We don’t currently have an out-of-the-box solution for this scenario. There are 2 options that may be suitable:
1. Invite-only application
This will allow you invite specific users to use your application, however it does require additional setup and handling email sending on your end.
2. Using app_metadata and Rules
You can extend the Force Email verification rule to also check for another flag in the user’s app_metadata. E.g.
function (user, context, callback) {
if (!user.email_verified) {
return callback(new UnauthorizedError('Please verify your email before logging in.'));
} else if(!user.app_metadata.isBetaAuthorized) { // check the isBetaAuthorized app_metadata
return callback(new UnauthorizedError('You are not yet authorized to access the beta.'));
}else {
return callback(null, user, context);
}
}
This will prevent users without the isBetaAuthorized app_metadata to login to your application. You can then manually set this flag to true for any users you wish to authorize.