Arcjet is the runtime security platform that ships with your AI code. Stop bots and automated attacks from burning your AI budget, leaking data, or misusing tools with Arcjet's AI security building blocks.
This is the monorepo containing various Arcjet open source packages for JS.
- Get your API key — Sign up at
app.arcjet.com. - Install the SDK for your framework: Every feature works with any JavaScript application.
| Framework | Package | Install |
|---|---|---|
| Next.js | @arcjet/next |
npm i @arcjet/next |
| Node.js | @arcjet/node |
npm i @arcjet/node |
| Bun | @arcjet/bun |
bun add @arcjet/bun |
| Deno | @arcjet/deno |
deno add npm:@arcjet/deno |
| Express | @arcjet/node |
npm i @arcjet/node |
| Fastify | @arcjet/fastify |
npm i @arcjet/fastify |
| Hono | @arcjet/node or @arcjet/bun |
npm i @arcjet/node |
| NestJS | @arcjet/nest |
npm i @arcjet/nest |
| Nuxt | @arcjet/nuxt |
npm i @arcjet/nuxt |
| Remix | @arcjet/remix |
npm i @arcjet/remix |
| React Router | @arcjet/react-router |
npm i @arcjet/react-router |
| SvelteKit | @arcjet/sveltekit |
npm i @arcjet/sveltekit |
| Astro | @arcjet/astro |
npm i @arcjet/astro |
- Set your environment variable:
# .env.local (or your framework's env file)
ARCJET_KEY=ajkey_yourkey- Protect a route — see the AI protection example or individual feature examples below.
Join our Discord server or reach out for support.
- Documentation — full reference and guides
- Example apps — working starter projects for every framework
- Blueprints — recipes for common security patterns
- 🔒 Prompt Injection Detection — detect and block prompt injection attacks before they reach your LLM.
- 🤖 Bot Protection — stop scrapers, credential stuffers, and AI crawlers from abusing your endpoints.
- 🛑 Rate Limiting — token bucket, fixed window, and sliding window algorithms; model AI token budgets per user.
- 🕵️ Sensitive Information Detection — block PII, credit cards, and custom patterns from entering your AI pipeline.
- 🛡️ Shield WAF — protect against SQL injection, XSS, and other common web attacks.
- 📧 Email Validation — block disposable, invalid, and undeliverable addresses at signup.
- 📝 Signup Form Protection — combines bot protection, email validation, and rate limiting to protect your signup forms.
- 🎯 Request Filters — expression-based rules on IP, path, headers, and custom fields.
- 🌐 IP Analysis — geolocation, ASN, VPN, proxy, Tor, and hosting detection included with every request.
- Astro
- Deno
- Express
- FastAPI
- Fastify
- NestJS
- Next.js (try live)
- Nuxt
- React Router
- Remix
- SvelteKit
- Tanstack Start
- AI quota control
- Cookie banner
- Custom rule
- IP geolocation
- Feedback form
- Malicious traffic
- Payment form
- Sampling traffic
- VPN & proxy
Read the docs at docs.arcjet.com.
Note: Examples below use
@arcjet/nextfor illustration. Replace with the SDK for your runtime —@arcjet/node,@arcjet/bun,@arcjet/sveltekit, etc. The API is identical across all SDKs.
This example protects a Next.js AI chat route using the Vercel AI SDK: blocking automated clients that inflate costs, enforcing per-user token budgets, detecting sensitive information in messages, and blocking prompt injection attacks before they reach the model.
// app/api/chat/route.ts
import { openai } from "@ai-sdk/openai";
import arcjet, {
detectBot,
detectPromptInjection,
sensitiveInfo,
shield,
tokenBucket,
} from "@arcjet/next";
import type { UIMessage } from "ai";
import { convertToModelMessages, isTextUIPart, streamText } from "ai";
const aj = arcjet({
key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com
// Track budgets per user — replace "userId" with any stable identifier
characteristics: ["userId"],
rules: [
// Shield protects against common web attacks e.g. SQL injection
shield({ mode: "LIVE" }),
// Block all automated clients — bots inflate AI costs
detectBot({
mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only
allow: [], // Block all bots. See https://arcjet.com/bot-list
}),
// Enforce budgets to control AI costs. Adjust rates and limits as needed.
tokenBucket({
mode: "LIVE",
refillRate: 2_000, // Refill 2,000 tokens per hour
interval: "1h",
capacity: 5_000, // Maximum 5,000 tokens in the bucket
}),
// Block messages containing sensitive information to prevent data leaks
sensitiveInfo({
mode: "LIVE",
// Block PII types that should never appear in AI prompts.
