Block or Deny User Sign-up by Email Domain

Last Updated: Dec 9, 2024

Overview

Users can register with email domains that are not allowed by the company’s policy. This article details whether it is possible to automatically deny signups based on email domain.

Applies To

  • User Sign Up
  • Email Domains
  • Deny email domains

Cause

Unless something is configured to block or deny sign-ups, Auth0 databases will allow any valid email address.

Solution

Using a Pre-User Registration Action, it is possible to parse the email or use a RegEx to filter domains.

See below for an example of how to deny sign-up based on a list of allowed domains. NOTE: this is not a complete solution but an idea to help get started. Be sure to test before deploying in production.

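exports.onExecutePreUserRegistration = async (event, api) => {
  // Only sign-ups from these domains are allowed (entries in lower case).
  const allowedDomains = ["mydomain.com", "yourdomain.com"];

  // Use the text after the last "@" and lower-case it, so that
  // "User@MyDomain.com" matches and an extra "@" cannot shift the split.
  const currentEmail = event.user.email || "";
  const at = currentEmail.lastIndexOf("@");
  const currentDomain = at > 0 ? currentEmail.slice(at + 1).toLowerCase() : "";

  // A missing or malformed email gives an empty domain, which is never allowed.
  if (!allowedDomains.includes(currentDomain)) {
    api.validation.error("invalid-domain", "Invalid Domain");
  }
};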

This would produce the following on Universal Login:
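
A deny-list variant of the Action above, covering the "block" case from the title, as an added example that is not part of the original article or Auth0's own code. It also rejects subdomains of a listed domain. Assumptions: the entries in DENIED_DOMAINS are constructed placeholders, the helper names emailDomain and matchesDomainList are hypothetical, and rejecting a missing or unparseable email is a design choice made here.

```javascript
// Added example: deny-list variant of the Pre-User Registration Action.
// The domains below are constructed placeholders, not real policy values.
const DENIED_DOMAINS = ["blocked.example", "throwaway.example"];

// Return the lower-cased domain after the last "@", or null when the
// address has no usable local part or domain. (Hypothetical helper.)
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const at = email.lastIndexOf("@");
  if (at < 1 || at === email.length - 1) return null;
  // Trim whitespace and a trailing root dot ("x.example." -> "x.example").
  return email.slice(at + 1).trim().toLowerCase().replace(/\.$/, "");
}

// True when `domain` equals a listed domain or is a subdomain of one.
// Comparing against "." + entry keeps "notblocked.example" from matching
// "blocked.example". (Hypothetical helper.)
function matchesDomainList(domain, list) {
  return list.some((d) => domain === d || domain.endsWith("." + d));
}

const onExecutePreUserRegistration = async (event, api) => {
  const domain = emailDomain(event.user.email);
  // Assumption: fail closed, so an email that cannot be parsed is rejected.
  if (domain === null || matchesDomainList(domain, DENIED_DOMAINS)) {
    api.validation.error("invalid-domain", "Invalid Domain");
  }
};

// Auth0 loads the handler from `exports`; the guard lets this file also
// run in environments where `exports` is not defined.
if (typeof exports !== "undefined") {
  exports.onExecutePreUserRegistration = onExecutePreUserRegistration;
}
```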
