String                      @unique @db.Citext
+  status                  DomainVerificationStatus    @default(PENDING)
+
+  sub                     Sub                         @relation(fields: [subName], references: [name], onDelete: Cascade, onUpdate: Cascade)
+  attempts                DomainVerificationAttempt[]
+  records                 DomainVerificationRecord[]
+  certificate             DomainCertificate?
+
+  @@index([domainName])
+  @@index([createdAt])
+  @@index([subName])
+}
+
+model SubBranding {
+  id                      Int                         @id @default(autoincrement())
+  subName                 String                      @unique @db.Citext
+  title                   String?                     // default title of the sub
+  description             String?                     // default description of the sub
+  logoId                  Int?
+  faviconId               Int?
+  primaryColor            String?
+  secondaryColor          String?
+
+  logoUpload Upload? @relation("SubBrandingLogo", fields: [logoId], references: [id], onDelete: SetNull)
+  faviconUpload Upload? @relation("SubBrandingFavicon", fields: [faviconId], references: [id], onDelete: SetNull)
+  sub Sub @relation(fields: [subName], references: [name], onDelete: Cascade, onUpdate: Cascade)
+
+  @@index([subName])
+}
+
+model DomainVerificationAttempt {
+  id                      Int                       @id @default(autoincrement())
+  createdAt               DateTime                  @default(now()) @map("created_at")
+  updatedAt               DateTime                  @default(now()) @updatedAt @map("updated_at")
+  domainId                Int
+  verificationRecordId    Int?
+  stage                   DomainVerificationStage   @default(GENERAL)
+  status                  DomainVerificationStatus  @default(PENDING)
+  message                 String?
+
+  domain                  Domain                    @relation(fields: [domainId], references: [id], onDelete: Cascade)
+  verificationRecord      DomainVerificationRecord? @relation(fields: [verificationRecordId], references: [id], onDelete: Cascade)
+
+  @@index([domainId])
+  @@index([verificationRecordId])
+}
+
+model DomainVerificationRecord {
+  id             Int                          @id @default(autoincrement())
+  createdAt      DateTime                     @default(now()) @map("created_at")
+  updatedAt      DateTime                     @default(now()) @updatedAt @map("updated_at")
+  lastCheckedAt  DateTime?                    @map("last_checked_at")
+  domainId       Int
+  type           DomainRecordType
+  recordName     String
+  recordValue    String
+  status         DomainVerificationStatus     @default(PENDING)
+  attempts       DomainVerificationAttempt[]
+
+  domain         Domain                       @relation(fields: [domainId], references: [id], onDelete: Cascade)
+
+  @@unique([domainId, type, recordName])
+  @@index([domainId])
+}
+
+model DomainCertificate {
+  id              Int                       @id @default(autoincrement())
+  createdAt       DateTime                  @default(now()) @map("created_at")
+  updatedAt       DateTime                  @default(now()) @updatedAt @map("updated_at")
+  domainId        Int
+  certificateArn  String                    @unique
+  status          DomainCertificateStatus
+
+  domain          Domain                    @relation(fields: [domainId], references: [id], onDelete: Cascade)
+
+  @@unique([domainId])
+}
+
+enum DomainVerificationStatus {
+  PENDING
+  VERIFIED
+  FAILED
+  ACTIVE
+  HOLD
+}
+
+enum DomainVerificationStage {
+  GENERAL
+  CNAME
+  ACM_REQUEST_CERTIFICATE
+  ACM_REQUEST_VALIDATION_VALUES
+  ACM_VALIDATION
+  ELB_ATTACH_CERTIFICATE
+  VERIFICATION_COMPLETE
+}
+
+enum DomainRecordType {
+  CNAME
+  SSL
+}
+
+// TODO: use these statuses or get rid of most of them
+enum DomainCertificateStatus {
+  PENDING_VALIDATION
+  ISSUED
+  INACTIVE
+  EXPIRED
+  REVOKED
+  FAILED
+  VALIDATION_TIMED_OUT
+}
+
 enum EarnType {
   POST
   COMMENT
diff --git a/worker/domainVerification.js b/worker/domainVerification.js
new file mode 100644
index 000000000..cc6697901
--- /dev/null
+++ b/worker/domainVerification.js
@@ -0,0 +1,324 @@
+import createPrisma from '@/lib/create-prisma'
+import {
+  verifyDNSRecord,
+  issueDomainCertificate,
+  checkCertificateStatus,
+  getValidationValues,
+  attachDomainCertificate,
+  deleteDomainCertificate,
+  detachDomainCertificate