// Remove types your app legitimately handles (e.g. EMAIL for a support bot).
deny: ["CREDIT_CARD_NUMBER", "EMAIL"],
}),
// Detect prompt injection attacks before they reach your AI model
detectPromptInjection({
mode: "LIVE",
}),
],
});
export async function POST(req: Request) {
const userId = "user-123"; // Replace with your session/auth lookup
const { messages }: { messages: UIMessage[] } = await req.json();
const modelMessages = await convertToModelMessages(messages);
// Estimate token cost: ~1 token per 4 characters of text (rough heuristic)
const totalChars = modelMessages.reduce((sum, m) => {
const content =
typeof m.content === "string" ? m.content : JSON.stringify(m.content);
return sum + content.length;
}, 0);
const estimate = Math.ceil(totalChars / 4);
// Extract the most recent user message to scan for injection and PII
const lastMessage: string = (messages.at(-1)?.parts ?? [])
.filter(isTextUIPart)
.map((p) => p.text)
.join(" ");
const decision = await aj.protect(req, {
userId,
requested: estimate,
sensitiveInfoValue: lastMessage,
detectPromptInjectionMessage: lastMessage,
});
if (decision.isDenied()) {
if (decision.reason.isBot()) {
return new Response("Automated clients are not permitted", {
status: 403,
});
} else if (decision.reason.isRateLimit()) {
return new Response("AI usage limit exceeded", { status: 429 });
} else if (decision.reason.isSensitiveInfo()) {
return new Response("Sensitive information detected", { status: 400 });
} else if (decision.reason.isPromptInjection()) {
return new Response(
"Prompt injection detected — please rephrase your message",
{ status: 400 },
);
} else {
return new Response("Forbidden", { status: 403 });
}
}
const result = await streamText({
model: openai("gpt-4o"),
messages: modelMessages,
});
return result.toUIMessageStreamResponse();
}Detect and block prompt injection attacks — attempts to override your AI
model's instructions — before they reach your model. Pass the user's message
via detectPromptInjectionMessage on each protect() call. Tune sensitivity
with the threshold parameter (0.0–1.0, default 0.5) — higher values are more
conservative.
import arcjet, { detectPromptInjection } from "@arcjet/next";
const aj = arcjet({
key: process.env.ARCJET_KEY!,
rules: [
detectPromptInjection({
mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only
threshold: 0.5, // Score above which requests are blocked (default: 0.5)
}),
],
});
export async function POST(request: Request) {
const { message } = await request.json();
const decision = await aj.protect(request, {
detectPromptInjectionMessage: message,
});
if (decision.isDenied() && decision.reason.isPromptInjection()) {
return new Response(
"Prompt injection detected — please rephrase your message",
{ status: 400 },
);
}
// Forward to your AI model...
}Arcjet allows you to configure a list of bots to allow or deny. Specifying
allow means all other bots are denied. An empty allow list blocks all bots.
Available categories: CATEGORY:ACADEMIC, CATEGORY:ADVERTISING,
CATEGORY:AI, CATEGORY:AMAZON, CATEGORY:APPLE, CATEGORY:ARCHIVE,
CATEGORY:BOTNET, CATEGORY:FEEDFETCHER, CATEGORY:GOOGLE,
CATEGORY:META, CATEGORY:MICROSOFT, CATEGORY:MONITOR,
CATEGORY:OPTIMIZER, CATEGORY:PREVIEW, CATEGORY:PROGRAMMATIC,
CATEGORY:SEARCH_ENGINE, CATEGORY:SLACK, CATEGORY:SOCIAL,
CATEGORY:TOOL, CATEGORY:UNKNOWN, CATEGORY:VERCEL,
CATEGORY:WEBHOOK, CATEGORY:YAHOO. You can also allow or deny
specific bots by name.
import arcjet, { detectBot } from "@arcjet/next";
import { isSpoofedBot } from "@arcjet/inspect";
const aj = arcjet({
key: process.env.ARCJET_KEY!,
rules: [
detectBot({
mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only
allow: [
"CATEGORY:SEARCH_ENGINE", // Google, Bing, etc
// Uncomment to allow these other common bot categories:
// "CATEGORY:MONITOR", // Uptime monitoring services
// "CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord
// See the full list at https://arcjet.com/bot-list
],
}),
],
});
export async function GET(request: Request) {
const decision = await aj.protect(request);
if (decision.isDenied() && decision.reason.isBot()) {
return new Response("No bots allowed", { status: 403 });
}
// Arcjet verifies the authenticity of common bots using IP data.
// Verification isn't always possible, so check the results separately.
// https://docs.arcjet.com/bot-protection/reference#bot-verification
if (decision.results.some(isSpoofedBot)) {
return new Response("Forbidden", { status: 403 });
}
return new Response("Hello world");
}Bots can be configured by category and/or by specific bot name. For example, to allow search engines and the OpenAI crawler, but deny all other bots:
detectBot({
mode: "LIVE",
allow: ["CATEGORY:SEARCH_ENGINE", "OPENAI_CRAWLER_SEARCH"],
});Arcjet supports token bucket, fixed window, and sliding window algorithms.
