You are viewing an archived version of the docs.

Restrictions

Clerk provides restriction options that give you enhanced control over who can access your application. These options enable you to limit sign-ups or prevent accounts with specific identifiers, such as an email address, from accessing your application.

There are two main types of restrictions available:

  • Allowlist - Allows only specific identifiers to sign up for your application.
  • Blocklist - Blocks specific identifiers from signing up for your application.

There is also the Block email subaddresses feature, which blocks email addresses that contain the characters +, = or # from signing up or being added to existing accounts.

All of these restrictions can be enabled and used together to provide a more secure and controlled environment for your application.

Allowlist

Note

Allowlist is a premium feature and is not available on the Free plan. Upgrade your plan to enable this feature.

By adding specific identifiers to the allowlist, only users with those identifiers will be able to sign up for your application, while others will be blocked. This is useful for internal tools, where you want to allow only users with your company domain to have access to the application.

After creating an account, users cannot change their identifier to bypass the allowlist, making this feature a secure way to control who can access your application. For example, if you add clerk.dev as an allowed email domain, any user with a @clerk.dev email address can sign up for your application. Email addresses from different domains will not be able to sign up.

To enable this feature:

  1. Navigate to the Clerk Dashboard.
  2. In the navigation sidebar, select User & Authentication > Restrictions.
  3. In the Allowlist section, toggle on Enable allowlist.

Caution

Enabling the Allowlist without adding any identifier exceptions blocks all sign-ups.

Blocklist

Note

Blocklist is a premium feature and is not available on the Free plan. Upgrade your plan to enable this feature.

By adding specific identifiers to the blocklist, users with those identifiers will be blocked from signing up for your application. This is useful for attack prevention, such as when multiple spam accounts sign up for your application. For example, if you add clerk.dev as a blocked email domain, it means that anybody with a @clerk.dev email address will not be able to sign up for your application.

To enable this feature:

  1. Navigate to the Clerk Dashboard.
  2. In the navigation sidebar, select User & Authentication > Restrictions.
  3. In the Blocklist section, toggle on Enable blocklist.

Warning

If you have enabled both the allowlist and the blocklist and have added the same identifier to both, the allowlist takes precedence.

For additional security, adding an individual email address to the blocklist will also block any attempts to sign up with the email address modified to contain a subaddress. Subaddresses are identified by the presence of any of the following characters in the local part of the email address: +, #, =.

For example, if you add john.doe@clerk.dev as a blocked email address, nobody can sign up for your application with the john.doe@clerk.dev email address, including john.doe+anything@clerk.dev and any other subaddress.

Block email subaddresses

Block email subaddresses allows you to block all email addresses that contain the characters +, = or # from signing up or being added to existing accounts. For example, an email address like user+sub@clerk.com will be blocked.

Note

Existing accounts with email subaddresses will not be affected by this restriction, and will still be allowed to sign in.

To enable this feature:

  1. Navigate to the Clerk Dashboard.
  2. In the navigation sidebar, select User & Authentication > Restrictions.
  3. In the Restrictions section, toggle on Block email subaddresses.
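
To check a planned allowlist and blocklist before enabling them, the rules described above (blocked addresses also covering their subaddresses, allowlist precedence, an empty allowlist blocking everyone, and Block email subaddresses) can be modelled locally. This is an added example, not Clerk's code: the function names, the config shape, the order of the checks, and exact-match allowlist behaviour are assumptions.

```javascript
// Added example: local model of the restriction rules described on this page.
// Not Clerk's code; function names, config shape and check order are assumptions.
const SUBADDRESS_CHARS = /[+#=]/; // characters the page lists as subaddress markers

function parseEmail(email) {
  const at = email.lastIndexOf("@");
  if (at < 1 || at === email.length - 1) return null;
  const local = email.slice(0, at).toLowerCase();
  const domain = email.slice(at + 1).toLowerCase();
  const cut = local.search(SUBADDRESS_CHARS);
  // Assumption: the base address is the local part before the first marker.
  const base = `${cut === -1 ? local : local.slice(0, cut)}@${domain}`;
  return { domain, address: `${local}@${domain}`, base, hasSubaddress: cut !== -1 };
}

// Entries without "@" are treated as domains, entries with "@" as addresses.
function matches(entries, e, foldSubaddress) {
  return entries.some((entry) =>
    entry.includes("@")
      ? entry === e.address || (foldSubaddress && entry === e.base)
      : entry === e.domain);
}

function evaluateSignUp(email, cfg) {
  const e = parseEmail(email);
  if (!e) return { allowed: false, reason: "invalid_email" };
  if (cfg.blockSubaddresses && e.hasSubaddress)
    return { allowed: false, reason: "subaddress_blocked" };
  const allow = cfg.allowlistEnabled ? cfg.allowlist.map((s) => s.toLowerCase()) : [];
  if (cfg.blocklistEnabled) {
    // Same identifier on both lists: the allowlist takes precedence.
    const block = cfg.blocklist.map((s) => s.toLowerCase()).filter((b) => !allow.includes(b));
    // A blocked address also blocks its subaddressed variants.
    if (matches(block, e, true)) return { allowed: false, reason: "blocklisted" };
  }
  // An enabled allowlist with no entries rejects every sign-up.
  // Assumption: allowlist entries match exactly, without subaddress folding.
  if (cfg.allowlistEnabled && !matches(allow, e, false))
    return { allowed: false, reason: "not_allowlisted" };
  return { allowed: true, reason: "ok" };
}

// Constructed sample configuration and inputs.
const sample = { allowlistEnabled: false, allowlist: [], blocklistEnabled: true,
  blocklist: ["john.doe@clerk.dev"], blockSubaddresses: false };
for (const addr of ["john.doe+anything@clerk.dev", "jane.roe@clerk.dev"])
  console.log(addr, evaluateSignUp(addr, sample));
```
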

Block sign-ups that use disposable email addresses

Block disposable email addresses allows you to block all email addresses that are known to be disposable from signing up for your application. This is useful to prevent spam accounts from signing up.

To enable this feature:

  1. Navigate to the Clerk Dashboard.
  2. In the navigation sidebar, select User & Authentication > Restrictions.
  3. In the Restrictions section, toggle on Block sign-ups that use disposable email addresses.
