Arcjet bot detection allows you to manage traffic by automated clients and bots.
What is Arcjet?
Arcjet helps developers protect their apps in just a few lines of code. Bot detection. Rate limiting. Email validation. Attack protection. Data redaction. A developer-first approach to security.Quick start
Section titled “Quick start”This guide will show you how to protect your entire
1. Install Arcjet
Section titled “1. Install Arcjet”In your project root, run the following command to install the SDK:
bun add @arcjet/bun @arcjet/inspectOur @arcjet/bun package is built for
Bun’s HTTP server. If your application relies
on Bun’s Node.js Compatiblity
(uses node:http or a Node.js framework like express) you should instead
follow our guide for Node.js.
deno add npm:@arcjet/deno npm:@arcjet/inspectnpm i @arcjet/nestpnpm add @arcjet/nestyarn add @arcjet/nestnpm i @arcjet/next @arcjet/inspectpnpm add @arcjet/next @arcjet/inspectyarn add @arcjet/next @arcjet/inspectnpm i @arcjet/node @arcjet/inspectpnpm add @arcjet/node @arcjet/inspectyarn add @arcjet/node @arcjet/inspectnpm i @arcjet/remix @arcjet/inspectpnpm add @arcjet/remix @arcjet/inspectyarn add @arcjet/remix @arcjet/inspectnpm i @arcjet/sveltekit @arcjet/inspectpnpm add @arcjet/sveltekit @arcjet/inspectyarn add @arcjet/sveltekit @arcjet/inspectnpx astro add @arcjet/astropnpm astro add @arcjet/astroyarn astro add @arcjet/astroThis automatically installs and configures the Arcjet Astro integration in your project. Learn more about how this works in the Astro docs . Alternatively, you can follow the manual installation instructions.
Manual installation instruction
In your project root, run the following command:
npm add @arcjet/astropnpm add @arcjet/astroyarn add @arcjet/astroUpdate your Astro configuration file:
import { defineConfig } from "astro/config";import node from "@astrojs/node";import arcjet from "@arcjet/astro";
// https://astro.build/configexport default defineConfig({ adapter: node({ mode: "standalone", }), env: { // We recommend enabling secret validation validateSecrets: true, }, integrations: [ // Add the Arcjet Astro integration arcjet(), ],});Next, run the following command to install the @arcjet/inspect
library, which provides a set of utilities to more easily interact with the
decision returned from an Arcjet SDK:
npm add @arcjet/inspectpnpm add @arcjet/inspectyarn add @arcjet/inspectnpx nuxt module add @arcjet/nuxtpnpm nuxt module add @arcjet/nuxtyarn nuxt module add @arcjet/nuxtThis automatically installs and configures the Arcjet Nuxt integration in your project. Learn more about how this works in the Nuxt docs. Alternatively, you can follow the manual installation instructions.
Manual installation instruction
In your project root, run the following command:
npm install @arcjet/nuxtpnpm add @arcjet/nuxtyarn add @arcjet/nuxtUpdate your Nuxt configuration file:
export default defineNuxtConfig({ arcjet: { key: process.env.ARCJET_KEY, }, compatibilityDate: "2025-07-15", devtools: { enabled: true }, modules: ["@arcjet/nuxt"],});Next, run the following command to install the @arcjet/inspect
library, which provides a set of utilities to more easily interact with the
decision returned from an Arcjet SDK:
npm add @arcjet/inspectpnpm add @arcjet/inspectyarn add @arcjet/inspect2. Set your key
Section titled “2. Set your key”Create a free Arcjet account then follow the instructions to add a site and get a key.
The Arcjet Astro integration reads your Arcjet key from the ARCJET_KEY
environment variable. During development, add your key to a .env.local file
in your project root. Astro will automatically load the environment
variables from this file, learn more in the
Astro docs.
# Get your site key from https://app.arcjet.comARCJET_KEY=ajkey_yourkeyAdd your key to a .env.local file in your project root.
