# The Users & Permissions plugin's register.allowedFields configuration option defaults to []

> Source: https://docs.strapi.io/cms/migration/v4-to-v5/breaking-changes/register-allowed-fields

In Strapi 5, the Users & Permissions plugin's `register.allowedFields` defaults to an empty array, requiring explicit field allowlisting instead of accepting all fields by default.

This page is part of the [breaking changes database](/cms/migration/v4-to-v5/breaking-changes) and provides information about the breaking change and additional instructions to migrate from Strapi v4 to Strapi 5.

- Is this breaking change affecting plugins? No
- Is this breaking change automatically handled by a codemod? Yes
  - Codemod: [use-uid-for-config-namespace](https://github.com/strapi/strapi/blob/develop/packages/utils/upgrade/resources/codemods/5.0.0/use-uid-for-config-namespace.code.ts)

## Breaking change description

**In Strapi v4**

Any new fields added to the User content type would be accepted by the registration form by default, and Strapi would warn about each field on startup.

Users had the option to set `users-permissions.register.allowedFields` in the `config/plugins.js` file to an array of the fields they wanted to accept on their registration endpoint: for example, `['picture']` to accept a picture attribute on registration, or an empty array `[]` if they did not want to accept anything else.

However, if users did not set any value, that is, when `allowedFields` was undefined, all user fields were accepted.

**In Strapi 5**

An undefined `allowedFields` is treated as an empty array, and no fields are accepted by default. Users must explicitly choose to allow extra fields on registration.

### How it works in Strapi 5

The fields `username`, `email`, and `password` are always accepted by the registration endpoint. They are hardcoded as `alwaysAllowedKeys` in the Users & Permissions feature source. Any other field on the User content-type must be explicitly listed in `allowedFields` or the request will be rejected with a `400` status and an error message like `"Invalid parameters: fieldName"`.
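
The check described above, next to the v4 default, as an added example (a model of the documented behavior, not Strapi's source code). The function names, the `majorVersion` parameter, the return shape, the comma-joined list of several rejected keys and the sample request body are assumptions made for illustration.

```javascript
// Illustrative model of the registration allowlist; not Strapi's own code.
const ALWAYS_ALLOWED_KEYS = ['username', 'email', 'password'];

// Returns the Set of accepted body keys, or null when every key is accepted
// (the Strapi v4 behavior when allowedFields is left undefined).
function acceptedKeys(registerConfig, majorVersion) {
  const allowed = registerConfig ? registerConfig.allowedFields : undefined;
  if (!Array.isArray(allowed)) {
    if (majorVersion === 4) return null;     // v4: undefined accepts all fields
    return new Set(ALWAYS_ALLOWED_KEYS);     // v5: undefined is treated as []
  }
  return new Set([...ALWAYS_ALLOWED_KEYS, ...allowed]);
}

// Hypothetical helper: decides whether a registration body would pass.
function checkRegistration(body, registerConfig, majorVersion = 5) {
  const accepted = acceptedKeys(registerConfig, majorVersion);
  const invalid = accepted === null
    ? []
    : Object.keys(body).filter((key) => !accepted.has(key));
  if (invalid.length > 0) {
    // Joining several keys with ", " is an assumption; the page shows one key.
    return { accepted: false, status: 400, message: `Invalid parameters: ${invalid.join(', ')}` };
  }
  return { accepted: true };
}

// Constructed sample request body: two extra User fields beyond the always-allowed three.
const sampleBody = {
  username: 'ada',
  email: 'ada@example.com',
  password: 'constructed-sample-only',
  firstName: 'Ada',
  internalNotes: 'set by client',
};

// Same body, three configurations.
console.log(checkRegistration(sampleBody, undefined, 4));
console.log(checkRegistration(sampleBody, undefined, 5));
console.log(checkRegistration(sampleBody, { allowedFields: ['firstName', 'lastName'] }, 5));
```

Running the same body through each configuration before upgrading shows which client-supplied fields were being accepted implicitly in v4 and therefore need an explicit decision in `allowedFields`.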

## Migration

This section gathers useful notes and procedures about the introduced breaking change.

### Manual procedure

A codemod should handle this migration. If not, please refer to the documentation on how to [register allowed fields for the Users & Permissions plugin](/cms/features/users-permissions#registration-configuration).

To allow additional fields on registration, update your plugin configuration:

```js title="config/plugins.js"
module.exports = {
  'users-permissions': {
    config: {
      register: {
        allowedFields: ['firstName', 'lastName'],
      },
    },
  },
};
```

If you relied on the Strapi v4 behavior (all fields accepted by default), list every extra field in `allowedFields`. Fields not listed will be silently dropped or rejected.
