Arcjet is the runtime policy engine for AI features. Authorize tools, control budgets, and protect against spam and bots. A developer-first approach to securing AI applications.
This guide will show you how to protect an application with Arcjet by blocking automated clients that inflate costs and enforcing per-user token budgets.
1. Install Arcjet
Section titled “1. Install Arcjet”In your project root, run the following:
npm install @arcjet/inspect @arcjet/react-routerpnpm add @arcjet/inspect @arcjet/react-routeryarn add @arcjet/inspect @arcjet/react-routerbun add @arcjet/bun @arcjet/inspectOur @arcjet/bun package is built for
Bun’s HTTP server. If your application relies
on Bun’s Node.js Compatibility
(uses node:http or a Node.js framework like express) you should instead
follow our guide for Node.js.
bun add @arcjet/bun @arcjet/inspectdeno add npm:@arcjet/deno npm:@arcjet/inspectmkdir arcjet-fastapicd arcjet-fastapiuv inituv add arcjet fastapi uvicorn langchain langchain-openaimkdir arcjet-flaskcd arcjet-flaskuv inituv add arcjet flask langchain langchain-openainpm install @arcjet/fastifypnpm add @arcjet/fastifyyarn add @arcjet/fastifynpm i @arcjet/nestpnpm add @arcjet/nestyarn add @arcjet/nestnpm i @arcjet/nextpnpm add @arcjet/nextyarn add @arcjet/nextnpm i @arcjet/node @arcjet/inspectpnpm add @arcjet/node @arcjet/inspectyarn add @arcjet/node @arcjet/inspectnpm i @arcjet/node @arcjet/inspectpnpm add @arcjet/node @arcjet/inspectyarn add @arcjet/node @arcjet/inspectnpm i @arcjet/node @arcjet/inspectpnpm add @arcjet/node @arcjet/inspectyarn add @arcjet/node @arcjet/inspectnpm i @arcjet/remix @arcjet/inspectpnpm add @arcjet/remix @arcjet/inspectyarn add @arcjet/remix @arcjet/inspectnpm i @arcjet/sveltekit @arcjet/inspectpnpm add @arcjet/sveltekit @arcjet/inspectyarn add @arcjet/sveltekit @arcjet/inspectnpx nuxt module add @arcjet/nuxtpnpm nuxt module add @arcjet/nuxtyarn nuxt module add @arcjet/nuxtThis automatically installs and configures the Arcjet Nuxt integration in your project. Learn more about how this works in the Nuxt docs. Alternatively, you can follow the manual installation instructions.
Manual installation instruction
In your project root, run the following command:
npm install @arcjet/nuxtpnpm add @arcjet/nuxtyarn add @arcjet/nuxtUpdate your Nuxt configuration file:
export default defineNuxtConfig({ arcjet: { key: process.env.ARCJET_KEY, }, compatibilityDate: "2025-07-15", devtools: { enabled: true }, modules: ["@arcjet/nuxt"],});npx astro add @arcjet/astropnpm astro add @arcjet/astroyarn astro add @arcjet/astroThis automatically installs and configures the Arcjet Astro integration in your project. Learn more about how this works in the Astro docs . Alternatively, you can follow the manual installation instructions.
Manual installation instruction
In your project root, run the following command:
npm add @arcjet/astropnpm add @arcjet/astroyarn add @arcjet/astroUpdate your Astro configuration file:
import { defineConfig } from "astro/config";import node from "@astrojs/node";import arcjet from "@arcjet/astro";
// https://astro.build/configexport default defineConfig({ adapter: node({ mode: "standalone", }), env: { // We recommend enabling secret validation validateSecrets: true, }, integrations: [ // Add the Arcjet Astro integration arcjet(), ],});Requirements
Section titled “Requirements”- Astro 5.9.3 or later
- On-demand rendering enabled
- Bun 1.1.27 or later
- Bun 1.1.27 or later
- Hono 4.3 or later
- Deno 1.46+ if only using the
Deno.serveAPI
OR
- Deno 2.0+ if you are using Deno’s
servecommand
- Fastify 5.0.0 or later
- Node.js 20.0.0 or later (24.3.0 or later for native TypeScript support)
- NestJS 10.4 or later.
- Node.js 20 or later.
- Express and Fastify are supported.