# NODE_ENV is not set automatically, so tell Arcjet we're in dev# You can leave this unset in prodARCJET_ENV=development# Get your site key from https://app.arcjet.comARCJET_KEY=ajkey_yourkeyIP Address
Since Bun doesn’t set NODE_ENV for you, you also need to set ARCJET_ENV in
your environment file. This allows Arcjet to accept a local IP address for
development purposes.
Add your key to a .env file in your project root.
# NODE_ENV is not set automatically, so tell Arcjet we're in dev# You can leave this unset in prodARCJET_ENV=development# Get your site key from https://app.arcjet.comARCJET_KEY=ajkey_yourkeyIP Address
Since Deno doesn’t set NODE_ENV for you, you also need to set ARCJET_ENV in
your environment file. This allows Arcjet to accept a local IP address for
development purposes.
Add your key to a .env.local file in your project root.
# NODE_ENV is not set automatically, so tell Arcjet we're in dev# You can leave this unset in prodARCJET_ENV=development# Get your site key from https://app.arcjet.comARCJET_KEY=ajkey_yourkeyIP Address
Since NestJS doesn’t set NODE_ENV for you, you also need to set ARCJET_ENV
in your environment file. This allows Arcjet to accept a local IP address for
development purposes.
Add your key to a .env.local file in your project root.
ARCJET_KEY=ajkey_yourkeyAdd your key to a .env.local file in your project root.
# NODE_ENV is not set automatically, so tell Arcjet we're in dev# You can leave this unset in prodARCJET_ENV=development# Get your site key from https://app.arcjet.comARCJET_KEY=ajkey_yourkeyIP Address
Since Node.js doesn’t set NODE_ENV for you, you also need to set ARCJET_ENV
in your environment file. This allows Arcjet to accept a local IP address for
development purposes.
The Arcjet Nuxt integration reads your Arcjet key from the ARCJET_KEY
environment variable. During development, add your key to a .env file in your
project root. Nuxt will automatically load the environment variables from this
file, learn more in the
Nuxt docs.
# Get your site key from https://app.arcjet.comARCJET_KEY=ajkey_yourkeyAdd your key to a .env.local file in your project root.
# Get your site key from https://app.arcjet.comARCJET_KEY=ajkey_yourkeyAdd your key to a .env file in your project root.
ARCJET_KEY=ajkey_yourkey3. Add bot protection
Section titled “3. Add bot protection”Create a new API route at /src/routes/api/arcjet/+server.js:
import { env } from "$env/dynamic/private";import arcjet, { detectBot } from "@arcjet/sveltekit";import { isSpoofedBot } from "@arcjet/inspect";import { error } from "@sveltejs/kit";
const aj = arcjet({ key: env.ARCJET_KEY, // Get your site key from https://app.arcjet.com rules: [ detectBot({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), ],});
export async function handle({ event, resolve }) { const decision = await aj.protect(event);
// Bots not in the allow list will be blocked if (decision.isDenied()) { return error(403, "Forbidden"); }
// Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection if (decision.ip.isHosting()) { return error(403, "Forbidden"); }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the results // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { return error(403, "Forbidden"); }
return resolve(event);}Create a new API route at /src/routes/api/arcjet/+server.ts:
import { env } from "$env/dynamic/private";import arcjet, { detectBot } from "@arcjet/sveltekit";import { isSpoofedBot } from "@arcjet/inspect";import { error, type RequestEvent } from "@sveltejs/kit";
const aj = arcjet({ key: env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com rules: [ detectBot({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), ],});
export async function handle({ event, resolve,}: { event: RequestEvent; resolve: (event: RequestEvent) => Response | Promise<Response>;}): Promise<Response> { const decision = await aj.protect(event);
// Bots not in the allow list will be blocked if (decision.isDenied()) { return error(403, "Forbidden"); }
// Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection if (decision.ip.isHosting()) { return error(403, "Forbidden"); }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the results // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { return error(403, "Forbidden"); }
return resolve(event);}For this quick start we will enable Arcjet Bot Protection across of all the dynamic routes in your Astro application using Astro middleware . Learn about how to protect static routes in our Astro SDK reference docs.
