SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).

SuperTokens.com

In the setup for password less login (only email) to control the email to a specific domain is there like access control list or should i just use emailDelivery to override the implementation to check for the email domain?

You can override either createCodePOST  api function in passwordless.init on the backend to check the input email and throw an error in case it’s not in your whitelist