- CommonJS is not supported. Arcjet is ESM only. See our NestJS example app for how to use ESM with NestJS.
- Next.js 15 or 16.
- CommonJS is not supported. Arcjet is ESM only.
- Node.js 20 or later
- CommonJS is not supported. Arcjet is ESM only.
- Node.js 20 or later
- Express.js 4.19 or later
- CommonJS is not supported. Arcjet is ESM only.
- Node.js 20 or later
- Hono 4.3 or later
- CommonJS is not supported. Arcjet is ESM only.
- Nuxt 4 or later
- Running on Node.js 20 or later
- Python 3.10 or later
- Python 3.10 or later
- React Router 7 or later
- CommonJS is not supported. Arcjet is ESM only.
- Remix 2 or later
- CommonJS is not supported. Arcjet is ESM only.
- Node.js 20 or later
- SvelteKit 2.5 or later
- CommonJS is not supported. Arcjet is ESM only.
2. Set your key
Section titled “2. Set your key”Create a free Arcjet account then follow the instructions to add a site and get a key.
The Arcjet Astro integration reads your Arcjet key from the ARCJET_KEY
environment variable. During development, add your key to a .env.local file
in your project root. Astro will automatically load the environment
variables from this file, learn more in the
Astro docs.
# Get your site key from https://app.arcjet.comARCJET_KEY=ajkey_yourkeyAdd your key to a .env.local file in your project root.
You can also set
ARCJET_ENV
and other values in .env files.
# Run Arcjet in development <https://docs.arcjet.com/environment#arcjet-env>.ARCJET_ENV=development# Arcjet key for your site (from <https://app.arcjet.com>).# More info: <https://docs.arcjet.com/environment#arcjet-key>.ARCJET_KEY=ajkey_yourkeyAdd your key to a .env.local file in your project root.
You can also set
ARCJET_ENV
and other values in .env files.
# Run Arcjet in development <https://docs.arcjet.com/environment#arcjet-env>.ARCJET_ENV=development# Arcjet key for your site (from <https://app.arcjet.com>).# More info: <https://docs.arcjet.com/environment#arcjet-key>.ARCJET_KEY=ajkey_yourkeyAdd your key to a .env file in your project root.
You can also set
ARCJET_ENV
and other values in .env files.
# Run Arcjet in development <https://docs.arcjet.com/environment#arcjet-env>.ARCJET_ENV=development# Arcjet key for your site (from <https://app.arcjet.com>).# More info: <https://docs.arcjet.com/environment#arcjet-key>.ARCJET_KEY=ajkey_yourkeyAdd your key to a .env.local file in your project root.
You can also set
ARCJET_ENV
and other values in .env files.
# Run Arcjet in development <https://docs.arcjet.com/environment#arcjet-env>.ARCJET_ENV=development# Arcjet key for your site (from <https://app.arcjet.com>).# More info: <https://docs.arcjet.com/environment#arcjet-key>.ARCJET_KEY=ajkey_yourkeyAdd your key to a .env file in your project root.
You can also set
ARCJET_ENV
and other values in .env files.
# Run Arcjet in development <https://docs.arcjet.com/environment#arcjet-env>.ARCJET_ENV=development# Arcjet key for your site (from <https://app.arcjet.com>).# More info: <https://docs.arcjet.com/environment#arcjet-key>.ARCJET_KEY=ajkey_yourkeyAdd your key to a .env.local file in your project root.
ARCJET_KEY=ajkey_yourkeyAdd your key to a .env.local file in your project root.
You can also set
ARCJET_ENV
and other values in .env files.
# Run Arcjet in development <https://docs.arcjet.com/environment#arcjet-env>.ARCJET_ENV=development# Arcjet key for your site (from <https://app.arcjet.com>).# More info: <https://docs.arcjet.com/environment#arcjet-key>.ARCJET_KEY=ajkey_yourkeyAdd your key to a .env.local file in your project root.
You can also set
ARCJET_ENV
and other values in .env files.
# Run Arcjet in development <https://docs.arcjet.com/environment#arcjet-env>.ARCJET_ENV=development# Arcjet key for your site (from <https://app.arcjet.com>).# More info: <https://docs.arcjet.com/environment#arcjet-key>.ARCJET_KEY=ajkey_yourkeyThe Arcjet Nuxt integration reads your Arcjet key from the ARCJET_KEY
environment variable. During development, add your key to a .env file in your
project root. Nuxt will automatically load the environment variables from this
file, learn more in the
Nuxt docs.