Create a file called middleware.ts in your project’s src directory.
import { defineMiddleware } from "astro:middleware";import arcjet, { detectBot } from "arcjet:client";import { isSpoofedBot } from "@arcjet/inspect";
const aj = arcjet.withRule( detectBot({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }),);
export const onRequest = defineMiddleware(async (context, next) => { // Arcjet can be run in your middleware; however, Arcjet can only be run // on requests that are not prerendered. if (context.isPrerendered) { return next(); }
const decision = await aj.protect(context.request);
// Bots not in the allow list will be blocked if (decision.isDenied()) { return Response.json({ error: "Forbidden" }, { status: 403 }); }
// Arcjet paid plans verify the authenticity of common bots using IP data. // Verification isn't always possible, so we recommend checking the results // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { return Response.json({ error: "Forbidden" }, { status: 403 }); }
return next();});Create a file called middleware.ts in your project’s src directory.
import { defineMiddleware } from "astro:middleware";import arcjet, { detectBot } from "arcjet:client";import { isSpoofedBot } from "@arcjet/inspect";
const aj = arcjet.withRule( detectBot({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }),);
export const onRequest = defineMiddleware(async (context, next) => { // Arcjet can be run in your middleware; however, Arcjet can only be run // on requests that are not prerendered. if (context.isPrerendered) { return next(); }
const decision = await aj.protect(context.request);
// Bots not in the allow list will be blocked if (decision.isDenied()) { return Response.json({ error: "Forbidden" }, { status: 403 }); }
// Arcjet paid plans verify the authenticity of common bots using IP data. // Verification isn't always possible, so we recommend checking the results // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { return Response.json({ error: "Forbidden" }, { status: 403 }); }
return next();});The example below will return a 403 Forbidden response for all requests from clients we are sure are automated.
import arcjet, { detectBot } from "@arcjet/bun";import { isSpoofedBot } from "@arcjet/inspect";import { env } from "bun";
const aj = arcjet({ key: env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com rules: [ detectBot({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), ],});
export default { port: 3000, fetch: aj.handler(async (req) => { const decision = await aj.protect(req);
// Bots not in the allow list will be blocked if (decision.isDenied()) { return new Response("Forbidden", { status: 403 }); }
// Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection if (decision.ip.isHosting()) { return new Response("Forbidden", { status: 403 }); }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the results // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { return new Response("Forbidden", { status: 403 }); }
return new Response("Hello world"); }),};import arcjet, { detectBot } from "@arcjet/bun";import { isSpoofedBot } from "@arcjet/inspect";import { env } from "bun";
const aj = arcjet({ key: env.ARCJET_KEY, // Get your site key from https://app.arcjet.com rules: [ detectBot({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), ],});
export default { port: 3000, fetch: aj.handler(async (req) => { const decision = await aj.protect(req);
// Bots not in the allow list will be blocked if (decision.isDenied()) { return new Response("Forbidden", { status: 403 }); }
// Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection if (decision.ip.isHosting()) { return new Response("Forbidden", { status: 403 }); }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the results // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { return new Response("Forbidden", { status: 403 }); }
return new Response("Hello world"); }),};The example below will return a 403 Forbidden response for all requests from clients we are sure are automated.
import "jsr:@std/dotenv/load";
import arcjet, { detectBot } from "@arcjet/deno";import { isSpoofedBot } from "@arcjet/inspect";
const aj = arcjet({ key: Deno.env.get("ARCJET_KEY")!, // Get your site key from https://app.arcjet.com rules: [ detectBot({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), ],});
Deno.serve( { port: 3000 }, aj.handler(async (req) => { const decision = await aj.protect(req);
// Bots not in the allow list will be blocked if (decision.isDenied()) { return new Response("Forbidden", { status: 403 }); }
// Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection if (decision.ip.isHosting()) { return new Response("Forbidden", { status: 403 }); }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the results // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { return new Response("Forbidden", { status: 403 }); }
return new Response("Hello world"); }),);The example below will return a 403 Forbidden response for all requests from clients we are sure are automated.
