diff --git a/Gemfile b/Gemfile
index 8ff21b104..70c29cd45 100644
--- a/Gemfile
+++ b/Gemfile
@@ -6,6 +6,7 @@ gem 'rails', '7.2.2.2'
 
 gem 'active_model_serializers'
 gem 'activerecord-session_store'
+gem 'addressable'
 gem 'ahoy_matey'
 gem 'auto_strip_attributes'
 gem 'bootsnap', require: false
diff --git a/Gemfile.lock b/Gemfile.lock
index ccc25b00d..793c350d3 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -825,6 +825,7 @@ PLATFORMS
 DEPENDENCIES
   active_model_serializers
   activerecord-session_store
+  addressable
   ahoy_matey
   auto_strip_attributes
   better_errors
diff --git a/app/controllers/callbacks_controller.rb b/app/controllers/callbacks_controller.rb
index 2c3916d9e..3ab71ed5b 100644
--- a/app/controllers/callbacks_controller.rb
+++ b/app/controllers/callbacks_controller.rb
@@ -1,5 +1,6 @@
 # The controller for callback actions
 class CallbacksController < Devise::OmniauthCallbacksController
+  include SpaceRedirect
 
   Devise.omniauth_configs.each do |provider, config|
     define_method(provider) do
@@ -11,6 +12,9 @@ class CallbacksController < Devise::OmniauthCallbacksController
 
   def handle_callback(provider, config)
     @user = User.from_omniauth(request.env["omniauth.auth"])
+    if request.env['omniauth.params'] && request.env['omniauth.params']['space_id']
+      space = Space.find_by_id(request.env['omniauth.params']['space_id'])
+    end
 
     if @user.new_record?
       # new user
@@ -27,14 +31,15 @@ def handle_callback(provider, config)
 
         sign_in @user
         flash[:notice] = "#{I18n.t('devise.registrations.signed_up')} Please ensure your profile is correct."
-        redirect_to edit_user_path(@user)
+        redirect_to_space(edit_user_path(@user), space)
       rescue Exception => e
         flash[:notice] = "Login failed: #{e.message.to_s}"
-        redirect_to new_user_session_path
+        redirect_to_space(new_user_session_path, space)
       end
     else
-      sign_in_and_redirect @user
+      scope = Devise::Mapping.find_scope!(@user)
+      sign_in(scope, resource, {})
+      redirect_to_space(after_sign_in_path_for(@user), space)
     end
   end
-
 end
\ No newline at end of file
diff --git a/app/controllers/concerns/space_redirect.rb b/app/controllers/concerns/space_redirect.rb
new file mode 100644
index 000000000..24f6783e8
--- /dev/null
+++ b/app/controllers/concerns/space_redirect.rb
@@ -0,0 +1,16 @@
+module SpaceRedirect
+  extend ActiveSupport::Concern
+
+  private
+
+  def redirect_to_space(path, space)
+    if space&.is_subdomain?
+      port_part = ''
+      port_part = ":#{request.port}" if (request.protocol == "http://" && request.port != 80) ||
+        (request.protocol == "https://" && request.port != 443)
+      redirect_to URI.join("#{request.protocol}#{space.host}#{port_part}", path).to_s, allow_other_host: true
+    else
+      redirect_to path
+    end
+  end
+end
diff --git a/app/controllers/orcid_controller.rb b/app/controllers/orcid_controller.rb
index 485a1347a..a0332dbce 100644
--- a/app/controllers/orcid_controller.rb
+++ b/app/controllers/orcid_controller.rb
@@ -1,4 +1,6 @@
 class OrcidController < ApplicationController
+  include SpaceRedirect
+
   before_action :orcid_auth_enabled
   before_action :authenticate_user!
   before_action :set_oauth_client, only: [:authenticate, :callback]
@@ -9,12 +11,17 @@ class OrcidController < ApplicationController
   end
 
   def authenticate
-    redirect_to @oauth2_client.authorization_uri(scope: '/authenticate'), allow_other_host: true
+    params = Space.current_space&.default? ? {} : { state: "space_id:#{Space.current_space.id}" }
+    redirect_to @oauth2_client.authorization_uri(scope: '/authenticate', **params), allow_other_host: true
   end
 
   def callback
     @oauth2_client.authorization_code = params[:code]
     token = Rack::OAuth2::AccessToken::Bearer.new(access_token: @oauth2_client.access_token!)
+    if params[:state].present?
+      m = params[:state].match(/space_id:(\d+)/)
+      space = Space.find_by_id(m[1]) if m
+    end
     orcid = token.access_token&.raw_attributes['orcid']
     respond_to do |format|
       profile = current_user.profile
@@ -27,7 +34,7 @@ def callback
       else
         flash[:error] = t('orcid.authentication_failure')
       end
-      format.html { redirect_to current_user }
+      format.html { redirect_to_space(user_path(current_user), space) }
     end
   end
 