# Get your site key from https://app.arcjet.comARCJET_KEY=ajkey_yourkeySet your environment variables:
# Export your Arcjet API key from https://app.arcjet.comARCJET_KEY="ajkey_..."ARCJET_ENV=development
# Export your OpenAI API key (used by LangChain)OPENAI_API_KEY="sk-..."Set your environment variables:
# Export your Arcjet API key from https://app.arcjet.comARCJET_KEY="ajkey_..."ARCJET_ENV=development
# Export your OpenAI API key (used by LangChain)OPENAI_API_KEY="sk-..."Add your key to a .env file in your project root.
ARCJET_KEY=ajkey_yourkeyAdd your key to a .env file in your project root.
ARCJET_KEY=ajkey_yourkeyAdd your key to a .env file in your project root.
ARCJET_KEY=ajkey_yourkeyAdd your key to a .env.local file in your project root.
You can also set
ARCJET_ENV
and other values in .env files.
# Run Arcjet in development <https://docs.arcjet.com/environment#arcjet-env>.ARCJET_ENV=development# Arcjet key for your site (from <https://app.arcjet.com>).# More info: <https://docs.arcjet.com/environment#arcjet-key>.ARCJET_KEY=ajkey_yourkeyNext you need to update the dev command in your package.json to use the
.env.local file.
{ "scripts": { "dev": "tsx watch --env-file .env.local src/index.ts" } ...}3. Configure
Section titled “3. Configure”This configures Arcjet to protect your AI application: block automated clients that inflate costs, and enforce per-user token budgets.
Update your Astro configuration with the contents:
import { defineConfig } from "astro/config";import node from "@astrojs/node";import arcjet, { shield, detectBot, tokenBucket } from "@arcjet/astro";
export default defineConfig({ adapter: node({ mode: "standalone", }), env: { validateSecrets: true, }, integrations: [ arcjet({ rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // Tracked by IP address by default, but this can be customized // See https://docs.arcjet.com/fingerprints //characteristics: ["ip.src"], refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ], }), ],});This creates an Arcjet instance that can be used to protect your routes. It can
be imported from the arcjet:client module in your project.
Create a new API route at src/pages/api.json.ts:
export const prerender = false;
import type { APIRoute } from "astro";import aj from "arcjet:client";
export const GET: APIRoute = async ({ request }) => { const decision = await aj.protect(request, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return Response.json( { error: "Too Many Requests", reason: decision.reason }, { status: 429 }, ); } else if (decision.reason.isBot()) { return Response.json( { error: "No bots allowed", reason: decision.reason }, { status: 403 }, ); } else { return Response.json( { error: "Forbidden", reason: decision.reason }, { status: 403 }, ); } }
return Response.json({ message: "Hello world" });};Create a new API route at src/pages/api.json.js:
export const prerender = false;
import aj from "arcjet:client";
export const GET = async ({ request }) => { const decision = await aj.protect(request, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return Response.json( { error: "Too Many Requests", reason: decision.reason }, { status: 429 }, ); } else if (decision.reason.isBot()) { return Response.json( { error: "No bots allowed", reason: decision.reason }, { status: 403 }, ); } else { return Response.json( { error: "Forbidden", reason: decision.reason }, { status: 403 }, ); } }
return Response.json({ message: "Hello world" });};Update your src/main.ts file with the contents:
import { ArcjetGuard, ArcjetModule, detectBot, fixedWindow, shield,} from "@arcjet/nest";import { Module } from "@nestjs/common";import { ConfigModule } from "@nestjs/config";import { APP_GUARD, NestFactory } from "@nestjs/core";
@Module({ imports: [ ConfigModule.forRoot({ isGlobal: true, }), ArcjetModule.forRoot({ isGlobal: true, key: process.env.ARCJET_KEY!, rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a fixed window rate limit. Other algorithms are supported. fixedWindow({ mode: "LIVE", window: "60s", // 10 second fixed window max: 2, // Allow a maximum of 2 requests }), ], }), ], controllers: [], providers: [ { provide: APP_GUARD, useClass: ArcjetGuard, }, ],})class AppModule {}
async function bootstrap() { const app = await NestFactory.create(AppModule); await app.listen(3000);}bootstrap();This creates a global guard that will be applied to all routes. In a real application, implementing guards or per-route protections would give you more flexibility. See our example app for how to do this.