This creates a global guard that will be applied to all routes. In a real application, implementing guards or per-route protections would give you more flexibility. See the reference guide and the NestJS example app for how to do this.
import { ArcjetGuard, ArcjetModule, detectBot, fixedWindow, shield,} from "@arcjet/nest";import { Module } from "@nestjs/common";import { ConfigModule } from "@nestjs/config";import { APP_GUARD, NestFactory } from "@nestjs/core";
@Module({ imports: [ ConfigModule.forRoot({ isGlobal: true, }), ArcjetModule.forRoot({ isGlobal: true, key: process.env.ARCJET_KEY!, rules: [ // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), ], }), ], controllers: [], providers: [ { provide: APP_GUARD, useClass: ArcjetGuard, }, ],})class AppModule { }
async function bootstrap() { const app = await NestFactory.create(AppModule); await app.listen(3000);}bootstrap();import { ArcjetGuard, ArcjetModule, detectBot, fixedWindow, shield,} from "@arcjet/nest";import { Module } from "@nestjs/common";import { ConfigModule } from "@nestjs/config";import { APP_GUARD, NestFactory } from "@nestjs/core";
@Module({ imports: [ ConfigModule.forRoot({ isGlobal: true, }), ArcjetModule.forRoot({ isGlobal: true, key: process.env.ARCJET_KEY, rules: [ // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), ], }), ], controllers: [], providers: [ { provide: APP_GUARD, useClass: ArcjetGuard, }, ],})class AppModule {}
async function bootstrap() { const app = await NestFactory.create(AppModule); await app.listen(3000);}bootstrap();For this quick start we will enable Arcjet Bot Protection across your entire Next.js application. Next.js middleware runs before every request, allowing Arcjet to protect your entire application before your code runs.
The basic option exports the middleware directly whereas the advanced option allows you to customize the response based on the Arcjet decision.
Create a file called middleware.ts in your project root (at the same level as
pages or app or inside src).
import arcjet, { createMiddleware, detectBot } from "@arcjet/next";export const config = { // matcher tells Next.js which routes to run the middleware on. // This runs the middleware on all routes except for static assets. matcher: ["/((?!_next/static|_next/image|favicon.ico).*)"],};const aj = arcjet({ key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com rules: [ detectBot({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), ],});// Pass any existing middleware with the optional existingMiddleware propexport default createMiddleware(aj);Create a file called middleware.js in your project root (at the same level as
pages or app or inside src):
import arcjet, { createMiddleware, detectBot } from "@arcjet/next";export const config = { // matcher tells Next.js which routes to run the middleware on. // This runs the middleware on all routes except for static assets. matcher: ["/((?!_next/static|_next/image|favicon.ico).*)"],};const aj = arcjet({ key: process.env.ARCJET_KEY, // Get your site key from https://app.arcjet.com rules: [ detectBot({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), ],});// Pass any existing middleware with the optional existingMiddleware propexport default createMiddleware(aj);Create a file called middleware.ts in your project root (at the same level as
pages or app or inside src).
