How to block disposable emails in Next.js
May 19, 2026 · 7 min read
Disposable email addresses — the ones from services like mailinator.com or 10minutemail.com — let users sign up without ever giving you a real inbox. They inflate your metrics, break re-engagement emails, and are a common vector for trial abuse. This guide shows three ways to block them in a Next.js app, from a one-line check to middleware.
1. Install the package
@isdisposable/js bundles a list of 160,000+ disposable domains and runs entirely offline — no API key, no network call, no latency.
    npm install @isdisposable/js

2. Block disposable emails in a Server Action
Most modern Next.js signup forms submit through a Server Action. Add the check before you create the user — it's synchronous, so there is no await and no failure mode to handle.
    'use server';

    import { isDisposable } from '@isdisposable/js';

    export async function signup(formData: FormData) {
      // A missing field becomes '' rather than the string "null".
      const email = String(formData.get('email') ?? '');

      // Reject before any user record is created.
      if (isDisposable(email)) {
        return { error: 'Please use a permanent email address.' };
      }

      // ...create the user
    }

3. Block them in a Route Handler
If your signup goes through an API route instead, the pattern is the same — reject early with a 422.
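    import { isDisposable } from '@isdisposable/js';

    export async function POST(req: Request) {
      const { email } = await req.json();

      // The JSON body is untrusted: make sure email is a string before checking it.
      if (typeof email !== 'string') {
        return Response.json({ error: 'Email is required.' }, { status: 400 });
      }

      if (isDisposable(email)) {
        return Response.json(
          { error: 'Disposable email addresses are not allowed.' },
          { status: 422 },
        );
      }

      // ...continue signup
    }

4. Validate on the client for instant feedback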
Server-side validation is the security boundary and must stay. But you can also run the same check in the browser to show an error before the user submits — the package works in both environments.
    'use client';

    import { isDisposable } from '@isdisposable/js';

    // setError is the state setter of the surrounding form component.
    function onBlur(email: string) {
      if (isDisposable(email)) {
        setError('That looks like a temporary email address.');
      }
    }

When to use the hosted API instead
The offline package catches every known disposable domain, and new domains ship in regular updates. If you need to catch brand-new domains the moment they appear — or want MX-record validation and a risk score — the isDisposable API adds live checks on top. Both share the same blocklist, so you can start offline and upgrade later without changing your logic.
Summary
Blocking disposable emails in Next.js is a one-line change: call isDisposable(email) in your Server Action or Route Handler and reject the signup if it returns true. It runs offline, adds no latency, and costs nothing. For brand-new domains and deeper signals, layer the API on top.
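The Route Handler above hands whatever `req.json()` yields to the check, so the handling around the lookup matters as much as the list. The block below is an added example, not code from the original post or from @isdisposable/js: it shows type checking, trimming, case folding, and trailing-dot and subdomain matching around a blocklist lookup. `BLOCKED`, `domainBlocked` and `checkSignupEmail` are hypothetical names, the two-entry list is constructed, and whether the package already normalises input this way is not stated on this page.

```typescript
// Constructed stand-in for a disposable-domain list (not the package's data).
const BLOCKED: Record<string, true> = { 'mailinator.com': true, '10minutemail.com': true };

type Verdict =
  | { ok: true; email: string }
  | { ok: false; status: 400 | 422; error: string };

// Hypothetical helper: true if the domain or any parent domain is listed,
// so "x@inbox.mailinator.com" is treated like "x@mailinator.com".
function domainBlocked(domain: string): boolean {
  let d = domain;
  while (d.indexOf('.') !== -1) {
    // hasOwnProperty keeps inherited keys such as "constructor" from matching.
    if (Object.prototype.hasOwnProperty.call(BLOCKED, d)) return true;
    d = d.slice(d.indexOf('.') + 1); // strip the left-most label
  }
  return false;
}

// Hypothetical helper: validate the untrusted `email` field of a parsed body.
function checkSignupEmail(input: unknown): Verdict {
  if (typeof input !== 'string') {
    return { ok: false, status: 400, error: 'email must be a string' };
  }
  const trimmed = input.trim();
  const at = trimmed.lastIndexOf('@');
  if (at < 1 || at === trimmed.length - 1 || trimmed.length > 254) {
    return { ok: false, status: 400, error: 'email is malformed' };
  }
  // Domains are case-insensitive; also drop a trailing dot ("mailinator.com.").
  const domain = trimmed.slice(at + 1).toLowerCase().replace(/\.$/, '');
  if (domainBlocked(domain)) {
    return { ok: false, status: 422, error: 'Disposable email addresses are not allowed.' };
  }
  // Return the address with a canonical domain for storage and duplicate checks.
  return { ok: true, email: trimmed.slice(0, at + 1) + domain };
}
```

In an app, the lookup inside `domainBlocked` is where a real list or the package's check would be called.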