Arcjet bot detection allows you to manage traffic by automated clients and bots.
What is Arcjet? Arcjet helps developers protect their apps
in just a few lines of code. Bot detection. Rate limiting. Email validation. Attack protection. Data redaction. A developer-first approach to security.
Quick start
This guide will show you how to protect your entire
application from bots and automated clients.
1. Install Arcjet
In your project root, run the following command to install the SDK:
deno add npm:@arcjet/deno
pnpm add @arcjet/sveltekit
yarn add @arcjet/sveltekit
2. Set your key
Create a free Arcjet account then follow the
instructions to add a site and get a key.
Add your key to a .env.local
file in your project root.
# NODE_ENV is not set automatically, so tell Arcjet we're in dev
# You can leave this unset in prod
# Get your site key from https://app.arcjet.com
Add your key to a .env
file in your project root.
# NODE_ENV is not set automatically, so tell Arcjet we're in dev
# You can leave this unset in prod
# Get your site key from https://app.arcjet.com
Add your key to a .env.local
file in your project root.
# NODE_ENV is not set automatically, so tell Arcjet we're in dev
# You can leave this unset in prod
# Get your site key from https://app.arcjet.com
Add your key to a .env.local
file in your project root.
Add your key to a .env.local
file in your project root.
# NODE_ENV is not set automatically, so tell Arcjet we're in dev
# You can leave this unset in prod
# Get your site key from https://app.arcjet.com
Add your key to a .env.local
file in your project root.
# Get your site key from https://app.arcjet.com
Add your key to a .env
file in your project root.
3. Add bot protection
Create a new API route at /src/routes/api/arcjet/+server.js
:
import { env } from " $env/dynamic/private " ;
import arcjet , { detectBot } from " @arcjet/sveltekit " ;
import { error } from " @sveltejs/kit " ;
key : env . ARCJET_KEY , // Get your site key from https://app.arcjet.com
mode : " LIVE " , // will block requests. Use "DRY_RUN" to log only
// Block all bots except the following
" CATEGORY:SEARCH_ENGINE " , // Google, Bing, etc
// Uncomment to allow these other common bot categories
// See the full list at https://arcjet.com/bot-list
//"CATEGORY:MONITOR", // Uptime monitoring services
//"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord
function isSpoofed ( result ) {
// You probably don't want DRY_RUN rules resulting in a denial
// since they are generally used for evaluation purposes but you
result . state !== " DRY_RUN " &&
result . reason . isSpoofed ()
export async function handle ({ event , resolve }) {
const decision = await aj . protect ( event ) ;
// Bots not in the allow list will be blocked
if ( decision . isDenied ()) {
return error ( 403 , " Forbidden " ) ;
// Arcjet Pro plan verifies the authenticity of common bots using IP data.
// Verification isn't always possible, so we recommend checking the results
// https://docs.arcjet.com/bot-protection/reference#bot-verification
if ( decision . results . some ( isSpoofed )) {
return error ( 403 , " Forbidden " ) ;
Create a new API route at /src/routes/api/arcjet/+server.ts
:
import { env } from " $env/dynamic/private " ;
import arcjet , { ArcjetRuleResult , detectBot } from " @arcjet/sveltekit " ;
import { error , type RequestEvent } from " @sveltejs/kit " ;
key : env . ARCJET_KEY ! , // Get your site key from https://app.arcjet.com
mode : " LIVE " , // will block requests. Use "DRY_RUN" to log only
// Block all bots except the following
" CATEGORY:SEARCH_ENGINE " , // Google, Bing, etc
// Uncomment to allow these other common bot categories
// See the full list at https://arcjet.com/bot-list
//"CATEGORY:MONITOR", // Uptime monitoring services
//"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord
function isSpoofed ( result : ArcjetRuleResult ) {
// You probably don't want DRY_RUN rules resulting in a denial
// since they are generally used for evaluation purposes but you
result . state !== " DRY_RUN " &&
result . reason . isSpoofed ()
export async function handle ({
resolve : ( event : RequestEvent ) => Response | Promise < Response >;
const decision = await aj . protect ( event ) ;
// Bots not in the allow list will be blocked
if ( decision . isDenied ()) {
return error ( 403 , " Forbidden " ) ;
// Arcjet Pro plan verifies the authenticity of common bots using IP data.
