Arcjet helps developers protect their apps in just a few
lines of code. Bot detection. Rate limiting. Email validation. Attack
protection. Data redaction. A developer-first approach to security.
This guide will show you how to set up a simple API server protected by Arcjet.
Choose a framework
Bun
Bun + Hono
NestJS
Next.js
Node.js
Node.js + Express
Node.js + Hono
SvelteKit
1. Install Arcjet
In your project root, run the following command:
pnpm add @arcjet/sveltekit
yarn add @arcjet/sveltekit
Requirements
Bun 1.1.27 or later
Hono 4.3 or later
NestJS 10.4 or later.
Node.js 18 or later.
Express and Fastify are supported.
CommonJS is not supported. Arcjet is ESM only. See our NestJS example
app for how to use ESM with NestJS.
Next.js 14 or 15.
CommonJS is not supported. Arcjet is ESM only.
Node.js 18 or later
CommonJS is not supported. Arcjet is ESM only.
Node.js 18 or later
Express.js 4.19 or later
CommonJS is not supported. Arcjet is ESM only.
Node.js 18 or later
Hono 4.3 or later
CommonJS is not supported. Arcjet is ESM only.
Node.js 18 or later
SvelteKit 2.5 or later
CommonJS is not supported. Arcjet is ESM only.
2. Set your key
Create a free Arcjet account then follow the
instructions to add a site and get a key. Add it to a .env.local
file the
project root.
# NODE_ENV is not set automatically, so tell Arcjet we're in dev
# You can leave this unset in prod
# Get your site key from https://app.arcjet.com
# NODE_ENV is not set automatically, so tell Arcjet we're in dev
# You can leave this unset in prod
# Get your site key from https://app.arcjet.com
# NODE_ENV is not set automatically, so tell Arcjet we're in dev
# You can leave this unset in prod
# Get your site key from https://app.arcjet.com
# NODE_ENV is not set automatically, so tell Arcjet we're in dev
# You can leave this unset in prod
# Get your site key from https://app.arcjet.com
# NODE_ENV is not set automatically, so tell Arcjet we're in dev
# You can leave this unset in prod
# Get your site key from https://app.arcjet.com
# NODE_ENV is not set automatically, so tell Arcjet we're in dev
# You can leave this unset in prod
# Get your site key from https://app.arcjet.com
3. Add rules
This configures Arcjet rules to protect your app from attacks, apply a rate
limit, and prevent bots from accessing your app.
import arcjet , { detectBot , shield , tokenBucket } from " @arcjet/bun " ;
import { env } from " bun " ;
key : env . ARCJET_KEY ! , // Get your site key from https://app.arcjet.com
characteristics : [ " ip.src " ] , // Track requests by IP
// Shield protects your app from common attacks e.g. SQL injection
shield ( { mode : " LIVE " } ) ,
// Create a bot detection rule
mode : " LIVE " , // Blocks requests. Use "DRY_RUN" to log only
// Block all bots except search engine crawlers. See
// https://arcjet.com/bot-list
allow : [ " CATEGORY:SEARCH_ENGINE " ] ,
// Create a token bucket rate limit. Other algorithms are supported.
refillRate : 5 , // Refill 5 tokens per interval
interval : 10 , // Refill every 10 seconds
capacity : 10 , // Bucket capacity of 10 tokens
fetch : aj . handler ( async ( req ) => {
const decision = await aj . protect ( req , { requested : 5 } ) ; // Deduct 5 tokens from the bucket
console . log ( " Arcjet decision " , decision ) ;
if ( decision . isDenied ()) {
if ( decision . reason . isRateLimit ()) {
return new Response ( " Too many requests " , { status : 429 } ) ;
} else if ( decision . reason . isBot ()) {
return new Response ( " No bots allowed " , { status : 403 } ) ;
return new Response ( " Forbidden " , { status : 403 } ) ;
return new Response ( " Hello world " ) ;
import arcjet , { detectBot , shield , tokenBucket } from " @arcjet/bun " ;
import { env } from " bun " ;
key : env . ARCJET_KEY , // Get your site key from https://app.arcjet.com
characteristics : [ " ip.src " ] , // Track requests by IP
// Shield protects your app from common attacks e.g. SQL injection
shield ( { mode : " LIVE " } ) ,
// Create a bot detection rule
mode : " LIVE " , // Blocks requests. Use "DRY_RUN" to log only
// Block all bots except search engine crawlers. See
// https://arcjet.com/bot-list
allow : [ " CATEGORY:SEARCH_ENGINE " ] ,
// Create a token bucket rate limit. Other algorithms are supported.
