Eight Years and Eight Lines
In January 2018, we integrated Kickbox into walkinto.in to validate email addresses on contact form submissions. The code was standard callback-era Node.js — about twelve lines, clean enough, doing exactly what it said it would do. We set it up, tested it, moved on. Never thought about it again.
In March 2026, a routine GCP credentials security audit flagged KICKBOX_API_KEY sitting hardcoded in a configuration file. The kind of thing that appears on a report as a medium-severity finding: exposed credential, recommend rotation and secrets management. We started the cleanup. Someone looked at the key and asked the obvious question: what does this one do, exactly?
Ninety minutes later, the vendor was gone. Not after a sprint, not after a migration plan, not after a vendor review. After a question.
The replacement: eight lines of Node.js. No API key. No outbound calls. Faster than Kickbox by a factor of ten on latency. Zero data leaving the building on every form submission.
The story of how that happened is a small story. But it seems like it might be the prologue to something larger — a pattern that is beginning to work its way through the entire lower tier of the SaaS economy, one hardcoded key at a time.
What We Were Actually Paying For
It is worth being honest about what the 2018 integration was. It was not technical debt in the usual sense — not a shortcut we knew we'd regret, not expedient code we planned to fix. It was a rational decision, made well.
In 2018, the developer time required to build email validation from scratch had real cost. You would need to understand DNS MX record lookup semantics. You would need a source of truth for disposable email domains like Mailinator and Guerrilla Mail — services that let people create throwaway addresses to get past signup forms. Maintaining that list required ongoing attention. The callback patterns of Node.js at the time made async DNS resolution more involved than it is today. Building and validating the whole thing would take hours, maybe half a day. Kickbox charged per-verification and the math held up: at the volume walkinto.in was processing, the per-call cost was trivially small compared to the developer hours we were not spending.
This is what the SaaS economy of that era was actually selling. Not software, exactly. Developer time, abstracted away and billed monthly or per-use. The product Kickbox was offering was not the API — it was the decision we did not have to make in 2018. The freedom to write kickbox.verify(email, callback) and stop thinking about email infrastructure.
kickbox.verify(data.email, function(err, response) {
if (err || !response) return reject(`Invalid from Email ${data.email}`);
var kickdata = response.body;
if (kickdata.result == 'undeliverable' || kickdata.result == 'unknown')
return reject(`Invalid Email ${data.email} | ${kickdata.reason}`);
resolve();
});
That code is doing several things worth noting. It is written in callback style because async/await was not yet standard practice across the Node.js ecosystem. It is delegating to an external service to answer a question it does not know how to ask itself: does this email address lead anywhere real? And it is trusting the answer, blindly, across an HTTPS call that added 200 to 500 milliseconds to every form submission.
All of that was fine. All of that was reasonable. The conditions of 2018 made it the right call.
What Changed
The March 2026 audit did not discover that the 2018 decision was wrong. It discovered that it had become unnecessary.
When Claude Code removed the Kickbox dependency and asked whether we wanted a replacement, the answer to every sub-problem had already become trivial. MX record lookup is built into Node.js's core dns module — no package required, no configuration, the query goes to your local DNS resolver and comes back in tens of milliseconds. The list of disposable email domains is maintained as an open-source npm package, disposable-email-domains, by a community that has been keeping it current since at least 2015. There are no external dependencies. No API key. No outbound call on each form submission. The function is eight lines:
var disposableDomains = require('disposable-email-domains');
async function validateSenderEmail(email) {
if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email))
throw new Error(`Invalid email: ${email}`);
const domain = email.split('@')[1].toLowerCase();
if (disposableDomains.includes(domain))
throw new Error(`Disposable email not allowed: ${email}`);
const records = await require('dns').promises.resolveMx(domain).catch(() => []);
if (!records.length)
throw new Error(`No mail server for domain: ${domain}`);
}
The comparison is stark enough to sit in a table:
| Dimension | Kickbox (2018) | Native (2026) |
|---|---|---|
| External API calls | One per form submission | None |
| API key required | Yes | No |
| Cost model | Per-verification | Zero |
| Outbound latency | ~200–500ms | ~10–50ms |
| Lines of code | ~15 | 8 |
| Data sent to third party | Email address, every time | Nothing |
The function was not written by a developer sitting down to architect email validation. It was written by an AI model during a security cleanup that was about something else entirely. The cost of answering the question "should we just build this ourselves?" had dropped to approximately zero, so the answer became obvious. The question had been artificially expensive to ask in 2018. Now it wasn't.