@@ -38,7 +45,7 @@ def set_oauth_client
     @oauth2_client ||= Rack::OAuth2::Client.new(
       identifier: config[:client_id],
       secret: config[:secret],
-      redirect_uri: config[:redirect_uri].presence || orcid_callback_url,
+      redirect_uri: config[:redirect_uri].presence || orcid_callback_url(host: TeSS::Config.base_uri.host),
       authorization_endpoint: '/oauth/authorize',
       token_endpoint: '/oauth/token',
       host: config[:host].presence || (Rails.env.production? ? 'orcid.org' : 'sandbox.orcid.org')
diff --git a/app/controllers/tess_devise/sessions_controller.rb b/app/controllers/tess_devise/sessions_controller.rb
new file mode 100644
index 000000000..c208f33b5
--- /dev/null
+++ b/app/controllers/tess_devise/sessions_controller.rb
@@ -0,0 +1,35 @@
+class TessDevise::SessionsController < Devise::SessionsController
+
+  def create
+    clear_legacy_cookie
+
+    super
+  end
+
+  def destroy
+    super
+
+    clear_legacy_cookie
+  end
+
+  private
+
+  def clear_legacy_cookie
+    # Clean up legacy host-only session cookie
+    key = Rails.application.config.session_options[:key]
+    append_set_cookie("#{key}=; path=/; Max-Age=0; HttpOnly; SameSite=Lax")
+  end
+
+  def append_set_cookie(value)
+    existing = response.headers['Set-Cookie']
+
+    case existing
+    when nil
+      response.headers['Set-Cookie'] = value
+    when String
+      response.headers['Set-Cookie'] = [existing, value]
+    when Array
+      existing << value
+    end
+  end
+end
\ No newline at end of file
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 9cc2a3718..79db6327a 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -700,11 +700,12 @@ def theme_path
   end
 
   def omniauth_login_link(provider, config)
+    params = Space.current_space&.default? ? {} : { space_id: Space.current_space.id }
     link_to(
       t('authentication.omniauth.log_in_with',
         provider: config.options[:label] ||
                   t("authentication.omniauth.providers.#{provider}", default: provider.to_s.titleize)),
-      omniauth_authorize_path('user', provider),
+      omniauth_authorize_path('user', provider, **params),
       method: :post
     )
   end
diff --git a/app/helpers/spaces_helper.rb b/app/helpers/spaces_helper.rb
index 9317ade62..4a57101f3 100644
--- a/app/helpers/spaces_helper.rb
+++ b/app/helpers/spaces_helper.rb
@@ -11,4 +11,8 @@ def space_feature_options
       [t("features.#{f}.short"), f]
     end
   end
+
+  def space_supports_omniauth?(space = current_space)
+    space.nil? || space.default? || space.is_subdomain?(TeSS::Config.base_uri.domain)
+  end
 end
diff --git a/app/models/space.rb b/app/models/space.rb
index 45dabfaba..277c0ff49 100644
--- a/app/models/space.rb
+++ b/app/models/space.rb
@@ -16,6 +16,10 @@ class Space < ApplicationRecord
   has_many :administrator_roles, -> { where(key: :admin) }, class_name: 'SpaceRole'
   has_many :administrators, through: :administrator_roles, source: :user, class_name: 'User'
 
+  auto_strip_attributes :title, :description, :host
+
+  validates :title, presence: true
+  validates :host, presence: true, uniqueness: true, format: /\A[a-zA-Z0-9\-]+(\.[a-zA-Z0-9\-]+)*\z/i
   validates :theme, inclusion: { in: TeSS::Config.themes.keys, allow_blank: true }
   validate :disabled_features_valid?
 
