diff --git a/docs/customization/account-portal/getting-started.mdx b/docs/customization/account-portal/getting-started.mdx index 7a657908ec..b695c7cb86 100644 --- a/docs/customization/account-portal/getting-started.mdx +++ b/docs/customization/account-portal/getting-started.mdx @@ -20,6 +20,7 @@ For development environments, Clerk will issue you a randomly generated domain o https://accounts..com/sign-in https://accounts..com/sign-up https://accounts..com/user +https://accounts..com/unauthorized-sign-in https://accounts..com/organization https://accounts..com/create-organization ``` diff --git a/docs/customization/account-portal/overview.mdx b/docs/customization/account-portal/overview.mdx index 79fee3b8d6..f5287b11f9 100644 --- a/docs/customization/account-portal/overview.mdx +++ b/docs/customization/account-portal/overview.mdx @@ -52,6 +52,14 @@ The user profile page hosts the prebuilt [``](/docs/components/us Redirect your authenticated users to their user profile page using the [``](/docs/components/control/redirect-to-userprofile) control component. +### Unauthorized sign-in + +The unauthorized sign-in page doesn't host any prebuilt Clerk component. It displays a UI confirming that a session from an unrecognized device was successfully revoked. For more information, see the [Unauthorized sign-in](/docs/security/unauthorized-sign-in) feature. + +The unauthorized sign-in page displays a UI confirming that a session from an unrecognized device was successfully revoked. For more information, refer to [the reference.](/docs/security/unauthorized-sign-in) + +![Clerk's Account Portal unauthorized sign-in page](/docs/images/account-portal/unauthorized-sign-in.png) + ### Create organization The create organization page hosts the prebuilt [``](/docs/components/organization/create-organization) component, which provides a streamlined interface for users to create new organizations within your application. 
diff --git a/docs/manifest.json b/docs/manifest.json index 2528ecbe33..59ae6a3087 100644 --- a/docs/manifest.json +++ b/docs/manifest.json @@ -1616,6 +1616,10 @@ { "title": "Protect email link sign-ins and sign-ups", "href": "/docs/security/email-link-protection" + }, + { + "title": "Unauthorized sign-in", + "href": "/docs/security/unauthorized-sign-in" } ] ] diff --git a/docs/security/unauthorized-sign-in.mdx b/docs/security/unauthorized-sign-in.mdx new file mode 100644 index 0000000000..b24a90dc29 --- /dev/null +++ b/docs/security/unauthorized-sign-in.mdx 
@@ -0,0 +1,41 @@ +--- +title: Unauthorized sign-in +description: Notify users of unauthorized sign-ins to their accounts +--- + +Clerk detects sign-in attempts from unrecognized devices to protect users from unauthorized access to their accounts. This security feature helps identify potentially malicious sign-in activity. + +## Email notification for unauthorized access + +When a sign-in attempt is made from an unfamiliar device, Clerk notifies the account owner by email with details about the newly created session. The email notification varies depending on the instance's configuration and the application's billing plan. + +By default, the email includes information about the unauthorized sign-in attempt, such as device type, operating system, IP address, location, and the sign-in method used. If you've set a support email for your app, Clerk will add instructions for the user to contact the app administrator. + +For supported instances, the email might also include a button that allows users to sign out from the unrecognized device. Selecting this button immediately revokes the session. + +To customize the unauthorized sign-in email notification: + +1. In the Clerk Dashboard, navigate to the [**Emails**](https://dashboard.clerk.com/last-active?path=customization/email) page. +1. Select **Sign in from new device**. You'll be redirected to the template settings page. +1. Edit the email template. +1. Select **Apply changes**. + +## Revoke sessions for unauthorized sign-ins + +> [!WARNING] +> This feature isn't available in production for free plans but can be tested for free in development mode. For more information, see the [pricing](/pricing){{ target: '_blank' }} page. + +For apps that support this feature, users can immediately revoke unauthorized sign-ins directly from the email notification. With a single click, the suspicious session is revoked and the user is redirected to a confirmation page. 
+ +The confirmation page depends on the instance configuration: + +- [Account Portal](/docs/customization/account-portal/overview) enabled: The user is redirected to the [unauthorized sign-in](/docs/customization/account-portal/overview#unauthorized-sign-in) page, where content can be customized based on the app's theme. +- Account Portal disabled: The user sees a plain text confirmation of the successful session revocation. + +In either case, after revoking the session, users must sign in again unless they have an active session on their device. + +To customize the URL path of the unauthorized sign-in page: + +1. In the Clerk Dashboard, navigate to the [**Paths**](https://dashboard.clerk.com/last-active?path=paths) page. +1. Under **Application paths**, enter the **Unauthorized sign in URL** path. +1. Select **Save**. diff --git a/public/images/account-portal/unauthorized-sign-in.png b/public/images/account-portal/unauthorized-sign-in.png new file mode 100644 index 0000000000..456dd2c0ae Binary files /dev/null and b/public/images/account-portal/unauthorized-sign-in.png differ
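Review bot: in the overview.mdx hunk, the new "Unauthorized sign-in" section says the same thing twice; the second paragraph ("The unauthorized sign-in page displays a UI confirming that a session from an unrecognized device was successfully revoked. For more information, refer to [the reference.](...)") repeats the first and also places the trailing period inside the link text. Drop the second paragraph and keep the first, which carries the one extra detail (that the page hosts no prebuilt component): `The unauthorized sign-in page doesn't host any prebuilt Clerk component. It displays a UI confirming that a session from an unrecognized device was successfully revoked. For more information, see the [Unauthorized sign-in](/docs/security/unauthorized-sign-in) feature.`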
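Review bot: in the new docs/security/unauthorized-sign-in.mdx file, the intro ("Clerk detects sign-in attempts from unrecognized devices to protect users from unauthorized access") reads as if the attempt is blocked, but the next section says the email carries "details about the newly created session", so the sign-in has already succeeded when the owner is notified; state plainly that this is an after-the-fact notification with optional revocation, not an access control, so readers do not rely on it to stop a sign-in. Two smaller points in the same file: "For supported instances, the email might also include a button" is vague, and should link to the "Revoke sessions for unauthorized sign-ins" section, whose warning is where the free-plan production limitation is actually stated; and "users must sign in again unless they have an active session on their device" is ambiguous about whose device is meant, since the revoked session belongs to the unrecognized device while the owner clicks the button from their own, so say explicitly which device the sentence refers to. The page also does not say whether the revoke button in the email expires or can be used more than once; if Clerk enforces that, it is worth documenting here.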