refillRate : 5 , // Refill 5 tokens per interval
interval : 10 , // Refill every 10 seconds
capacity : 10 , // Bucket capacity of 10 tokens
fetch : aj . handler ( async ( req ) => {
const decision = await aj . protect ( req , { requested : 5 } ) ; // Deduct 5 tokens from the bucket
console . log ( " Arcjet decision " , decision ) ;
if ( decision . isDenied ()) {
if ( decision . reason . isRateLimit ()) {
return new Response ( " Too many requests " , { status : 429 } ) ;
} else if ( decision . reason . isBot ()) {
return new Response ( " No bots allowed " , { status : 403 } ) ;
return new Response ( " Forbidden " , { status : 403 } ) ;
return new Response ( " Hello world " ) ;
Bun.serve()
supportWhile our documentation gives you examples using Bun’s default export Object
syntax , it will also run if you
use Bun.serve()
instead:
/// < reference types = " bun-types/bun.d.ts " />
import arcjet , { detectBot , shield , tokenBucket } from " @arcjet/bun " ;
import { env } from " bun " ;
key : env . ARCJET_KEY ! , // Get your site key from https://app.arcjet.com
characteristics : [ " ip.src " ] , // Track requests by IP
// Shield protects your app from common attacks e.g. SQL injection
shield ( { mode : " LIVE " } ) ,
// Create a bot detection rule
mode : " LIVE " , // Blocks requests. Use "DRY_RUN" to log only
// Block all bots except search engine crawlers. See
// https://arcjet.com/bot-list
allow : [ " CATEGORY:SEARCH_ENGINE " ] ,
// Create a token bucket rate limit. Other algorithms are supported.
refillRate : 5 , // Refill 5 tokens per interval
interval : 10 , // Refill every 10 seconds
capacity : 10 , // Bucket capacity of 10 tokens
async fetch ( req : Request ) {
const decision = await aj . protect ( req , { requested : 5 } ) ; // Deduct 5 tokens from the bucket
console . log ( " Arcjet decision " , decision . conclusion ) ;
if ( decision . isDenied ()) {
if ( decision . reason . isRateLimit ()) {
return new Response ( " Too many requests " , { status : 429 } ) ;
} else if ( decision . reason . isBot ()) {
return new Response ( " No bots allowed " , { status : 403 } ) ;
return new Response ( " Forbidden " , { status : 403 } ) ;
return new Response ( " Hello world " ) ;
import { Module } from " @nestjs/common " ;
import { ConfigModule } from " @nestjs/config " ;
import { APP_GUARD , NestFactory } from " @nestjs/core " ;
envFilePath : " .env.local " ,
key : process . env . ARCJET_KEY ! ,
// Shield protects your app from common attacks e.g. SQL injection
shield ( { mode : " LIVE " } ) ,
// Create a bot detection rule
mode : " LIVE " , // Blocks requests. Use "DRY_RUN" to log only
// Block all bots except search engine crawlers. See
// https://arcjet.com/bot-list
allow : [ " CATEGORY:SEARCH_ENGINE " ] ,
// Create a fixed window rate limit. Other algorithms are supported.
