
Clerk provides restriction options that give you enhanced control over who can access your application. These options enable you to limit sign-ups, sign-ins, or prevent accounts with specific identifiers, such as email addresses, phone numbers, and even entire domains, from accessing your application.

Sign-up modes

Clerk supports multiple sign-up modes, giving you flexibility in managing user access to your application:

Public

In Public mode, the sign-up process is open to anyone. This mode is the default and is ideal for applications that want broad user access.

Restricted

In Restricted mode, user access is controlled by the application admin(s). Users can be added to the application through invitations, enterprise connections or manual user creation. This mode is ideal for applications that are in private beta or internal tools.

To enable this mode:

  1. In the Clerk Dashboard, navigate to the Restrictions page.
  2. Toggle on Enable restricted mode and select Save.

Additional features available in Restricted mode:

  • The <SignIn /> component will keep the prompt to sign up hidden by default. This is to avoid confusion for users who don't have access.

  • The <SignUp /> component is accessible only to users who have been invited and have a valid invitation link. Users who don't have access will see a message indicating that they need an invitation to sign up.

Waitlist

<Waitlist /> component

Note

If you're using Next.js, the <Waitlist /> component is available in @clerk/nextjs@6.2.0 and above.

In Waitlist mode, users can register their interest in your app by joining a waitlist. Existing users and users who have been approved from the waitlist will be able to sign in to your app, while new users will need to join the waitlist to access your app. This mode is ideal for apps in early development stages or those wanting to generate interest before launch.

When a user joins the waitlist, they receive the Waitlist confirmation email acknowledging their request.

Once approved, they receive the Waitlist invitation email with instructions on how to join your app. By default, this email includes an Accept invitation button that redirects them to your app's Account Portal sign-up page, which hosts Clerk's <SignUp /> component. What happens next depends on the settings configured in the Clerk Dashboard. If your app only requires an email address, the Account Portal creates the user's account and signs them in. If your app requires more information, the <SignUp /> component collects that additional information before creating the account and signing the user in.

You can customize both waitlist emails to match your brand.

Warning

Email must be enabled in the Clerk Dashboard to allow waitlist invitation emails to be sent to users after they are approved. Support for sending waitlist invitations when Email is disabled is actively being worked on.

To enable Waitlist mode:

  1. In the Clerk Dashboard, navigate to the Waitlist page.
  2. Toggle on Enable waitlist and select Save.

Additional features available in Waitlist mode:

  • The <SignIn /> component will only be accessible to users who have been approved from the waitlist or already have an account.

  • The <SignUp /> component is accessible only to users who have been invited and have a valid invitation link. Users who don't have access will see a message indicating that they need to join the waitlist to access your app.

  • The <SignIn /> and <SignUp /> components handle the waitlist flow for you. If you'd like to build a custom waitlist page, you can use the <Waitlist /> component. See the guide on building a custom waitlist page for more information.

Manage users on your waitlist

Once users join your waitlist, you can manage their access from the Clerk Dashboard. You can approve, deny, or re-invite users.

To manage a user on your waitlist:

  1. In the Clerk Dashboard, navigate to the Waitlist page.
  2. On the right side of the user's row, select the menu icon (...).
  3. If the user's invitation status is Waitlist, you can select Invite or select Revoke to deny their invitation. To re-invite a user, you must first revoke their existing invitation. Once their invitation is Revoked, select the menu icon (...) and select Re-invite.

Customize waitlist emails

To configure the waitlist emails:

  1. In the Clerk Dashboard, navigate to the Emails page.
  2. Select the Waitlist tab.
  3. In Available templates, enable or disable a template, or select a template to edit. For detailed information on the customization options, see the guide on customizing email templates.

Allowlist

Warning

This feature requires a paid plan for production use, but all features are free to use in development mode so that you can try out what works for you. See the pricing page for more information.

By adding specific identifiers to the allowlist, only users with those identifiers will be able to sign up to your application, while others will be blocked. This is useful for internal tools, where you want to allow only users with your company domain to have access to the application.

After creating an account, users cannot change their identifier to bypass the allowlist, making this feature a secure way to control who can access your application. For example, if you add clerk.dev as an allowed email domain, any user with a @clerk.dev email address can sign up for your application. Email addresses from different domains will not be able to sign up.

Note

Allowlist identifiers are case-insensitive. For example, allowing JOHN.DOE@clerk.dev has the same effect as allowing john.doe@clerk.dev, since identifiers are normalized to lowercase.

To enable this feature:

  1. In the Clerk Dashboard, navigate to the Restrictions page.
  2. In the Allowlist tab, toggle on Enable allowlist and select Save.

Caution

Enabling the Allowlist without adding any identifier exceptions blocks all sign-ups.

Blocklist

Warning

This feature requires a paid plan for production use, but all features are free to use in development mode so that you can try out what works for you. See the pricing page for more information.

By adding specific identifiers to the blocklist, you can prevent users with those identifiers from signing up. This helps protect your application from attacks, such as scripts creating multiple spam accounts. For example, adding clerk.dev to the blocked email domains list prevents anyone with an email address ending in @clerk.dev from signing up.

Note

Blocklist identifiers are case-insensitive. For example, blocking JOHN.DOE@clerk.dev has the same effect as blocking john.doe@clerk.dev, since identifiers are normalized to lowercase.

You can also block email addresses from all subdomains by using *@*.clerk.dev. This prevents sign-ups from email addresses such as @subdomain.clerk.dev or @subdomain2.clerk.dev, and deeper subdomains like @subdomain.subdomain2.clerk.dev.

To enable this feature:

  1. In the Clerk Dashboard, navigate to the Restrictions page.
  2. In the Blocklist tab, toggle on Enable blocklist and select Save.

Warning

If you have enabled both the allowlist and the blocklist and added the same identifier to both, the allowlist takes precedence.

For additional security, adding an individual email address to the blocklist will also block any attempts to sign up or sign in with the email address modified to contain a subaddress. Subaddresses are identified by the presence of any of the following characters in the local part of the email address: +, #, =.

For example, if you add john.doe@clerk.dev as a blocked email address, nobody with the john.doe@clerk.dev email address will be able to sign up for your application, and the same applies to john.doe+anything@clerk.dev and any other subaddress.
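The allowlist and blocklist rules above (lowercase normalization, domain entries, the `*@*.` subdomain wildcard, subaddress handling for blocked addresses, and allowlist precedence) can be modeled locally to test a planned policy before entering it in the Dashboard. This is an added example, not Clerk's implementation; the function names, the policy shape, and the assumption that a bare domain entry does not cover its subdomains are choices made here.

```javascript
// Added example: a local model of the matching rules described on this page,
// not Clerk's implementation.

// Identifiers are normalized to lowercase before comparison.
function parseEmail(email) {
  const e = email.trim().toLowerCase();
  const at = e.lastIndexOf("@");
  if (at < 1 || at === e.length - 1) throw new Error(`not an email: ${email}`);
  return { local: e.slice(0, at), domain: e.slice(at + 1) };
}

// An entry is a full address, a bare domain, or a "*@*.domain" wildcard.
// Assumption: a bare domain does not cover its subdomains.
function entryMatches(entry, { local, domain }, ignoreSubaddress) {
  const e = entry.trim().toLowerCase();
  if (e.startsWith("*@*.")) return domain.endsWith(e.slice(3));
  if (!e.includes("@")) return domain === e;
  if (e === `${local}@${domain}`) return true;
  // Blocklist only: "+", "#" or "=" starts a subaddress, which is ignored.
  const base = local.split(/[+#=]/)[0];
  return ignoreSubaddress && e === `${base}@${domain}`;
}

// policy.allowlist / policy.blocklist: array of entries, or null when disabled.
function canSignUp(email, { allowlist = null, blocklist = null }) {
  const addr = parseEmail(email);
  if (allowlist && allowlist.some((e) => entryMatches(e, addr, false))) {
    return { allowed: true, reason: "allowlisted" }; // allowlist wins
  }
  if (blocklist && blocklist.some((e) => entryMatches(e, addr, true))) {
    return { allowed: false, reason: "blocklisted" };
  }
  if (allowlist) return { allowed: false, reason: "not on allowlist" };
  return { allowed: true, reason: "no restriction matched" };
}

// Constructed sample policy and addresses.
const policy = {
  allowlist: null,
  blocklist: ["john.doe@clerk.dev", "*@*.clerk.dev"],
};
for (const email of [
  "JOHN.DOE+anything@clerk.dev",
  "jane@subdomain.subdomain2.clerk.dev",
  "jane@clerk.dev",
]) {
  console.log(email, canSignUp(email, policy));
}
```

An enabled but empty allowlist (`allowlist: []`) rejects every address in this model, matching the caution above about enabling the allowlist without adding identifiers.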

Block email subaddresses

Block email subaddresses allows you to block all email addresses that contain the characters +, = or # from signing up or being added to existing accounts. For example, an email address like user+sub@clerk.com will be blocked. It also blocks email addresses that contain dots in the local part of a Gmail address if the equivalent address without dots already has an account. For example, if jsmith@gmail.com already has an account, j.smith@gmail.com will be blocked.

Note

Existing accounts with email subaddresses will not be affected by this restriction, and will still be allowed to sign in.

This feature is designed to prevent malicious sign-in attempts. The first email containing a subaddress will be allowed, but any subsequent sign-ins using additional subaddresses will be blocked.

To enable this feature:

  1. In the Clerk Dashboard, navigate to the Restrictions page.
  2. Toggle on Block email subaddresses and select Save.
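Because existing accounts are not affected by this setting, it can be worth checking an exported user list for addresses that already collapse to the same mailbox under the rules above. The following is an added example, not Clerk's code; the function names and the sample list are constructed, and the dot rule is applied to gmail.com only, as the text describes.

```javascript
// Added example: audit an exported user list for addresses that collapse to the
// same mailbox under the rules described above. Not Clerk's own code.

// Canonical form: lowercase, subaddress removed, dots removed for gmail.com only.
function canonicalEmail(email) {
  const e = email.trim().toLowerCase();
  const at = e.lastIndexOf("@");
  if (at < 1 || at === e.length - 1) return null; // not an email address
  let local = e.slice(0, at).split(/[+#=]/)[0];
  const domain = e.slice(at + 1);
  if (domain === "gmail.com") local = local.replace(/\./g, "");
  return local ? `${local}@${domain}` : null;
}

// Group addresses by canonical form; keep groups with more than one member.
function findVariantGroups(emails) {
  const groups = new Map();
  for (const email of emails) {
    const key = canonicalEmail(email);
    if (key === null) continue;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(email);
  }
  return [...groups].filter(([, members]) => members.length > 1);
}

// Constructed sample data.
const exportedUsers = [
  "jsmith@gmail.com",
  "j.smith@gmail.com",
  "user@clerk.com",
  "user+sub@clerk.com",
  "User=promo@clerk.com",
  "a.b@example.com",
  "ab@example.com",
];

for (const [mailbox, members] of findVariantGroups(exportedUsers)) {
  console.log(`${mailbox}: ${members.join(", ")}`);
}
```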

Block sign-ups that use disposable email addresses

Block disposable email addresses allows you to block all email addresses that are known to be disposable from signing up for your application. This is useful to prevent spam accounts from signing up.

To enable this feature:

  1. In the Clerk Dashboard, navigate to the Restrictions page.
  2. Toggle on Block sign-ups that use disposable email addresses and select Save.

Tip

The restrictions on this page control who can sign up. If you want to prevent existing users from changing their email, phone, or username after sign-up, see restrict identifier changes.
