Arcjet helps developers protect their apps in just a few lines of code. Bot detection. Rate limiting. Email validation. Attack protection. Data redaction. A developer-first approach to security.
This guide will show you how to set up a simple API server protected by Arcjet.
0. Get Started
Installing Bun:
npm install -g bunFor detailed instructions refer to the Bun docs.
Installing Deno:
- macOS and Linux
curl -fsSL https://deno.land/install.sh | sh- Windows
irm https://deno.land/install.ps1 | iexFor detailed instructions refer to the Deno docs.
Installing Nest.js
npm i -g @nestjs/cliFor detailed instructions refer to the Nest.js docs.
To create a Next.js project:
npx create-next-app@latestFor detailed instructions refer to the Next.js docs.
To install Node.js on your system follow the official docs.
To install Express:
npm install expressFor detailed instructions refer to Express.js docs.
To install Node.js on your system follow the official docs.
To create a Remix project:
npx create-remix@latestFor detailed instructions refer to the Remix docs.
To create a SvelteKit project:
npx sv create my-appFor detailed instructions refer to the SvelteKit docs.
Installing Bun
npm install -g bunFor detailed instructions refer to the Bun docs.
To install Hono:
npm create hono@latestpnpm create hono@latestyarn create honoFor detailed instructions refer to the Hono docs.
To install Hono:
npm create hono@latestpnpm create hono@latestyarn create honoFor detailed instructions refer to the Hono docs.
To install Node.js on your system follow the official docs.
1. Install Arcjet
In your project root, run the following command:
bun add @arcjet/bunbun add @arcjet/bundeno add npm:@arcjet/denonpm i @arcjet/nestpnpm add @arcjet/nestyarn add @arcjet/nestnpm i @arcjet/nextpnpm add @arcjet/nextyarn add @arcjet/nextnpm i @arcjet/nodepnpm add @arcjet/nodeyarn add @arcjet/nodenpm i @arcjet/nodepnpm add @arcjet/nodeyarn add @arcjet/nodenpm i @arcjet/nodepnpm add @arcjet/nodeyarn add @arcjet/nodenpm i @arcjet/remixpnpm add @arcjet/remixyarn add @arcjet/remixnpm i @arcjet/sveltekitpnpm add @arcjet/sveltekityarn add @arcjet/sveltekitRequirements
- Bun 1.1.27 or later
- Bun 1.1.27 or later
- Hono 4.3 or later
- Deno 1.46+ if only using the
Deno.serveAPI
OR
- Deno 2.0+ if you are using Deno’s
servecommand
- NestJS 10.4 or later.
- Node.js 18 or later.
- Express and Fastify are supported.
- CommonJS is not supported. Arcjet is ESM only. See our NestJS example app for how to use ESM with NestJS.
- Next.js 14 or 15.
- CommonJS is not supported. Arcjet is ESM only.
- Node.js 18 or later
- CommonJS is not supported. Arcjet is ESM only.
- Node.js 18 or later
- Express.js 4.19 or later
- CommonJS is not supported. Arcjet is ESM only.
- Node.js 18 or later
- Hono 4.3 or later
- CommonJS is not supported. Arcjet is ESM only.
- Remix 2 or later
- CommonJS is not supported. Arcjet is ESM only.
- Node.js 18 or later
- SvelteKit 2.5 or later
- CommonJS is not supported. Arcjet is ESM only.
2. Set your key
Create a free Arcjet account then follow the instructions to add a site and get a key.
Add your key to a .env.local file in your project root.
# NODE_ENV is not set automatically, so tell Arcjet we're in dev# You can leave this unset in prodARCJET_ENV=development# Get your site key from https://app.arcjet.comARCJET_KEY=ajkey_yourkeyAdd your key to a .env.local file in your project root.
# NODE_ENV is not set automatically, so tell Arcjet we're in dev# You can leave this unset in prodARCJET_ENV=development# Get your site key from https://app.arcjet.comARCJET_KEY=ajkey_yourkeyAdd your key to a .env file in your project root.
# NODE_ENV is not set automatically, so tell Arcjet we're in dev# You can leave this unset in prodARCJET_ENV=development# Get your site key from https://app.arcjet.comARCJET_KEY=ajkey_yourkeyAdd your key to a .env file in your project root.
# NODE_ENV is not set automatically, so tell Arcjet we're in dev# You can leave this unset in prodARCJET_ENV=development# Get your site key from https://app.arcjet.comARCJET_KEY=ajkey_yourkeyAdd your key to a .env.local file in your project root.