@@ -65,6 +69,10 @@ def enabled_features
     (FEATURES - disabled_features)
   end
 
+  def is_subdomain?(domain = TeSS::Config.base_uri.domain)
+    (host == domain || host.ends_with?(".#{domain}"))
+  end
+
   private
 
   def disabled_features_valid?
diff --git a/app/views/layouts/_login_menu.html.erb b/app/views/layouts/_login_menu.html.erb
index f857983a5..f216f5b2e 100644
--- a/app/views/layouts/_login_menu.html.erb
+++ b/app/views/layouts/_login_menu.html.erb
@@ -9,8 +9,10 @@
     <strong>Log In</strong> <span class="caret"></span>
   </a>
   <ul class="dropdown-menu dropdown-menu-right">
-    <% Devise.omniauth_configs.each do |provider, config| -%>
-      <li class="dropdown-item"><%= omniauth_login_link(provider, config) %></li>
+    <% if space_supports_omniauth? %>
+      <% Devise.omniauth_configs.each do |provider, config| -%>
+        <li class="dropdown-item"><%= omniauth_login_link(provider, config) %></li>
+      <% end %>
     <% end %>
 
     <li class="dropdown-item">
diff --git a/app/views/users/show.html.erb b/app/views/users/show.html.erb
index 954413f39..e63eb9ab8 100644
--- a/app/views/users/show.html.erb
+++ b/app/views/users/show.html.erb
@@ -51,7 +51,10 @@
         <% else %>
           <%= orcid_link(@user.profile) %>
         <% end %>
-        <% if TeSS::Config.orcid_authentication_enabled? && current_user == @user && !@user.profile.orcid_authenticated? %>
+        <% if TeSS::Config.orcid_authentication_enabled? &&
+            current_user == @user &&
+            !@user.profile.orcid_authenticated? &&
+            space_supports_omniauth? %>
           <%= button_to t(@user.profile.orcid.blank? ? 'orcid.link' : 'orcid.authenticate'), authenticate_orcid_path, class: 'btn btn-default' %>
         <% end %>
       </p>
diff --git a/config/application.rb b/config/application.rb
index 7faab17b1..27b7e7b28 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -176,6 +176,10 @@ def orcid_authentication_enabled?
         Rails.application.config.secrets.orcid[:client_id].present? &&
         Rails.application.config.secrets.orcid[:secret].present?
     end
+
+    def base_uri
+      @base_uri ||= Addressable::URI.parse(base_url)
+    end
   end
 
   Config = TessConfig.new(tess_config)
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index 8f7289407..b3db12830 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -1,8 +1,10 @@
 # Be sure to restart your server when you modify this file.
-opts = {}
+opts = {
+  domain: :all
+}
 
 if Rails.env.production?
-  opts = { same_site: :lax, secure: true }
+  opts.merge!(same_site: :lax, secure: true)
   expiry_time = TeSS::Config.login_expires_after
   opts[:expire_after] = expiry_time unless expiry_time.blank?
 end
diff --git a/config/routes.rb b/config/routes.rb
index 60ca008c6..770eda18f 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -31,9 +31,10 @@
   # to happen when precompiling assets in the docker build script.
   unless Rake.try(:application)&.top_level_tasks&.include? 'assets:precompile'
     devise_for :users, :controllers => {
-      :registrations => 'tess_devise/registrations',
-      :invitations => 'tess_devise/invitations',
-      :omniauth_callbacks => 'callbacks'
+      registrations: 'tess_devise/registrations',
+      invitations: 'tess_devise/invitations',
+      sessions: 'tess_devise/sessions',
+      omniauth_callbacks: 'callbacks'
     }
   end
   #Redirect to users index page after devise user account update
diff --git a/test/controllers/orcid_controller_test.rb b/test/controllers/orcid_controller_test.rb
index e7f8c86e7..f7b1d4795 100644
--- a/test/controllers/orcid_controller_test.rb
+++ b/test/controllers/orcid_controller_test.rb
@@ -9,6 +9,23 @@ class OrcidControllerTest < ActionController::TestCase
     post :authenticate
 
     assert_redirected_to /https:\/\/sandbox\.orcid\.org\/oauth\/authorize\?.+/
+    params = Rack::Utils.parse_query(URI.parse(response.location).query)
+    assert_equal "#{TeSS::Config.base_url}/orcid/callback", params['redirect_uri']
+    assert_nil params['state']
+  end
+
+  test 'authenticating orcid in space uses root app redirect URI and sets space state' do
+    plant_space = spaces(:plants)
+    with_host(plant_space.host) do
+      sign_in users(:regular_user)
+
+      post :authenticate
+
+      assert_redirected_to /https:\/\/sandbox\.orcid\.org\/oauth\/authorize\?.+/
+      params = Rack::Utils.parse_query(URI.parse(response.location).query)
+      assert_equal "#{TeSS::Config.base_url}/orcid/callback", params['redirect_uri']
+      assert_equal "space_id:#{plant_space.id}", params['state']
+    end
   end
 