Create a new file at server.ts with the contents:
import Fastify from "fastify";import arcjet, { detectBot, shield, tokenBucket } from "@arcjet/fastify";
const aj = arcjet({ key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // Tracked by IP address by default, but this can be customized // See https://docs.arcjet.com/fingerprints //characteristics: ["ip.src"], refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
const fastify = Fastify({ logger: true });
fastify.get("/", async (request, reply) => { const decision = await aj.protect(request, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return reply .status(429) .header("Content-Type", "application/json") .send({ message: "Too many requests" }); }
if (decision.reason.isBot()) { return reply .status(403) .header("Content-Type", "application/json") .send({ message: "No bots allowed" }); }
return reply .status(403) .header("Content-Type", "application/json") .send({ message: "Forbidden" }); }
return reply .status(200) .header("Content-Type", "application/json") .send({ message: "Hello world" });});
await fastify.listen({ port: 3000 });Create a new file at server.js with the contents:
import Fastify from "fastify";import arcjet, { detectBot, shield, tokenBucket } from "@arcjet/fastify";
const aj = arcjet({ key: process.env.ARCJET_KEY, // Get your site key from https://app.arcjet.com rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // Tracked by IP address by default, but this can be customized // See https://docs.arcjet.com/fingerprints //characteristics: ["ip.src"], refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
const fastify = Fastify({ logger: true });
fastify.get("/", async (request, reply) => { const decision = await aj.protect(request, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return reply .status(429) .header("Content-Type", "application/json") .send({ message: "Too many requests" }); }
if (decision.reason.isBot()) { return reply .status(403) .header("Content-Type", "application/json") .send({ message: "No bots allowed" }); }
return reply .status(403) .header("Content-Type", "application/json") .send({ message: "Forbidden" }); }
return reply .status(200) .header("Content-Type", "application/json") .send({ message: "Hello world" });});
await fastify.listen({ port: 3000 });Create a new server route at server/api/protected.get.ts:
// The `#arcjet` virtual module is created created when using @arcjet/nuxtimport arcjetNuxt, { detectBot, shield, tokenBucket } from "#arcjet";
const arcjet = arcjetNuxt({ rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // Tracked by IP address by default, but this can be customized // See https://docs.arcjet.com/fingerprints //characteristics: ["ip.src"], refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
export default defineEventHandler(async (event) => { const decision = await arcjet.protect(event, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { throw createError({ statusCode: 429, statusMessage: "Too Many Requests", }); }
if (decision.reason.isBot()) { throw createError({ statusCode: 403, statusMessage: "No bots allowed", }); } throw createError({ statusCode: 403, statusMessage: "Forbidden", }); }
return { message: "Hello world" };});Create a new server route at server/api/protected.get.js:
// The `#arcjet` virtual module is created created when using @arcjet/nuxtimport arcjetNuxt, { detectBot, shield, tokenBucket } from "#arcjet";
const arcjet = arcjetNuxt({ rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // Tracked by IP address by default, but this can be customized // See https://docs.arcjet.com/fingerprints //characteristics: ["ip.src"], refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
export default defineEventHandler(async (event) => { const decision = await arcjet.protect(event, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { throw createError({ statusCode: 429, statusMessage: "Too Many Requests", }); }
if (decision.reason.isBot()) { throw createError({ statusCode: 403, statusMessage: "No bots allowed", }); } throw createError({ statusCode: 403, statusMessage: "Forbidden", }); }
return { message: "Hello world" };});Create a new file at index.ts with the contents:
import arcjet, { detectBot, shield, tokenBucket } from "@arcjet/bun";import { isSpoofedBot } from "@arcjet/inspect";import { env } from "bun";
const aj = arcjet({ key: env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // Tracked by IP address by default, but this can be customized // See https://docs.arcjet.com/fingerprints //characteristics: ["ip.src"], refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
export default { port: 3000, fetch: aj.handler(async (req) => { const decision = await aj.protect(req, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return new Response("Too many requests", { status: 429 }); } else if (decision.reason.isBot()) { return new Response("No bots allowed", { status: 403 }); } else { return new Response("Forbidden", { status: 403 }); } }
// Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection if (decision.ip.isHosting()) { return new Response("Forbidden", { status: 403 }); }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { return new Response("Forbidden", { status: 403 }); }
return new Response("Hello world"); }),};Create a new file at index.js with the contents:
import arcjet, { detectBot, shield, tokenBucket } from "@arcjet/bun";import { isSpoofedBot } from "@arcjet/inspect";import { env } from "bun";
const aj = arcjet({ key: env.ARCJET_KEY, // Get your site key from https://app.arcjet.com rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // Tracked by IP address by default, but this can be customized // See https://docs.arcjet.com/fingerprints //characteristics: ["ip.src"], refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
export default { port: 3000, fetch: aj.handler(async (req) => { const decision = await aj.protect(req, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return new Response("Too many requests", { status: 429 }); } else if (decision.reason.isBot()) { return new Response("No bots allowed", { status: 403 }); } else { return new Response("Forbidden", { status: 403 }); } }
// Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection if (decision.ip.isHosting()) { return new Response("Forbidden", { status: 403 }); }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { return new Response("Forbidden", { status: 403 }); }
return new Response("Hello world"); }),};Bun.serve() support
While our documentation gives you examples using Bun’s default export Object
syntax, it will also run if you
use Bun.serve() instead:
/// <reference types="bun-types/bun.d.ts" />import arcjet, { detectBot, shield, tokenBucket } from "@arcjet/bun";import { isSpoofedBot } from "@arcjet/inspect";import { env } from "bun";
const aj = arcjet({ key: env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // Tracked by IP address by default, but this can be customized // See https://docs.arcjet.com/fingerprints //characteristics: ["ip.src"], refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
Bun.serve({ async fetch(req: Request) { const decision = await aj.protect(req, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision.conclusion);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return new Response("Too many requests", { status: 429 }); } else if (decision.reason.isBot()) { return new Response("No bots allowed", { status: 403 }); } else { return new Response("Forbidden", { status: 403 }); } }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { return new Response("Forbidden", { status: 403 }); }
return new Response("Hello world"); },});Create a new file at index.ts with the contents:
import "jsr:@std/dotenv/load";
import arcjet, { detectBot, shield, tokenBucket } from "npm:@arcjet/deno";import { isSpoofedBot } from "@arcjet/inspect";
const aj = arcjet({ key: Deno.env.get("ARCJET_KEY")!, // Get your site key from https://app.arcjet.com rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // Tracked by IP address by default, but this can be customized // See https://docs.arcjet.com/fingerprints //characteristics: ["ip.src"], refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
Deno.serve( { port: 3000 }, aj.handler(async (req) => { const decision = await aj.protect(req, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision.conclusion);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return new Response("Too many requests", { status: 429 }); } else if (decision.reason.isBot()) { return new Response("No bots allowed", { status: 403 }); } else { return new Response("Forbidden", { status: 403 }); } }
// Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection if (decision.ip.isHosting()) { return new Response("Forbidden", { status: 403 }); }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { return new Response("Forbidden", { status: 403 }); }
return new Response("Hello world"); }),);Update your index.ts file with the contents:
import arcjet, { detectBot, shield, tokenBucket } from "@arcjet/bun";import { isSpoofedBot } from "@arcjet/inspect";import { Hono } from "hono";import { env } from "bun";
const aj = arcjet({ key: env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // Tracked by IP address by default, but this can be customized // See https://docs.arcjet.com/fingerprints //characteristics: ["ip.src"], refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
const app = new Hono();
app.get("/", async (c) => { const decision = await aj.protect(c.req.raw, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision.conclusion);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return c.json({ error: "Too many requests" }, 429); } else if (decision.reason.isBot()) { return c.json({ error: "No bots allowed" }, 403); } else { return c.json({ error: "Forbidden" }, 403); } }
// Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection if (decision.ip.isHosting()) { return c.json({ error: "Forbidden" }, 403); }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { return c.json({ error: "Forbidden" }, 403); }
