Restrictions

Clerk provides a set of restriction options that give you control over who can gain access to your application. With these settings, you can limit sign-ups or prevent accounts with specific identifiers from accessing your application. These identifiers can be email addresses, phone numbers, and even entire domains. To get started, in the Clerk Dashboard, go to User & Authentication > Restrictions.

Allowlist

Allowlist is a premium feature and is not available on the Free plan. Upgrade your plan to enable this feature.

The Allowlist feature allows you to control who can get access to your application. It can restrict sign-ups to only a certain set of email addresses or phone numbers that you define. It acts as a reverse blocklist: only the users you add can sign up for your application, and all others are blocked.

To enable this feature, in the Clerk Dashboard, go to User & Authentication > Restrictions and go to the Allowlist section. Turn on the Enable allowlist toggle.

Be aware that turning on the Allowlist feature without adding any identifier exceptions blocks all sign-ups.

The 'Allowlist' section in the 'Restrictions' tab under the 'User & Authentication' section of the Clerk Dashboard. A red arrow is pointing to the 'Enable allowlist' toggle, which is toggled on.

After turning on the Allowlist feature, you can add individual email addresses and phone numbers, or allowlist entire email domains.

For example, if you add "clerk.dev" as an allowed email domain, it means that anybody with a "@clerk.dev" email address can sign up for your application. Email addresses from different domains will not be able to sign up.

If you have enabled both the Allowlist and the Blocklist and have added the same identifier to both, the Allowlist takes precedence.

Blocklist

Blocklist is a premium feature and is not available on the Free plan. Upgrade your plan to enable this feature.

The Blocklist feature allows you to control who can get access to your application. It can restrict sign ups for a certain set of email addresses or phone numbers that you define.

To enable this feature, in the Clerk Dashboard, go to User & Authentication > Restrictions and go to the Blocklist section. Turn on the Enable blocklist toggle.

The 'Blocklist' section in the 'Restrictions' tab under the 'User & Authentication' section of the Clerk Dashboard. A red arrow is pointing to the 'Enable blocklist' toggle, which is toggled on.

After turning on the Blocklist feature, you can add individual email addresses and phone numbers, or blocklist entire email domains.

For example, if you add "clerk.dev" as a blocked email domain, it means that anybody with a "@clerk.dev" email address will not be able to sign up for your application. Email addresses from different domains will not be affected.

If you have enabled both the Allowlist and the Blocklist and have added the same identifier to both, the Allowlist takes precedence.

For additional security, adding an individual email address to the Blocklist will also block any attempts to sign up with the email address modified to contain a subaddress.

For example, if you add "john.doe@clerk.dev" as a blocked email address, nobody can sign up for your application with the "john.doe@clerk.dev" email address, and "john.doe+anything@clerk.dev" will be blocked as well.

Subaddresses are identified by the presence of any of the following characters in the local part of the email address: +, #, =.

Other restrictions

Block email subaddresses

The Block email subaddresses feature allows you to control who can get access to your application. It can restrict email addresses that contain the characters +, = or # from signing up or being added to existing accounts.

Existing accounts with email subaddresses will not be affected by this restriction, and will still be allowed to sign in.

To enable this feature, in the Clerk Dashboard, go to User & Authentication > Restrictions and go to the Restrictions section. Turn on the Block email subaddresses toggle.

The 'Restrictions' section in the 'Restrictions' tab under the 'User & Authentication' section of the Clerk Dashboard. A red arrow is pointing to the 'Block email subaddresses' toggle, which is toggled on.

After turning on the Block email subaddresses feature, any sign ups with an email address that contains a subaddress will be blocked.

For example, an email address like user+sub@clerk.com will be blocked.
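
The rules from the Allowlist, Blocklist and Block email subaddresses sections can be modelled locally to check how a planned configuration treats a given email address. This is an added example, not Clerk's code: the `config` object, the function names, case-insensitive matching, the order of the checks, and exact-only matching for allowlisted addresses are all assumptions, and phone numbers are left out.

```javascript
// Local model of the sign-up rules described on this page; not Clerk's code.
const SUBADDRESS_CHARS = /[+#=]/; // characters the page lists as subaddress markers

// Split an email into local part, domain and the local part with any
// subaddress removed. Assumption: the subaddress starts at the first marker
// character, and matching is case-insensitive.
function parseEmail(email) {
  const at = email.lastIndexOf("@");
  if (at < 1 || at === email.length - 1) return null; // not an email address
  const local = email.slice(0, at).toLowerCase();
  const domain = email.slice(at + 1).toLowerCase();
  const baseLocal = local.split(SUBADDRESS_CHARS)[0];
  return { local, domain, baseLocal, hasSubaddress: baseLocal !== local };
}

// True if the list holds the address itself or its domain. With
// matchSubaddress set, an entry also matches subaddressed variants of itself.
function listed(list, e, matchSubaddress) {
  const exact = `${e.local}@${e.domain}`;
  const base = `${e.baseLocal}@${e.domain}`;
  return list.some((entry) => {
    const v = entry.toLowerCase();
    return v === e.domain || v === exact || (matchSubaddress && v === base);
  });
}

// Decide a sign-up attempt. `config` is a hypothetical shape, not a Clerk API object.
function evaluateSignUp(email, config) {
  const e = parseEmail(email);
  if (!e) return { allowed: false, reason: "invalid email" };
  // Assumption: the subaddress toggle is checked before the lists.
  if (config.blockSubaddresses && e.hasSubaddress)
    return { allowed: false, reason: "subaddress blocked" };
  const onAllow = config.allowlistEnabled && listed(config.allowlist, e, false);
  const onBlock = config.blocklistEnabled && listed(config.blocklist, e, true);
  if (onAllow) return { allowed: true, reason: "allowlisted" }; // allowlist takes precedence
  // An enabled allowlist with no matching entry blocks the sign-up, so an
  // empty allowlist blocks everyone.
  if (config.allowlistEnabled) return { allowed: false, reason: "not on allowlist" };
  if (onBlock) return { allowed: false, reason: "blocklisted" };
  return { allowed: true, reason: "no restriction matched" };
}
```

Running a list of expected sign-up addresses through `evaluateSignUp` before changing the Dashboard settings shows which ones an enabled but incomplete allowlist would lock out.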

Clerk © 2024