Best practices for second-stage authorization

We have an application consisting of a NestJS backend and two different NextJS clients. The clients call Auth0 to handle login. I would like to add an additional check which only permits specific users (identified by their email), with the exact users differing for each client.

Is the best practice for doing this to add an action? I have tried doing this within the NextJS clients by writing a custom login function, but have not yet succeeded.

One further question, assuming rules are the right way to do this. Is there any way I can set up the rules so they come from a GitHub repo? I’m uneasy about having part of our codebase in a hidden location.

Hi @david36, welcome to the Auth0 Community!

Yes, we would recommend taking a look at utilizing Actions for this desired flow. You can find an example here that denies access based on the user's email as a post-login action.

If you want to manage these actions by code, you can use the Management API, Action Endpoints.

Hope this information helps, thanks!
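
A sketch of the post-login Action approach recommended in the answer above, added here as an example (it is not code from the thread or from Auth0's documentation). The client IDs and email addresses are constructed placeholders and `checkAccess` is a hypothetical helper; the example also assumes you want to reject unverified emails and any client that has no allowlist configured.

```javascript
// Per-client allowlists, keyed by the Auth0 application (client) ID.
// All IDs and addresses here are constructed placeholders.
const ALLOWED_EMAILS_BY_CLIENT = {
  CLIENT_ID_OF_NEXTJS_APP_A: ["alice@example.com", "bob@example.com"],
  CLIENT_ID_OF_NEXTJS_APP_B: ["carol@example.com"],
};

function normalizeEmail(email) {
  return typeof email === "string" ? email.trim().toLowerCase() : "";
}

// Hypothetical helper: pure decision logic so it can be unit-tested
// outside the Auth0 runtime.
function checkAccess(clientId, user, allowlists) {
  // Own-property lookup so an ID like "__proto__" never resolves.
  const known = Object.prototype.hasOwnProperty.call(allowlists, clientId);
  if (!known) return { allow: false, reason: "client_not_configured" };
  // An unverified address proves nothing about who controls the mailbox.
  if (!user || user.email_verified !== true) {
    return { allow: false, reason: "email_not_verified" };
  }
  const email = normalizeEmail(user.email);
  const allowed = allowlists[clientId].map(normalizeEmail);
  if (!email || !allowed.includes(email)) {
    return { allow: false, reason: "email_not_allowed" };
  }
  return { allow: true, reason: "ok" };
}

// Entry point Auth0 invokes in the Login flow.
async function onExecutePostLogin(event, api) {
  const decision = checkAccess(
    event.client.client_id,
    event.user,
    ALLOWED_EMAILS_BY_CLIENT
  );
  if (!decision.allow) {
    // Log the reason for the tenant logs, but give the user a generic message.
    console.log(`login denied: ${decision.reason} client=${event.client.client_id}`);
    api.access.deny("Access denied for this application.");
  }
}

if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;
```

Since the Action is an ordinary JavaScript file, it can be kept in the GitHub repository and pushed to the tenant through the Management API's Actions endpoints mentioned in the answer.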