+} from '@/lib/domain-verification'
+import { datePivot } from '@/lib/time'
+
+const VERIFICATION_INTERVAL = (updatedAt) => {
+  const pivot = datePivot(new Date(), { hours: -1 }) // 1 hour ago
+  // after 1 hour, the verification interval is 5 minutes
+  if (pivot > updatedAt) return 60 * 5
+  // before 1 hour, the verification interval is 30 seconds
+  return 30
+}
+const VERIFICATION_HOLD_THRESHOLD = -2 // 2 days ago
+
+export async function domainVerification ({ id: jobId, data: { domainId }, boss }) {
+  // establish connection to database
+  const models = createPrisma({ connectionParams: { connection_limit: 1 } })
+  try {
+    // get domain from database
+    const domain = await models.domain.findUnique({
+      where: { id: domainId },
+      include: {
+        records: true,
+        certificate: true
+      }
+    })
+
+    console.log(`domainVerification: ${JSON.stringify(domain, null, 2)}`)
+
+    // if we can't find the domain, bail without scheduling a retry
+    if (!domain) {
+      console.log(`domain with ID ${domainId} not found`)
+      return
+    }
+
+    // start verification process
+    const result = await verifyDomain(domain, models)
+    console.log(`domain verification result: ${JSON.stringify(result)}`)
+
+    // update the domain with the result and register the attempt
+    await models.domain.update({
+      where: { id: domainId },
+      data: { status: result.status }
+    })
+
+    // log the general verification attempt
+    await logAttempt({ domain, models, stage: 'VERIFICATION_COMPLETE', status: result.status, message: result.message })
+
+    // if the result is PENDING it means we still have to verify the domain
+    // if it's not PENDING, we stop the verification process.
+    if (result.status === 'PENDING') {
+      // we still need to verify the domain, schedule the job to run again
+      const newJobId = await boss.sendDebounced('domainVerification', { domainId }, {
+        startAfter: VERIFICATION_INTERVAL(domain.updatedAt),
+        retryLimit: 3,
+        retryDelay: 60 // on critical errors, retry every minute
+      }, 30, `domainVerification:${domainId}`)
+      console.log(`domain ${domain.domainName} is still pending verification, created job with ID ${newJobId}`)
+    }
+  } catch (error) {
+    console.error(`couldn't verify domain with ID ${domainId}: ${error.message}`)
+
+    // get the job details to get the retry count
+    const jobDetails = await boss.getJobById(jobId)
+    console.log(`job details: ${JSON.stringify(jobDetails)}`)
+
+    // if we couldn't verify the domain after 3 attempts, put it on hold if it exists and delete any related verification jobs
+    if (jobDetails?.retrycount >= 3) {
+      console.log(`couldn't verify domain with ID ${domainId} for the third time, putting it on HOLD if it exists and deleting any related domain verification jobs`)
+      await models.domain.update({ where: { id: domainId }, data: { status: 'HOLD' } })
+
+      // delete any related domain verification jobs that may exist
+      await models.$queryRaw`
+      DELETE FROM pgboss.job
+      WHERE name = 'domainVerification'
+            AND data->>'domainId' = ${domainId}::TEXT`
+    }
+
+    throw error
+  } finally {
+    // close prisma connection
+    await models.$disconnect()
+  }
+}
+
+async function verifyDomain (domain, models) {
+  // if we're still here and it has been 48 hours, put the domain on HOLD, stopping the verification process
+  if (datePivot(new Date(), { days: VERIFICATION_HOLD_THRESHOLD }) > domain.updatedAt) {
+    // delete certificate infos if any, it will trigger a deleteCertificate job
+    // an ACM certificate would expire in 72 hours anyway, it's best to delete it
+    await models.domainCertificate.delete({ where: { domainId: domain.id } })
+    return { status: 'HOLD', message: `Domain ${domain.domainName} has been put on HOLD because we couldn't verify it in 48 hours` }
+  }
+
+  const status = 'PENDING'
+
+  // STEP 1: Check DNS each time
+  // map the records to a dictionary
+  const records = domain.records || []
+  const recordMap = Object.fromEntries(records.map(record => [record.type, record]))
+
+  // verify the CNAME record
+  const dnsVerified = await verifyRecord('CNAME', recordMap.CNAME, domain, models)
+  if (!dnsVerified) return { status, message: 'DNS verification has failed.' }
+
+  // STEP 2: Request a certificate, get its validation values and check ACM validation
