Manually authorise signups

We don’t currently have an out-of-the-box solution for this scenario. There are 2 options that may be suitable:

1. Invite-only application

This will allow you invite specific users to use your application, however it does require additional setup and handling email sending on your end.

2. Using app_metadata and Rules

You can extend the Force Email verification rule to also check for another flag in the user’s app_metadata. E.g.

  function (user, context, callback) {
      if (!user.email_verified) {
        return callback(new UnauthorizedError('Please verify your email before logging in.'));
      } else if(!user.app_metadata.isBetaAuthorized) { // check the isBetaAuthorized app_metadata
        return callback(new UnauthorizedError('You are not yet authorized to access the beta.'));    
      }else {
        return callback(null, user, context);
      }
    }

This will prevent users without the isBetaAuthorized app_metadata to login to your application. You can then manually set this flag to true for any users you wish to authorize.