ARCJET_KEY=ajkey_yourkeyAdd your key to a .env.local file in your project root.
# NODE_ENV is not set automatically, so tell Arcjet we're in dev# You can leave this unset in prodARCJET_ENV=development# Get your site key from https://app.arcjet.comARCJET_KEY=ajkey_yourkeyAdd your key to a .env.local file in your project root.
# NODE_ENV is not set automatically, so tell Arcjet we're in dev# You can leave this unset in prodARCJET_ENV=development# Get your site key from https://app.arcjet.comARCJET_KEY=ajkey_yourkeyAdd your key to a .env file in your project root.
ARCJET_KEY=ajkey_yourkeyAdd your key to a .env file in your project root.
ARCJET_KEY=ajkey_yourkeyAdd your key to a .env.local file in your project root.
# NODE_ENV is not set automatically, so tell Arcjet we're in dev# You can leave this unset in prodARCJET_ENV=development# Get your site key from https://app.arcjet.comARCJET_KEY=ajkey_yourkeyNext you need to update the dev command in your package.json to use the
.env.local file.
{ "scripts": { "dev": "tsx watch --env-file .env.local src/index.ts" } ...}3. Add rules
This configures Arcjet rules to protect your app from attacks, apply a rate limit, and prevent bots from accessing your app.
Update your src/main.ts file with the contents:
import { ArcjetGuard, ArcjetModule, detectBot, fixedWindow, shield,} from "@arcjet/nest";import { Module } from "@nestjs/common";import { ConfigModule } from "@nestjs/config";import { APP_GUARD, NestFactory } from "@nestjs/core";
@Module({ imports: [ ConfigModule.forRoot({ isGlobal: true, }), ArcjetModule.forRoot({ isGlobal: true, key: process.env.ARCJET_KEY!, rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a fixed window rate limit. Other algorithms are supported. fixedWindow({ mode: "LIVE", window: "60s", // 10 second fixed window max: 2, // Allow a maximum of 2 requests }), ], }), ], controllers: [], providers: [ { provide: APP_GUARD, useClass: ArcjetGuard, }, ],})class AppModule {}
async function bootstrap() { const app = await NestFactory.create(AppModule); await app.listen(3000);}bootstrap();This creates a global guard that will be applied to all routes. In a real application, implementing guards or per-route protections would give you more flexibility. See our example app for how to do this.
Create a new file at index.ts with the contents:
import "jsr:@std/dotenv/load";
import arcjet, { type ArcjetRuleResult, detectBot, shield, tokenBucket,} from "npm:@arcjet/deno";
const aj = arcjet({ key: Deno.env.get("ARCJET_KEY")!, // Get your site key from https://app.arcjet.com characteristics: ["ip.src"], // Track requests by IP rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
function isSpoofed(result: ArcjetRuleResult) { return ( // You probably don't want DRY_RUN rules resulting in a denial // since they are generally used for evaluation purposes but you // could log here. result.state !== "DRY_RUN" && result.reason.isBot() && result.reason.isSpoofed() );}
Deno.serve( { port: 3000 }, aj.handler(async (req) => { const decision = await aj.protect(req, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision.conclusion);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return new Response("Too many requests", { status: 429 }); } else if (decision.reason.isBot()) { return new Response("No bots allowed", { status: 403 }); } else { return new Response("Forbidden", { status: 403 }); } }
// Arcjet Pro plan verifies the authenticity of common bots using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofed)) { return new Response("Forbidden", { status: 403 }); }
return new Response("Hello world"); }),);Update your index.ts file with the contents:
import arcjet, { type ArcjetRuleResult, detectBot, shield, tokenBucket,} from "@arcjet/bun";import { Hono } from "hono";import { env } from "bun";
const aj = arcjet({ key: env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com characteristics: ["ip.src"], // Track requests by IP rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
function isSpoofed(result: ArcjetRuleResult) { return ( // You probably don't want DRY_RUN rules resulting in a denial // since they are generally used for evaluation purposes but you // could log here. result.state !== "DRY_RUN" && result.reason.isBot() && result.reason.isSpoofed() );}
const app = new Hono();
app.get("/", async (c) => { const decision = await aj.protect(c.req.raw, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision.conclusion);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return c.json({ error: "Too many requests" }, 429); } else if (decision.reason.isBot()) { return c.json({ error: "No bots allowed" }, 403); } else { return c.json({ error: "Forbidden" }, 403); } }
// Arcjet Pro plan verifies the authenticity of common bots using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofed)) { return c.json({ error: "Forbidden" }, 403); }
return c.json({ message: "Hello world" });});
const port = 3000;console.log(`Server is running on port ${port}`);
export default { fetch: aj.handler(app.fetch), port,};Create a new route at /src/routes/api/arcjet/+server.js with the contents:
import { env } from "$env/dynamic/private";import arcjet, { detectBot, shield, tokenBucket } from "@arcjet/sveltekit";import { error, json } from "@sveltejs/kit";
const aj = arcjet({ key: env.ARCJET_KEY, // Get your site key from https://app.arcjet.com characteristics: ["ip.src"], // Track requests by IP rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
function isSpoofed(result) { return ( // You probably don't want DRY_RUN rules resulting in a denial // since they are generally used for evaluation purposes but you // could log here. result.state !== "DRY_RUN" && result.reason.isBot() && result.reason.isSpoofed() );}
export async function GET(event) { const decision = await aj.protect(event, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return error(429, "Too Many Requests"); } else if (decision.reason.isBot()) { return error(403, "No Bots Allowed"); } else { return error(403, "Forbidden"); } }
// Arcjet Pro plan verifies the authenticity of common bots using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofed)) { return error(403, "Forbidden"); }
return json({ message: "Hello World" });}Create a new route at /src/routes/api/arcjet/+server.ts with the contents:
import { env } from "$env/dynamic/private";import arcjet, { type ArcjetRuleResult, detectBot, shield, tokenBucket,} from "@arcjet/sveltekit";import { error, json, type RequestEvent } from "@sveltejs/kit";
const aj = arcjet({ key: env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com characteristics: ["ip.src"], // Track requests by IP rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
function isSpoofed(result: ArcjetRuleResult) { return ( // You probably don't want DRY_RUN rules resulting in a denial // since they are generally used for evaluation purposes but you // could log here. result.state !== "DRY_RUN" && result.reason.isBot() && result.reason.isSpoofed() );}
export async function GET(event: RequestEvent) { const decision = await aj.protect(event, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return error(429, "Too Many Requests"); } else if (decision.reason.isBot()) { return error(403, "No Bots Allowed"); } else { return error(403, "Forbidden"); } }
// Arcjet Pro plan verifies the authenticity of common bots using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofed)) { return error(403, "Forbidden"); }
return json({ message: "Hello World" });}Create a new API route at /pages/api/arcjet.js:
import arcjet, { detectBot, shield, tokenBucket } from "@arcjet/next";
const aj = arcjet({ key: process.env.ARCJET_KEY, // Get your site key from https://app.arcjet.com characteristics: ["ip.src"], // Track requests by IP rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
function isSpoofed(result) { return ( // You probably don't want DRY_RUN rules resulting in a denial // since they are generally used for evaluation purposes but you // could log here. result.state !== "DRY_RUN" && result.reason.isBot() && result.reason.isSpoofed() );}
export default async function handler(req, res) { const decision = await aj.protect(req, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return res .status(429) .json({ error: "Too many requests", reason: decision.reason }); } else if (decision.reason.isBot()) { return res .status(403) .json({ error: "No bots allowed", reason: decision.reason }); } else { return res .status(403) .json({ error: "Forbidden", reason: decision.reason }); } }
// Arcjet Pro plan verifies the authenticity of common bots using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofed)) { return res .status(403) .json({ error: "Forbidden", reason: decision.reason }); }
res.status(200).json({ name: "Hello world" });}Create a new API route at /app/api/arcjet/route.js:
import arcjet, { detectBot, shield, tokenBucket } from "@arcjet/next";import { NextResponse } from "next/server";
const aj = arcjet({ key: process.env.ARCJET_KEY, // Get your site key from https://app.arcjet.com characteristics: ["ip.src"], // Track requests by IP rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
function isSpoofed(result) { return ( // You probably don't want DRY_RUN rules resulting in a denial // since they are generally used for evaluation purposes but you // could log here. result.state !== "DRY_RUN" && result.reason.isBot() && result.reason.isSpoofed() );}
export async function GET(req) { const decision = await aj.protect(req, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return NextResponse.json( { error: "Too Many Requests", reason: decision.reason }, { status: 429 }, ); } else if (decision.reason.isBot()) { return NextResponse.json( { error: "No bots allowed", reason: decision.reason }, { status: 403 }, ); } else { return NextResponse.json( { error: "Forbidden", reason: decision.reason }, { status: 403 }, ); } }
// Arcjet Pro plan verifies the authenticity of common bots using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofed)) { return NextResponse.json( { error: "Forbidden", reason: decision.reason }, { status: 403 }, ); }
return NextResponse.json({ message: "Hello world" });}Create a new API route at /app/api/arcjet/route.ts:
import arcjet, { type ArcjetRuleResult, detectBot, shield, tokenBucket,} from "@arcjet/next";import { NextResponse } from "next/server";
const aj = arcjet({ key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com characteristics: ["ip.src"], // Track requests by IP rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
function isSpoofed(result: ArcjetRuleResult) { return ( // You probably don't want DRY_RUN rules resulting in a denial // since they are generally used for evaluation purposes but you // could log here. result.state !== "DRY_RUN" && result.reason.isBot() && result.reason.isSpoofed() );}
export async function GET(req: Request) { const decision = await aj.protect(req, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return NextResponse.json( { error: "Too Many Requests", reason: decision.reason }, { status: 429 }, ); } else if (decision.reason.isBot()) { return NextResponse.json( { error: "No bots allowed", reason: decision.reason }, { status: 403 }, ); } else { return NextResponse.json( { error: "Forbidden", reason: decision.reason }, { status: 403 }, ); } }
// Arcjet Pro plan verifies the authenticity of common bots using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofed)) { return NextResponse.json( { error: "Forbidden", reason: decision.reason }, { status: 403 }, ); }
return NextResponse.json({ message: "Hello world" });}Create a new API route at /pages/api/arcjet.ts:
import arcjet, { type ArcjetRuleResult, detectBot, shield, tokenBucket,} from "@arcjet/next";import type { NextApiRequest, NextApiResponse } from "next";
const aj = arcjet({ key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com characteristics: ["ip.src"], // Track requests by IP rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
function isSpoofed(result: ArcjetRuleResult) { return ( // You probably don't want DRY_RUN rules resulting in a denial // since they are generally used for evaluation purposes but you // could log here. result.state !== "DRY_RUN" && result.reason.isBot() && result.reason.isSpoofed() );}
export default async function handler( req: NextApiRequest, res: NextApiResponse,) { const decision = await aj.protect(req, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return res .status(429) .json({ error: "Too many requests", reason: decision.reason }); } else if (decision.reason.isBot()) { return res .status(403) .json({ error: "No bots allowed", reason: decision.reason }); } else { return res .status(403) .json({ error: "Forbidden", reason: decision.reason }); } }
// Arcjet Pro plan verifies the authenticity of common bots using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofed)) { return res .status(403) .json({ error: "Forbidden", reason: decision.reason }); }
res.status(200).json({ name: "Hello world" });}Create a new file at index.js with the contents:
import arcjet, { detectBot, shield, tokenBucket } from "@arcjet/node";import http from "node:http";
const aj = arcjet({ key: process.env.ARCJET_KEY, // Get your site key from https://app.arcjet.com characteristics: ["ip.src"], // Track requests by IP rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
function isSpoofed(result) { return ( // You probably don't want DRY_RUN rules resulting in a denial // since they are generally used for evaluation purposes but you // could log here. result.state !== "DRY_RUN" && result.reason.isBot() && result.reason.isSpoofed() );}
const server = http.createServer(async function (req, res) { const decision = await aj.protect(req, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { res.writeHead(429, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Too many requests" })); } else if (decision.reason.isBot()) { res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "No bots allowed" })); } else { res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Forbidden" })); } } else if (decision.results.some(isSpoofed)) { // Arcjet Pro plan verifies the authenticity of common bots using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Forbidden" })); } else { res.writeHead(200, { "Content-Type": "application/json" }); res.end(JSON.stringify({ message: "Hello world" })); }});
server.listen(8000);Create a new file at index.ts with the contents:
import arcjet, { type ArcjetRuleResult, detectBot, shield, tokenBucket,} from "@arcjet/node";import http from "node:http";
const aj = arcjet({ key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com characteristics: ["ip.src"], // Track requests by IP rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
function isSpoofed(result: ArcjetRuleResult) { return ( // You probably don't want DRY_RUN rules resulting in a denial // since they are generally used for evaluation purposes but you // could log here. result.state !== "DRY_RUN" && result.reason.isBot() && result.reason.isSpoofed() );}
