Defining custom rules
The Arcjet SDK can be augmented with custom rules written by users, as long as
they match the format defined by our @arcjet/protocol
package. These rules
will only be run locally since the Arcjet service doesn’t know about them;
however, they can still be useful for some use cases.
The structure of a local rule is:
For example, you may want to validate form input as part of your Arcjet protections before a request reaches your route handler, such as via Next.js middleware.
Local rule: Zod + Body validation
If we want to run Zod schema validation against the request body, we need to create a new local rule:
As long as it conforms to the local rule interface, this rule can be consumed by the Arcjet SDK like any other rule!
When aj.protect()
is called, inside middleware or directly inside a route,
this custom local rule will be executed and deny the request if the body doesn’t
pass validation.