   test 'do not authenticate orcid if user not logged-in' do
@@ -148,4 +165,61 @@ class OrcidControllerTest < ActionController::TestCase
       end
     end
   end
+
+  test 'redirect to subdomain space in callback' do
+    space = spaces(:astro)
+    space.update!(host: 'space.example.com')
+    mock_images
+    user = users(:regular_user)
+    assert user.profile.orcid.blank?
+    sign_in user
+
+    VCR.use_cassette('orcid/get_token_free_orcid') do
+      get :callback, params: { code: '123xyz', state: "space_id:#{space.id}" }
+    end
+
+    profile = user.profile.reload
+    assert_equal '0009-0006-0987-5702', profile.orcid
+    assert profile.orcid_authenticated?
+    assert_redirected_to user_url(user, host: 'space.example.com')
+    assert response.headers['Location'].starts_with?('http://space.example.com/users/')
+    assert flash[:error].blank?
+  end
+
+  test 'do not redirect to non-subdomain space in callback' do
+    space = spaces(:astro)
+    space.update!(host: 'space.golf.com')
+    mock_images
+    user = users(:regular_user)
+    assert user.profile.orcid.blank?
+    sign_in user
+
+    VCR.use_cassette('orcid/get_token_free_orcid') do
+      get :callback, params: { code: '123xyz', state: "space_id:#{space.id}" }
+    end
+
+    profile = user.profile.reload
+    assert_equal '0009-0006-0987-5702', profile.orcid
+    assert profile.orcid_authenticated?
+    assert_redirected_to user
+    refute response.headers['Location'].starts_with?('http://space.golf.com/users/')
+    assert flash[:error].blank?
+  end
+
+  test 'ignore bad space when redirecting in callback' do
+    mock_images
+    user = users(:regular_user)
+    assert user.profile.orcid.blank?
+    sign_in user
+
+    VCR.use_cassette('orcid/get_token_free_orcid') do
+      get :callback, params: { code: '123xyz', state: "space_id:banana🍌" }
+    end
+
+    profile = user.profile.reload
+    assert_equal '0009-0006-0987-5702', profile.orcid
+    assert profile.orcid_authenticated?
+    assert_redirected_to user
+    assert flash[:error].blank?
+  end
 end
diff --git a/test/controllers/static_controller_test.rb b/test/controllers/static_controller_test.rb
index 266208138..59ff679ef 100644
--- a/test/controllers/static_controller_test.rb
+++ b/test/controllers/static_controller_test.rb
@@ -712,7 +712,7 @@ class StaticControllerTest < ActionController::TestCase
       end
     end
   end
-
+        
   test 'disabled features do not show as counters on space front page' do
     space = spaces(:plants)
     space.disabled_features = ['materials']
@@ -739,4 +739,26 @@ class StaticControllerTest < ActionController::TestCase
       end
     end
   end
+
+  test 'show omniauth login options when on subdomain space' do
+    space = spaces(:plants)
+    space.update!(host: 'plants.example.com')
+    with_host(space.host) do
+      get :home
+      assert_select 'ul.user-options.nav.navbar-nav.navbar-right' do
+        assert_select "a[href=\"/users/auth/oidc?space_id=#{space.id}\"]", count: 1
+      end
+    end
+  end
+
+  test 'do not show omniauth login options when on non-subdomain space' do
+    space = spaces(:plants)
+    space.update!(host: 'other-host.com')
+    with_host(space.host) do
+      get :home
+      assert_select 'ul.user-options.nav.navbar-nav.navbar-right' do
+        assert_select "a[href=\"/users/auth/oidc?space_id=#{space.id}\"]", count: 0
+      end
+    end
+  end
 end
diff --git a/test/controllers/users_controller_test.rb b/test/controllers/users_controller_test.rb
index c0f051493..0360e5fa1 100644
--- a/test/controllers/users_controller_test.rb
+++ b/test/controllers/users_controller_test.rb
@@ -531,6 +531,7 @@ class UsersControllerTest < ActionController::TestCase
 
       assert_response :success
       assert_select '#sidebar button', text: 'Authenticate your ORCID', count: 0
+      assert_select '#sidebar button', text: 'Link your ORCID', count: 0
     end
   end
 
