user.isRestricted === true and provides a user.restrictedReason explaining why.
By default, Hexclave treats restricted users like unauthenticated users in most SDK calls. This prevents accounts that still need verification, review, or conversion from accidentally getting access to protected product flows.
When users are restricted
Users can be restricted for a few reasons:- Email not verified: the project requires email verification before full access.
- Anonymous user: anonymous users can interact with the app, but are always restricted until converted.
- Restricted by administrator: the user was restricted manually or by a sign-up rule.
my-app.ts
restrictedReason.type values are:
| Type | Meaning |
|---|---|
email_not_verified | The user still needs to verify their email address. |
anonymous | The user is an anonymous user. |
restricted_by_administrator | The user was restricted manually or by a sign-up rule. |
Loading restricted users
Most calls exclude restricted users unless you explicitly opt in. UseincludeRestricted: true when you are building onboarding, email verification, account review, or anonymous-user conversion flows.
my-app.ts
Anonymous users are restricted by definition. Passing
{ or: "anonymous" } automatically includes restricted users, and cannot be combined with { includeRestricted: false }.Handling restricted users
Treat restricted users as a separate state from both “signed out” and “fully signed in”. A good default is to show a page that tells the user what they need to do next.restricted-user-message.tsx
Restricted users in JWTs
Restricted users receive tokens withis_restricted and restricted_reason claims. If your backend verifies Hexclave JWTs directly, make sure you reject restricted users unless the endpoint intentionally supports them.
When fetching Hexclave’s JWKS, restricted-user signing keys are excluded by default. Include them only for services that intentionally accept restricted users:
jwks-url.txt
include_anonymous=true; anonymous keys imply restricted-user keys.