Skip to content
Arcjet Docs

Bot types

By default, Arcjet will not block any clients. You can choose which types you wish to block in the bots.block configuration option:

  • NOT_ANALYZED - We could not analyze the request, perhaps because of insufficient information or because the bot analysis can’t be executed in this environment. We do not recommend blocking these requests. Represented by a score of 0.
  • AUTOMATED - We are sure the request was made by an automated bot. We recommend blocking these requests for paths which are for humans only e.g. login or signup pages, but not blocking for API paths. Represented by a score of 1.
  • LIKELY_AUTOMATED - We have some evidence that the request was made by an automated bot. The degree of certainty is represented by a score range of 2-29 (higher = greater certainty).
  • LIKELY_NOT_A_BOT - We don’t think this request was made by an automated bot. The degree of certainty is represented by a score range of 30-99 (higher = greater certainty).
  • VERIFIED_BOT - We are sure the request was made by an automated bot and it is on our list of verified good bots. This is a list maintained by the Arcjet team and includes bots such as monitoring agents and friendly search engine crawlers. In most cases you can allow these requests on public pages, but you may wish to block them for internal or private paths. Represented by a score of 100.

Bot detection result

Arcjet returns more information about what type of client we think made the request:

  • botType (ArcjetBotType) and botScore (int) indicate the type of client we think it is and the degree of certainty as represented by the integer score.
  • ipHosting (bool): whether the IP address of the client is owned by a hosting provider. Requests originating from a hosting provider IP significantly increase the likelihood that this is an automated client.
  • ipVpn (bool): whether the IP address of the client is owned by a VPN provider. Many people use VPNs for privacy or work purposes, so by itself this is not an indicator of the client being automated. However, it does increase the risk score of the client and depending on your use case it may be a characteristic you wish to restrict.
  • ipProxy (bool): whether the IP address of the client is owned by a proxy provider. Similar to isVpn, but proxies are more likely to involve automated traffic.
  • ipTor (bool): whether the IP address of the client is known to be part of the Tor network. As with ipVpn, there are legitimate uses for hiding your identity through Tor, however it is also often a way to hide the origin of malicious traffic.
  • ipRelay (bool): whether the IP address of the client is owned by a relay service. The most common example is Apple iCloud Relay, which indicates the client is less likely to be automated because Apple requires a paid subscription linked to an Apple account in good standing.
  • userAgentMatch (bool): whether the client user agent matched one of our known bot user agents. Good bots identify themselves by user agent, but bad bots may masquerade as good bots. This is only useful when combined with our list of verified IPs to return the bot type of VERIFIED_BOT.

These are all available in the decision response. See the Next.js documentation for an example of accessing this.