window : " 60s " , // 10 second fixed window
max : 2 , // Allow a maximum of 2 requests
async function bootstrap () {
const app = await NestFactory . create ( AppModule ) ;
This creates a global guard that will be applied to all routes. In a real
application, implementing guards or per-route protections would give you more
flexibility. See our example app for
how to do this.
import arcjet , { detectBot , shield , tokenBucket } from " @arcjet/node " ;
import http from " node:http " ;
key : process . env . ARCJET_KEY , // Get your site key from https://app.arcjet.com
characteristics : [ " ip.src " ] , // Track requests by IP
// Shield protects your app from common attacks e.g. SQL injection
shield ( { mode : " LIVE " } ) ,
// Create a bot detection rule
mode : " LIVE " , // Blocks requests. Use "DRY_RUN" to log only
// Block all bots except search engine crawlers. See
// https://arcjet.com/bot-list
allow : [ " CATEGORY:SEARCH_ENGINE " ] ,
// Create a token bucket rate limit. Other algorithms are supported.
refillRate : 5 , // Refill 5 tokens per interval
interval : 10 , // Refill every 10 seconds
capacity : 10 , // Bucket capacity of 10 tokens
const server = http . createServer ( async function ( req , res ) {
const decision = await aj . protect ( req , { requested : 5 } ) ; // Deduct 5 tokens from the bucket
console . log ( " Arcjet decision " , decision ) ;
if ( decision . isDenied ()) {
if ( decision . reason . isRateLimit ()) {
res . writeHead ( 429 , { " Content-Type " : " application/json " } ) ;
res . end ( JSON . stringify ( { error : " Too many requests " } )) ;
} else if ( decision . reason . isBot ()) {
res . writeHead ( 403 , { " Content-Type " : " application/json " } ) ;
res . end ( JSON . stringify ( { error : " No bots allowed " } )) ;
res . writeHead ( 403 , { " Content-Type " : " application/json " } ) ;
res . end ( JSON . stringify ( { error : " Forbidden " } )) ;
res . writeHead ( 200 , { " Content-Type " : " application/json " } ) ;
res . end ( JSON . stringify ( { message : " Hello world " } )) ;
import arcjet , { detectBot , shield , tokenBucket } from " @arcjet/node " ;
import http from " node:http " ;
key : process . env . ARCJET_KEY ! , // Get your site key from https://app.arcjet.com
characteristics : [ " ip.src " ] , // Track requests by IP
// Shield protects your app from common attacks e.g. SQL injection
shield ( { mode : " LIVE " } ) ,
// Create a bot detection rule
mode : " LIVE " , // Blocks requests. Use "DRY_RUN" to log only
// Block all bots except search engine crawlers. See
// https://arcjet.com/bot-list
allow : [ " CATEGORY:SEARCH_ENGINE " ] ,
// Create a token bucket rate limit. Other algorithms are supported.
refillRate : 5 , // Refill 5 tokens per interval
interval : 10 , // Refill every 10 seconds
capacity : 10 , // Bucket capacity of 10 tokens
const server = http . createServer ( async function (
req : http . IncomingMessage ,
res : http . ServerResponse ,
const decision = await aj . protect ( req , { requested : 5 } ) ; // Deduct 5 tokens from the bucket
console . log ( " Arcjet decision " , decision ) ;
if ( decision . isDenied ()) {
if ( decision . reason . isRateLimit ()) {
res . writeHead ( 429 , { " Content-Type " : " application/json " } ) ;
res . end ( JSON . stringify ( { error : " Too many requests " } )) ;
} else if ( decision . reason . isBot ()) {
res . writeHead ( 403 , { " Content-Type " : " application/json " } ) ;
res . end ( JSON . stringify ( { error : " No bots allowed " } )) ;
res . writeHead ( 403 , { " Content-Type " : " application/json " } ) ;
res . end ( JSON . stringify ( { error : " Forbidden " } )) ;
res . writeHead ( 200 , { " Content-Type " : " application/json " } ) ;
res . end ( JSON . stringify ( { message : " Hello world " } )) ;
Create a new API route at /src/routes/api/arcjet/+server.js
:
import { env } from " $env/dynamic/private " ;
import arcjet , { detectBot , shield , tokenBucket } from " @arcjet/sveltekit " ;
import { error } from " @sveltejs/kit " ;
key : env . ARCJET_KEY , // Get your site key from https://app.arcjet.com
characteristics : [ " ip.src " ] , // Track requests by IP
// Shield protects your app from common attacks e.g. SQL injection
shield ( { mode : " LIVE " } ) ,
// Create a bot detection rule
mode : " LIVE " , // Blocks requests. Use "DRY_RUN" to log only
// Block all bots except search engine crawlers. See
// https://arcjet.com/bot-list
allow : [ " CATEGORY:SEARCH_ENGINE " ] ,
// Create a token bucket rate limit. Other algorithms are supported.
