Block disposable email signups in Auth0
Use an Auth0 Pre User Registration Action. The Action runs synchronously before Auth0 creates the user: call `api.access.deny()` and the signup is rejected at the auth layer.
The code
```javascript
// Auth0 Dashboard → Actions → Library → Build Custom
// Trigger: pre-user-registration
// Add 'CDE_KEY' to the Action's Secrets.
exports.onExecutePreUserRegistration = async (event, api) => {
  const email = event.user.email;
  if (!email) return;
  let isDisposable = false;
  try {
    const r = await fetch(
      `https://api.checkdisposable.email/v1/check?email=${encodeURIComponent(email)}`,
      { headers: { Authorization: `Bearer ${event.secrets.CDE_KEY}` } }
    );
    if (r.ok) {
      const data = await r.json();
      isDisposable = data.is_disposable === true;
    }
  } catch {
    // fail open — let the registration proceed
    return;
  }
  if (isDisposable) {
    api.access.deny('disposable_email', 'Please use a real email address.');
  }
};
```

Notes
- Action timeout: Pre-registration Actions have a 10-second budget. The API call typically returns in 50ms but always wrap it in try/catch and fail-open so an Auth0-side timeout never blocks real users.
- Secret management: Use the Action editor's Secrets tab — never paste the key into the code. Secrets are encrypted at rest and only the Action runtime can read them.
- Error surfacing: The string passed to `api.access.deny()` becomes the error message Auth0 returns to your app. Universal Login renders it directly, so write it for end-users.
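
The fail-open advice in the Action timeout note depends on the call actually raising an error: try/catch does nothing for a request that simply hangs until something aborts it. The sketch below is an added example, not the vendor's code; it aborts the request itself after an assumed `timeoutMs` and exercises the deny and fail-open paths offline. `isDisposable`, `fetchImpl`, `fakes` and `simulate` are hypothetical names, and the upstream responses are constructed.

```javascript
// Added example, not the vendor's code. timeoutMs, fetchImpl, fakes and
// simulate() are assumptions introduced for illustration and offline testing.
async function isDisposable(email, apiKey, { timeoutMs = 2000, fetchImpl = fetch } = {}) {
  const url = `https://api.checkdisposable.email/v1/check?email=${encodeURIComponent(email)}`;
  const ctl = new AbortController();
  const timer = setTimeout(() => ctl.abort(), timeoutMs); // abort a hung request ourselves
  try {
    const r = await fetchImpl(url, {
      headers: { Authorization: `Bearer ${apiKey}` },
      signal: ctl.signal,
    });
    if (!r.ok) return false; // non-2xx: fail open
    return (await r.json()).is_disposable === true;
  } catch {
    return false; // network error, bad JSON or abort: fail open
  } finally {
    clearTimeout(timer);
  }
}

// In the Action: exports.onExecutePreUserRegistration = onExecutePreUserRegistration;
async function onExecutePreUserRegistration(event, api, opts) {
  const email = event.user.email;
  if (!email) return;
  if (await isDisposable(email, event.secrets.CDE_KEY, opts)) {
    api.access.deny('disposable_email', 'Please use a real email address.');
  }
}

// Constructed upstream behaviours standing in for the real API.
const fakes = {
  disposable: async () => ({ ok: true, json: async () => ({ is_disposable: true }) }),
  clean: async () => ({ ok: true, json: async () => ({ is_disposable: false }) }),
  error500: async () => ({ ok: false, json: async () => ({}) }),
  hang: (_url, { signal }) => new Promise((_resolve, reject) =>
    signal.addEventListener('abort', () => reject(new Error('aborted')))),
};

// Runs the handler against one fake and reports whether the signup was denied.
async function simulate(kind, email = 'user@example.test') {
  let denied = false;
  const api = { access: { deny: () => { denied = true; } } };
  const event = { user: { email }, secrets: { CDE_KEY: 'constructed-key' } };
  await onExecutePreUserRegistration(event, api, { timeoutMs: 50, fetchImpl: fakes[kind] });
  return denied;
}
```

`simulate('hang')` resolves after the 50 ms test timeout with the signup allowed, which is the fail-open path the note describes.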
Get a free API key
500 checks/month, no credit card. 30 seconds.