// Verification isn't always possible, so we recommend checking the results
// https://docs.arcjet.com/bot-protection/reference#bot-verification
if ( decision . results . some ( isSpoofed )) {
return error ( 403 , " Forbidden " ) ;
The example below will return a 403 Forbidden response for all requests from
clients we are sure are automated.
import arcjet , { ArcjetRuleResult , detectBot } from " @arcjet/bun " ;
import { env } from " bun " ;
key : env . ARCJET_KEY ! , // Get your site key from https://app.arcjet.com
mode : " LIVE " , // will block requests. Use "DRY_RUN" to log only
// Block all bots except the following
" CATEGORY:SEARCH_ENGINE " , // Google, Bing, etc
// Uncomment to allow these other common bot categories
// See the full list at https://arcjet.com/bot-list
//"CATEGORY:MONITOR", // Uptime monitoring services
//"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord
function isSpoofed ( result : ArcjetRuleResult ) {
// You probably don't want DRY_RUN rules resulting in a denial
// since they are generally used for evaluation purposes but you
result . state !== " DRY_RUN " &&
result . reason . isSpoofed ()
fetch : aj . handler ( async ( req ) => {
const decision = await aj . protect ( req ) ;
// Bots not in the allow list will be blocked
if ( decision . isDenied ()) {
return new Response ( " Forbidden " , { status : 403 } ) ;
// Arcjet Pro plan verifies the authenticity of common bots using IP data.
// Verification isn't always possible, so we recommend checking the results
// https://docs.arcjet.com/bot-protection/reference#bot-verification
if ( decision . results . some ( isSpoofed )) {
return new Response ( " Forbidden " , { status : 403 } ) ;
return new Response ( " Hello world " ) ;
import arcjet , { detectBot } from " @arcjet/bun " ;
import { env } from " bun " ;
key : env . ARCJET_KEY , // Get your site key from https://app.arcjet.com
mode : " LIVE " , // will block requests. Use "DRY_RUN" to log only
// Block all bots except the following
" CATEGORY:SEARCH_ENGINE " , // Google, Bing, etc
// Uncomment to allow these other common bot categories
// See the full list at https://arcjet.com/bot-list
//"CATEGORY:MONITOR", // Uptime monitoring services
//"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord
function isSpoofed ( result ) {
// You probably don't want DRY_RUN rules resulting in a denial
// since they are generally used for evaluation purposes but you
result . state !== " DRY_RUN " &&
result . reason . isSpoofed ()
fetch : aj . handler ( async ( req ) => {
const decision = await aj . protect ( req ) ;
// Bots not in the allow list will be blocked
if ( decision . isDenied ()) {
return new Response ( " Forbidden " , { status : 403 } ) ;
// Arcjet Pro plan verifies the authenticity of common bots using IP data.
// Verification isn't always possible, so we recommend checking the results
// https://docs.arcjet.com/bot-protection/reference#bot-verification
if ( decision . results . some ( isSpoofed )) {
return new Response ( " Forbidden " , { status : 403 } ) ;
return new Response ( " Hello world " ) ;
The example below will return a 403 Forbidden response for all requests from
clients we are sure are automated.