import arcjet, { detectBot } from "@arcjet/next";import { isSpoofedBot } from "@arcjet/inspect";import { NextRequest, NextResponse } from "next/server";
export const config = { // matcher tells Next.js which routes to run the middleware on. // This runs the middleware on all routes except for static assets. matcher: ["/((?!_next/static|_next/image|favicon.ico).*)"],};const aj = arcjet({ key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com rules: [ detectBot({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), ],});
export default async function middleware(request: NextRequest) { const decision = await aj.protect(request);
// Bots not in the allow list will be blocked if (decision.isDenied()) { return NextResponse.json({ error: "Forbidden" }, { status: 403 }); }
// Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection if (decision.ip.isHosting()) { return NextResponse.json({ error: "Forbidden" }, { status: 403 }); }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the results // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { return NextResponse.json({ error: "Forbidden" }, { status: 403 }); }
return NextResponse.next();}Create a file called middleware.js in your project root (at the same level as
pages or app or inside src):
import arcjet, { detectBot } from "@arcjet/next";import { isSpoofedBot } from "@arcjet/inspect";import { NextResponse } from "next/server";
export const config = { // matcher tells Next.js which routes to run the middleware on. // This runs the middleware on all routes except for static assets. matcher: ["/((?!_next/static|_next/image|favicon.ico).*)"],};const aj = arcjet({ key: process.env.ARCJET_KEY, // Get your site key from https://app.arcjet.com rules: [ detectBot({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), ],});
export default async function middleware(request) { const decision = await aj.protect(request);
// Bots not in the allow list will be blocked if (decision.isDenied()) { return NextResponse.json({ error: "Forbidden" }, { status: 403 }); }
// Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection if (decision.ip.isHosting()) { return NextResponse.json({ error: "Forbidden" }, { status: 403 }); }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the results // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { return NextResponse.json({ error: "Forbidden" }, { status: 403 }); }
return NextResponse.next();}The example below will return a 403 Forbidden response for all requests from clients we are sure are automated.
Create a new server route at server/api/protected.get.ts:
// The `#arcjet` virtual module is created created when using @arcjet/nuxtimport arcjetNuxt, { detectBot } from "#arcjet";import { isSpoofedBot } from "@arcjet/inspect";
const arcjet = arcjetNuxt({ rules: [ detectBot({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), ],});
export default defineEventHandler(async (event) => { const decision = await arcjet.protect(event);
// Bots not in the allow list will be blocked if (decision.isDenied()) { throw createError({ statusCode: 403, statusMessage: "Forbidden", }); }
// Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection if (decision.ip.isHosting()) { throw createError({ statusCode: 403, statusMessage: "Forbidden", }); }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the results // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { throw createError({ statusCode: 403, statusMessage: "Forbidden", }); }
return { message: "Hello world" };});Create a new server route at server/api/protected.get.js:
// The `#arcjet` virtual module is created created when using @arcjet/nuxtimport arcjetNuxt, { detectBot } from "#arcjet";import { isSpoofedBot } from "@arcjet/inspect";
const arcjet = arcjetNuxt({ rules: [ detectBot({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), ],});
export default defineEventHandler(async (event) => { const decision = await arcjet.protect(event);
// Bots not in the allow list will be blocked if (decision.isDenied()) { throw createError({ statusCode: 403, statusMessage: "Forbidden", }); }
// Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection if (decision.ip.isHosting()) { throw createError({ statusCode: 403, statusMessage: "Forbidden", }); }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the results // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { throw createError({ statusCode: 403, statusMessage: "Forbidden", }); }
return { message: "Hello world" };});The example below will return a 403 Forbidden response for all requests from clients we are sure are automated.