Token buckets are ideal for controlling AI token budgets — set capacity to
the max tokens a user can spend, refillRate to how many tokens are restored
per interval, and deduct tokens per request via requested in protect().
The interval accepts strings ("1s", "1m", "1h", "1d") or seconds as
a number. Use characteristics to track limits per user instead of per IP.
import arcjet, { tokenBucket } from "@arcjet/next";
const aj = arcjet({
key: process.env.ARCJET_KEY!,
characteristics: ["userId"], // Track per user
rules: [
tokenBucket({
mode: "LIVE",
refillRate: 2_000, // Refill 2,000 tokens per hour
interval: "1h",
capacity: 5_000, // Maximum 5,000 tokens in the bucket
}),
],
});
const decision = await aj.protect(request, {
userId: "user-123",
requested: estimate, // Number of tokens to deduct
});
if (decision.isDenied() && decision.reason.isRateLimit()) {
return new Response("AI usage limit exceeded", { status: 429 });
}Detect and block PII in request content. Pass the content to scan via
sensitiveInfoValue on each protect() call. Built-in entity types:
CREDIT_CARD_NUMBER, EMAIL, PHONE_NUMBER, IP_ADDRESS. You can also
provide a custom detect callback for additional patterns.
import arcjet, { sensitiveInfo } from "@arcjet/next";
const aj = arcjet({
key: process.env.ARCJET_KEY!,
rules: [
sensitiveInfo({
mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only
deny: ["CREDIT_CARD_NUMBER", "EMAIL", "PHONE_NUMBER"],
}),
],
});
const decision = await aj.protect(request, {
sensitiveInfoValue: userMessage,
});
if (decision.isDenied() && decision.reason.isSensitiveInfo()) {
return new Response("Sensitive information detected", { status: 400 });
}Protect your application against common web attacks, including the OWASP Top 10.
import arcjet, { shield } from "@arcjet/next";
const aj = arcjet({
key: process.env.ARCJET_KEY!,
rules: [
shield({
mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only
}),
],
});Validate and verify email addresses. Deny types: DISPOSABLE, FREE,
NO_MX_RECORDS, NO_GRAVATAR, INVALID.
import arcjet, { validateEmail } from "@arcjet/next";
const aj = arcjet({
key: process.env.ARCJET_KEY!,
rules: [
validateEmail({
mode: "LIVE",
deny: ["DISPOSABLE", "INVALID", "NO_MX_RECORDS"],
}),
],
});
const decision = await aj.protect(request, {
email: "user@example.com",
});
if (decision.isDenied() && decision.reason.isEmail()) {
return new Response("Invalid email address", { status: 400 });
}Filter requests using expression-based rules against request properties (IP, headers, path, method, etc.).
import arcjet, { filter } from "@arcjet/next";
const aj = arcjet({
key: process.env.ARCJET_KEY!,
rules: [
filter({
mode: "LIVE",
deny: ['ip.src == "1.2.3.4"', 'http.request.uri.path contains "/admin"'],
}),
],
});Restrict access to specific countries — useful for licensing, compliance, or
regional rollouts. The allow list denies all countries not listed:
filter({
mode: "LIVE",
// Allow only US traffic — all other countries are denied
allow: ['ip.src.country == "US"'],
});Prevent anonymized traffic from accessing sensitive endpoints — useful for fraud prevention, enforcing geo-restrictions, and reducing abuse:
filter({
mode: "LIVE",
deny: [
"ip.src.vpn", // VPN services
"ip.src.proxy", // Open proxies
"ip.src.tor", // Tor exit nodes
],
});For more nuanced handling, use decision.ip helpers after calling protect():
const decision = await aj.protect(request);
if (decision.ip.isVpn() || decision.ip.isTor()) {
return new Response("VPN traffic not allowed", { status: 403 });
}See the Request Filters docs, IP Geolocation blueprint, and VPN/Proxy Detection blueprint for more details.
Arcjet enriches every request with IP metadata. Use these helpers to make policy decisions based on network signals:
const decision = await aj.protect(request);
if (decision.ip.isHosting()) {
// Requests from cloud/hosting providers are often automated.
