Restrictions
Clerk provides restriction options that give you enhanced control over who can access your application. These options enable you to limit sign-ups or prevent accounts with specific identifiers, such as email address, from accessing your application.
There are two main types of restrictions available:
- Allowlist - Allows only specific identifiers to sign up for your application.
- Blocklist - Blocks specific identifiers from signing up for your application.
There is also the Block email subaddresses feature, which blocks email addresses that contain the characters +, = or # from signing up or being added to existing accounts.
All of these restrictions can be enabled and used together to provide a more secure and controlled environment for your application.
Allowlist
By adding specific identifiers to the allowlist, only users with those identifiers will be able to sign up for your application, while others will be blocked. This is useful for internal tools, where you want to allow only users with your company domain to have access to the application.
After creating an account, users cannot change their identifier to bypass the allowlist, making this feature a secure way to control who can access your application. For example, if you add clerk.dev as an allowed email domain, any user with a @clerk.dev email address can sign up for your application. Email addresses from different domains will not be able to sign up.
To enable this feature:
- Navigate to the Clerk Dashboard.
- In the navigation sidebar, select User & Authentication > Restrictions.
- In the Allowlist section, toggle on Enable allowlist.
Blocklist
By adding specific identifiers to the blocklist, users with those identifiers will be blocked from signing up for your application. This is useful for attack prevention, such as when multiple spam accounts sign up for your application. For example, if you add clerk.dev as a blocked email domain, anybody with a @clerk.dev email address will not be able to sign up for your application.
To enable this feature:
- Navigate to the Clerk Dashboard.
- In the navigation sidebar, select User & Authentication > Restrictions.
- In the Blocklist section, toggle on Enable blocklist.
For additional security, adding an individual email address to the blocklist will also block any attempts to sign up with the email address modified to contain a subaddress. Subaddresses are identified by the presence of any of the following characters in the local part of the email address: +, #, =.
For example, if you add john.doe@clerk.dev as a blocked email address, anybody with the john.doe@clerk.dev email address will not be able to sign up for your application, including john.doe+anything@clerk.dev and any other subaddress.
Block email subaddresses
Block email subaddresses allows you to block all email addresses that contain the characters +, = or # from signing up or being added to existing accounts. For example, an email address like user+sub@clerk.com will be blocked.
To enable this feature:
- Navigate to the Clerk Dashboard.
- In the navigation sidebar, select User & Authentication > Restrictions.
- In the Restrictions section, toggle on Block email subaddresses.
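The following sketch models how the allowlist, blocklist and subaddress rules described above decide a sign-up; it is an added example for reasoning about and testing a policy, not Clerk's code or API. The policy object shape, the function names, case-insensitive matching, the evaluation order when several restrictions are enabled, and treating everything from the first +, = or # as the subaddress are assumptions.

```javascript
// Added illustration of the documented rules; not Clerk's implementation.
const SUBADDRESS_CHARS = /[+=#]/; // the three characters the page lists

// Split an address into local part and domain (lowercased: an assumption).
function parseEmail(email) {
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null; // malformed
  return {
    local: email.slice(0, at).toLowerCase(),
    domain: email.slice(at + 1).toLowerCase(),
  };
}

// Assumption: the base address is the local part up to the first +, = or #.
function baseAddress({ local, domain }) {
  return `${local.split(SUBADDRESS_CHARS)[0]}@${domain}`;
}

// An entry without "@" is treated as a domain, otherwise as a full address.
function matches(entries, parsed, stripSubaddress) {
  const full = `${parsed.local}@${parsed.domain}`;
  return entries.some((e) => {
    const entry = e.toLowerCase();
    if (!entry.includes("@")) return entry === parsed.domain;
    return entry === full || (stripSubaddress && entry === baseAddress(parsed));
  });
}

// Hypothetical policy shape: { allowlist, blocklist, blockSubaddresses }.
function checkSignUp(email, policy) {
  const parsed = parseEmail(email);
  if (!parsed) return { allowed: false, reason: "malformed" };
  if (policy.blockSubaddresses && SUBADDRESS_CHARS.test(parsed.local))
    return { allowed: false, reason: "subaddress" };
  // Blocklist entries also cover subaddressed variants of a blocked address.
  if (policy.blocklist && matches(policy.blocklist, parsed, true))
    return { allowed: false, reason: "blocklist" };
  // Allowlist is matched exactly here (assumption; the page does not say).
  if (policy.allowlist && !matches(policy.allowlist, parsed, false))
    return { allowed: false, reason: "not on allowlist" };
  return { allowed: true, reason: "ok" };
}

// Constructed sample policy using the page's example identifiers.
const samplePolicy = { allowlist: ["clerk.dev"], blocklist: ["john.doe@clerk.dev"] };
console.log(checkSignUp("john.doe+anything@clerk.dev", samplePolicy));
```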
Block sign-ups that use disposable email addresses
Block disposable email addresses allows you to block all email addresses that are known to be disposable from signing up for your application. This is useful to prevent spam accounts from signing up.
To enable this feature:
- Navigate to the Clerk Dashboard.
- In the navigation sidebar, select User & Authentication > Restrictions.
- In the Restrictions section, toggle on Block sign-ups that use disposable email addresses.