refillRate : 5 , // Refill 5 tokens per interval
interval : 10 , // Refill every 10 seconds
capacity : 10 , // Bucket capacity of 10 tokens
export async function handle ({ event , resolve }) {
const decision = await aj . protect ( event , { requested : 5 } ) ; // Deduct 5 tokens from the bucket
console . log ( " Arcjet decision " , decision ) ;
if ( decision . isDenied ()) {
if ( decision . reason . isRateLimit ()) {
return error ( 429 , " Too Many Requests " ) ;
} else if ( decision . reason . isBot ()) {
return error ( 403 , " No Bots Allowed " ) ;
return error ( 403 , " Forbidden " ) ;
Create a new API route at /src/routes/api/arcjet/+server.ts
:
import { env } from " $env/dynamic/private " ;
import arcjet , { detectBot , shield , tokenBucket } from " @arcjet/sveltekit " ;
import { error , type RequestEvent } from " @sveltejs/kit " ;
key : env . ARCJET_KEY ! , // Get your site key from https://app.arcjet.com
characteristics : [ " ip.src " ] , // Track requests by IP
// Shield protects your app from common attacks e.g. SQL injection
shield ( { mode : " LIVE " } ) ,
// Create a bot detection rule
mode : " LIVE " , // Blocks requests. Use "DRY_RUN" to log only
// Block all bots except search engine crawlers. See
// https://arcjet.com/bot-list
allow : [ " CATEGORY:SEARCH_ENGINE " ] ,
// Create a token bucket rate limit. Other algorithms are supported.
refillRate : 5 , // Refill 5 tokens per interval
interval : 10 , // Refill every 10 seconds
capacity : 10 , // Bucket capacity of 10 tokens
export async function handle ({
resolve : ( event : RequestEvent ) => Response | Promise < Response >;
const decision = await aj . protect ( event , { requested : 5 } ) ; // Deduct 5 tokens from the bucket
console . log ( " Arcjet decision " , decision ) ;
if ( decision . isDenied ()) {
if ( decision . reason . isRateLimit ()) {
return error ( 429 , " Too Many Requests " ) ;
} else if ( decision . reason . isBot ()) {
return error ( 403 , " No Bots Allowed " ) ;
return error ( 403 , " Forbidden " ) ;
import arcjet , { detectBot , shield , tokenBucket } from " @arcjet/bun " ;
import { Hono } from " hono " ;
import { env } from " bun " ;
key : env . ARCJET_KEY ! , // Get your site key from https://app.arcjet.com
characteristics : [ " ip.src " ] , // Track requests by IP
// Shield protects your app from common attacks e.g. SQL injection
shield ( { mode : " LIVE " } ) ,
// Create a bot detection rule
mode : " LIVE " , // Blocks requests. Use "DRY_RUN" to log only
// Block all bots except search engine crawlers. See
// https://arcjet.com/bot-list
allow : [ " CATEGORY:SEARCH_ENGINE " ] ,
// Create a token bucket rate limit. Other algorithms are supported.
