Privy allows your app to enable a deny list to block specific users from logging in to your app and creating accounts. You can use the deny list to block users who have previously been malicious in your application or who violate your terms of service. Currently, Privy deny lists support blocking users based on their email address, phone number, EVM wallet address or Solana wallet address. You can choose to either block a specific email address (e.g. [email protected]) or an email domain (e.g. @wayneenterprises.com).
Deny lists apply to email, SMS, wallet, and OAuth methods with verified emails only. Login methods like Telegram and Farcaster are not supported.

Enabling the deny list for your app

You can enable an deny list directly from the Privy developer dashboard. To do so, just navigate to the Users page > Access Control tab of the dashboard and toggle deny lists on. images/Deny.png

Managing the deny list

There are two main ways to manage the deny list for your app:

Adding to the deny list

If you do not have a deny list enabled for your app, this request will fail.
Privy allows you to easily add an individual email address, phone number, EVM wallet address or Solana wallet address to your deny list. To add an entry to the deny list, make a POST request to: 
https://auth.privy.io/api/v1/apps/<your-privy-app-id>/denylist
In the body of the request, include the following fields:
type
'email' | 'emailDomain' | 'phoneNumber' | 'ethereumAddress' | 'solanaAddress'
required
Specifies that the request adds an email address, email domain, phone number, EVM wallet address or Solana wallet address to the deny list.
value
string
required
The email address, email domain, phone number, EVM wallet address or Solana wallet address to add to the deny list.
Below is a sample cURL command for adding an email to the deny list: 
curl --request POST 'https://auth.privy.io/api/v1/apps/<your-privy-app-id>/denylist' \
-u "<your-privy-app-id>:<your-privy-app-secret>" \
-H "privy-app-id: <your-privy-app-id>" \
-H "Content-Type: application/json" \
--data-raw '{
  "type": "email",
  "value": "[email protected]"
}'
A successful response will include the new deny list entry, like below 
{
  "id": "denylist-entry-ID",
  "rule_type": "email",
  "value": "[email protected]"
}

Removing from the deny list

If you do not have a deny list enabled for your app, this request will fail. Please reach out if you’d like to configure a deny list.
To delete an entry from the deny list, make a DELETE request to: 
https://auth.privy.io/api/v1/apps/<your-privy-app-id>/denylist
In the body of the request, include the following fields:
id
string
required
The ID of the deny list entry to be removed. You can obtain this ID by getting your current deny list.
Below is a sample cURL command for deleting an email from the deny list: 
curl --request DELETE 'https://auth.privy.io/api/v1/apps/<your-privy-app-id>/denylist' \
-u "<your-privy-app-id>:<your-privy-app-secret>" \
-H "privy-app-id: <your-privy-app-id>" \
-H "Content-Type: application/json" \
--data-raw '{
  "id": "clpa828s4001hl90f6dxoksrg",
}'
A successful request will return response code 204. If there is no corresponding deny list entry, the response will include an error.

Getting the deny list

To get your current deny list, make a GET request to: 
https://auth.privy.io/api/v1/apps/<your-privy-app-id>/denylist
This is a paginated query, and the API will return up to 1000 deny list entries for a single request.

Parameters

In the request query parameters, specify the following fields:
cursor
string
When you request a batch of deny list entries from Privy, the API will return a cursor for the next batch of deny list entries in the next_cursor field of the response. This will be a deny list ID, which is a string.If you are requesting the first batch of deny list entries for your app, do not include a cursor in your request parameters.If you have already requested a batch of deny list entries and want to request the next batch, set the cursor in your request parameters to be the next_cursor returned by the API in your previous query. If the provided cursor is not a valid deny list ID, the API will return an error.
limit
number
The number of users you would like the API to return. Defaults to 1000.
As an example, to get the first 1000 deny list entries for your app, you should include no URL query parameters: 
curl --request GET https://auth.privy.io/api/v1/apps/<your-privy-app-id>/denylist \
-u "<your-privy-app-id>:<your-privy-app-secret>" \
-H "privy-app-id: <your-privy-app-id>"
Then, to get the next 1000 deny list entries for your app, you should pass the next_cursor field of the last response as the cursor in your request query parameters: 
# Replace <insert-cursor> below with the `next_cursor` returned by the last query
curl --request GET https://auth.privy.io/api/v1/apps/<your-privy-app-id>/denylist?cursor=<insert-cursor> \
-u "<your-privy-app-id>:<your-privy-app-secret>" \
-H "privy-app-id: <your-privy-app-id>"

Response

A successful response will include:
The deny list entries as an array
The cursor to be used in your next request to this API
Below is an example: If you need to remove an entry from your deny list, you will need the id field returned in this API response.