This creates a global guard that will be
applied to all routes. In a real application, implementing guards or per-route
protections would give you more flexibility. See the reference
guide and the NestJS example
app for how to do this.
import { Module } from " @nestjs/common " ;
import { ConfigModule } from " @nestjs/config " ;
import { APP_GUARD , NestFactory } from " @nestjs/core " ;
key : process . env . ARCJET_KEY ! ,
// Create a bot detection rule
mode : " LIVE " , // Blocks requests. Use "DRY_RUN" to log only
// Block all bots except the following
" CATEGORY:SEARCH_ENGINE " , // Google, Bing, etc
// Uncomment to allow these other common bot categories
// See the full list at https://arcjet.com/bot-list
//"CATEGORY:MONITOR", // Uptime monitoring services
//"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord
async function bootstrap () {
const app = await NestFactory . create ( AppModule ) ;
import { Module } from " @nestjs/common " ;
import { ConfigModule } from " @nestjs/config " ;
import { APP_GUARD , NestFactory } from " @nestjs/core " ;
key : process . env . ARCJET_KEY ,
// Create a bot detection rule
mode : " LIVE " , // Blocks requests. Use "DRY_RUN" to log only
// Block all bots except the following
" CATEGORY:SEARCH_ENGINE " , // Google, Bing, etc
// Uncomment to allow these other common bot categories
// See the full list at https://arcjet.com/bot-list
//"CATEGORY:MONITOR", // Uptime monitoring services
//"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord
async function bootstrap () {
const app = await NestFactory . create ( AppModule ) ;
The example below will return a 403 Forbidden response for all requests from
clients we are sure are automated.
import " jsr:@std/dotenv/load " ;
import arcjet , { ArcjetRuleResult , detectBot } from " @arcjet/deno " ;
key : Deno . env . get ( " ARCJET_KEY " ) ! , // Get your site key from https://app.arcjet.com
mode : " LIVE " , // will block requests. Use "DRY_RUN" to log only
// Block all bots except the following
" CATEGORY:SEARCH_ENGINE " , // Google, Bing, etc
// Uncomment to allow these other common bot categories
// See the full list at https://arcjet.com/bot-list
//"CATEGORY:MONITOR", // Uptime monitoring services
//"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord
function isSpoofed ( result : ArcjetRuleResult ) {
// You probably don't want DRY_RUN rules resulting in a denial
// since they are generally used for evaluation purposes but you
result . state !== " DRY_RUN " &&
result . reason . isSpoofed ()
aj . handler ( async ( req ) => {
const decision = await aj . protect ( req ) ;
// Bots not in the allow list will be blocked
if ( decision . isDenied ()) {
return new Response ( " Forbidden " , { status : 403 } ) ;
// Arcjet Pro plan verifies the authenticity of common bots using IP data.
// Verification isn't always possible, so we recommend checking the results
// https://docs.arcjet.com/bot-protection/reference#bot-verification
if ( decision . results . some ( isSpoofed )) {
return new Response ( " Forbidden " , { status : 403 } ) ;
return new Response ( " Hello world " ) ;
For this quick start we will enable Arcjet Bot Protection across your entire
Next.js application. Next.js
middleware
runs before every request, allowing Arcjet to protect your entire application
before your code runs.
The basic option exports the middleware directly whereas the advanced
option allows you to customize the response based on the Arcjet
decision .
Create a file called middleware.ts
in your project root (at the same level as
pages
or app
or inside src
).
import arcjet , { createMiddleware , detectBot } from " @arcjet/next " ;
// matcher tells Next.js which routes to run the middleware on.
// This runs the middleware on all routes except for static assets.
matcher : [ " /((?!_next/static|_next/image|favicon.ico).*) " ] ,
key : process . env . ARCJET_KEY ! , // Get your site key from https://app.arcjet.com
mode : " LIVE " , // will block requests. Use "DRY_RUN" to log only
// Block all bots except the following
" CATEGORY:SEARCH_ENGINE " , // Google, Bing, etc
// Uncomment to allow these other common bot categories
// See the full list at https://arcjet.com/bot-list
//"CATEGORY:MONITOR", // Uptime monitoring services
//"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord
// Pass any existing middleware with the optional existingMiddleware prop
export default createMiddleware ( aj ) ;
Create a file called middleware.js
in your project root (at the same level as
pages
or app
or inside src
):
import arcjet , { createMiddleware , detectBot } from " @arcjet/next " ;
// matcher tells Next.js which routes to run the middleware on.