refillRate : 5 , // Refill 5 tokens per interval
interval : 10 , // Refill every 10 seconds
capacity : 10 , // Bucket capacity of 10 tokens
app . get ( " / " , async ( c ) => {
const decision = await aj . protect ( c . req . raw , { requested : 5 } ) ; // Deduct 5 tokens from the bucket
console . log ( " Arcjet decision " , decision . conclusion ) ;
if ( decision . isDenied ()) {
if ( decision . reason . isRateLimit ()) {
return c . json ( { error : " Too many requests " }, 429 ) ;
} else if ( decision . reason . isBot ()) {
return c . json ( { error : " No bots allowed " }, 403 ) ;
return c . json ( { error : " Forbidden " }, 403 ) ;
return c . json ( { message : " Hello world " } ) ;
console . log ( ` Server is running on port ${ port }` ) ;
fetch : aj . handler ( app . fetch ) ,
Create a new API route at /pages/api/arcjet.js
:
import arcjet , { detectBot , shield , tokenBucket } from " @arcjet/next " ;
key : process . env . ARCJET_KEY , // Get your site key from https://app.arcjet.com
characteristics : [ " ip.src " ] , // Track requests by IP
// Shield protects your app from common attacks e.g. SQL injection
shield ( { mode : " LIVE " } ) ,
// Create a bot detection rule
mode : " LIVE " , // Blocks requests. Use "DRY_RUN" to log only
// Block all bots except search engine crawlers. See
// https://arcjet.com/bot-list
allow : [ " CATEGORY:SEARCH_ENGINE " ] ,
// Create a token bucket rate limit. Other algorithms are supported.
refillRate : 5 , // Refill 5 tokens per interval
interval : 10 , // Refill every 10 seconds
capacity : 10 , // Bucket capacity of 10 tokens
export default async function handler ( req , res ) {
const decision = await aj . protect ( req , { requested : 5 } ) ; // Deduct 5 tokens from the bucket
console . log ( " Arcjet decision " , decision ) ;
if ( decision . isDenied ()) {
if ( decision . reason . isRateLimit ()) {
. json ( { error : " Too many requests " , reason : decision . reason } ) ;
} else if ( decision . reason . isBot ()) {
. json ( { error : " No bots allowed " , reason : decision . reason } ) ;
. json ( { error : " Forbidden " , reason : decision . reason } ) ;
res . status ( 200 ) . json ( { name : " Hello world " } ) ;
Create a new API route at /app/api/arcjet/route.ts
:
import arcjet , { detectBot , shield , tokenBucket } from " @arcjet/next " ;
import { NextResponse } from " next/server " ;
key : process . env . ARCJET_KEY ! , // Get your site key from https://app.arcjet.com
characteristics : [ " ip.src " ] , // Track requests by IP
// Shield protects your app from common attacks e.g. SQL injection
shield ( { mode : " LIVE " } ) ,
// Create a bot detection rule
mode : " LIVE " , // Blocks requests. Use "DRY_RUN" to log only
// Block all bots except search engine crawlers. See
// https://arcjet.com/bot-list
allow : [ " CATEGORY:SEARCH_ENGINE " ] ,
// Create a token bucket rate limit. Other algorithms are supported.