+  // AWS external calls can fail, we'll catch the error for pgboss to retry the job
+  try {
+    // STEP 2a: Request a certificate
+    let certificateArn = domain.certificate?.certificateArn || null
+    if (!certificateArn) {
+      certificateArn = await requestCertificate(domain, models)
+    }
+
+    // STEP 2b: Get the validation values for the certificate
+    if (certificateArn && !recordMap.SSL) {
+      await getACMValidationValues(domain, models, certificateArn)
+
+      // return PENDING to check ACM validation later
+      return { status, message: 'Certificate issued and validation values stored.' }
+    }
+
+    // STEP 2c: Check ACM validation
+    const sslVerified = await checkACMValidation(domain, models, recordMap.SSL)
+    if (!sslVerified) return { status, message: 'ACM validation is still pending.' }
+
+    // STEP 2d: Attach the certificate to the ELB listener
+    await attachACMCertificateToELB(domain, models, certificateArn)
+  } catch (error) {
+    await logAttempt({ domain, models, stage: 'GENERAL', status, message: 'ACM services error: ' + error.message })
+    throw error
+  }
+
+  // STEP 3: If everything is verified, update the domain status to ACTIVE
+  return { status: 'ACTIVE', message: `Domain ${domain.domainName} has been successfully verified` }
+}
+
+// verify a single record, logs the result and returns true if the record is valid
+async function verifyRecord (type, record, domain, models) {
+  const result = await verifyDNSRecord(type, record.recordName, record.recordValue)
+  const status = result.valid ? 'VERIFIED' : 'PENDING'
+  const message = result.valid ? `${type} record verified` : result.error || `${type} record is not valid`
+
+  // log the record verification attempt
+  await logAttempt({ domain, models, record, stage: type, status, message })
+  return status === 'VERIFIED'
+}
+
+// request a certificate for the domain from ACM
+async function requestCertificate (domain, models) {
+  let message = null
+
+  // ask ACM to request a certificate for the domain
+  const { certificateArn, error } = await issueDomainCertificate(domain.domainName)
+
+  if (certificateArn) {
+    // check the status of the just created certificate
+    const { certStatus, error: checkError } = await checkCertificateStatus(certificateArn)
+    if (checkError) {
+      message = 'Could not check certificate status: ' + checkError
+      throw new Error(message)
+    } else {
+      try {
+        // store the certificate in the database with its status
+        await models.domainCertificate.create({
+          data: {
+            domain: { connect: { id: domain.id } },
+            certificateArn,
+            status: certStatus
+          }
+        })
+        message = 'An ACM certificate with arn ' + certificateArn + ' has been successfully requested'
+      } catch (e) {
+        // if record already exists, move on
+        if (e.code === 'P2002') {
+          message = 'Certificate already stored'
+        } else {
+          message = 'Could not store certificate in the database: ' + e.message
+          throw new Error(message)
+        }
+      }
+    }
+  } else {
+    message = 'Could not request an ACM certificate: ' + error
+    throw new Error(message)
+  }
+
+  const status = certificateArn ? 'PENDING' : 'FAILED'
+  await logAttempt({ domain, models, stage: 'ACM_REQUEST_CERTIFICATE', status, message })
+  return certificateArn
+}
+
+async function getACMValidationValues (domain, models, certificateArn) {
+  let message = null
+
+  // get the validation values for the certificate
+  const { cname, value, error } = await getValidationValues(certificateArn)
+  if (cname && value) {
+    try {
+      // store the validation values in the database
+      await models.domainVerificationRecord.create({
+        data: {
+          domain: { connect: { id: domain.id } },
+          type: 'SSL',
+          recordName: cname,
+          recordValue: value
+        }
+      })
+      message = 'Validation values stored'
+    } catch (e) {
+      // if record already exists, move on
+      if (e.code === 'P2002') {
+        message = 'Validation values already stored'
+      } else {
+        message = 'Could not store validation values: ' + e.message
+        throw new Error(message)
+      }
+    }
+  } else {
+    message = 'Could not get validation values: ' + error
+    throw new Error(message)
+  }
+
+  const status = cname && value ? 'PENDING' : 'FAILED'
