Unauthorized sign-in

Clerk detects sign-in attempts from unrecognized devices to protect users from unauthorized access to their accounts. This security feature helps identify potentially malicious sign-in activity.

Email notification for unauthorized access

When a sign-in attempt is made from an unfamiliar device, Clerk notifies the account owner by email with details about the newly created session. The email notification varies depending on the instance's configuration and the application's billing plan.

By default, the email includes information about the unauthorized sign-in attempt, such as device type, operating system, IP address, location, and the sign-in method used. If you've set a support email for your app, Clerk will add instructions for the user to contact the app administrator.

For supported instances, the email might also include a button that allows users to sign out from the unrecognized device. Selecting this button immediately revokes the session.

To customize the unauthorized sign-in email notification:

  1. In the Clerk Dashboard, navigate to the Emails page.
  2. Select Sign in from new device. You'll be redirected to the template settings page.
  3. Edit the email template.
  4. Select Apply changes.

Revoke sessions for unauthorized sign-ins

Warning

This feature isn't available in production for free plans but can be tested for free in development mode. For more information, see the pricing page.

For apps that support this feature, users can immediately revoke unauthorized sign-ins directly from the email notification. With a single click, the suspicious session is revoked and the user is redirected to a confirmation page.

The confirmation page depends on the instance configuration:

  • Account Portal enabled: The user is redirected to the unauthorized sign-in page, where content can be customized based on the app's theme.
  • Account Portal disabled: The user sees a plain text confirmation of the successful session revocation.

In either case, once the session is revoked, the user must sign in again on the device they're using unless that device already has its own active session.

To customize the URL path of the unauthorized sign-in page:

  1. In the Clerk Dashboard, navigate to the Paths page.
  2. Under Application paths, enter the Unauthorized sign in URL path.
  3. Select Save.