refillRate : 5 , // Refill 5 tokens per interval
interval : 10 , // Refill every 10 seconds
capacity : 10 , // Bucket capacity of 10 tokens
export async function GET ( req : Request ) {
const decision = await aj . protect ( req , { requested : 5 } ) ; // Deduct 5 tokens from the bucket
console . log ( " Arcjet decision " , decision ) ;
if ( decision . isDenied ()) {
if ( decision . reason . isRateLimit ()) {
return NextResponse . json (
{ error : " Too Many Requests " , reason : decision . reason },
} else if ( decision . reason . isBot ()) {
return NextResponse . json (
{ error : " No bots allowed " , reason : decision . reason },
return NextResponse . json (
{ error : " Forbidden " , reason : decision . reason },
return NextResponse . json ( { message : " Hello world " } ) ;
Create a new API route at /pages/api/arcjet.ts
:
import arcjet , { detectBot , shield , tokenBucket } from " @arcjet/next " ;
import type { NextApiRequest , NextApiResponse } from " next " ;
key : process . env . ARCJET_KEY ! , // Get your site key from https://app.arcjet.com
characteristics : [ " ip.src " ] , // Track requests by IP
// Shield protects your app from common attacks e.g. SQL injection
shield ( { mode : " LIVE " } ) ,
// Create a bot detection rule
mode : " LIVE " , // Blocks requests. Use "DRY_RUN" to log only
// Block all bots except search engine crawlers. See
// https://arcjet.com/bot-list
allow : [ " CATEGORY:SEARCH_ENGINE " ] ,
// Create a token bucket rate limit. Other algorithms are supported.
refillRate : 5 , // Refill 5 tokens per interval
interval : 10 , // Refill every 10 seconds
capacity : 10 , // Bucket capacity of 10 tokens
export default async function handler (
const decision = await aj . protect ( req , { requested : 5 } ) ; // Deduct 5 tokens from the bucket
console . log ( " Arcjet decision " , decision ) ;
if ( decision . isDenied ()) {
if ( decision . reason . isRateLimit ()) {
. json ( { error : " Too many requests " , reason : decision . reason } ) ;
} else if ( decision . reason . isBot ()) {
. json ( { error : " No bots allowed " , reason : decision . reason } ) ;
. json ( { error : " Forbidden " , reason : decision . reason } ) ;
res . status ( 200 ) . json ( { name : " Hello world " } ) ;
Create a new API route at /app/api/arcjet/route.js
:
import arcjet , { detectBot , shield , tokenBucket } from " @arcjet/next " ;
import { NextResponse } from " next/server " ;
key : process . env . ARCJET_KEY , // Get your site key from https://app.arcjet.com
characteristics : [ " ip.src " ] , // Track requests by IP
// Shield protects your app from common attacks e.g. SQL injection
shield ( { mode : " LIVE " } ) ,
// Create a bot detection rule
mode : " LIVE " , // Blocks requests. Use "DRY_RUN" to log only
// Block all bots except search engine crawlers. See
// https://arcjet.com/bot-list
allow : [ " CATEGORY:SEARCH_ENGINE " ] ,
// Create a token bucket rate limit. Other algorithms are supported.
refillRate : 5 , // Refill 5 tokens per interval
interval : 10 , // Refill every 10 seconds
capacity : 10 , // Bucket capacity of 10 tokens
export async function GET ( req ) {
const decision = await aj . protect ( req , { requested : 5 } ) ; // Deduct 5 tokens from the bucket
console . log ( " Arcjet decision " , decision ) ;
if ( decision . isDenied ()) {
if ( decision . reason . isRateLimit ()) {
return NextResponse . json (
{ error : " Too Many Requests " , reason : decision . reason },
} else if ( decision . reason . isBot ()) {
return NextResponse . json (
{ error : " No bots allowed " , reason : decision . reason },
return NextResponse . json (
{ error : " Forbidden " , reason : decision . reason },
return NextResponse . json ( { message : " Hello world " } ) ;
import arcjet , { detectBot , shield , tokenBucket } from " @arcjet/node " ;
import { serve , type HttpBindings } from " @hono/node-server " ;
import { Hono } from " hono " ;
key : process . env . ARCJET_KEY ! ,
characteristics : [ " ip.src " ] , // Track requests by IP
// Shield protects your app from common attacks e.g. SQL injection
shield ( { mode : " LIVE " } ) ,
// Create a bot detection rule
mode : " LIVE " , // Blocks requests. Use "DRY_RUN" to log only
// Block all bots except search engine crawlers. See
// https://arcjet.com/bot-list
allow : [ " CATEGORY:SEARCH_ENGINE " ] ,
// Create a token bucket rate limit. Other algorithms are supported.
