Allow list
With Privy, you can enable an allow list for your application to gate access to specific email addresses, phone numbers, and/or wallet addresses. You can use the allow list feature to coordinate a beta launch of your product for early-access users, manage an ongoing waitlist, and more!
When you enable an allow list for your app:
- All existing users will still be permitted to login to your app
- New users must be added to the allow list by their email address, phone number, or wallet address to be permitted to login
- New users who have not been added to your allow list will not be permitted to login.
Enabling the allow list for your app
You can enable an allow list directly from the Privy developer dashboard. To do so, just navigate to the Users page > Access Control tab of the dashboard and toggle allow lists on.
Managing the allow list
There are two main ways to manage the allow list for your app:
- Using the API, you can easily add users, remove users, and get your current allow list.
- Using the developer dashboard, you can easily add and remove users from your app’s invite list page.
It’s easy to use the Privy API to manage your waitlist with a third party-tool. For instance, if you are using Airtable to manage your waitlist, you can easily integrate it with Privy.
Check out this guide for more!
Adding to the allow list
Privy allows you to easily add a user’s email address, phone number, or wallet address to the allow list for your app.
Use the ‘s method to add a user to your allow list.
As a parameter to the method, pass an object with the following fields:
The type of account to add to the allow list.
The identifier of the account to add to the allow list. Should be the corresponding email address, phone number, or wallet address.
If the invitation is successful, the method will return an . If the invitation fails, the method will throw an error.
Removing from the allow list
Privy allows you to easily remove a user’s email address, phone number, or wallet address to the allow list for your app.
Use the ‘s method to remove a user from your allow list.
As a parameter to the method, pass an object with the following fields:
The type of account to remove from the allow list.
The identifier of the account to remove from the allow list. Should be the corresponding email address, phone number, or wallet address.
If the invitation is successful, the method will return an that represents the now-deleted allow list entry. If the invitation fails, the method will throw an error.
If a user has successfully logged into your application (e.g. after having been added to the allow list), you must delete their user object, rather than deleting their allow list entry—to revoke their access.
Getting the allow list
Privy allows you to easily get the current allow list for your app.
Use the ‘s method to get your app’s current allow list. Pass no parameters to this method.
If the request is successful, the method will return an array of objects. These include a type
describing the type of entry ('email'
, 'phone'
, or 'wallet'
) and a value
with the corresponding account identifier (e.g. the email address).
Customizing allow list rejection
If your app has an allow list enabled, new users who attempt to login with an account not in your allow list will not be permitted to login to your app.
You can customize the screen shown to the user when they are denied permission to login, to help contextualize the allow list within your app.
To customize this screen, make a POST
request to
In the body of the request, include an field that contains a JSON with the following fields. All fields in this object are optional.
The primary text for the error message you’d like to show your user. Defaults to “You don’t have access to this app”.
The secondary text for the error message you’d like to show your user. Defaults to “Have you been invited?”
The text to show on the error confirmation button. Defaults to “Try another account”
The URL to navigate the user to, when they click the error CTA. Defaults to just closing the screen on click, instead of navigating the user to another URL.
Below is a sample cURL command for updating the allow list config:
Was this page helpful?