Block disposable email signups in Next.js (App Router)
Drop a single Route Handler into your Next.js 15 / App Router project. It calls CheckDisposable Email server-side, so the API key never reaches the browser. It works with any auth library (Better Auth, NextAuth, Clerk, Supabase).
The code
```ts
// app/api/signup/route.ts
import { NextResponse } from 'next/server';

// Ask CheckDisposable Email whether the address is disposable.
// Any API failure returns false, so the signup continues (fail open).
async function isDisposable(email: string) {
  try {
    const r = await fetch(
      `https://api.checkdisposable.email/v1/check?email=${encodeURIComponent(email)}`,
      {
        headers: { Authorization: `Bearer ${process.env.CDE_KEY!}` },
        cache: 'no-store',
        // Without a signal the request has no deadline; 3 s is an assumed value.
        signal: AbortSignal.timeout(3000),
      }
    );
    if (!r.ok) return false; // fail open
    const data = await r.json();
    return data.is_disposable === true;
  } catch {
    return false; // fail open on network / timeout
  }
}

export async function POST(req: Request) {
  const { email, password } = await req.json();
  // Reject disposable addresses before any account is created.
  if (await isDisposable(email)) {
    return NextResponse.json(
      { error: 'Please use a real email address.' },
      { status: 400 }
    );
  }
  // ...your existing signup logic (create user, send verification, etc.)
  return NextResponse.json({ ok: true });
}
```
Notes
- Where to put the API key
  - Add `CDE_KEY=cde_live_...` to `.env.local` and `CDE_KEY=` to `.env.example`. Never expose the key in client-side code — keep it server-only.
- Fail-open vs fail-closed
  - The example fails open (lets signup through on API error). For most consumer SaaS this is the right call. For high-fraud verticals (crypto, gambling) you may prefer to fail closed and surface a temporary error to the user.
- Pair with email verification
  - Disposable detection rejects the address before sending the verification email. The two layers compound — disposable detection stops 95% of the bad signups, double opt-in stops what slips through.
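The fail-open and fail-closed choice from the notes above, written as a tri-state check with a switchable policy. This is an added example, not code from the original page or from CheckDisposable Email. The `lookup` wrapper, the `onUnknown` hook, the 503 status and the fail-closed error text are assumptions.

```typescript
type Verdict = 'disposable' | 'clean' | 'unknown';
type Policy = 'fail-open' | 'fail-closed';
type ApiResult = { ok: boolean; status: number; body: unknown };
type Decision = { allow: boolean; status: number; verdict: Verdict; error?: string };

// Only a boolean is_disposable on a 2xx response counts as an answer. Non-2xx
// replies, a failed lookup (null) and malformed bodies are 'unknown', not 'clean'.
function classify(result: ApiResult | null): Verdict {
  if (!result || !result.ok) return 'unknown';
  const flag = (result.body as { is_disposable?: unknown } | null)?.is_disposable;
  if (typeof flag !== 'boolean') return 'unknown';
  return flag ? 'disposable' : 'clean';
}

// Map a verdict to the route's response under the chosen policy.
function decide(verdict: Verdict, policy: Policy): Decision {
  if (verdict === 'disposable') {
    return { allow: false, status: 400, verdict, error: 'Please use a real email address.' };
  }
  if (verdict === 'unknown' && policy === 'fail-closed') {
    // Assumed status and wording for the "temporary error" the note mentions.
    return { allow: false, status: 503, verdict, error: 'Signup is temporarily unavailable.' };
  }
  return { allow: true, status: 200, verdict };
}

// lookup: hypothetical wrapper around the page's fetch call, returning status and
// parsed body. onUnknown: hypothetical hook for a log line or metric, so a run of
// failed checks under fail-open is visible instead of silently disabling the filter.
async function gateSignup(
  email: string,
  policy: Policy,
  lookup: (email: string) => Promise<ApiResult>,
  onUnknown: (detail: string) => void = () => {},
): Promise<Decision> {
  let result: ApiResult | null = null;
  try {
    result = await lookup(email);
  } catch (err) {
    onUnknown(`lookup failed: ${String(err)}`);
  }
  const verdict = classify(result);
  if (verdict === 'unknown' && result) onUnknown(`unusable response, HTTP ${result.status}`);
  return decide(verdict, policy);
}
```

In the Route Handler, `decide` supplies the status and error for `NextResponse.json`, and an `'unknown'` verdict that was allowed through is the case worth alerting on when its rate rises.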
Get a free API key
500 checks/month, no credit card. 30 seconds.