How to allow specific emails to login with auth0?

Hey :wave: , I just created a .NET API and followed the getting started guide. What I would like to add is to allow specific people from my org to login with a specific email. Is that possible?

I have found this thread but the solution that gives the answer doesn’t show the email domain whitelist rule anymore: How can I only allow specific people to sign up

Cheers.

Hi there @maury welcome to the community!

This rule exists as a template if you navigate to Auth Pipeline → Rules → Create - You’ll see it under Access Control specifically. It looks like this:

function emailDomainWhitelist(user, context, callback) {
  // Access should only be granted to verified users.
  if (!user.email || !user.email_verified) {
    return callback(new UnauthorizedError('Access denied.'));
  }

  const whitelist = ['example.com', 'example.org']; //authorized domains
  const userHasAccess = whitelist.some(function (domain) {
    const emailSplit = user.email.split('@');
    return emailSplit[emailSplit.length - 1].toLowerCase() === domain;
  });

  if (!userHasAccess) {
    return callback(new UnauthorizedError('Access denied.'));
  }

  return callback(null, user, context);
}

Is that what you are looking for? Let us know!

Thank you @tyf !

What I’m trying to do is protect my API and not let just anyone request it, only certain people. Also, on the frontend side I would like to use only the email option to log in. Is that possible?

If so, what do you recommend me to achieve this?

Once again, thanks for taking your time to reply :smiley:


No problem, happy to help where I can!

I’m not clear on whether you want anyone to be able to login, but then only a subset of users access an API, or only allow a subset of users to login/access the API. Typically, an application will use some sort of permissions for a subset of users to be able to access an API. Please see the following doc for a general outline of what this may look like:

When you say only email to login, are you referring to a passwordless solution or something else?

The more context you can provide about your use case the better!

First of all, Merry Christmas @tyf :christmas_tree::grinning:.

I’m not clear on whether you want anyone to be able to login, but then only a subset of users access an API, or only allow a subset of users to login/access the API. Typically, an application will use some sort of permissions for a subset of users to be able to access an API. Please see the following doc for a general outline of what this may look like:

Yeah, what I would like to do is only allow a subset of users to login/access the API. I’m creating a table with the specific emails (I don’t know if it’s necessary at all, but I think so).

When you say only email to login, are you referring to a passwordless solution or something else?

I didn’t even know that exists!

The more context you can provide about your use case the better!

My bad, sorry! :persevere:. I have an API in .NET and what I would like to do is protect the endpoints so that specific people can fetch it. On the other hand (here is where it gets cloudy to me) I would like my front-end app (here comes Auth0, I think?) to have some auth (login option) when you enter it, and the only way to pass through it is with a specific email (what I don’t really know is if I need to send some JWT through my back end or not).

Sorry if that doesn’t make sense.


Re-visiting this as we comb through our backlog and hope this helps someone in the future :crystal_ball:

There are a couple of ways you can go about this - You could simply create an Action to “allow list” specific emails:

exports.onExecutePostLogin = async (event, api) => {
  // Define your allowlist of emails
  const allowlist = [
    'alloweduser1@example.com',
    'alloweduser2@example.com',
    'alloweduser3@example.com'
  ];

  // Check if the user's email is in the allowlist
  if (!allowlist.includes(event.user.email)) {
    // If the email is not in the allowlist, deny access
    api.access.deny('Access denied: Your email is not in the allowlist.');
  }
};

The 2nd and more scalable approach is to implement Role Based Access Control - At a high level this includes assigning roles (and subsequently API permissions) to users. In your registered API settings, you will want to enable RBAC and most likely the option to include permissions in access tokens. When a user logs in they will receive an access token, and if permissions are included in the token these are what your API, after verifying the access token, will use to make authorization decisions. Alternatively or in addition to permissions, you can add roles to your users’ access tokens as well using a Post Login Action:

exports.onExecutePostLogin = async (event, api) => {
  // Get the user's roles from the event object.
  // event.authorization is not present in every flow, so fall back to an
  // empty list instead of throwing on an undefined property.
  const roles = (event.authorization && event.authorization.roles) || [];

  // Add the roles to the access token as a custom claim
  api.accessToken.setCustomClaim('https://your-domain.com/roles', roles);
};
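Putting the Rule template and the two Actions above together, here is an added example (not code from the thread or from Auth0): a single Post Login Action that refuses unverified addresses, normalises case, accepts either an exact address or a whole domain, and only then copies roles into the access token. The allow-list entries and the `https://your-domain.com/roles` claim name are placeholders to replace with your own.

```javascript
// Added example (not from the thread): one Post Login Action that merges the
// thread's two snippets with the Rule template's checks. The allow-lists and
// the claim namespace below are placeholder values.
const ALLOWED_EMAILS = ['alloweduser1@example.com'];   // exact addresses
const ALLOWED_DOMAINS = ['example.org'];               // whole domains
const ROLES_CLAIM = 'https://your-domain.com/roles';   // namespaced custom claim

// Pure decision function so the policy can be unit-tested without Auth0.
// Returns { allowed, reason }.
function decideAccess(user) {
  // An unverified address can be registered by anyone; never allow-list it.
  if (!user || !user.email || !user.email_verified) {
    return { allowed: false, reason: 'email missing or not verified' };
  }
  // Normalise case so Alice@Example.com and alice@example.com hit the same entry.
  const email = user.email.trim().toLowerCase();
  const atIndex = email.lastIndexOf('@');
  if (atIndex < 1 || atIndex === email.length - 1) {
    return { allowed: false, reason: 'malformed email' };
  }
  const domain = email.slice(atIndex + 1);
  if (ALLOWED_EMAILS.map((e) => e.toLowerCase()).includes(email)) {
    return { allowed: true, reason: 'email allow-listed' };
  }
  // Exact match on the domain part, so evil-example.org or
  // example.org.attacker.test are not accepted for example.org.
  if (ALLOWED_DOMAINS.map((d) => d.toLowerCase()).includes(domain)) {
    return { allowed: true, reason: 'domain allow-listed' };
  }
  return { allowed: false, reason: 'not on allow-list' };
}

// Auth0 Post Login Action entry point (same signature as the thread's examples).
async function onExecutePostLogin(event, api) {
  const decision = decideAccess(event.user);
  if (!decision.allowed) {
    // Generic message so the caller learns nothing about which check failed.
    api.access.deny('Access denied.');
    return;
  }
  // Only allowed users get roles copied into the access token for the .NET API.
  const roles = (event.authorization && event.authorization.roles) || [];
  api.accessToken.setCustomClaim(ROLES_CLAIM, roles);
}

// Register the handler the way Auth0 expects when deployed as an Action.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```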