return c.json({ message: "Hello world" });});
const port = 3000;console.log(`Server is running on port ${port}`);
export default { fetch: aj.handler(app.fetch), port,};Create a new file at index.js with the contents:
import arcjet, { detectBot, shield, tokenBucket } from "@arcjet/node";import { isSpoofedBot } from "@arcjet/inspect";import http from "node:http";
const aj = arcjet({ key: process.env.ARCJET_KEY, // Get your site key from https://app.arcjet.com rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // Tracked by IP address by default, but this can be customized // See https://docs.arcjet.com/fingerprints //characteristics: ["ip.src"], refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
const server = http.createServer(async function (req, res) { const decision = await aj.protect(req, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { res.writeHead(429, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Too many requests" })); } else if (decision.reason.isBot()) { res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "No bots allowed" })); } else { res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Forbidden" })); } } else if (decision.ip.isHosting()) { // Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Forbidden" })); } else if (decision.results.some(isSpoofedBot)) { // Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Forbidden" })); } else { res.writeHead(200, { "Content-Type": "application/json" }); res.end(JSON.stringify({ message: "Hello world" })); }});
server.listen(8000, () => { console.log("Server listening on port 8000"); });Create a new file at index.ts with the contents:
import arcjet, { detectBot, shield, tokenBucket } from "@arcjet/node";import { isSpoofedBot } from "@arcjet/inspect";import http from "node:http";
const aj = arcjet({ key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // Tracked by IP address by default, but this can be customized // See https://docs.arcjet.com/fingerprints //characteristics: ["ip.src"], refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
const server = http.createServer(async function ( req: http.IncomingMessage, res: http.ServerResponse,) { const decision = await aj.protect(req, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { res.writeHead(429, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Too many requests" })); } else if (decision.reason.isBot()) { res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "No bots allowed" })); } else { res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Forbidden" })); } } else if (decision.ip.isHosting()) { // Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Forbidden" })); } else if (decision.results.some(isSpoofedBot)) { // Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Forbidden" })); } else { res.writeHead(200, { "Content-Type": "application/json" }); res.end(JSON.stringify({ message: "Hello world" })); }});
server.listen(8000);Create a new route at /src/routes/api/arcjet/+server.ts with the contents:
import { env } from "$env/dynamic/private";import arcjet, { detectBot, shield, tokenBucket } from "@arcjet/sveltekit";import { isSpoofedBot } from "@arcjet/inspect";import { error, json, type RequestEvent } from "@sveltejs/kit";
const aj = arcjet({ key: env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // Tracked by IP address by default, but this can be customized // See https://docs.arcjet.com/fingerprints //characteristics: ["ip.src"], refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
export async function GET(event: RequestEvent) { const decision = await aj.protect(event, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return error(429, "Too Many Requests"); } else if (decision.reason.isBot()) { return error(403, "No Bots Allowed"); } else { return error(403, "Forbidden"); } }
// Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection if (decision.ip.isHosting()) { return error(403, "Forbidden"); }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { return error(403, "Forbidden"); }
return json({ message: "Hello World" });}Create a new route at /src/routes/api/arcjet/+server.js with the contents:
import { env } from "$env/dynamic/private";import arcjet, { detectBot, shield, tokenBucket } from "@arcjet/sveltekit";import { isSpoofedBot } from "@arcjet/inspect";import { error, json } from "@sveltejs/kit";
const aj = arcjet({ key: env.ARCJET_KEY, // Get your site key from https://app.arcjet.com rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // Tracked by IP address by default, but this can be customized // See https://docs.arcjet.com/fingerprints //characteristics: ["ip.src"], refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
export async function GET(event) { const decision = await aj.protect(event, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return error(429, "Too Many Requests"); } else if (decision.reason.isBot()) { return error(403, "No Bots Allowed"); } else { return error(403, "Forbidden"); } }
// Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection if (decision.ip.isHosting()) { return error(403, "Forbidden"); }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { return error(403, "Forbidden"); }
return json({ message: "Hello World" });}Update your index.js file with the contents:
import arcjet, { shield, detectBot, tokenBucket } from "@arcjet/node";import { isSpoofedBot } from "@arcjet/inspect";import express from "express";
const app = express();const port = 3000;
const aj = arcjet({ // Get your site key from https://app.arcjet.com and set it as an environment // variable rather than hard coding. key: process.env.ARCJET_KEY, rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // Tracked by IP address by default, but this can be customized // See https://docs.arcjet.com/fingerprints //characteristics: ["ip.src"], refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
app.get("/", async (req, res) => { const decision = await aj.protect(req, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { res.writeHead(429, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Too Many Requests" })); } else if (decision.reason.isBot()) { res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "No bots allowed" })); } else { res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Forbidden" })); } } else if (decision.ip.isHosting()) { // Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Forbidden" })); } else if (decision.results.some(isSpoofedBot)) { // Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification res.writeHead(403, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: "Forbidden" })); } else { res.writeHead(200, { "Content-Type": "application/json" }); res.end(JSON.stringify({ message: "Hello World" })); }});
app.listen(port, () => { console.log(`Example app listening on port ${port}`);});Update your index.ts file with the contents:
import arcjet, { detectBot, shield, tokenBucket } from "@arcjet/node";import { isSpoofedBot } from "@arcjet/inspect";import { serve, type HttpBindings } from "@hono/node-server";import { Hono } from "hono";
const aj = arcjet({ key: process.env.ARCJET_KEY!, rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // Tracked by IP address by default, but this can be customized // See https://docs.arcjet.com/fingerprints //characteristics: ["ip.src"], refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
const app = new Hono<{ Bindings: HttpBindings }>();
app.get("/", async (c) => { const decision = await aj.protect(c.env.incoming, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { return c.json({ error: "Too Many Requests" }, 429); } else if (decision.reason.isBot()) { return c.json({ error: "No Bots Allowed" }, 403); } else { return c.json({ error: "Forbidden" }, 403); } }
// Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection if (decision.ip.isHosting()) { return c.json({ error: "Forbidden" }, 403); }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { return c.json({ error: "Forbidden" }, 403); }
return c.json({ message: "Hello Hono!" });});
const port = 3000;console.log(`Server is running on port ${port}`);
serve({ fetch: app.fetch, port,});This example uses the Vercel AI SDK. Install it along with an AI provider:
npm install ai @ai-sdk/openaipnpm add ai @ai-sdk/openaiyarn add ai @ai-sdk/openaiCreate a new API route at /app/api/chat/route.ts:
import { openai } from "@ai-sdk/openai";import arcjet, { detectBot, sensitiveInfo, shield, tokenBucket,} from "@arcjet/next";import type { UIMessage } from "ai";import { convertToModelMessages, isTextUIPart, streamText } from "ai";
const aj = arcjet({ key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com // Track budgets per user — replace "userId" with any stable identifier characteristics: ["userId"], rules: [ // Shield protects against common web attacks e.g. SQL injection shield({ mode: "LIVE" }), // Block all automated clients — bots inflate AI costs detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only allow: [], // Block all bots. See https://arcjet.com/bot-list }), // Enforce budgets to control AI costs. Adjust rates and limits as needed. tokenBucket({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only refillRate: 2_000, // Refill 2,000 tokens per hour interval: "1h", capacity: 5_000, // Maximum 5,000 tokens in the bucket }), // Block messages containing sensitive information to prevent data leaks sensitiveInfo({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block PII types that should never appear in AI prompts. // Remove types your app legitimately handles (e.g. EMAIL for a support bot). deny: ["CREDIT_CARD_NUMBER", "EMAIL"], }), ],});
export async function POST(req: Request) { // Replace with your session/auth lookup to get a stable user ID const userId = "user-123"; const { messages }: { messages: UIMessage[] } = await req.json(); const modelMessages = await convertToModelMessages(messages);