refillRate : 5 , // Refill 5 tokens per interval
interval : 10 , // Refill every 10 seconds
capacity : 10 , // Bucket capacity of 10 tokens
const app = new Hono <{ Bindings : HttpBindings }> () ;
app . get ( " / " , async ( c ) => {
const decision = await aj . protect ( c . env . incoming , { requested : 5 } ) ; // Deduct 5 tokens from the bucket
console . log ( " Arcjet decision " , decision ) ;
if ( decision . isDenied ()) {
if ( decision . reason . isRateLimit ()) {
return c . json ( { error : " Too Many Requests " }, 429 ) ;
} else if ( decision . reason . isBot ()) {
return c . json ( { error : " No Bots Allowed " }, 403 ) ;
return c . json ( { error : " Forbidden " }, 403 ) ;
return c . json ( { message : " Hello Hono! " } ) ;
console . log ( ` Server is running on port ${ port }` ) ;
import arcjet , { fixedWindow } from " @arcjet/node " ;
import express from " express " ;
// Get your site key from https://app.arcjet.com and set it as an environment
// variable rather than hard coding.
key : process . env . ARCJET_KEY ,
characteristics : [ " ip.src " ] , // Track requests by IP
// Shield protects your app from common attacks e.g. SQL injection
shield ( { mode : " LIVE " } ) ,
// Create a bot detection rule
mode : " LIVE " , // Blocks requests. Use "DRY_RUN" to log only
// Block all bots except search engine crawlers. See
// https://arcjet.com/bot-list
allow : [ " CATEGORY:SEARCH_ENGINE " ] ,
// Create a token bucket rate limit. Other algorithms are supported.
refillRate : 5 , // Refill 5 tokens per interval
interval : 10 , // Refill every 10 seconds
capacity : 10 , // Bucket capacity of 10 tokens
app . get ( " / " , async ( req , res ) => {
const decision = await aj . protect ( req , { requested : 5 } ) ; // Deduct 5 tokens from the bucket
console . log ( " Arcjet decision " , decision ) ;
if ( decision . isDenied ()) {
if ( decision . reason . isRateLimit ()) {
res . writeHead ( 429 , { " Content-Type " : " application/json " } ) ;
res . end ( JSON . stringify ( { error : " Too Many Requests " } )) ;
} else if ( decision . reason . isBot ()) {
res . writeHead ( 403 , { " Content-Type " : " application/json " } ) ;
res . end ( JSON . stringify ( { error : " No bots allowed " } )) ;
res . writeHead ( 403 , { " Content-Type " : " application/json " } ) ;
res . end ( JSON . stringify ( { error : " Forbidden " } )) ;
res . writeHead ( 200 , { " Content-Type " : " application/json " } ) ;
res . end ( JSON . stringify ( { message : " Hello World " } )) ;
console . log ( ` Example app listening on port ${ port }` ) ;
4. Start app
Visit http://localhost:3000
in your browser and
refresh a few times to hit the rate limit. You may see 2 requests - one for the
page and one for a favicon.
Wait 10 seconds, then run:
curl -v http://localhost:3000
The wait is necessary because the decision is cached for your IP based on the
refillRate
configuration.
You should see a 403
response because curl
is considered a bot by default
(customizable ).
The requests will also show up in the Arcjet
dashboard .
4. Start app
Visit http://localhost:3000
in your browser and
refresh a few times to hit the rate limit. You may see 2 requests - one for the
page and one for a favicon.
Wait 10 seconds, then run:
curl -v http://localhost:3000
The wait is necessary because the decision is cached for your IP based on the
refillRate
configuration.
You should see a 403
response because curl
is considered a bot by default
(customizable ).
The requests will also show up in the Arcjet
dashboard .