The Privacy Line in the Table
It would be easy to pass over the last row in that comparison. It deserves more attention.
For eight years, every time someone filled out a contact form on walkinto.in, their email address was sent to Kickbox. This was not a secret — it was the product's stated function. It was disclosed in a privacy policy. It was fine.
And yet, until the audit, we had not thought about it in exactly those terms. The mental model was: we check the email address. The more accurate model, in retrospect, was: we send the email address to Kickbox, and Kickbox checks it for us, and Kickbox keeps a record of having seen it. That is a different thing. Not sinister — Kickbox is a legitimate company, and SMTP verification is a legitimate service. But it is a different thing.
What strikes me about this is less the privacy dimension specifically and more what it reveals about the texture of delegation. When you offload a function to a SaaS API, you are doing something more than buying convenience. You are extending your system's boundary. Every tool in your stack with a live network connection is an entity with its own data practices, its own uptime, its own infrastructure you are depending on. We had extended that boundary to include Kickbox, and then we had stopped thinking about it, because that is exactly what good SaaS integration is supposed to feel like.
The audit forced us to trace the boundary again. To ask: what are all the places data is going, and why? And for this particular vendor, the answer turned out to be: because it was 2018, and we had not thought to ask since.
The Moat Was Always the Friction
What makes this worth examining beyond the specifics of walkinto.in is the question of what category of product Kickbox represents — and how many other products share that category.
The email validation market is not small. Kickbox competes with ZeroBounce, NeverBounce, BriteVerify, Hunter.io, and several others, all offering variations of the same core service. The collective revenue of that category runs into tens of millions of dollars annually. And the core technical value proposition of every company in it — at the level we were using — is: DNS MX record lookup plus a community-maintained list of disposable domains. That is it. The rest is documentation, a clean API, a dashboard, reasonable uptime, and the comfort of having someone else responsible for maintaining the list.
Until recently, that was enough to constitute a business. The integration friction — the work of building the alternative — was real, and companies were rationally paying to avoid it. The moat was not a technical secret. It was not proprietary data. It was not a network effect. It was friction. The effort required to replicate the function was higher than the cost of the subscription.
AI coding tools have been quietly zeroing out that friction for two years. Not by being smarter about email validation, but by making the cost of writing the code effectively negligible. The question "should we just build this ourselves?" has been getting cheaper to answer with every month that models have improved. For an entire class of SaaS products — single-function APIs built on commodity data — that question is now functionally free to ask. And when the question is free to ask, the answer is usually obvious.
The parallel examples are not hard to find. IP geolocation services charged $25 to $50 a month for data that CDNs now expose as a free request header — Cloudflare has been returning CF-IPCountry for years. Currency conversion APIs have charged monthly subscriptions for data the European Central Bank and Federal Reserve publish freely every day. Phone number formatting libraries, timezone lookup services, postal code validation APIs — the same pattern runs through all of them. The core function was always achievable from public data; what you were paying for was the aggregation and the decision not to build it yourself.
What strikes me most is how long that logic held, and how quickly it didn't. The year-over-year math on developer time, integration effort, and available open-source tooling had been shifting for a long time before AI accelerated it to a threshold. The community-maintained disposable domains list existed. The DNS module existed. What did not exist, or not in a practically useful form, was the agent that could observe the current state of a codebase, understand what a particular vendor was doing, and produce a working replacement in the course of doing something else.