// This runs the middleware on all routes except for static assets.
matcher : [ " /((?!_next/static|_next/image|favicon.ico).*) " ] ,
key : process . env . ARCJET_KEY , // Get your site key from https://app.arcjet.com
mode : " LIVE " , // will block requests. Use "DRY_RUN" to log only
// Block all bots except the following
" CATEGORY:SEARCH_ENGINE " , // Google, Bing, etc
// Uncomment to allow these other common bot categories
// See the full list at https://arcjet.com/bot-list
//"CATEGORY:MONITOR", // Uptime monitoring services
//"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord
// Pass any existing middleware with the optional existingMiddleware prop
export default createMiddleware ( aj ) ;
Create a file called middleware.ts
in your project root (at the same level as
pages
or app
or inside src
).
import arcjet , { ArcjetRuleResult , detectBot } from " @arcjet/next " ;
import { NextRequest , NextResponse } from " next/server " ;
// matcher tells Next.js which routes to run the middleware on.
// This runs the middleware on all routes except for static assets.
matcher : [ " /((?!_next/static|_next/image|favicon.ico).*) " ] ,
key : process . env . ARCJET_KEY ! , // Get your site key from https://app.arcjet.com
mode : " LIVE " , // will block requests. Use "DRY_RUN" to log only
// Block all bots except the following
" CATEGORY:SEARCH_ENGINE " , // Google, Bing, etc
// Uncomment to allow these other common bot categories
// See the full list at https://arcjet.com/bot-list
//"CATEGORY:MONITOR", // Uptime monitoring services
//"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord
function isSpoofed ( result : ArcjetRuleResult ) {
// You probably don't want DRY_RUN rules resulting in a denial
// since they are generally used for evaluation purposes but you
result . state !== " DRY_RUN " &&
result . reason . isSpoofed ()
export default async function middleware ( request : NextRequest ) {
const decision = await aj . protect ( request ) ;
// Bots not in the allow list will be blocked
if ( decision . isDenied ()) {
return NextResponse . json ( { error : " Forbidden " }, { status : 403 } ) ;
// Arcjet Pro plan verifies the authenticity of common bots using IP data.
// Verification isn't always possible, so we recommend checking the results
// https://docs.arcjet.com/bot-protection/reference#bot-verification
if ( decision . results . some ( isSpoofed )) {
return NextResponse . json ( { error : " Forbidden " }, { status : 403 } ) ;
return NextResponse . next () ;
Create a file called middleware.js
in your project root (at the same level as
pages
or app
or inside src
):
import arcjet , { detectBot } from " @arcjet/next " ;
import { NextResponse } from " next/server " ;
// matcher tells Next.js which routes to run the middleware on.
// This runs the middleware on all routes except for static assets.
matcher : [ " /((?!_next/static|_next/image|favicon.ico).*) " ] ,
key : process . env . ARCJET_KEY , // Get your site key from https://app.arcjet.com
mode : " LIVE " , // will block requests. Use "DRY_RUN" to log only
// Block all bots except the following
" CATEGORY:SEARCH_ENGINE " , // Google, Bing, etc
// Uncomment to allow these other common bot categories
// See the full list at https://arcjet.com/bot-list
//"CATEGORY:MONITOR", // Uptime monitoring services
//"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord
function isSpoofed ( result ) {
// You probably don't want DRY_RUN rules resulting in a denial
// since they are generally used for evaluation purposes but you
result . state !== " DRY_RUN " &&
result . reason . isSpoofed ()
export default async function middleware ( request ) {
const decision = await aj . protect ( request ) ;
// Bots not in the allow list will be blocked
if ( decision . isDenied ()) {
return NextResponse . json ( { error : " Forbidden " }, { status : 403 } ) ;
// Arcjet Pro plan verifies the authenticity of common bots using IP data.