+  await logAttempt({ domain, models, stage: 'ACM_REQUEST_VALIDATION_VALUES', status, message })
+  return status !== 'FAILED'
+}
+
+async function checkACMValidation (domain, models, record) {
+  let message = null
+
+  const { certStatus, error } = await checkCertificateStatus(domain.certificate.certificateArn)
+  if (certStatus) {
+    if (certStatus !== domain.certificate.status) {
+      console.log(`certificate status for ${domain.domainName} has changed from ${domain.certificate.status} to ${certStatus}`)
+      await models.domainCertificate.update({
+        where: { id: domain.certificate.id },
+        data: { status: certStatus }
+      })
+    }
+    message = `Certificate status is: ${certStatus}`
+  } else {
+    message = 'Could not check certificate status: ' + error
+    throw new Error(message)
+  }
+
+  const status = certStatus === 'ISSUED' ? 'VERIFIED' : 'PENDING'
+  await logAttempt({ domain, models, record, stage: 'ACM_VALIDATION', status, message })
+  return status === 'VERIFIED'
+}
+
+async function attachACMCertificateToELB (domain, models, certificateArn) {
+  let message = null
+
+  // attach the certificate to the ELB listener
+  const { error } = await attachDomainCertificate(certificateArn)
+  if (!error) {
+    message = `Certificate ${certificateArn} is now attached to ELB listener`
+  } else {
+    message = `Could not attach certificate ${certificateArn} to ELB listener: ${error.message}`
+    throw new Error(message)
+  }
+
+  const status = !error ? 'VERIFIED' : 'FAILED'
+  await logAttempt({ domain, models, stage: 'ELB_ATTACH_CERTIFICATE', status, message })
+  return status !== 'FAILED'
+}
+
+async function logAttempt ({ domain, models, record, stage, status, message }) {
+  const data = {
+    domain: { connect: { id: domain.id } },
+    stage,
+    status,
+    message
+  }
+
+  if (record) {
+    data.verificationRecord = { connect: { id: record.id } }
+  }
+
+  console.log(`logAttempt: ${JSON.stringify(data, null, 2)}`)
+
+  return await models.domainVerificationAttempt.create({
+    data
+  })
+}
+
+// clear domains that have been on HOLD for 30 days or more
+export async function clearLongHeldDomains () {
+  const models = createPrisma({ connectionParams: { connection_limit: 1 } })
+  try {
+    await models.domain.deleteMany({
+      where: { status: 'HOLD', updatedAt: { lt: datePivot(new Date(), { days: 30 }) } }
+    })
+  } catch (error) {
+    console.error(`couldn't clear long held domains: ${error.message}`)
+  } finally {
+    await models.$disconnect()
+  }
+}
+
+// delete certificates from ACM and ELB
+export async function deleteCertificateExternal ({ data: { certificateArn } }) {
+  // detach the certificate from the elb listener
+  const { error: detachError } = await detachDomainCertificate(certificateArn)
+  if (detachError) {
+    console.error(`couldn't detach certificate with ARN ${certificateArn}: ${detachError.message}`)
+    throw detachError
+  }
+
+  // delete the certificate from ACM
+  const { error: deleteError } = await deleteDomainCertificate(certificateArn)
+  if (deleteError) {
+    console.error(`couldn't delete certificate with ARN ${certificateArn}: ${deleteError.message}`)
+    throw deleteError
+  }
+}
diff --git a/worker/index.js b/worker/index.js
index 03b1a3f4c..3b8a24388 100644
--- a/worker/index.js
+++ b/worker/index.js
@@ -38,6 +38,11 @@ import { expireBoost } from './expireBoost'
 import { payingActionConfirmed, payingActionFailed } from './payingAction'
 import { autoDropBolt11s } from './autoDropBolt11'
 import { postToSocial } from './socialPoster'
+import {
+  domainVerification,
+  deleteCertificateExternal,
+  clearLongHeldDomains
+} from './domainVerification.js'
 
 // WebSocket polyfill
 import ws from 'isomorphic-ws'
@@ -123,6 +128,11 @@ async function work () {
     await boss.work('imgproxy', jobWrapper(imgproxy))
     await boss.work('deleteUnusedImages', jobWrapper(deleteUnusedImages))
   }
+  if (isServiceEnabled('domains')) {
+    await boss.work('domainVerification', jobWrapper(domainVerification))
+    await boss.work('deleteDomainCertificate', jobWrapper(deleteCertificateExternal))
+    await boss.work('clearLongHeldDomains', jobWrapper(clearLongHeldDomains))
+  }
   await boss.work('expireBoost', jobWrapper(expireBoost))
   await boss.work('weeklyPost-*', jobWrapper(weeklyPost))
   await boss.work('payWeeklyPostBounty', jobWrapper(payWeeklyPostBounty))