Auth

Before User Created Hook

Prevent unwanted signups by inspecting and rejecting user creation requests

This hook runs before a new user is created. It allows developers to inspect the incoming user object and optionally reject the request. Use this to enforce custom signup policies that Supabase Auth does not handle natively - such as blocking disposable email domains, restricting access by region or IP, or requiring that users belong to a specific email domain.

You can implement this hook using an HTTP endpoint or a Postgres function. If the hook returns an error object, the signup is denied and the user is not created. If the hook responds successfully (HTTP 200 or 204 with no error), the request proceeds as usual. This gives you full control over which users are allowed to register — and the flexibility to apply that logic server-side.

Inputs

Supabase Auth will send a payload containing these fields to your hook:

FieldTypeDescription
metadataobjectMetadata about the request. Includes IP address, request ID, and hook type.
userobjectThe user record that is about to be created. Matches the shape of the auth.users table.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
{  "metadata": {    "uuid": "8b34dcdd-9df1-4c10-850a-b3277c653040",    "time": "2025-04-29T13:13:24.755552-07:00",    "name": "before-user-created",    "ip_address": "127.0.0.1"  },  "user": {    "id": "ff7fc9ae-3b1b-4642-9241-64adb9848a03",    "aud": "authenticated",    "role": "",    "email": "valid.email@supabase.com",    "phone": "",    "app_metadata": {      "provider": "email",      "providers": ["email"]    },    "user_metadata": {},    "identities": [],    "created_at": "0001-01-01T00:00:00Z",    "updated_at": "0001-01-01T00:00:00Z",    "is_anonymous": false  }}

Outputs

Your hook must return a response that either allows or blocks the signup request.

FieldTypeDescription
errorobject(Optional) Return this to reject the signup. Includes a code, message, and optional HTTP status code.

Returning an empty object with a 200 or 204 status code allows the request to proceed. Returning a JSON response with an error object and a 4xx status code blocks the request and propagates the error message to the client. See the error handling documentation for more details.

Allow the signup

1
{}

or with a 204 No Content response:

1
HTTP/1.1 204 No Content

Reject the signup with an error

1
2
3
4
5
6
{  "error": {    "http_code": 400,    "message": "Only company emails are allowed to sign up."  }}

This response will block the user creation and return the error message to the client that attempted signup.

Examples

Each of the following examples shows how to use the before-user-created hook to control signup behavior. Each use case includes both a HTTP implementation (e.g. using an Edge Function) and a SQL implementation (Postgres function).

Allow signups only from specific domains like supabase.com or example.test. Reject all others. This is useful for private/internal apps, enterprise gating, or invite-only beta access.

The before-user-created hook solves this by:

  • Detecting that a user is about to be created
  • Providing the email address in the user.email field

Run the following snippet in your project's SQL Editor. This will create a signup_email_domains table with some sample data and a hook_restrict_signup_by_email_domain function to be called by the before-user-created auth hook.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
-- Create ENUM type for domain rule classificationdo $$ begin  create type signup_email_domain_type as enum ('allow', 'deny');exception  when duplicate_object then null;end $$;-- Create the signup_email_domains tablecreate table if not exists public.signup_email_domains (  id serial primary key,  domain text not null,  type signup_email_domain_type not null,  reason text default null,  created_at timestamptz not null default now(),  updated_at timestamptz not null default now());-- Create a trigger to maintain updated_atcreate or replace function update_signup_email_domains_updated_at()returns trigger as $$begin  new.updated_at = now();  return new;end;$$ language plpgsql;drop trigger if exists trg_signup_email_domains_set_updated_at on public.signup_email_domains;create trigger trg_signup_email_domains_set_updated_atbefore update on public.signup_email_domainsfor each rowexecute procedure update_signup_email_domains_updated_at();-- Seed example datainsert into public.signup_email_domains (domain, type, reason) values  ('supabase.com', 'allow', 'Internal signups'),  ('gmail.com', 'deny', 'Public email provider'),  ('yahoo.com', 'deny', 'Public email provider');-- Create the functioncreate or replace function public.hook_restrict_signup_by_email_domain(event jsonb)returns jsonblanguage plpgsqlas $$declare  email text;  domain text;  is_allowed int;  is_denied int;begin  email := event->'user'->>'email';  domain := split_part(email, '@', 2);  -- Check for allow match  select count(*) into is_allowed  from public.signup_email_domains  where type = 'allow' and lower(domain) = lower($1);  if is_allowed > 0 then    return '{}'::jsonb;  end if;  -- Check for deny match  select count(*) into is_denied  from public.signup_email_domains  where type = 'deny' and lower(domain) = lower($1);  if is_denied > 0 then    return jsonb_build_object(      'error', jsonb_build_object(        'message', 'Signups from this email domain are not allowed.',        'http_code', 403      )    );  end if;  -- No match, allow by default  return '{}'::jsonb;end;$$;-- Permissionsgrant execute  on function public.hook_restrict_signup_by_email_domain  to supabase_auth_admin;revoke execute  on function public.hook_restrict_signup_by_email_domain  from authenticated, anon, public;