Hi @emy,
Thanks for reaching out to the Auth0 Community!
Firstly, there are a couple of ways to approach this.
To start, you could write an Auth0 Action script that allows users to log into your application only if you have accepted their application.
To do so, you could leverage the user_metadata property to set true or false whenever you have accepted their application by calling the Management API’s Update a user endpoint.
Then on login, use a Post-Login Action script to check the value of user_metadata.application to allow or deny access accordingly.
For example:
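exports.onExecutePostLogin = async (event, api) => {
  // Deny the login unless user_metadata.application is set to a truthy value.
  // Optional chaining covers a profile that has no user_metadata at all.
  if (!event.user.user_metadata?.application) {
    api.access.deny(`Access to ${event.client.name} is not allowed.`);
  }
};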
Alternatively, you could create a database with sign ups disabled and invite your users to your application. This way, you can skip the complexity of assessing which user you would like to allow or deny access to your application and guarantee the users you invite are only the users allowed to access your application.
I hope the explanation was clear!
Please let me know if you have any questions.
Thanks,
Rueben
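The approve-then-check flow from the answer above, as an added example that is not part of the original post or Auth0's own code: it builds the Update a user request and runs the Action against constructed profiles using a stub `api` object. The helper names `buildApprovalRequest` and `runLogin`, the tenant domain, token and user ID are assumptions, and the strict `=== true` comparison is a change from the posted check so that a stored string such as "false" is denied.

```javascript
// Post-Login Action from the post, tightened to a strict comparison: only the
// boolean true grants access (the string "false" would pass a `!value` check).
const onExecutePostLogin = async (event, api) => {
  const approved = event.user.user_metadata?.application === true;
  if (!approved) {
    api.access.deny(`Access to ${event.client.name} is not allowed.`);
  }
};

// Build the Management API "Update a user" request (PATCH /api/v2/users/{id})
// that records the accept/reject decision. Nothing is sent from this example.
function buildApprovalRequest(domain, userId, token, accepted) {
  return {
    method: "PATCH",
    url: `https://${domain}/api/v2/users/${encodeURIComponent(userId)}`,
    headers: { authorization: `Bearer ${token}`, "content-type": "application/json" },
    body: JSON.stringify({ user_metadata: { application: accepted === true } }),
  };
}

// Run the Action against a constructed event with a stub `api` object and
// report whether the login would be allowed (hypothetical test helper).
async function runLogin(userMetadata) {
  const result = { allowed: true, reason: null };
  const api = { access: { deny: (reason) => { result.allowed = false; result.reason = reason; } } };
  const event = { user: { user_metadata: userMetadata }, client: { name: "Example App" } };
  await onExecutePostLogin(event, api);
  return result;
}

// Constructed sample profiles covering the edge cases.
const samples = [
  ["accepted", { application: true }],
  ["rejected", { application: false }],
  ["never reviewed", {}],
  ["metadata missing", undefined],
  ['string "false"', { application: "false" }],
];

async function main() {
  for (const [label, meta] of samples) {
    const { allowed } = await runLogin(meta);
    console.log(`${label}: ${allowed ? "allow" : "deny"}`);
  }
}
main();
```

The same check reads `event.user.app_metadata` unchanged; Auth0 documents `app_metadata` as the field for data that affects access, while `user_metadata` is intended for attributes the user may edit.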