{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-ciam/sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["Notification"]},"type":"markdown"},"seo":{"title":"Country restrictions","siteUrl":"https://developers.frontegg.com/","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"country-restrictions","__idx":0},"children":["Country restrictions"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Country restrictions help you reduce exposure from regions that should not access your application. Use them to enforce compliance requirements, lower the risk of suspicious sign-up and login activity from high-risk geographies, and control where users can sign up and authenticate from."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Notification","attributes":{"title":"Prerequisites","type":"info"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["There are no prerequisites for configuring country restrictions."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"configure-country-restrictions","__idx":1},"children":["Configure country restrictions"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"in-the-frontegg-portal","__idx":2},"children":["In the Frontegg portal"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["You can choose from the following actions when a sign-up or login attempt from a restricted country is detected:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Allow"]}," - Let the user continue when the resolved country matches the 
configured allow list."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Block"]}," - Block the sign-up or login when the resolved country matches the configured block list."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Country restrictions do not support challenge or lock actions."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"notification-email","__idx":3},"children":["Notification email"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Country restrictions can mark blocked sign-up and login events for restriction email handling when the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Notify end user by email"]}," option is enabled. This setting is stored on the country restriction policy and is included in country restriction events so downstream notification flows can decide whether to send an email."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When both environment-level and account-level policies are evaluated, the email flag is enabled if either policy has ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Send restriction email"]}," enabled."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"how-it-works","__idx":4},"children":["How it works"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["If no country restriction policy exists, sign-up and login attempts are allowed by this rule."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["If country restriction is disabled, sign-up and login attempts are allowed by this rule and no country restriction event is emitted."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["If the configured country list is empty, sign-up and login attempts are allowed by this rule."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Country codes are 
normalized by trimming whitespace and converting valid two-letter codes to uppercase."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["If the country cannot be resolved from the provided country code or IP address, Frontegg applies the policy fail strategy. The default fail strategy is ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Allow"]},", so by default an attempt whose country cannot be resolved is allowed by this rule."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["When both environment-level and account-level policies exist, both policies must allow the sign-up or login attempt. A block result from either policy blocks the sign-up or login."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"analyzing-country-restrictions-in-your-app","__idx":5},"children":["Analyzing country restrictions in your app"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"security-events","__idx":6},"children":["Security events"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If you want to see how often country restriction sign-up and login events occur in your app, view them over time in ",{"$$mdtype":"Tag","name":"a","attributes":{"href":"/ciam/guides/security-center/overview"},"children":["Security Events"]},"."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Country restriction events include the engine action, user ID when available, IP address when available, resolved country code when available, and whether restriction email handling was requested."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"logs","__idx":7},"children":["Logs"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When a country restriction is detected, a new log entry appears under the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Security"]}," event type. 
Go to [ENVIRONMENT] → Monitoring → Logs to view these events, or see ",{"$$mdtype":"Tag","name":"a","attributes":{"href":"/ciam/guides/monitoring/events-overview#security-events"},"children":["Logged events"]}," for the full event reference."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["security.country_restriction.detected"]}," log includes the engine action, user ID when available, IP address when available, resolved country code when available, and whether restriction email handling was requested."]}]},"headings":[{"value":"Country restrictions","id":"country-restrictions","depth":2},{"value":"Configure country restrictions","id":"configure-country-restrictions","depth":3},{"value":"In the Frontegg portal","id":"in-the-frontegg-portal","depth":4},{"value":"Notification email","id":"notification-email","depth":3},{"value":"How it works","id":"how-it-works","depth":3},{"value":"Analyzing country restrictions in your app","id":"analyzing-country-restrictions-in-your-app","depth":3},{"value":"Security events","id":"security-events","depth":4},{"value":"Logs","id":"logs","depth":4}],"frontmatter":{"seo":{"title":"Country restrictions"}},"lastModified":"2026-05-27T09:17:30.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/ciam/guides/security-center/security-rules/country-restrictions","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}