import arcjet, { detectBot } from "@arcjet/node";import { isSpoofedBot } from "@arcjet/inspect";import http from "node:http";
const aj = arcjet({ key: process.env.ARCJET_KEY, // Get your site key from https://app.arcjet.com rules: [ detectBot({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), ],});
const server = http.createServer(async function (req, res) { const decision = await aj.protect(req); console.log("Arcjet decision", decision);
// Bots not in the allow list will be blocked if (decision.isDenied()) { res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Forbidden" })); return; }
// Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection if (decision.ip.isHosting()) { res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Forbidden" })); return; }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the results // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Forbidden" })); return; }
res.writeHead(200, { "Content-Type": "application/json" }); res.end(JSON.stringify({ message: "Hello world" }));});
server.listen(8000);import arcjet, { detectBot } from "@arcjet/node";import { isSpoofedBot } from "@arcjet/inspect";import http from "node:http";
const aj = arcjet({ key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com rules: [ detectBot({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), ],});
const server = http.createServer(async function ( req: http.IncomingMessage, res: http.ServerResponse,) { const decision = await aj.protect(req); console.log("Arcjet decision", decision);
// Bots not in the allow list will be blocked if (decision.isDenied()) { res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Forbidden" })); return; }
// Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection if (decision.ip.isHosting()) { res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Forbidden" })); return; }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the results // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Forbidden" })); return; }
res.writeHead(200, { "Content-Type": "application/json" }); res.end(JSON.stringify({ message: "Hello world" }));});
server.listen(8000);The example below will return a 403 Forbidden response for all requests from clients we are sure are automated.
Create a new route at app/routes/arcjet.tsx with the contents:
import arcjet, { detectBot } from "@arcjet/remix";import { isSpoofedBot } from "@arcjet/inspect";import type { LoaderFunctionArgs } from "@remix-run/node";
const aj = arcjet({ key: process.env.ARCJET_KEY!, rules: [ // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), ],});
// The loader function is called for every request to the app, but you could// also protect an actionexport async function loader(args: LoaderFunctionArgs) { const decision = await aj.protect(args); console.log("Arcjet decision", decision);
// Bots not in the allow list will be blocked if (decision.isDenied()) { throw new Response("Forbidden", { status: 403, statusText: "Forbidden" }); }
// Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection if (decision.ip.isHosting()) { throw new Response("Forbidden", { status: 403, statusText: "Forbidden" }); }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the results // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { throw new Response("Forbidden", { status: 403, statusText: "Forbidden" }); }
// We don't need to use the decision elsewhere, but you could return it to // the component return null;}
export default function Index() { return ( <> <h1>Hello world</h1> </> );}import arcjet, { detectBot } from "@arcjet/remix";import { isSpoofedBot } from "@arcjet/inspect";
const aj = arcjet({ key: process.env.ARCJET_KEY, rules: [ // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), ],});
// The loader function is called for every request to the app, but you could// also protect an actionexport async function loader(args) { const decision = await aj.protect(args); console.log("Arcjet decision", decision);
// Bots not in the allow list will be blocked if (decision.isDenied()) { throw new Response("Forbidden", { status: 403, statusText: "Forbidden" }); }
// Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection if (decision.ip.isHosting()) { throw new Response("Forbidden", { status: 403, statusText: "Forbidden" }); }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the results // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { throw new Response("Forbidden", { status: 403, statusText: "Forbidden" }); }
// We don't need to use the decision elsewhere, but you could return it to // the component return null;}
export default function Index() { return ( <> <h1>Hello world</h1> </> );}4. Start app
Start your Astro app:
npm run devpnpm run devyarn run devMake a curl request from your terminal to your application. You should see a
403 Forbidden response because curl is considered an automated client by
default. See the reference guide to learn about
configuring this.
curl -I http://localhost:43214. Start server
Start your Bun server:
bun run --hot index.tsbun run --hot index.jsMake a curl request from your terminal. You should see a 403 Forbidden
response because curl is considered an automated client by default.
# Will show the response status, which should be 403 forbiddencurl -I http://localhost:30004. Start server
Start your Deno server:
deno run --watch index.tsDeno permissions
Deno will prompt you for various permissions. You can also start Deno with the
appropriate permission flags (--allow-read --allow-env --allow-net) to skip
the prompt.
