
Clerk provides restriction options that give you enhanced control over who can access your application. These options enable you to limit sign-ups, sign-ins, or prevent accounts with specific identifiers, such as email addresses, phone numbers, and even entire domains, from accessing your application.

Sign-up modes

Clerk supports multiple sign-up modes, giving you flexibility in managing user access to your application:

Public

In Public mode, the sign-up process is open to anyone. This mode is the default and is ideal for applications that want broad user access.

Restricted

In Restricted mode, user access is controlled by the application admin(s). Users can be added to the application through invitations, enterprise connections or manual user creation. This mode is ideal for applications that are in private beta or internal tools.

To enable this mode:

  1. In the Clerk Dashboard, navigate to the Restrictions page.
  2. Toggle on Enable restricted mode and select Save.

Additional features available in Restricted mode:

  • The <SignIn /> component will keep the prompt to sign up hidden by default. This is to avoid confusion for users who don't have access.

  • The <SignUp /> component is accessible only to users who have been invited and have a valid invitation link. Users who don't have access will see a message indicating that they need an invitation to sign up.

Waitlist

<Waitlist /> component

Note

If you're using Next.js, the <Waitlist /> component is available in @clerk/nextjs@6.2.0 and above.

In Waitlist mode, users can register their interest in your app by joining a waitlist. Existing users and users who have been approved from the waitlist will be able to sign in to your app, while new users will need to join the waitlist to access your app. This mode is ideal for apps in early development stages or those wanting to generate interest before launch.

Warning

Email must be enabled in the Clerk Dashboard to allow waitlist invitation emails to be sent to users after they are approved. Support for sending waitlist invitations when Email is disabled is actively being worked on.

To enable Waitlist mode:

  1. In the Clerk Dashboard, navigate to the Waitlist page.
  2. Toggle on Enable waitlist and select Save.

Additional features available in Waitlist mode:

  • The <SignIn /> component will only be accessible to users who have been approved from the waitlist or already have an account.

  • The <SignUp /> component is accessible only to users who have been invited and have a valid invitation link. Users who don't have access will see a message indicating that they need to join the waitlist to access your app.

  • The <Waitlist /> component provides a form where users can submit their details to join the waitlist. Once approved, users will receive an email with instructions on how to join your app.

  • If you're using the <Waitlist /> component, you must provide the waitlistUrl prop either in the <ClerkProvider> or <SignIn /> component to ensure proper functionality.

Manage users on your waitlist

Once users join your waitlist, you can manage their access from the Clerk Dashboard. You can approve, deny, or re-invite users.

To manage a user on your waitlist:

  1. In the Clerk Dashboard, navigate to the Waitlist page.
  2. On the right side of the user's row, select the menu icon (...).
  3. If the user's invitation status is Waitlist, you can select Invite or select Revoke to deny their invitation. To re-invite a user, you must first revoke their existing invitation. Once their invitation is Revoked, select the menu icon (...) and select Re-invite.

Customize waitlist emails

Users receive an email confirming their request to join the waitlist (the Waitlist confirmation email). Once approved, they receive an email with instructions on how to join your app (the Waitlist invitation email).

You can disable the Waitlist confirmation email, but you can't disable the Waitlist invitation email. By default, both emails are enabled. You can also customize the emails to better match your brand.

To configure the waitlist emails:

  1. In the Clerk Dashboard, navigate to the Emails page.
  2. Select the Waitlist tab.
  3. In Available templates, enable or disable a template, or select a template to edit. For detailed information on the customization options, see the guide on customizing email templates.

Allowlist

Warning

This feature requires a paid plan for production use, but all features are free to use in development mode so that you can try out what works for you. See the pricing page for more information.

By adding specific identifiers to the allowlist, only users with those identifiers will be able to sign up to your application, while others will be blocked. This is useful for internal tools, where you want to allow only users with your company domain to have access to the application.

After creating an account, users cannot change their identifier to bypass the allowlist, making this feature a secure way to control who can access your application. For example, if you add clerk.dev as an allowed email domain, any user with a @clerk.dev email address can sign up for your application. Email addresses from different domains will not be able to sign up.

Note

Allowlist identifiers are case-insensitive. For example, allowing JOHN.DOE@clerk.dev has the same effect as allowing john.doe@clerk.dev, since identifiers are normalized to lowercase.

To enable this feature:

  1. In the Clerk Dashboard, navigate to the Restrictions page.
  2. In the Allowlist tab, toggle on Enable allowlist and select Save.

Caution

Enabling the Allowlist without adding any identifier exceptions blocks all sign-ups.

Blocklist

Warning

This feature requires a paid plan for production use, but all features are free to use in development mode so that you can try out what works for you. See the pricing page for more information.

By adding specific identifiers to the blocklist, you can prevent users with those identifiers from signing up. This helps protect your application from attacks, such as scripts creating multiple spam accounts. For example, adding clerk.dev to the blocked email domains list prevents anyone with an email address ending in @clerk.dev from signing up.

Note

Blocklist identifiers are case-insensitive. For example, blocking JOHN.DOE@clerk.dev has the same effect as blocking john.doe@clerk.dev, since identifiers are normalized to lowercase.

You can also block email addresses from all subdomains by using *@*.clerk.dev. This prevents sign-ups from email addresses such as @subdomain.clerk.dev or @subdomain2.clerk.dev, and deeper subdomains like @subdomain.subdomain2.clerk.dev.

To enable this feature:

  1. In the Clerk Dashboard, navigate to the Restrictions page.
  2. In the Blocklist tab, toggle on Enable blocklist and select Save.

Warning

If you have enabled both the allowlist and the blocklist and added the same identifier to both, the allowlist takes precedence.

For additional security, adding an individual email address to the blocklist will also block any attempts to sign up or sign in with the email address modified to contain a subaddress. Subaddresses are identified by the presence of any of the following characters in the local part of the email address: +, #, =.

For example, if you add john.doe@clerk.dev as a blocked email address, nobody will be able to sign up for your application with the john.doe@clerk.dev email address, including john.doe+anything@clerk.dev and any other subaddress.
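The allowlist and blocklist matching rules described above, modelled locally so a proposed list can be checked against sample addresses before it is entered in the Dashboard. This is an added example, not Clerk's code and not part of the original page. The entry formats, the `evaluateSignUp` helper, the rule that the base address is the text before the first subaddress character, and the rule that any allowlist match outranks the blocklist are assumptions.

```javascript
// Added example: a local model of the matching rules described on this page.
// It is NOT Clerk's implementation. Assumed entry formats: "user@host"
// (one address), "host" (a whole domain), "*@*.host" (all subdomains of host).
const SUBADDRESS_CHARS = /[+#=]/; // characters the page lists as subaddress markers

function parseEmail(email) {
  const e = email.trim().toLowerCase(); // identifiers are normalized to lowercase
  const at = e.lastIndexOf("@");
  if (at < 1 || at === e.length - 1) throw new Error(`not an email: ${email}`);
  return { local: e.slice(0, at), domain: e.slice(at + 1) };
}

// Assumption: the base address is the local part before the first marker.
function baseLocal(local) {
  return local.split(SUBADDRESS_CHARS)[0];
}

function matchesEntry(entry, id, foldSubaddress) {
  const rule = entry.trim().toLowerCase();
  if (rule.startsWith("*@*.")) return id.domain.endsWith(rule.slice(3));
  if (!rule.includes("@")) return id.domain === rule;
  const local = foldSubaddress ? baseLocal(id.local) : id.local;
  return rule === `${local}@${id.domain}`;
}

// allowlist / blocklist: array when the feature is enabled, null when disabled.
function evaluateSignUp(email, { allowlist = null, blocklist = null } = {}) {
  const id = parseEmail(email);
  const allowed = allowlist !== null && allowlist.some((r) => matchesEntry(r, id, false));
  // A blocked individual address also blocks its subaddressed variants.
  const blocked = blocklist !== null && blocklist.some((r) => matchesEntry(r, id, true));
  // Assumption: any allowlist match outranks the blocklist; the page states
  // this precedence for the same identifier present in both lists.
  if (allowed) return { allowed: true, reason: "allowlist match" };
  if (allowlist !== null) return { allowed: false, reason: "not on allowlist" };
  if (blocked) return { allowed: false, reason: "blocklist match" };
  return { allowed: true, reason: "no restriction matched" };
}

// Constructed sample configuration and sign-up attempts.
const cfg = { blocklist: ["clerk.dev", "*@*.example.test", "Jane.Roe@example.org"] };
for (const e of ["JOHN.DOE@clerk.dev", "a@deep.sub.example.test", "a@example.test",
                 "jane.roe+promo@example.org", "jane.roe@example.net"]) {
  console.log(e, evaluateSignUp(e, cfg));
}
console.log(evaluateSignUp("new@clerk.dev", { allowlist: [] })); // enabled but empty
```

The last call shows the case from the Caution above: an enabled allowlist with no entries rejects every sign-up.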

Block email subaddresses

Block email subaddresses allows you to block all email addresses that contain the characters +, = or # from signing up or being added to existing accounts. For example, an email address like user+sub@clerk.com will be blocked. It also blocks email addresses that contain dots in the local part of a Gmail address if the equivalent address without dots already has an account. For example, if jsmith@gmail.com already has an account, j.smith@gmail.com will be blocked.

Note

Existing accounts with email subaddresses will not be affected by this restriction, and will still be allowed to sign in.

This feature is designed to prevent malicious sign-in attempts. The first email containing a subaddress will be allowed, but any subsequent sign-ins using additional subaddresses will be blocked.

To enable this feature:

  1. In the Clerk Dashboard, navigate to the Restrictions page.
  2. Toggle on Block email subaddresses and select Save.

Block sign-ups that use disposable email addresses

Block disposable email addresses allows you to block all email addresses that are known to be disposable from signing up for your application. This is useful to prevent spam accounts from signing up.

To enable this feature:

  1. In the Clerk Dashboard, navigate to the Restrictions page.
  2. Toggle on Block sign-ups that use disposable email addresses and select Save.

Tip

The restrictions on this page control who can sign up. If you want to prevent existing users from changing their email, phone, or username after sign-up, see restrict identifier changes.