const server = http.createServer(async function ( req: http.IncomingMessage, res: http.ServerResponse,) { const decision = await aj.protect(req, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { res.writeHead(429, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Too many requests" })); } else if (decision.reason.isBot()) { res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "No bots allowed" })); } else { res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Forbidden" })); } } else if (decision.results.some(isSpoofed)) { // Arcjet Pro plan verifies the authenticity of common bots using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Forbidden" })); } else { res.writeHead(200, { "Content-Type": "application/json" }); res.end(JSON.stringify({ message: "Hello world" })); }});
server.listen(8000);Update your index.js file with the contents:
import arcjet, { shield, detectBot, tokenBucket } from "@arcjet/node";import express from "express";
const app = express();const port = 3000;
const aj = arcjet({ // Get your site key from https://app.arcjet.com and set it as an environment // variable rather than hard coding. key: process.env.ARCJET_KEY, characteristics: ["ip.src"], // Track requests by IP rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
function isSpoofed(result) { return ( // You probably don't want DRY_RUN rules resulting in a denial // since they are generally used for evaluation purposes but you // could log here. result.state !== "DRY_RUN" && result.reason.isBot() && result.reason.isSpoofed() );}
app.get("/", async (req, res) => { const decision = await aj.protect(req, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { res.writeHead(429, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Too Many Requests" })); } else if (decision.reason.isBot()) { res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "No bots allowed" })); } else { res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Forbidden" })); } } else if (decision.results.some(isSpoofed)) { // Arcjet Pro plan verifies the authenticity of common bots using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Forbidden" })); } else { res.writeHead(200, { "Content-Type": "application/json" }); res.end(JSON.stringify({ message: "Hello World" })); }});
app.listen(port, () => { console.log(`Example app listening on port ${port}`);});Update your index.ts file with the contents:
import arcjet, { type ArcjetRuleResult, detectBot, shield, tokenBucket,} from "@arcjet/node";import { serve, type HttpBindings } from "@hono/node-server";import { Hono } from "hono";
const aj = arcjet({ key: process.env.ARCJET_KEY!, characteristics: ["ip.src"], // Track requests by IP rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
function isSpoofed(result: ArcjetRuleResult) { return ( // You probably don't want DRY_RUN rules resulting in a denial // since they are generally used for evaluation purposes but you // could log here. result.state !== "DRY_RUN" && result.reason.isBot() && result.reason.isSpoofed() );}
const app = new Hono<{ Bindings: HttpBindings }>();
app.get("/", async (c) => { const decision = await aj.protect(c.env.incoming, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return c.json({ error: "Too Many Requests" }, 429); } else if (decision.reason.isBot()) { return c.json({ error: "No Bots Allowed" }, 403); } else { return c.json({ error: "Forbidden" }, 403); } }
// Arcjet Pro plan verifies the authenticity of common bots using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofed)) { return c.json({ error: "Forbidden" }, 403); }
return c.json({ message: "Hello Hono!" });});
const port = 3000;console.log(`Server is running on port ${port}`);
serve({ fetch: app.fetch, port,});Create a new route at app/routes/arcjet.tsx with the contents:
import arcjet, { type ArcjetRuleResult, detectBot, shield, tokenBucket,} from "@arcjet/remix";import type { LoaderFunctionArgs } from "@remix-run/node";
const aj = arcjet({ key: process.env.ARCJET_KEY!, characteristics: ["ip.src"], // Track requests by IP rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
function isSpoofed(result: ArcjetRuleResult) { return ( // You probably don't want DRY_RUN rules resulting in a denial // since they are generally used for evaluation purposes but you // could log here. result.state !== "DRY_RUN" && result.reason.isBot() && result.reason.isSpoofed() );}
// The loader function is called for every request to the app, but you could// also protect an actionexport async function loader(args: LoaderFunctionArgs) { const decision = await aj.protect(args, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { throw new Response("Too many requests", { status: 429, statusText: "Too many requests", }); } else if (decision.reason.isBot()) { throw new Response("Bots forbidden", { status: 403, statusText: "Bots forbidden", }); } else { throw new Response("Forbidden", { status: 403, statusText: "Forbidden" }); } }
// Arcjet Pro plan verifies the authenticity of common bots using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofed)) { throw new Response("Forbidden", { status: 403, statusText: "Forbidden" }); }
// We don't need to use the decision elsewhere, but you could return it to // the component return null;}
export default function Index() { return ( <> <h1>Hello world</h1> </> );}Create a new file at index.js with the contents:
import arcjet, { detectBot, shield, tokenBucket } from "@arcjet/bun";import { env } from "bun";