// Verification isn't always possible, so we recommend checking the results
// https://docs.arcjet.com/bot-protection/reference#bot-verification
if ( decision . results . some ( isSpoofed )) {
return NextResponse . json ( { error : " Forbidden " }, { status : 403 } ) ;
return NextResponse . next () ;
The example below will return a 403 Forbidden response for all requests from
clients we are sure are automated.
import arcjet , { detectBot } from " @arcjet/node " ;
import http from " node:http " ;
key : process . env . ARCJET_KEY , // Get your site key from https://app.arcjet.com
mode : " LIVE " , // will block requests. Use "DRY_RUN" to log only
// Block all bots except the following
" CATEGORY:SEARCH_ENGINE " , // Google, Bing, etc
// Uncomment to allow these other common bot categories
// See the full list at https://arcjet.com/bot-list
//"CATEGORY:MONITOR", // Uptime monitoring services
//"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord
function isSpoofed ( result ) {
// You probably don't want DRY_RUN rules resulting in a denial
// since they are generally used for evaluation purposes but you
result . state !== " DRY_RUN " &&
result . reason . isSpoofed ()
const server = http . createServer ( async function ( req , res ) {
const decision = await aj . protect ( req ) ;
console . log ( " Arcjet decision " , decision ) ;
// Bots not in the allow list will be blocked
if ( decision . isDenied ()) {
res . writeHead ( 403 , { " Content-Type " : " application/json " } ) ;
res . end ( JSON . stringify ( { error : " Forbidden " } )) ;
// Arcjet Pro plan verifies the authenticity of common bots using IP data.
// Verification isn't always possible, so we recommend checking the results
// https://docs.arcjet.com/bot-protection/reference#bot-verification
if ( decision . results . some ( isSpoofed )) {
res . writeHead ( 403 , { " Content-Type " : " application/json " } ) ;
res . end ( JSON . stringify ( { error : " Forbidden " } )) ;
res . writeHead ( 200 , { " Content-Type " : " application/json " } ) ;
res . end ( JSON . stringify ( { message : " Hello world " } )) ;
import arcjet , { ArcjetRuleResult , detectBot } from " @arcjet/node " ;
import http from " node:http " ;
key : process . env . ARCJET_KEY ! , // Get your site key from https://app.arcjet.com
mode : " LIVE " , // will block requests. Use "DRY_RUN" to log only
// Block all bots except the following
" CATEGORY:SEARCH_ENGINE " , // Google, Bing, etc
// Uncomment to allow these other common bot categories
// See the full list at https://arcjet.com/bot-list
//"CATEGORY:MONITOR", // Uptime monitoring services
//"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord
function isSpoofed ( result : ArcjetRuleResult ) {
// You probably don't want DRY_RUN rules resulting in a denial
// since they are generally used for evaluation purposes but you
result . state !== " DRY_RUN " &&
result . reason . isSpoofed ()
const server = http . createServer ( async function (
req : http . IncomingMessage ,
res : http . ServerResponse ,
const decision = await aj . protect ( req ) ;
console . log ( " Arcjet decision " , decision ) ;
// Bots not in the allow list will be blocked
if ( decision . isDenied ()) {
res . writeHead ( 403 , { " Content-Type " : " application/json " } ) ;
res . end ( JSON . stringify ( { error : " Forbidden " } )) ;
// Arcjet Pro plan verifies the authenticity of common bots using IP data.