What Survives
It would be a mistake to read this as a general indictment of SaaS, or as a prediction that all of it is going away. The picture is more discriminating than that.
Stripe cannot be replaced by eight lines of code. Not because the problem is technically harder — it is — but because Stripe's core value is not an algorithm. It is a banking relationship. It is a fraud network built from billions of transactions. It is the regulatory relationships and PCI compliance infrastructure that took a decade to build. None of that exists in Node.js core or on npm. The moat is real, and it is made of things AI cannot simply aggregate.
Twilio is the same story. The value is not in routing a phone call — that is a protocol, and the protocol is public. The value is in the carrier relationships, the short-code approvals, the compliance framework, the deliverability reputation built over years of high-volume SMS. That is a network effect, not an algorithm. You cannot open-source your way to Twilio's position in the carrier ecosystem.
Datadog, similarly, is doing something qualitatively different from what Kickbox was doing. Observability at scale is not a function that produces a boolean. The value compounds as the data accumulates — the more infrastructure you instrument, the richer the context, the more useful the anomaly detection. The moat is made of your own operational history. No open-source package contains it.
Fraud detection with live signals is the same. The insight comes from real-time transaction graph data that requires millions of merchants and hundreds of millions of transactions to be meaningful. You cannot synthesize that from public sources.
The distinguishing question seems to be: is the core value an algorithm operating on public data, or is it data that only exists because of the company that built it? If the answer is the former — if what you are paying for is essentially aggregation plus integration convenience — then the economic logic that sustains the product is vulnerable. If the answer is the latter — if the company's value is the proprietary data itself, the network it sits in, or the regulated relationship it embodies — then AI does not threaten it in the same way.
The Kickbox replacement was not clever. It was not innovative. It was not even particularly interesting as code. What it was, was obvious — once the cost of asking the question dropped to zero.
The People in This Story
There is a thing it seems important not to skip over, and that is the human question at the far end of this.
Somewhere, there are engineers who spent real time building Kickbox. Who thought carefully about the SMTP verification logic, about edge cases in internationalized email addresses, about how to handle greylisting and catch-all domains. Who maintained the disposable-email detection, triaged the reports, pushed the updates. Who built the API wrapper, wrote the documentation, made the SDK feel clean enough that integrations like ours took twelve lines in 2018 instead of a hundred.
That work was real. The craft in it was real. The problem it solved was real. And it now finds itself in a category where the primary competitive threat is not another company with a better product — it is a developer with an AI that can write the replacement in the margin of a security cleanup.
This is a different kind of displacement than most technology disruptions produce. The usual pattern — the Christensen pattern — is that a scrappy new entrant starts at the low end, gets good enough, and works its way up until it has taken the market. The disrupted companies can at least understand that. They can track the competitor. They can respond. What is happening now to single-function API SaaS is stranger: the market is not being taken. It is being made optional. The question "should we pay for this?" is collapsing into "should we need this?" — and for an entire stratum of products, the answer is proving to be no.
The engineers who built in this category are not being replaced by AI directly. They are being displaced by the same thing that has displaced craftspeople in every technological transition: the mechanization of the particular judgment call they were being paid to save others from having to make.
What does craft mean when the function it produces can be replicated, during a routine security audit, by an AI working on something else? I do not think the answer is that the craft never mattered. The disposable-email domains list exists because someone maintained it. The DNS module in Node.js exists because engineers built it. The open-source ecosystem that makes the eight-line replacement possible is itself a monument to accumulated technical judgment. The craft went somewhere. It became infrastructure.
But the companies and the subscriptions built on top of that infrastructure — on the friction of accessing it, on the integration effort that once stood between a developer and a working solution — those are in a different position. And the transition is happening, as these transitions tend to, much faster and quieter than anyone expected.
A security audit found a hardcoded API key. Ninety minutes later, the vendor was gone. The forms still work.
walkinto.in is a virtual tour platform that lets businesses create interactive 3D experiences for remote exploration. The replacement email validation function has been in production since March 15, 2026, with zero regressions.
