Overview
This article provides a method for denying user access based on form input. The solution outlines the use of a Post-Login Action to render a form and then deny access if the input does not meet the specified validation criteria.
Applies To
- Auth0 Actions
- Auth0 Forms
- Post-Login trigger
Cause
This issue occurs because Auth0 Forms do not have a built-in function to deny user access. The primary purpose of Forms is to collect user input, and the access control logic must be implemented separately within a Post-Login Action.
Solution
The following steps explain how to deny user access using a Post-Login Action to validate the input submitted through a form:
- Render the form in the onExecutePostLogin function of an Auth0 Action. The login flow pauses at this step, waiting for user input.
- Implement the validation logic in the onContinuePostLogin function.
- Access the data from the form using event.prompt.fields.
- Use api.access.deny() to terminate the login if the validation criteria are not met.
- To prevent the form from being rendered on subsequent logins, use api.user.setAppMetadata() to set a flag after the form has been successfully submitted. Subsequent logins can then check for this flag and skip the form and validation logic.
The following is an example of an Action that implements this logic. This example renders a form and then denies access if the user’s role ID from the form input does not match the expected role ID.
// Phase 1: runs on login; rendering the form pauses the flow until the user submits it.
exports.onExecutePostLogin = async (event, api) => {
  const FORM_ID = 'YOUR_FORM_ID';
  api.prompt.render(FORM_ID);
};

// Phase 2: runs after the form is submitted; the submitted values arrive in event.prompt.fields.
exports.onContinuePostLogin = async (event, api) => {
  const expectedRoleId = 'Expected_Role_ID';
  const fields = event.prompt && event.prompt.fields;
  // Fail closed: missing form input is treated the same as a non-matching role.
  if (!fields || fields.ROLE_ID !== expectedRoleId) {
    api.access.deny('Access denied: Unauthorized role.');
  }
};
Please Note: We strongly recommend testing any custom code thoroughly in a development environment before deploying it to production. The provided code is an example and might need adjustments to fit specific use-cases.
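The following is an added example, not code from the article or from Auth0: an offline harness that exercises the two-phase flow described above (render the form, validate on continue, deny on mismatch, and set an app_metadata flag so the form is skipped on later logins). The event and api objects are stubs constructed for the example that only record what the Action asked for; the form ID, the ROLE_ID field name, and the roleFormCompleted flag name are assumptions. The handlers are written as plain synchronous functions so the harness runs without await; in a real Action they are the async exports shown earlier.

```javascript
// Assumed placeholders (not values from the article).
const FORM_ID = 'YOUR_FORM_ID';
const EXPECTED_ROLE_ID = 'Expected_Role_ID';
const FLAG = 'roleFormCompleted'; // assumed app_metadata key

// Pure validation step. Fails closed: absent input is rejected, not silently allowed.
function validateRole(fields, expectedRoleId) {
  if (!fields || typeof fields.ROLE_ID !== 'string') {
    return { ok: false, reason: 'Access denied: form input missing.' };
  }
  if (fields.ROLE_ID !== expectedRoleId) {
    return { ok: false, reason: 'Access denied: Unauthorized role.' };
  }
  return { ok: true };
}

// Same shape as the Action's onExecutePostLogin: skip the form once the flag is set.
function onExecutePostLogin(event, api) {
  const meta = (event.user && event.user.app_metadata) || {};
  if (meta[FLAG] === true) {
    return; // form already submitted and validated on an earlier login
  }
  api.prompt.render(FORM_ID);
}

// Same shape as the Action's onContinuePostLogin: deny on failure, record success on pass.
function onContinuePostLogin(event, api) {
  const result = validateRole(event.prompt && event.prompt.fields, EXPECTED_ROLE_ID);
  if (!result.ok) {
    api.access.deny(result.reason);
    return;
  }
  api.user.setAppMetadata(FLAG, true);
}

// Stub api object (constructed for this example) that records each call the Action makes.
function makeApi() {
  const calls = { rendered: null, denied: null, metadata: {} };
  return {
    calls,
    prompt: { render: (id) => { calls.rendered = id; } },
    access: { deny: (reason) => { calls.denied = reason; } },
    user: { setAppMetadata: (key, value) => { calls.metadata[key] = value; } },
  };
}

// Drives one login end to end: phase 1, then phase 2 only if the form was rendered.
// Returns the recorded calls so the outcome can be inspected.
function simulateLogin(appMetadata, submittedFields) {
  const api = makeApi();
  const event = { user: { app_metadata: appMetadata } };
  onExecutePostLogin(event, api);
  if (api.calls.rendered !== null) {
    onContinuePostLogin({ ...event, prompt: { fields: submittedFields } }, api);
  }
  return api.calls;
}

// Usage: first login with a wrong role is denied; a user carrying the flag never sees the form.
console.log(simulateLogin({}, { ROLE_ID: 'some-other-role' }));
console.log(simulateLogin({ [FLAG]: true }, undefined));
```

The check that matters for access control is the fail-closed branch in validateRole: the article's one-line condition lets a login through when event.prompt.fields is absent, whereas this version denies it, so a request that reaches onContinuePostLogin without form data cannot bypass the role check.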
For additional information on how form data is passed to Actions, refer to the related references below.