This is possible through a pre-user registration hook and a rule. Here’s an example of how you’d implement it:
You would first create a pre-user registration hook that sets a flag in the user’s app_metadata. You’ll use this flag to determine whether they have been approved.
From within this hook you call your own web service that will send the email to your administrator(s) for approval. This email would then include a link that, when clicked, causes your site’s backend to perform a management API call to set the flag you defined earlier in the newly registered user’s app_metadata.
You would then have a rule that checks this flag is true, and if not, would deny the user access. Here’s an example:
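function (user, context, callback) {
  // Deny login unless an administrator has set app_metadata.approved to true.
  if (!user.app_metadata || user.app_metadata.approved !== true) {
    return callback(new UnauthorizedError('Your registration must be approved by an administrator.'));
  }
  callback(null, user, context);
}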
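The approval link in the administrator e-mail is what ends up setting the flag, so the backend should only act on links it issued itself. The following is an added example, not code from the original answer: it signs an expiring token for the link and builds the management API request (`PATCH /api/v2/users/{id}`) once the token verifies. The secret, function names, tenant domain and user id are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Hypothetical secret, constructed for this example; load it from a secret store in practice.
const LINK_SECRET = Buffer.from('constructed-demo-secret-do-not-reuse');

function sign(payload) {
  return crypto.createHmac('sha256', LINK_SECRET).update(payload).digest('base64url');
}

// Used by the web service the hook calls: returns the token to embed in the e-mail link.
function makeApprovalToken(userId, ttlSeconds, now = Date.now()) {
  const expires = Math.floor(now / 1000) + ttlSeconds;
  const payload = Buffer.from(JSON.stringify({ userId, expires })).toString('base64url');
  return `${payload}.${sign(payload)}`;
}

// Used by the backend when the link is clicked: returns the user id, or null if
// the token is malformed, was not signed by us, or has expired.
function verifyApprovalToken(token, now = Date.now()) {
  const [payload, mac, extra] = String(token).split('.');
  if (!payload || !mac || extra !== undefined) return null;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  // Constant-time comparison; lengths must match before timingSafeEqual is called.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (!claims || typeof claims.userId !== 'string' || typeof claims.expires !== 'number') return null;
  if (claims.expires < Math.floor(now / 1000)) return null;
  return claims.userId;
}

// Describes the management API call that sets the flag; sending it is left to the caller.
function buildApprovalRequest(tenantDomain, userId, mgmtToken) {
  return {
    method: 'PATCH',
    url: `https://${tenantDomain}/api/v2/users/${encodeURIComponent(userId)}`,
    headers: { Authorization: `Bearer ${mgmtToken}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ app_metadata: { approved: true } }),
  };
}
```

The approval endpoint should also require the administrator to be signed in, since a link in an e-mail can be forwarded or fetched by mail scanners.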