Email Verification Before Stripe Checkout
Fake and disposable email addresses are a common vector for fraudulent Stripe transactions. This tutorial adds Mailbeam verification before creating a stripe.customers.create call, blocking invalid emails before any Stripe resource is created.
Prerequisites
- Stripe account with API keys
- Node.js 18+ project
- A Mailbeam API key (sign up free)
Setup
npm install @mailbeam/sdk stripe# .env
MAILBEAM_KEY=mb_live_xxxxxxxxxxxxxxxxxxxx
STRIPE_SECRET_KEY=sk_test_xxxxxxxxxxxxxxxxxxxxThe checkout endpoint
// server/routes/checkout.ts
import Stripe from "stripe";
import Mailbeam from "@mailbeam/sdk";
import { Router } from "express";
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);
const mb = new Mailbeam({ apiKey: process.env.MAILBEAM_KEY! });
const router = Router();
router.post("/api/checkout/create-session", async (req, res) => {
const { email, priceId } = req.body;
if (!email || !priceId) {
return res.status(400).json({ error: "email and priceId are required" });
}
// Step 1: Verify email before touching Stripe
try {
const { valid, score, reason } = await mb.verify(email);
if (!valid || score < 60) {
return res.status(422).json({
error:
reason === "disposable_domain"
? "Please use a permanent email address to complete your purchase."
: "Please provide a valid email address.",
code: reason,
});
}
} catch {
// Fail open — don't block payment on Mailbeam error
console.error("[Mailbeam] verification failed, proceeding with checkout");
}
// Step 2: Create or retrieve the Stripe Customer
let customerId: string;
const existingCustomers = await stripe.customers.list({
email,
limit: 1,
});
if (existingCustomers.data.length > 0) {
customerId = existingCustomers.data[0].id;
} else {
const customer = await stripe.customers.create({ email });
customerId = customer.id;
}
// Step 3: Create the Checkout Session
const session = await stripe.checkout.sessions.create({
customer: customerId,
payment_method_types: ["card"],
line_items: [{ price: priceId, quantity: 1 }],
mode: "subscription",
success_url: `${req.headers.origin}/success?session_id={CHECKOUT_SESSION_ID}`,
cancel_url: `${req.headers.origin}/pricing`,
});
res.json({ url: session.url });
});
export default router;Frontend integration
// components/CheckoutButton.tsx
"use client";
import { useState } from "react";
export function CheckoutButton({ email, priceId }: { email: string; priceId: string }) {
const [error, setError] = useState<string | null>(null);
const [loading, setLoading] = useState(false);
async function handleCheckout() {
setLoading(true);
setError(null);
const res = await fetch("/api/checkout/create-session", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ email, priceId }),
});
const data = await res.json();
if (!res.ok) {
setError(data.error);
setLoading(false);
return;
}
// Redirect to Stripe Checkout
window.location.href = data.url;
}
return (
<div>
{error && (
<p className="mb-3 text-sm text-destructive" role="alert">{error}</p>
)}
<button
onClick={handleCheckout}
disabled={loading}
className="rounded-lg bg-primary px-4 py-2 text-sm font-medium text-primary-foreground disabled:opacity-60"
>
{loading ? "Redirecting…" : "Subscribe →"}
</button>
</div>
);
}Best practices
- Verify email before
stripe.customers.create— avoid creating orphaned Stripe customers - Fail open on Mailbeam errors — don't block revenue on API issues
- Check for existing Stripe customers by email to avoid duplicates
- Use the
reasonfield to give users specific error messages