4. Start app
node --env-file .env.local index.js
Visit http://localhost:3000
in your browser and
refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -v http://localhost:3000
The wait is necessary because the decision is cached for your IP based on the
refillRate
configuration.
You should see a 403
response because curl
is considered a bot by default
(customizable ).
The requests will also show up in the Arcjet
dashboard .
4. Start app
Visit http://localhost:3000
in your browser and
refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -v http://localhost:3000
The wait is necessary because the decision is cached for your IP based on the
refillRate
configuration.
You should see a 403
response because curl
is considered a bot by default
(customizable ).
The requests will also show up in the Arcjet
dashboard .
4. Start app
Visit http://localhost:3000/api/arcjet
in
your browser and refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -v http://localhost:3000/api/arcjet
The wait is necessary because the decision is cached for your IP based on the
refillRate
configuration.
You should see a 403
response because curl
is considered a bot by default
(customizable ).
The requests will also show up in the Arcjet
dashboard .
4. Start app
Visit http://localhost:3000
in your browser and
refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -v http://localhost:3000
The wait is necessary because the decision is cached for your IP based on the
refillRate
configuration.
You should see a 403
response because curl
is considered a bot by default
(customizable ).
The requests will also show up in the Arcjet
dashboard .
4. Start app
Visit http://localhost:5173/api/arcjet
in
your browser and refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -v http://localhost:5173/api/arcjet
The wait is necessary because the decision is cached for your IP based on the
refillRate
configuration.
You should see a 403
response because curl
is considered a bot by default
(customizable ).
The requests will also show up in the Arcjet
dashboard .
4. Start app
npx tsx --env-file .env.local index.ts
node --env-file .env.local index.js
Visit http://localhost:8000
in your browser and
refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -v http://localhost:8000
The wait is necessary because the decision is cached for your IP based on the
refillRate
configuration.
You should see a 403
response because curl
is considered a bot by default
(customizable ).
The requests will also show up in the Arcjet
dashboard .
What next?
FAQs
Do I need to run any infrastructure e.g. Redis? No, Arcjet handles all the infrastructure for you so you don't need to
worry about deploying global Redis clusters, designing data structures to
track rate limits, or keeping security detection rules up to date.
What is the performance overhead? Arcjet SDK tries to do as much as possible asynchronously and locally to
minimize latency for each request. Where decisions can be made locally or
previous decisions are cached in-memory, latency is usually <1ms.
When a call to the Arcjet API is required, such as when tracking a
rate limit in a serverless environment, there is some additional latency
before a decision is made. The Arcjet API has been designed for high
performance and low latency, and is deployed to multiple regions around the
world. The SDK will automatically use the closest region which means the
total overhead is typically no more than 20-30ms, often significantly less.
What happens if Arcjet is unavailable? Where a decision has been cached locally e.g. blocking a client, Arcjet
will continue to function even if the service is unavailable.
If a call to the Arcjet API is needed and there is a network problem or
Arcjet is unavailable, the default behavior is to fail open and allow
the request. You have control over how to handle errors, including choosing
to fail close if you prefer. See the reference docs for details.
How does Arcjet protect me against DDoS attacks? Network layer attacks tend to be generic and high volume, so these are
best handled by your hosting platform. Most cloud providers include network
DDoS protection by default.
Arcjet sits closer to your application so it can understand the context.
This is important because some types of traffic may not look like a DDoS
attack, but can still have the same effect. For example, a customer making
too many API requests and affecting other customers, or large numbers of
signups from disposable email addresses.
Network-level DDoS protection tools find it difficult to protect against
this type of traffic because they don't understand the structure of your
application. Arcjet can help you to identify and block this traffic by
integrating with your codebase and understanding the context of the
request e.g. the customer ID or sensitivity of the API route.
Volumetric network attacks are best handled by your hosting provider.
Application level attacks need to be handled by the application. That's
where Arcjet helps.
Get help
Need help with anything? Email us or join our
Discord to get support from our engineering team.