Opinion on how to set up a invite-only access.

Hi there, I have a web app (react) that uses a self-hosted zitael IDP. It's currently configured, that anyone can login or register a new account and join my webapp. However, especially at the beginning I would like to offer a closed beta to a defined user group. At least I want to prevent that anyone can register for my webapp trough the idp. Best case would be to invite my beta-tester group via an invite link. Is this or something similar possible with zitadel? I use the legacy built-in login form.

Ask Inkeep•10/7/25, 7:40 PM

Hi @ladon.space, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Ask Inkeep•10/7/25, 7:40 PM

Answer

I wasn't able to find a direct answer about invite-only access or invite links, here are some relevant sources:

Onboard Users : This covers manual user creation and invitation methods, including how to disable self-registration by controlling the "register allowed" setting in login behavior.
Login users into your application with a hosted login UI : This explains how the hosted login UI works and mentions settings that control user registration prompts.

Ask Inkeep•10/7/25, 7:40 PM

Feel free to tag @Ask Inkeep with additional questions.

ladon.spaceOP•10/7/25, 7:53 PM

okey I've solved one of two things that registration is not allow. However, It should be possible to login with an external login if the user with the specified email-address is allowed to login. Currently there is only the option ON or completely OFF.

Rajat•10/8/25, 12:44 PM

hey @ladon.space thanks for your question, I will take a look at it.

Rajat•10/8/25, 12:48 PM

hey @ladon.space there isn't a granular permission system that allows external login for specific individual email addresses while blocking others within the same orgs or domain afaiu. You need to write a custom logic to prevent that.

Rajat•10/8/25, 1:00 PM

I just confirmed internally on this
you could also implement an email domain (or email specific) allow list with Actions. Depending on the IdP (Google Workspace, Entra ID) they use, you can also enforce login only from certain domains or for a given group of authorized users by setting this up on the IdP side instead of Zitadel