// https://docs.arcjet.com/blueprints/vpn-proxy-detection
return new Response("Forbidden", { status: 403 });
}
if (decision.ip.isVpn() || decision.ip.isProxy() || decision.ip.isTor()) {
// Handle VPN/proxy traffic according to your policy
}
// Access geolocation and network details
console.log(decision.ip.country, decision.ip.city, decision.ip.asn);Track and limit requests by any stable identifier — user ID, API key, session, etc. — rather than IP address alone.
const aj = arcjet({
key: process.env.ARCJET_KEY!,
characteristics: ["userId"], // Declare at the SDK level
rules: [
tokenBucket({
mode: "LIVE",
refillRate: 2_000,
interval: "1h",
capacity: 5_000,
}),
],
});
// Pass the characteristic value at request time
const decision = await aj.protect(request, {
userId: "user-123",
requested: estimate,
});See the Arcjet best practices for detailed guidance. Key recommendations:
Create a single client instance and reuse it across your app using
withRule() to attach route-specific rules. The SDK caches decisions and
configuration, so creating a new instance per request wastes that work.
// lib/arcjet.ts — create once, import everywhere
import arcjet, { shield } from "@arcjet/next";
// Replace @arcjet/next with @arcjet/node, @arcjet/bun, etc. for your runtime
export default arcjet({
key: process.env.ARCJET_KEY!,
rules: [
shield({ mode: "LIVE" }), // base rules applied to every request
],
});// app/api/chat/route.ts — extend per-route with withRule()
import aj from "@/lib/arcjet";
import { detectBot, tokenBucket } from "@arcjet/next";
const routeAj = aj.withRule(detectBot({ mode: "LIVE", allow: [] })).withRule(
tokenBucket({
mode: "LIVE",
refillRate: 2_000,
interval: "1h",
capacity: 5_000,
}),
);
export async function POST(req: Request) {
const decision = await routeAj.protect(req, { requested: 500 });
// ...
}Other recommendations:
- Call
protect()in route handlers, not middleware. Middleware lacks route context, making it hard to apply route-specific rules or customize responses. - Call
protect()once per request. Calling it in both middleware and a handler doubles the work and can produce unexpected results. - Start rules in
DRY_RUNmode to observe behavior before switching toLIVE. This lets you tune thresholds without affecting real traffic. - Configure proxies if your app runs behind a load balancer or reverse
proxy so Arcjet resolves the real client IP:
arcjet({ key: process.env.ARCJET_KEY!, rules: [], proxies: ["100.100.100.100"], });
- Handle errors explicitly.
protect()never throws — on error it returns anERRORresult. Fail open by logging and allowing the request:if (decision.isErrored()) { console.error("Arcjet error", decision.reason.message); // allow the request to proceed }
We provide the source code for various packages in this repository, so you can find a specific one through the categories and descriptions below.
@arcjet/astro: SDK for Astro.@arcjet/bun: SDK for Bun.@arcjet/deno: SDK for Deno.@arcjet/fastify: SDK for Fastify.@arcjet/nest: SDK for NestJS.@arcjet/next: SDK for Next.js.@arcjet/node: SDK for Node.js.@arcjet/nuxt: SDK for Nuxt.@arcjet/react-router: SDK for React Router.@arcjet/remix: SDK for Remix.@arcjet/sveltekit: SDK for SvelteKit.
See the docs for details.
@nosecone/next: Protect your Next.js application with secure headers.@nosecone/sveltekit: Protect your SvelteKit application with secure headers.nosecone: Protect yourResponsewith secure headers.
@arcjet/analyze: Local analysis engine.@arcjet/body: Extract the body from a stream.@arcjet/cache: Basic cache interface and implementations.@arcjet/decorate: Decorate responses with info.@arcjet/duration: Parse duration strings.@arcjet/env: Environment detection.@arcjet/headers: Extension of the Headers class.@arcjet/inspect: Inspect decisions made by an SDK.@arcjet/ip: Find the originating IP of a request.@arcjet/logger: Lightweight logger which mirrors the Pino structured logger interface.@arcjet/protocol: JS interface into the protocol.@arcjet/redact: Redact & unredact sensitive info from strings.@arcjet/runtime: Runtime detection.@arcjet/sprintf: Platform-independent replacement forutil.format.@arcjet/stable-hash: Stable hashing.@arcjet/transport: Transport mechanisms for the Arcjet protocol.arcjet: JS SDK core.
@arcjet/eslint-config: Custom eslint config for our projects.@arcjet/rollup-config: Custom rollup config for our projects.
This repository follows the Arcjet Support Policy.
This repository follows the Arcjet Security Policy.
This is a monorepo managed with npm workspaces and
Turborepo. Each package lives in its own directory at the repo
root (e.g. arcjet-next/, analyze/).
If you want to use Arcjet then you should install a specific package for your
runtime (e.g. @arcjet/next for Next.js). If you want to contribute to the
development of the SDKs see CONTRIBUTING.md.
Packages maintained in this repository are compatible with LTS versions of Node.js and the current minor release of TypeScript.
Licensed under the Apache License, Version 2.0.