Restrictions

Clerk provides restriction options that give you enhanced control over who can access your application. These options enable you to limit sign-ups or prevent accounts with specific identifiers, such as email address, from accessing your application.

There are two main types of restrictions available:

  • Allowlist - Allows only specific identifiers to sign up for your application.
  • Blocklist - Blocks specific identifiers from signing up for your application.

There is also the Block email subaddresses feature, which blocks email addresses that contain the characters +, = or # from signing up or being added to existing accounts.

All of these restrictions can be enabled and used together to provide a more secure and controlled environment for your application.

Allowlist

Allowlist is a premium feature and is not available on the Free plan. Upgrade your plan to enable this feature.

By adding specific identifiers to the allowlist, only users with those identifiers will be able to sign up for your application, while others will be blocked. This is useful for internal tools, where you want to allow only users with your company domain to have access to the application.

After creating an account, users cannot change their identifier to bypass the allowlist, making this feature a secure way to control who can access your application. For example, if you add clerk.dev as an allowed email domain, any user with a @clerk.dev email address can sign up for your application. Email addresses from different domains will not be able to sign up.

To enable this feature:

  1. Navigate to the Clerk Dashboard.
  2. In the navigation sidebar, select User & Authentication > Restrictions.
  3. In the Allowlist section, toggle on Enable allowlist.

Enabling the Allowlist without adding any identifier exceptions blocks all sign-ups.

Blocklist

Blocklist is a premium feature and is not available on the Free plan. Upgrade your plan to enable this feature.

By adding specific identifiers to the blocklist, users with those identifiers will be blocked from signing up for your application. This is useful for attack prevention, such as when multiple spam accounts sign up for your application. For example, if you add clerk.dev as a blocked email domain, it means that anybody with a @clerk.dev email address will not be able to sign up for your application.

To enable this feature:

  1. Navigate to the Clerk Dashboard.
  2. In the navigation sidebar, select User & Authentication > Restrictions.
  3. In the Blocklist section, toggle on Enable blocklist.

If you have enabled both the allowlist and the blocklist and have added the same identifier to both, the allowlist takes precedence.

For additional security, adding an individual email address to the blocklist will also block any attempts to sign up with the email address modified to contain a subaddress. Subaddresses are identified by the presence of any of the following characters in the local part of the email address: +, #, =.

For example, if you add john.doe@clerk.dev as a blocked email address, nobody will be able to sign up for your application with john.doe@clerk.dev, with john.doe+anything@clerk.dev, or with any other subaddress of it.

Block email subaddresses

Block email subaddresses allows you to block all email addresses that contain the characters +, = or # from signing up or being added to existing accounts. For example, an email address like user+sub@clerk.com will be blocked.

Existing accounts with email subaddresses will not be affected by this restriction, and will still be allowed to sign in.

To enable this feature:

  1. Navigate to the Clerk Dashboard.
  2. In the navigation sidebar, select User & Authentication > Restrictions.
  3. In the Restrictions section, toggle on Block email subaddresses.
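
The allowlist, blocklist and subaddress rules described above can be modelled locally to reason about which sign-ups a given configuration will reject. This is an added example, not Clerk's code or API: `evaluateSignUp`, the `settings` shape and the reason strings are hypothetical names. It assumes case-insensitive matching, that the base address is the local part before the first `+`, `#` or `=`, and that a blocklisted address is still blocked when only its domain is on the allowlist (the page only states precedence for the same identifier on both lists).

```javascript
// Local model of the restriction rules described on this page.
// Added example: not Clerk's code or API; all names here are hypothetical.
const SUBADDRESS_CHARS = /[+#=]/; // markers the page lists for the local part

function splitEmail(email) {
  const value = email.trim().toLowerCase(); // assumption: case-insensitive matching
  const at = value.lastIndexOf("@");
  if (at < 1 || at === value.length - 1) throw new Error(`not an email address: ${email}`);
  return { local: value.slice(0, at), domain: value.slice(at + 1) };
}

function evaluateSignUp(email, settings) {
  const { local, domain } = splitEmail(email);
  const exact = `${local}@${domain}`;
  // Assumption: the base address is the local part before the first marker.
  const base = `${local.split(SUBADDRESS_CHARS)[0]}@${domain}`;
  const toSet = (list) => new Set((list ?? []).map((id) => id.toLowerCase()));
  const allow = toSet(settings.allowlist);
  const block = toSet(settings.blocklist);

  // Block email subaddresses: any marker in the local part is rejected.
  if (settings.blockSubaddresses && SUBADDRESS_CHARS.test(local)) {
    return { allowed: false, reason: "subaddress" };
  }
  // Allowlist: an enabled allowlist with no matching entry blocks the sign-up,
  // so an enabled but empty allowlist blocks everyone.
  if (settings.allowlistEnabled && !allow.has(exact) && !allow.has(domain)) {
    return { allowed: false, reason: "not_on_allowlist" };
  }
  // Blocklist: a blocked address also covers its subaddressed variants (base).
  // An identifier present on both lists is skipped here (allowlist wins).
  if (settings.blocklistEnabled) {
    const hit = [exact, base, domain].find(
      (id) => block.has(id) && !(settings.allowlistEnabled && allow.has(id))
    );
    if (hit) return { allowed: false, reason: "blocklisted", matched: hit };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample settings and addresses.
const settings = { blocklistEnabled: true, blocklist: ["john.doe@clerk.dev"] };
for (const email of ["john.doe@clerk.dev", "john.doe+anything@clerk.dev", "jane@clerk.dev"]) {
  console.log(email, evaluateSignUp(email, settings));
}
```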

Block sign-ups that use disposable email addresses

Block disposable email addresses allows you to block all email addresses that are known to be disposable from signing up for your application. This is useful to prevent spam accounts from signing up.

To enable this feature:

  1. Navigate to the Clerk Dashboard.
  2. In the navigation sidebar, select User & Authentication > Restrictions.
  3. In the Restrictions section, toggle on Block sign-ups that use disposable email addresses.

Last updated on March 28, 2024