@@ -543,6 +544,7 @@ class UsersControllerTest < ActionController::TestCase
 
     assert_response :success
     assert_select '#sidebar button', text: 'Authenticate your ORCID', count: 0
+    assert_select '#sidebar button', text: 'Link your ORCID', count: 0
   end
 
   test 'should not show authenticate orcid button if already authenticated' do
@@ -554,6 +556,7 @@ class UsersControllerTest < ActionController::TestCase
 
     assert_response :success
     assert_select '#sidebar button', text: 'Authenticate your ORCID', count: 0
+    assert_select '#sidebar button', text: 'Link your ORCID', count: 0
   end
 
   test 'should show material and event in trainer page as bioschemas JSON-LD' do
@@ -600,4 +603,39 @@ class UsersControllerTest < ActionController::TestCase
     assert_not_nil external_resource
     assert_equal external_resource.url, json_event['mentions'].first['url']
   end
+
+  test 'should show authenticate orcid button on subdomain space' do
+    space = spaces(:astro)
+    space.update!(host: 'space.example.com')
+    with_host(space.host) do
+      user = users(:private_user)
+      assert user.profile.orcid.present?
+      refute user.profile.orcid_authenticated?
+
+      sign_in user
+
+      get :show, params: { id: user }
+
+      assert_response :success
+      assert_select '#sidebar button', text: 'Authenticate your ORCID'
+    end
+  end
+
+  test 'should not show authenticate orcid button on non-subdomain space' do
+    space = spaces(:astro)
+    space.update!(host: 'space.golf.com')
+    with_host(space.host) do
+      user = users(:private_user)
+      assert user.profile.orcid.present?
+      refute user.profile.orcid_authenticated?
+
+      sign_in user
+
+      get :show, params: { id: user }
+
+      assert_response :success
+      assert_select '#sidebar button', text: 'Authenticate your ORCID', count: 0
+      assert_select '#sidebar button', text: 'Link your ORCID', count: 0
+    end
+  end
 end
diff --git a/test/integration/login_test.rb b/test/integration/login_test.rb
index 6d65ce1da..ba7edd4ed 100644
--- a/test/integration/login_test.rb
+++ b/test/integration/login_test.rb
@@ -47,6 +47,29 @@ class LoginTest < ActionDispatch::IntegrationTest
     end
   end
 
+  test 'clears legacy cookie (without domain) on login' do
+    user = users(:regular_user)
+    post '/users/sign_in', params: { 'user[login]' => user.username, 'user[password]' => 'hello' }
+    cookies = response.headers['Set-Cookie'].split("\n")
+    assert cookies.any? do |cookie|
+      parts = cookie.split(';').map(&:strip)
+      parts.any? { |p| p == 'Max-Age=0' } &&
+        parts.none? { |p| p.include?('domain') }
+    end
+  end
+
+  test 'clears legacy cookie on logout' do
+    user = users(:regular_user)
+    login_user(user.username, user.username, 'hello')
+    logout_user
+    cookies = response.headers['Set-Cookie'].split("\n")
+    assert cookies.any? do |cookie|
+      parts = cookie.split(';').map(&:strip)
+      parts.any? { |p| p == 'Max-Age=0' } &&
+        parts.none? { |p| p.include?('domain') }
+    end
+  end
+
   private
 
   def login_user(username, identifier, password)
diff --git a/test/integration/omniauth_test.rb b/test/integration/omniauth_test.rb
index 5cff3849d..a3356987b 100644
--- a/test/integration/omniauth_test.rb
+++ b/test/integration/omniauth_test.rb
@@ -399,4 +399,64 @@ class OmniauthTest < ActionDispatch::IntegrationTest
     assert_response :not_found
   end
 
