Block disposable email signups in Firebase
Use a Firebase Cloud Function with the `beforeUserCreated` blocking trigger. The function runs synchronously before Firebase persists the user — throw `HttpsError` to reject.
The code
// functions/src/blockDisposable.ts
// Deploy: firebase deploy --only functions:blockDisposable
import { beforeUserCreated, HttpsError } from 'firebase-functions/v2/identity';
export const blockDisposable = beforeUserCreated(
{ secrets: ['CDE_KEY'] },
async (event) => {
const email = event.data.email;
if (!email) return;
try {
const r = await fetch(
`https://api.checkdisposable.email/v1/check?email=${encodeURIComponent(email)}`,
{ headers: { Authorization: `Bearer ${process.env.CDE_KEY}` } }
);
if (!r.ok) return; // fail open
const data = await r.json();
if (data.is_disposable) {
throw new HttpsError(
'invalid-argument',
'Please use a real email address.'
);
}
} catch (err) {
if (err instanceof HttpsError) throw err;
// network / parse error — fail open
}
}
);Notes
- Enable blocking functions
- Go to Firebase Console → Authentication → Settings → Blocking functions → enable. Without this toggle, your beforeUserCreated handler won't fire.
- Secret manager
- Run `firebase functions:secrets:set CDE_KEY` once. The value is stored in Google Secret Manager and injected at runtime.
- Works for every provider
- beforeUserCreated fires for password signup, Google OAuth, Apple, Facebook, email link — every Firebase auth provider. One function, full coverage.
Get a free API key
500 checks/month, no credit card. No credit card. 30 seconds.
Sign up free →