diff --git a/README.md b/README.md
index e4edce0..cf96e99 100644
--- a/README.md
+++ b/README.md
@@ -34,6 +34,15 @@ Please head over to the [ORY Hydra 5 Minute Tutorial](https://www.ory.sh/docs/hydra/5min-tutorial) to see how this works.
+### Allowing login from multiple email addresses
+
+If desired, instead of logging in with email foo@bar.com and password foobar,
+you may set the `ALLOWED_LOGIN_DOMAIN` environment variable to any domain.
+This will cause the application to accept logins from any address from that domain
+with password foobar. For example, if you set it to `domain.com`, this
+application will accept logins from any email address ending in `@domain.com`
+with password foobar.
+
 ## FAQ
 ### TLS Termination
diff --git a/src/config.ts b/src/config.ts
index f0708ee..ca22faa 100644
--- a/src/config.ts
+++ b/src/config.ts
@@ -17,4 +17,8 @@ const configuration = new Configuration({
 const hydraAdmin = new V0alpha2Api(configuration)
-export { hydraAdmin }
+const options: { allowedLoginDomain?: string } = {
+ allowedLoginDomain: process.env.ALLOWED_LOGIN_DOMAIN,
+}
+
+export { hydraAdmin, options }
diff --git a/src/routes/login.ts b/src/routes/login.ts
index bdf2805..cc490b1 100644
--- a/src/routes/login.ts
+++ b/src/routes/login.ts
@@ -1,11 +1,11 @@
 // Copyright © 2023 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
+import csrf from "csurf"
 import express from "express"
 import url from "url"
 import urljoin from "url-join"
-import csrf from "csurf"
-import { hydraAdmin } from "../config"
+import { hydraAdmin, options } from "../config"
 import { oidcConformityMaybeFakeAcr } from "./stub/oidc-cert"
 // Sets up csrf protection
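Review bot: `allowedLoginDomain: process.env.ALLOWED_LOGIN_DOMAIN` treats an empty `ALLOWED_LOGIN_DOMAIN=` as configured, because the consumer in login.ts only tests the value against `undefined`; with an empty domain the suffix check becomes `endsWith("@")`, a state neither mode of the README text describes. Coerce the empty string back to unset and strip stray whitespace at the one place the variable is read: `allowedLoginDomain: process.env.ALLOWED_LOGIN_DOMAIN?.trim() || undefined,`. The new `options` export also carries no comment; I would add `// Optional. When set, any email ending in "@" + this domain is accepted with the demo password; when unset only foo@bar.com is.` above it, and note that the value is captured once at module load, so it cannot be changed without restarting the process.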
@@ -83,9 +83,16 @@ router.post("/", csrfProtection, (req, res, next) => {
 )
 }
+ const hasAllowedLoginDomain = options.allowedLoginDomain !== undefined
+
 // Let's check if the user provided valid credentials. Of course, you'd use a database or some third-party service
 // for this!
- if (!(req.body.email === "foo@bar.com" && req.body.password === "foobar")) {
+ if (
+ (hasAllowedLoginDomain &&
+ !req.body.email.endsWith("@" + options.allowedLoginDomain)) ||
+ (!hasAllowedLoginDomain && req.body.email !== "foo@bar.com") ||
+ req.body.password !== "foobar"
+ ) {
 // Looks like the user provided invalid credentials, let's show the ui again...
 res.render("login", {
@@ -105,7 +112,7 @@ router.post("/", csrfProtection, (req, res, next) => {
 hydraAdmin
 .adminAcceptOAuth2LoginRequest(challenge, {
 // Subject is an alias for user ID. A subject can be a random string, a UUID, an email address, ....
- subject: "foo@bar.com",
+ subject: req.body.email,
 // This tells hydra to remember the browser and automatically authenticate the user in future requests. This will
 // set the "skip" parameter in the other route to true on subsequent requests!
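Review bot: `!req.body.email.endsWith("@" + options.allowedLoginDomain)` assumes `req.body.email` is a string; if the field is missing, or the body parser yields an array or object for it, the call throws inside the handler and the request ends in an unhandled error instead of the re-rendered login form that the old `===` comparison fell through to (whether non-string values can arrive depends on the `express.urlencoded` configuration, which is outside this diff). The check is also case-sensitive, so `user@Domain.com` is rejected while `User@domain.com` is accepted, and `x@evil.com@domain.com` passes because only the suffix is inspected. I would type-check and normalize the address once, require exactly one `@` with a non-empty local part, and reuse that normalized value wherever the email is consumed later in the handler. The `router.post("/", …)` callback begins before this hunk and continues after it.
```typescript
const rawEmail = req.body.email
const email = typeof rawEmail === "string" ? rawEmail.trim().toLowerCase() : ""
const allowedDomain = options.allowedLoginDomain?.trim().toLowerCase()
// … unchanged: "Let's check if the user provided valid credentials" comment …
const atIndex = email.indexOf("@")
const wellFormed = atIndex > 0 && atIndex === email.lastIndexOf("@")
const emailAllowed = allowedDomain
  ? wellFormed && email.endsWith("@" + allowedDomain)
  : email === "foo@bar.com"
if (!emailAllowed || req.body.password !== "foobar") {
```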
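Review bot: `subject: req.body.email,` hands Hydra the address exactly as the client typed it, so `Foo@domain.com` and `foo@domain.com` become two distinct subjects (and two distinct remembered sessions) even though the domain check above accepts both. The subject should be the normalized form used for the credential check, e.g. `subject: req.body.email.trim().toLowerCase(),` if no shared normalized variable is introduced earlier in the handler. Since the subject is now chosen by the client, the single shared password `foobar` is the only thing separating a caller from an arbitrary identity under the allowed domain; that is expected for a demo, but a one-line comment saying so next to this line would save the next reader from assuming the value was verified. The enclosing `router.post("/", …)` callback starts before this hunk and ends after it.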