Restrictions

Clerk provides restriction options that give you enhanced control over who can access your application. These options enable you to limit sign-ups, sign-ins, or prevent accounts with specific identifiers, such as email addresses, phone numbers, and even entire domains, from accessing your application.

Sign-up modes

Clerk supports multiple sign-up modes, giving you flexibility in managing user access to your application.

To configure sign-up modes:

1. In the Clerk Dashboard, navigate to the Restrictions page.
2. Under the Sign-up modes section, you can enable one of the following options:
   • Public
   • Restricted
   • Waitlist

Public

In Public mode, the sign-up process is open to anyone. This mode is ideal for applications that want broad user access.

Restricted

In Restricted mode, user access is controlled by the application admin(s). Users can be added to the application through invitations or manual user creation. This mode is ideal for applications that are in private beta or internal tools.

Additional features available in Restricted mode:

• The <SignIn /> component will keep the prompt to sign up hidden by default. This is to avoid confusion for users who don't have access.

• The <SignUp /> is accessible only to users who have been invited and have a valid invitation link. Users who don't have access will see a message indicating that they need an invitation to sign up.

Waitlist

In Waitlist mode, users can register their interest in your app by joining a waitlist. This mode is ideal for apps in early development stages or those wanting to generate interest before launch.

Additional features available in Waitlist mode:

• The <SignIn /> component will only be accessible to users who have been approved from the waitlist.

• The <SignUp /> is accessible only to users who have been invited and have a valid invitation link. Users who don't have access will see a message indicating that they need an invitation to sign up.

• The <Waitlist /> component provides a form where users can submit their details to join the waitlist. Once approved by admins, users will receive an email with access instructions.

• If you're using the <Waitlist /> component, you must provide the waitlistUrl prop either in the <ClerkProvider> or <SignIn /> component to ensure proper functionality.

Manage waitlist entries

To manage a user on your waitlist:

1. In the Clerk Dashboard, navigate to the Waitlist page.
2. On the right-side of the user's row, select the menu icon (...).
3. Select Invite to invite the user to your application. Select Deny to deny the user access to your application.

Allowlist

By adding specific identifiers to the allowlist, only users with those identifiers will be able to sign up or sign in to your application, while others will be blocked. This is useful for internal tools, where you want to allow only users with your company domain to have access to the application.

After creating an account, users cannot change their identifier to bypass the allowlist, making this feature a secure way to control who can access your application. For example, if you add clerk.dev as an allowed email domain, any user with a @clerk.dev email address can sign up for your application. Email addresses from different domains will not be able to sign up.

To enable this feature:

1. Navigate to the Clerk Dashboard.
2. In the top navigation, select Configure. Then in the sidebar, select Restrictions.
3. In the Allowlist section, toggle on Enable allowlist.

Blocklist

By adding specific identifiers to the blocklist, users with those identifiers will be blocked from signing up for your application. This is useful for attack prevention, such as when multiple spam accounts sign up for your application. For example, if you add clerk.dev as a blocked email domain, it means that anybody with a @clerk.dev email address will not be able to sign up for your application.

To enable this feature:

1. Navigate to the Clerk Dashboard.
2. In the top navigation, select Configure. Then in the sidebar, select Restrictions.
3. In the Blocklist section, toggle on Enable blocklist.

For additional security, adding an individual email address to the blocklist will also block any attempts to sign up with the email address modified to contain a subaddress. Subaddresses are identified by the presence of any of the following characters in the local part of the email address: +, #, =.

For example, if you add john.doe@clerk.dev as a blocked email address, it means that anybody with john.doe@clerk.dev email address will not be able to sign up for your application, including john.doe+anything@clerk.dev and any other subaddress.

Block email subaddresses

Block email subaddresses allows you to block all email addresses that contain the characters +, = or # from signing up or being added to existing accounts. For example, an email address like user+sub@clerk.com will be blocked.

To enable this feature:

1. Navigate to the Clerk Dashboard.
2. In the top navigation, select Configure. Then in the sidebar, select Restrictions.
3. In the Restrictions section, toggle on Block email subaddresses.

Block sign-ups that use disposable email addresses

Block disposable email addresses allows you to block all email addresses that are known to be disposable from signing up for your application. This is useful to prevent spam accounts from signing up.

To enable this feature:

1. Navigate to the Clerk Dashboard.
2. In the top navigation, select Configure. Then in the sidebar, select Restrictions.
3. In the Restrictions section, toggle on Block sign-ups that use disposable email addresses.