const aj = arcjet({ key: env.ARCJET_KEY, // Get your site key from https://app.arcjet.com characteristics: ["ip.src"], // Track requests by IP rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
function isSpoofed(result) { return ( // You probably don't want DRY_RUN rules resulting in a denial // since they are generally used for evaluation purposes but you // could log here. result.state !== "DRY_RUN" && result.reason.isBot() && result.reason.isSpoofed() );}
export default { port: 3000, fetch: aj.handler(async (req) => { const decision = await aj.protect(req, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return new Response("Too many requests", { status: 429 }); } else if (decision.reason.isBot()) { return new Response("No bots allowed", { status: 403 }); } else { return new Response("Forbidden", { status: 403 }); } }
// Arcjet Pro plan verifies the authenticity of common bots using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofed)) { return new Response("Forbidden", { status: 403 }); }
return new Response("Hello world"); }),};Create a new file at index.ts with the contents:
import arcjet, { type ArcjetRuleResult, detectBot, shield, tokenBucket,} from "@arcjet/bun";import { env } from "bun";
const aj = arcjet({ key: env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com characteristics: ["ip.src"], // Track requests by IP rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
function isSpoofed(result: ArcjetRuleResult) { return ( // You probably don't want DRY_RUN rules resulting in a denial // since they are generally used for evaluation purposes but you // could log here. result.state !== "DRY_RUN" && result.reason.isBot() && result.reason.isSpoofed() );}
export default { port: 3000, fetch: aj.handler(async (req) => { const decision = await aj.protect(req, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return new Response("Too many requests", { status: 429 }); } else if (decision.reason.isBot()) { return new Response("No bots allowed", { status: 403 }); } else { return new Response("Forbidden", { status: 403 }); } }
// Arcjet Pro plan verifies the authenticity of common bots using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofed)) { return new Response("Forbidden", { status: 403 }); }
return new Response("Hello world"); }),};Bun.serve() support
While our documentation gives you examples using Bun’s default export Object
syntax, it will also run if you
use Bun.serve() instead:
/// <reference types="bun-types/bun.d.ts" />import arcjet, { type ArcjetRuleResult, detectBot, shield, tokenBucket,} from "@arcjet/bun";import { env } from "bun";
const aj = arcjet({ key: env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com characteristics: ["ip.src"], // Track requests by IP rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
function isSpoofed(result: ArcjetRuleResult) { return ( // You probably don't want DRY_RUN rules resulting in a denial // since they are generally used for evaluation purposes but you // could log here. result.state !== "DRY_RUN" && result.reason.isBot() && result.reason.isSpoofed() );}
Bun.serve({ async fetch(req: Request) { const decision = await aj.protect(req, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision.conclusion);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return new Response("Too many requests", { status: 429 }); } else if (decision.reason.isBot()) { return new Response("No bots allowed", { status: 403 }); } else { return new Response("Forbidden", { status: 403 }); } }
// Arcjet Pro plan verifies the authenticity of common bots using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofed)) { return new Response("Forbidden", { status: 403 }); }
return new Response("Hello world"); },});4. Start app
bun run --hot index.tsVisit http://localhost:3000 in your browser and
refresh a few times to hit the rate limit. You may see 2 requests - one for the
page and one for a favicon.
Wait 10 seconds, then run:
curl -v http://localhost:3000The wait is necessary because the decision is cached for your IP based on the
interval rate limit configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
4. Start app
deno run --watch index.tsVisit http://localhost:3000 in your browser and
refresh a few times to hit the rate limit. You may see 2 requests - one for the
page and one for a favicon.
Wait 10 seconds, then run:
curl -v http://localhost:3000The wait is necessary because the decision is cached for your IP based on the
interval rate limit configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
4. Start app
node --env-file .env.local index.jsVisit http://localhost:3000 in your browser and
refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -v http://localhost:3000The wait is necessary because the decision is cached for your IP based on the
interval rate limit configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
4. Start app
bun run --hot index.tsbun run --hot index.jsVisit http://localhost:3000 in your browser and
refresh a few times to hit the rate limit. You may see 2 requests - one for the
page and one for a favicon.