+  test 'authentication redirects users back to origin space on subdomain' do
+    space = spaces(:astro)
+    space.update!(host: 'space.example.com')
+
+    OmniAuth.config.mock_auth[:oidc] = OmniAuth::AuthHash.new(
+      {
+        provider: 'oidc',
+        uid: '0123456789abcdcef',
+        info: {
+          email: 'aai@example.com',
+          nickname: 'aaf_user',
+          first_name: 'AAF',
+          last_name: 'User'
+        }
+      })
+
+    post user_oidc_omniauth_authorize_url(space_id: space.id)
+    follow_redirect! # OmniAuth redirect
+    assert_equal "http://space.example.com/users/aaf_user/edit", response.headers['Location']
+  end
+
+  test 'authentication does not redirect user to entirely different domain' do
+    space = spaces(:astro)
+    space.update!(host: 'my-cool-space-host.com')
+
+    OmniAuth.config.mock_auth[:oidc] = OmniAuth::AuthHash.new(
+      {
+        provider: 'oidc',
+        uid: '0123456789abcdcef',
+        info: {
+          email: 'aai@example.com',
+          nickname: 'aaf_user',
+          first_name: 'AAF',
+          last_name: 'User'
+        }
+      })
+
+    post user_oidc_omniauth_authorize_url(space_id: space.id)
+    follow_redirect! # OmniAuth redirect
+    assert_equal "http://www.example.com/users/aaf_user/edit", response.headers['Location']
+  end
+
+  test 'invalid space is ignored when redirecting' do
+    OmniAuth.config.mock_auth[:oidc] = OmniAuth::AuthHash.new(
+      {
+        provider: 'oidc',
+        uid: '0123456789abcdcef',
+        info: {
+          email: 'aai@example.com',
+          nickname: 'aaf_user',
+          first_name: 'AAF',
+          last_name: 'User'
+        }
+      })
+
+    post user_oidc_omniauth_authorize_url(space_id: 'ufhgfsdkhgskdjfhsdkjfhsdkjfhsd')
+    follow_redirect! # OmniAuth redirect
+    assert_equal "http://www.example.com/users/aaf_user/edit", response.headers['Location']
+  end
+
 end
diff --git a/test/models/space_test.rb b/test/models/space_test.rb
index 785bfe833..d9a2b3477 100644
--- a/test/models/space_test.rb
+++ b/test/models/space_test.rb
@@ -5,6 +5,42 @@ class SpaceTest < ActiveSupport::TestCase
     @space = spaces(:plants)
   end
 
+  test 'validate' do
+    space = Space.new
+    refute space.valid?
+    assert space.errors.added?(:title, :blank)
+    assert space.errors.added?(:user, :blank)
+
+    user = users(:curator)
+
+    no_host = Space.new(user: user, title: 'hello')
+    refute no_host.valid?
+    assert no_host.errors.added?(:host, :blank)
+
+    duplicate_host = Space.create(user: user, title: 'hello', host: spaces(:plants).host)
+    refute duplicate_host.valid?
+    assert duplicate_host.errors.added?(:host, :taken, value: spaces(:plants).host)
+
+    invalid_host = Space.create(user: user, title: 'hello', host: '...')
+    refute invalid_host.valid?
+    assert invalid_host.errors.added?(:host, :invalid, value: '...')
+
+    invalid_host2 = Space.create(user: user, title: 'hello', host: 'hello world')
+    refute invalid_host2.valid?
+    assert invalid_host2.errors.added?(:host, :invalid, value: 'hello world')
+
+    invalid_host3 = Space.create(user: user, title: 'hello', host: 'website,com')
+    refute invalid_host3.valid?
+    assert invalid_host3.errors.added?(:host, :invalid, value: 'website,com')
+
+    invalid_theme = Space.create(user: user, title: 'hello', host: 'space.host', theme: 'disco')
+    refute invalid_theme.valid?
+    assert invalid_theme.errors.added?(:theme, :inclusion, value: 'disco')
+
+    valid = Space.new(user: user, title: 'hello', host: 'space.host')
+    assert valid.valid?
+  end
+
   test 'get administrators' do
     admins = @space.administrators
     assert_equal 1, admins.length
@@ -128,4 +164,14 @@ class SpaceTest < ActiveSupport::TestCase
     @space.enabled_features = Space::FEATURES
     assert_equal [], @space.disabled_features
   end
+
+  test 'is_subdomain?' do
+    assert @space.is_subdomain?('mytess.training')
+    refute @space.is_subdomain?('amytess.training')
+    refute @space.is_subdomain?('mytess.com')
+    refute @space.is_subdomain?('mytess.training.com')
+    refute @space.is_subdomain?('space.mytess.training')
+    refute @space.is_subdomain?
+    assert Space.new(host: 'test.example.com').is_subdomain?
+  end
 end
diff --git a/test/unit/config_test.rb b/test/unit/config_test.rb
index 3157c437f..226f7bdd3 100644
--- a/test/unit/config_test.rb
+++ b/test/unit/config_test.rb
@@ -27,4 +27,8 @@ class ConfigTest < ActiveSupport::TestCase
           end
     assert_equal exp, TeSS::Config.redis_url
   end
+
+  test 'base_uri' do
+    assert_equal 'example.com', TeSS::Config.base_uri.domain
+  end
 end