Make a curl request from your terminal. You should see a 403 Forbidden
response because curl is considered an automated client by default.
curl http://localhost:30004. Start app
npm run startpnpm run startyarn run startMake a curl request from your terminal to your application. You should see a
403 Forbidden response because curl is considered an automated client by
default. See the reference guide to learn about
configuring this.
curl -I http://localhost:30004. Start app
Start your Next.js app:
npm run devpnpm run devyarn run devMake a curl request from your terminal to your application. You should see a
403 Forbidden response because curl is considered an automated client by
default. See the reference guide to learn about
configuring this.
curl -I http://localhost:30004. Start server
Start your Node.js server:
npx tsx --env-file .env.local index.tsnode --env-file .env.local index.jsMake a curl request from your terminal to your application. You should see a
403 Forbidden response because curl is considered an automated client by
default. See the reference guide to learn about
configuring this.
curl -I http://localhost:80004. Start app
npm run devpnpm run devyarn run devMake a curl request from your terminal to your application. You should see a
403 Forbidden response because curl is considered an automated client by
default. See the reference guide to learn about
configuring this.
curl -I http://localhost:3000/api/protected4. Start app
npm run devpnpm run devyarn run devMake a curl request from your terminal to your application. You should see a
403 Forbidden response because curl is considered an automated client by
default. See the reference guide to learn about
configuring this.
curl -I http://localhost:5173/arcjet4. Start app
Start your SvelteKit app:
npm run devpnpm run devyarn run devMake a curl request from your terminal to your application. You should see a
403 Forbidden response because curl is considered an automated client by
default. See the reference guide to learn about
configuring this.
# Will show the response status, which should be 403 forbiddencurl -I http://localhost:5173The requests will also show in the Arcjet dashboard.
5. Choose bots to allow or deny
Section titled “5. Choose bots to allow or deny”Arcjet maintains a list of known bots so you can choose to either only allow specific bots or only deny specific bots.
Check out our full list of bots.
Do I need to run any infrastructure e.g. Redis?
No, Arcjet handles all the infrastructure for you so you don't need to worry about deploying global Redis clusters, designing data structures to track rate limits, or keeping security detection rules up to date.
What is the performance overhead?
Arcjet SDK tries to do as much as possible asynchronously and locally to minimize latency for each request. Where decisions can be made locally or previous decisions are cached in-memory, latency is usually <1ms.
When a call to the Cloud API is required, such as when tracking a rate limit in a serverless environment, there is some additional latency before a decision is made. The Cloud API has been designed for high performance and low latency, and is deployed to multiple regions around the world. The SDK will automatically use the closest region which means the total overhead is typically no more than 20-30ms, often significantly less.
What happens if Arcjet is unavailable?
Where a decision has been cached locally e.g. blocking a client, Arcjet will continue to function even if the service is unavailable.
If a call to the Cloud API is needed and there is a network problem or Arcjet is unavailable, the default behavior is to fail open and allow the request. You have control over how to handle errors, including choosing to fail close if you prefer. See the reference docs for details.
How does Arcjet protect me against DDoS attacks?
Network layer attacks tend to be generic and high volume, so these are best handled by your hosting platform. Most cloud providers include network DDoS protection by default.
Arcjet sits closer to your application so it can understand the context. This is important because some types of traffic may not look like a DDoS attack, but can still have the same effect. For example, a customer making too many API requests and affecting other customers, or large numbers of signups from disposable email addresses.
Network-level DDoS protection tools find it difficult to protect against this type of traffic because they don't understand the structure of your application. Arcjet can help you to identify and block this traffic by integrating with your codebase and understanding the context of the request e.g. the customer ID or sensitivity of the API route.
Volumetric network attacks are best handled by your hosting provider. Application level attacks need to be handled by the application. That's where Arcjet helps.
What next?
Section titled “What next?”Explore
Section titled “Explore”Arcjet can be used with specific rules on individual routes or as general protection on your entire application. You can setup rate limiting for your API, minimize fraudulent registrations with the signup form protection and more.
Get help
Section titled “Get help”Need help with anything? Email support@arcjet.com to get support from our engineering team.