Arcjet CLI
Arcjet is the runtime security platform that ships with your code. Enforce budgets, stop prompt injection, detect bots, and protect personal information with Arcjet’s AI security building blocks.
The Arcjet CLI is one of two ways to connect Arcjet skills to the Arcjet API — the other being the MCP server. Both transports expose the same management-plane surface (teams, sites, rules, traffic analysis, request inspection, live monitoring); the CLI is the right choice when you are working in a terminal and the MCP server is the right choice when you are working in an online client without shell access.
The CLI is the lowest-friction path when:
- You are already in a shell (Claude Code, Codex, plugin tasks, CI).
- You need to answer questions about the user’s Arcjet environment without standing up an MCP server.
- The user has not yet configured an MCP connection or the Arcjet plugin.
See Install for installation paths.
Install
Section titled “Install”The CLI requires Node.js. With Node.js available, every command works with no install via npx -y @arcjet/cli@latest <command>.
The simplest way to run the CLI is npx. It works on macOS, Linux, and Windows with no install step:
npx -y @arcjet/cli@latest <command>For example:
npx -y @arcjet/cli@latest auth loginnpx -y @arcjet/cli@latest versionThe rest of this page uses arcjet in command examples for readability. Substitute npx -y @arcjet/cli@latest if you have not installed the binary.
For frequent or interactive use, install the binary so commands can be invoked as arcjet:
npm install -g @arcjet/clibrew install arcjet/tap/arcjetAvailable for macOS (Apple Silicon, Intel) and Linux (x86_64, arm64).
curl -sSfL https://arcjet.com/cli/install.sh | bashDownloads the appropriate release archive from
github.com/arcjet/cli/releases
and installs the arcjet binary onto your PATH. Available for macOS
(Apple Silicon, Intel) and Linux (x86_64, arm64).
Download the latest archive for your platform from
github.com/arcjet/cli/releases,
extract it, and place the arcjet binary somewhere on your PATH. Useful
for internal redistribution and air-gapped environments.
Available for macOS (Apple Silicon, Intel), Linux (x86_64, arm64), and Windows (x86_64, arm64).
Verify the install:
arcjet versionAuthentication
Section titled “Authentication”Most users will not have ARCJET_TOKEN set in their shell. The default path is the browser-based device authorization flow, which works the same way as gh auth login, fly auth login, or vercel login:
arcjet auth loginThe CLI prints a one-time code and opens a URL. The user confirms the code in their browser, and the CLI stores the resulting credentials locally. Subsequent commands authenticate automatically.
Check the current state:
arcjet auth statusSign out:
arcjet auth logoutNon-interactive authentication
Section titled “Non-interactive authentication”For CI, scripts, or non-interactive agent runs, set ARCJET_TOKEN instead of running arcjet auth login:
export ARCJET_TOKEN=<token>Treat ARCJET_TOKEN as the headless escape hatch, not the default. In an interactive terminal session, prefer arcjet auth login.
Agent usage
Section titled “Agent usage”When running the CLI from an agent, two flags keep output predictable and the context window small:
--output json— emit machine-readable JSON. When stdout is not a TTY, JSON is the default, so this is rarely required from a subprocess but is safe to set explicitly.--fields <a,b,c>— limit output to the listed top-level keys. Use this aggressively to avoid pulling unused fields into the conversation.
arcjet teams list --output json --fields id,namearcjet sites list --team-id team_01abc123 --output json --fields id,namearcjet requests list --site-id site_01abc123 --output json --fields id,conclusion,pathSite IDs use the format site_<suffix> and team IDs use the format team_<suffix> (TypeID format).
Run arcjet --help to see all available commands, or arcjet <command> --help for details on a specific command.