// Verification isn't always possible, so we recommend checking the results
// https://docs.arcjet.com/bot-protection/reference#bot-verification
if ( decision . results . some ( isSpoofed )) {
res . writeHead ( 403 , { " Content-Type " : " application/json " } ) ;
res . end ( JSON . stringify ( { error : " Forbidden " } )) ;
res . writeHead ( 200 , { " Content-Type " : " application/json " } ) ;
res . end ( JSON . stringify ( { message : " Hello world " } )) ;
The example below will return a 403 Forbidden response for all requests from
clients we are sure are automated.
Create a new route at app/routes/arcjet.tsx
with the contents:
import arcjet , { ArcjetRuleResult , detectBot } from " @arcjet/remix " ;
import type { LoaderFunctionArgs } from " @remix-run/node " ;
key : process . env . ARCJET_KEY ! ,
characteristics : [ " ip.src " ] , // Track requests by IP
// Create a bot detection rule
mode : " LIVE " , // Blocks requests. Use "DRY_RUN" to log only
// Block all bots except the following
" CATEGORY:SEARCH_ENGINE " , // Google, Bing, etc
// Uncomment to allow these other common bot categories
// See the full list at https://arcjet.com/bot-list
//"CATEGORY:MONITOR", // Uptime monitoring services
//"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord
function isSpoofed ( result : ArcjetRuleResult ) {
// You probably don't want DRY_RUN rules resulting in a denial
// since they are generally used for evaluation purposes but you
result . state !== " DRY_RUN " &&
result . reason . isSpoofed ()
// The loader function is called for every request to the app, but you could
// also protect an action
export async function loader ( args : LoaderFunctionArgs ) {
const decision = await aj . protect ( args ) ;
console . log ( " Arcjet decision " , decision ) ;
// Bots not in the allow list will be blocked
if ( decision . isDenied ()) {
throw new Response ( " Forbidden " , { status : 403 , statusText : " Forbidden " } ) ;
// Arcjet Pro plan verifies the authenticity of common bots using IP data.
// Verification isn't always possible, so we recommend checking the results
// https://docs.arcjet.com/bot-protection/reference#bot-verification
if ( decision . results . some ( isSpoofed )) {
throw new Response ( " Forbidden " , { status : 403 , statusText : " Forbidden " } ) ;
// We don't need to use the decision elsewhere, but you could return it to
export default function Index () {
import arcjet , { detectBot } from " @arcjet/remix " ;
key : process . env . ARCJET_KEY ,
characteristics : [ " ip.src " ] , // Track requests by IP
// Create a bot detection rule
mode : " LIVE " , // Blocks requests. Use "DRY_RUN" to log only
// Block all bots except the following
" CATEGORY:SEARCH_ENGINE " , // Google, Bing, etc
// Uncomment to allow these other common bot categories
// See the full list at https://arcjet.com/bot-list
//"CATEGORY:MONITOR", // Uptime monitoring services
//"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord
function isSpoofed ( result ) {
// You probably don't want DRY_RUN rules resulting in a denial
// since they are generally used for evaluation purposes but you
result . state !== " DRY_RUN " &&
result . reason . isSpoofed ()
// The loader function is called for every request to the app, but you could
// also protect an action
export async function loader ( args ) {
const decision = await aj . protect ( args ) ;
console . log ( " Arcjet decision " , decision ) ;
// Bots not in the allow list will be blocked
if ( decision . isDenied ()) {
throw new Response ( " Forbidden " , { status : 403 , statusText : " Forbidden " } ) ;
// Arcjet Pro plan verifies the authenticity of common bots using IP data.
// Verification isn't always possible, so we recommend checking the results
// https://docs.arcjet.com/bot-protection/reference#bot-verification
if ( decision . results . some ( isSpoofed )) {
throw new Response ( " Forbidden " , { status : 403 , statusText : " Forbidden " } ) ;
// We don't need to use the decision elsewhere, but you could return it to
export default function Index () {
4. Start server
Start your Bun server:
Make a curl
request from your terminal. You should see a 403 Forbidden
response because curl
is considered an automated client by default.
