Hi @skatanski,
To answer your question straight away, it’s a Yes.
This is exactly what i was referring to earlier, meaning that you can also set up an array of allowed clientIDs for each user inside app_metadata, since this type of metadata can not be modified by the user. This can also be accomplished using a PostLogin Action, as you are mentioning as well.
Kind regards,
Remus