Auth0 Home Blog Docs

Manually authorise signups



I want to be able to manually authorise users who signup to our beta platform as well as the force email verification rule in order to control access.

What is the best way to achieve this?




We don’t currently have an out-of-the-box solution for this scenario. There are 2 options that may be suitable:

1. Invite-only application

This will allow you invite specific users to use your application, however it does require additional setup and handling email sending on your end.

2. Using app_metadata and Rules

You can extend the Force Email verification rule to also check for another flag in the user’s app_metadata. E.g.

  function (user, context, callback) {
      if (!user.email_verified) {
        return callback(new UnauthorizedError('Please verify your email before logging in.'));
      } else if(!user.app_metadata.isBetaAuthorized) { // check the isBetaAuthorized app_metadata
        return callback(new UnauthorizedError('You are not yet authorized to access the beta.'));    
      }else {
        return callback(null, user, context);

This will prevent users without the isBetaAuthorized app_metadata to login to your application. You can then manually set this flag to true for any users you wish to authorize.


That worked great, thanks.

Is there a function to blacklist email domains such as hotmail, yahoo gmail etc. when someone tries to signup?


I have been working on something similar for blacklisting domains. You can use a rule eg.

function (user, context, callback) {
    var whitelist = '', '']; //authorized domains
    var userHasAccess = whitelist.some(
      function (domain) {
        var emailSplit ='@');
        return emailSplit[emailSplit.length - 1].toLowerCase() === domain;

    if (!userHasAccess) {
      return callback(new UnauthorizedError('Access denied.'));

    return callback(null, user, context);

to whitelist domains. But this for some reason does not work until after the user signs up! Trying to create a workaround that automatically deletes the blacklisted email user and does not send a verification email on signup, but I am not having much luck.


I’ve just found this, hopefully that will do the trick.


It seems as if hooks are the “new solution”, thanks for the link I will look into this today


I implemented the hook similar to the rule and it works. Unfortunately the output error is just a standard “something went wrong”. Let me know if you want to see the code for a webhook that whitelists domains


I will let you know how we get on, hopefully we can grab that error message and display our own on the registration page. If we decide to whitelist in the future I will definitely tap you up for the code.