Command reference
Section titled “Command reference”Authentication
Section titled “Authentication”| Command | Description |
|---|---|
arcjet auth login | Authenticate via the browser-based device flow. |
arcjet auth logout | Remove stored credentials. |
arcjet auth status | Show the current authentication state. |
Teams and sites
Section titled “Teams and sites”| Command | Description |
|---|---|
arcjet teams list | List teams the authenticated user belongs to. |
arcjet sites list --team-id <id> | List sites within a team. |
arcjet sites create --team-id <id> | Create a new site (requires --confirm). |
arcjet sites get-key --site-id <id> | Return the SDK key (ARCJET_KEY) for a site. |
Remote rules
Section titled “Remote rules”| Command | Description |
|---|---|
arcjet rules list --site-id <id> | List remote rules configured for a site. |
arcjet rules create --site-id <id> | Create a remote rule in DRY_RUN or LIVE mode (--confirm). |
arcjet rules update --site-id <id> | Replace an existing remote rule’s configuration (--confirm). |
arcjet rules delete --site-id <id> | Delete a remote rule (--confirm). |
arcjet rules promote --site-id <id> | Promote a remote rule from DRY_RUN to LIVE (--confirm). |
Remote rules support rate_limit, bot, shield, and filter types. Rules that need parsed request body content (email, sensitive_info, prompt_injection) require the SDK.
Analysis
Section titled “Analysis”| Command | Description |
|---|---|
arcjet analyze traffic --site-id <id> | Traffic analysis: total requests, denials, top paths, top IPs, trend. |
arcjet analyze anomalies --site-id <id> | Detect unusual security patterns vs the previous period. |
arcjet analyze dry-run-impact --site-id <id> | Impact of promoting dry-run rules to live. |
arcjet analyze ip --site-id <id> --ip <ip> | Investigate an IP — geo, threat intelligence, recent request activity. |
Requests
Section titled “Requests”| Command | Description |
|---|---|
arcjet requests list --site-id <id> | List recent requests; filter by conclusion. |
arcjet requests details --site-id <id> --request-id <request-id> | Full details for a request — headers, rules, decision info. |
arcjet requests explain --site-id <id> --request-id <request-id> | Natural-language explanation of a decision and next steps. |
Monitoring
Section titled “Monitoring”| Command | Description |
|---|---|
arcjet briefing --site-id <id> | Comprehensive security briefing — traffic, threats, anomalies, dry-run readiness, quota, recommendations. |
arcjet watch --site-id <id> | Stream live requests for a site (polls the API). |
Utilities
Section titled “Utilities”| Command | Description |
|---|---|
arcjet completion <bash|zsh|fish> | Generate shell completions. |
arcjet version | Print version information. |
Common workflows
Section titled “Common workflows”The CLI mirrors the MCP server’s typical workflows. Each step is a single command.
Bootstrap a project: arcjet auth login → arcjet teams list → arcjet sites list --team-id <id> (or arcjet sites create) → arcjet sites get-key --site-id <id> → write the returned key to the project’s .env file as ARCJET_KEY.
Investigate a request: arcjet requests list --site-id <id> to find the request → arcjet requests details --site-id <id> --request-id <request-id> for headers and rule execution → arcjet requests explain --site-id <id> --request-id <request-id> for a natural-language summary.
Analyse and monitor: arcjet analyze traffic --site-id <id> for a dashboard-level overview → arcjet analyze anomalies --site-id <id> to surface unusual patterns → arcjet analyze ip --site-id <id> --ip <ip> for a deep dive on a suspicious IP.
Daily security briefing: arcjet briefing --site-id <id> returns traffic, threats, anomalies, dry-run readiness, quota, and prioritised recommendations in a single call.
Manage remote rules: arcjet rules list --site-id <id> → arcjet rules create --site-id <id> in DRY_RUN → arcjet analyze dry-run-impact --site-id <id> to verify → arcjet rules promote --site-id <id> to switch to LIVE.
Skills
Section titled “Skills”Skills are documented in Agent get started. The CLI is one of the transports that connects skills to the Arcjet API — it is not itself a skill surface.
Invariants
Section titled “Invariants”- Always confirm with the user before write or delete operations. Mutating commands require
--confirm. - Site IDs use the format
site_<suffix>(TypeID format). Team IDs use the formatteam_<suffix>. - Commands and parameters are a stable API contract.
Reference
Section titled “Reference”- Agent get started — full agent onboarding flow.
- MCP server — same management-plane surface, exposed over MCP.
- Arcjet Plugin — Claude Code and Cursor plugin with automatic security guidance.
- llms.txt — short machine-readable index for AI agents.
- llms-full.txt — full machine-readable reference with framework examples and the rule parameter reference.
- arcjet/cli on GitHub — release archives and source.
Get help
Section titled “Get help”Need help with anything? Email us or join our Discord to get support from our engineering team.