Wait 10 seconds, then run:
curl -v http://localhost:3000The wait is necessary because the decision is cached for your IP based on the
interval rate limit configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
4. Start app
npm run startpnpm run startyarn run startVisit http://localhost:3000 in your browser and
refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -v http://localhost:3000The wait is necessary because the decision is cached for your IP based on the
interval rate limit configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
4. Start app
npm run devpnpm run devyarn run devVisit http://localhost:3000/api/arcjet in
your browser and refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -v http://localhost:3000/api/arcjetThe wait is necessary because the decision is cached for your IP based on the
interval rate limit configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
4. Start app
npx tsx --env-file .env.local index.tsnode --env-file .env.local index.jsVisit http://localhost:8000 in your browser and
refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -v http://localhost:8000The wait is necessary because the decision is cached for your IP based on the
interval configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
4. Start app
npm run devpnpm run devyarn run devVisit http://localhost:3000 in your browser and
refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -v http://localhost:3000The wait is necessary because the decision is cached for your IP based on the
interval rate limit configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
4. Start app
npm run devpnpm run devyarn run devVisit http://localhost:5173/arcjet in your
browser and refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -I http://localhost:5173/arcjetThe wait is necessary because the decision is cached for your IP based on the
interval rate limit configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
4. Start app
npm run devpnpm run devyarn run devVisit http://localhost:5173/api/arcjet in
your browser and refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -v http://localhost:5173/api/arcjetThe wait is necessary because the decision is cached for your IP based on the
interval rate limit configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
The requests will also show in the Arcjet dashboard.
FAQs
Do I need to run any infrastructure e.g. Redis?
No, Arcjet handles all the infrastructure for you so you don't need to worry about deploying global Redis clusters, designing data structures to track rate limits, or keeping security detection rules up to date.
What is the performance overhead?
Arcjet SDK tries to do as much as possible asynchronously and locally to minimize latency for each request. Where decisions can be made locally or previous decisions are cached in-memory, latency is usually <1ms.
When a call to the Arcjet API is required, such as when tracking a rate limit in a serverless environment, there is some additional latency before a decision is made. The Arcjet API has been designed for high performance and low latency, and is deployed to multiple regions around the world. The SDK will automatically use the closest region which means the total overhead is typically no more than 20-30ms, often significantly less.
What happens if Arcjet is unavailable?
Where a decision has been cached locally e.g. blocking a client, Arcjet will continue to function even if the service is unavailable.
If a call to the Arcjet API is needed and there is a network problem or Arcjet is unavailable, the default behavior is to fail open and allow the request. You have control over how to handle errors, including choosing to fail close if you prefer. See the reference docs for details.
How does Arcjet protect me against DDoS attacks?
Network layer attacks tend to be generic and high volume, so these are best handled by your hosting platform. Most cloud providers include network DDoS protection by default.
Arcjet sits closer to your application so it can understand the context. This is important because some types of traffic may not look like a DDoS attack, but can still have the same effect. For example, a customer making too many API requests and affecting other customers, or large numbers of signups from disposable email addresses.
Network-level DDoS protection tools find it difficult to protect against this type of traffic because they don't understand the structure of your application. Arcjet can help you to identify and block this traffic by integrating with your codebase and understanding the context of the request e.g. the customer ID or sensitivity of the API route.
Volumetric network attacks are best handled by your hosting provider. Application level attacks need to be handled by the application. That's where Arcjet helps.
What next?
Site-wide bot protection Use middleware to protect your entire app.
Customize allowed bots Identify bots and configure allow/deny lists.
Testing Write tests for your rules.
Explore
Arcjet can be used with specific rules on individual routes or as general protection on your entire application. You can defend from clients sending you sensitive information, minimize fraudulent registrations with the signup form protection and more.
Example apps Check out the examples.
Learn how Arcjet works Arcjet's architecture.
SDK reference Bun SDK reference guide.
SDK reference Bun SDK reference guide.
SDK reference Node.js SDK reference guide.
SDK reference NestJS SDK reference guide.
SDK reference Next.js SDK reference guide.
SDK reference Node.js SDK reference guide.
SDK reference Node.js SDK reference guide.
SDK reference Node.js SDK reference guide.
SDK reference Remix SDK reference guide.
SDK reference SvelteKit SDK reference guide.
Get help
Need help with anything? Email us or join our Discord to get support from our engineering team.