# Will show the response status, which should be 403 forbidden
curl -I http://localhost:3000
4. Start server
Start your Deno server:
deno run --watch index.ts
Make a curl
request from your terminal. You should see a 403 Forbidden
response because curl
is considered an automated client by default.
curl http://localhost:3000
4. Start app
Make a curl
request from your terminal to your application. You should see a
403 Forbidden
response because curl
is considered an automated client by
default. See the reference guide to learn about
configuring this.
curl -I http://localhost:3000
4. Start app
Start your Next.js app:
Make a curl
request from your terminal to your application. You should see a
403 Forbidden
response because curl
is considered an automated client by
default. See the reference guide to learn about
configuring this.
curl -I http://localhost:3000
4. Start server
Start your Node.js server:
npx tsx --env-file .env.local index.ts
node --env-file .env.local index.js
Make a curl
request from your terminal to your application. You should see a
403 Forbidden
response because curl
is considered an automated client by
default. See the reference guide to learn about
configuring this.
curl -I http://localhost:8000
4. Start app
Make a curl
request from your terminal to your application. You should see a
403 Forbidden
response because curl
is considered an automated client by
default. See the reference guide to learn about
configuring this.
curl -I http://localhost:5173/arcjet
4. Start app
Start your SvelteKit app:
Make a curl
request from your terminal to your application. You should see a
403 Forbidden
response because curl
is considered an automated client by
default. See the reference guide to learn about
configuring this.
# Will show the response status, which should be 403 forbidden
curl -I http://localhost:5173
The requests will also show in the Arcjet dashboard .
5. Choose bots to allow or deny
Arcjet maintains a list of known bots so you can choose to either only allow
specific bots or only deny
specific bots .
Check out our full list of bots .
FAQs
Do I need to run any infrastructure e.g. Redis? No, Arcjet handles all the infrastructure for you so you don't need to
worry about deploying global Redis clusters, designing data structures to
track rate limits, or keeping security detection rules up to date.
What is the performance overhead? Arcjet SDK tries to do as much as possible asynchronously and locally to
minimize latency for each request. Where decisions can be made locally or
previous decisions are cached in-memory, latency is usually <1ms.
When a call to the Arcjet API is required, such as when tracking a
rate limit in a serverless environment, there is some additional latency
before a decision is made. The Arcjet API has been designed for high
performance and low latency, and is deployed to multiple regions around the
world. The SDK will automatically use the closest region which means the
total overhead is typically no more than 20-30ms, often significantly less.
What happens if Arcjet is unavailable? Where a decision has been cached locally e.g. blocking a client, Arcjet
will continue to function even if the service is unavailable.
If a call to the Arcjet API is needed and there is a network problem or
Arcjet is unavailable, the default behavior is to fail open and allow
the request. You have control over how to handle errors, including choosing
to fail close if you prefer. See the reference docs for details.
How does Arcjet protect me against DDoS attacks? Network layer attacks tend to be generic and high volume, so these are
best handled by your hosting platform. Most cloud providers include network
DDoS protection by default.
Arcjet sits closer to your application so it can understand the context.
This is important because some types of traffic may not look like a DDoS
attack, but can still have the same effect. For example, a customer making
too many API requests and affecting other customers, or large numbers of
signups from disposable email addresses.
Network-level DDoS protection tools find it difficult to protect against
this type of traffic because they don't understand the structure of your
application. Arcjet can help you to identify and block this traffic by
integrating with your codebase and understanding the context of the
request e.g. the customer ID or sensitivity of the API route.
Volumetric network attacks are best handled by your hosting provider.
Application level attacks need to be handled by the application. That's
where Arcjet helps.
What next?
Testing Write tests for your rules.
Explore
Arcjet can be used with specific rules on individual routes or as general
protection on your entire application. You can setup rate limiting for your
API, minimize fraudulent registrations with the signup form protection and more.
Get help
Need help with anything? Email support@arcjet.com to get support from our
engineering team.
Discussion