// Estimate token cost: ~1 token per 4 characters of text (rough heuristic). // For accurate counts use https://www.npmjs.com/package/tiktoken const totalChars = modelMessages.reduce((sum, m) => { const content = typeof m.content === "string" ? m.content : JSON.stringify(m.content); return sum + content.length; }, 0); const estimate = Math.ceil(totalChars / 4);
// Check the most recent user message for sensitive information. // Pass the full conversation if you want to scan all messages. const lastMessage: string = (messages.at(-1)?.parts ?? []) .filter(isTextUIPart) .map((p) => p.text) .join(" ");
// Check with Arcjet before calling the AI provider const decision = await aj.protect(req, { userId, requested: estimate, sensitiveInfoValue: lastMessage, });
if (decision.isDenied()) { if (decision.reason.isBot()) { return new Response("Automated clients are not permitted", { status: 403, }); } else if (decision.reason.isRateLimit()) { return new Response("AI usage limit exceeded", { status: 429 }); } else if (decision.reason.isSensitiveInfo()) { return new Response("Sensitive information detected", { status: 400 }); } else { return new Response("Forbidden", { status: 403 }); } }
const result = await streamText({ model: openai("gpt-4o"), messages: modelMessages, });
return result.toUIMessageStreamResponse();}Create a new API route at /app/api/chat/route.js:
import { openai } from "@ai-sdk/openai";import arcjet, { detectBot, shield, tokenBucket, sensitiveInfo,} from "@arcjet/next";import { convertToModelMessages, isTextUIPart, streamText } from "ai";
const aj = arcjet({ key: process.env.ARCJET_KEY, // Get your site key from https://app.arcjet.com // Track budgets per user — replace "userId" with any stable identifier characteristics: ["userId"], rules: [ // Shield protects against common web attacks e.g. SQL injection shield({ mode: "LIVE" }), // Block all automated clients — bots inflate AI costs detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only allow: [], // Block all bots. See https://arcjet.com/bot-list }), // Enforce budgets to control AI costs. Adjust rates and limits as needed. tokenBucket({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only refillRate: 2_000, // Refill 2,000 tokens per hour interval: "1h", capacity: 5_000, // Maximum 5,000 tokens in the bucket }), // Block messages containing sensitive information to prevent data leaks sensitiveInfo({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block PII types that should never appear in AI prompts. // Remove types your app legitimately handles (e.g. EMAIL for a support bot). deny: ["CREDIT_CARD_NUMBER", "EMAIL"], }), ],});
export async function POST(req) { // Replace with your session/auth lookup to get a stable user ID const userId = "user-123"; const { messages } = await req.json(); const modelMessages = await convertToModelMessages(messages);
// Estimate token cost: ~1 token per 4 characters of text (rough heuristic). // For accurate counts use https://www.npmjs.com/package/tiktoken const totalChars = modelMessages.reduce((sum, m) => { const content = typeof m.content === "string" ? m.content : JSON.stringify(m.content); return sum + content.length; }, 0); const estimate = Math.ceil(totalChars / 4);
// Check the most recent user message for sensitive information. // Pass the full conversation if you want to scan all messages. const lastMessage = (messages.at(-1)?.parts ?? []) .filter(isTextUIPart) .map((p) => p.text) .join(" ");
// Check with Arcjet before calling the AI provider const decision = await aj.protect(req, { userId, requested: estimate, sensitiveInfoValue: lastMessage, });
if (decision.isDenied()) { if (decision.reason.isBot()) { return new Response("Automated clients are not permitted", { status: 403, }); } else if (decision.reason.isRateLimit()) { return new Response("AI usage limit exceeded", { status: 429 }); } else if (decision.reason.isSensitiveInfo()) { return new Response("Sensitive information detected", { status: 400 }); } else { return new Response("Forbidden", { status: 403 }); } }
const result = await streamText({ model: openai("gpt-4o"), messages: modelMessages, });
return result.toUIMessageStreamResponse();}And create a new page at /app/page.tsx:
"use client";
import { useChat } from "@ai-sdk/react";import { useState } from "react";
export default function Chat() { const [input, setInput] = useState(""); const [errorMessage, setErrorMessage] = useState<string | null>(null); const { messages, sendMessage } = useChat({ onError: async (e) => setErrorMessage(e.message), }); return ( <div className="flex flex-col w-full max-w-md py-24 mx-auto stretch"> {messages.map((message) => ( <div key={message.id} className="whitespace-pre-wrap"> {message.role === "user" ? "User: " : "AI: "} {message.parts.map((part, i) => { switch (part.type) { case "text": return <div key={`${message.id}-${i}`}>{part.text}</div>; } })} </div> ))}
{errorMessage && ( <div className="text-red-500 text-sm mb-4">{errorMessage}</div> )}
<form onSubmit={(e) => { e.preventDefault(); sendMessage({ text: input }); setInput(""); setErrorMessage(null); }} > <input className="fixed dark:bg-zinc-900 bottom-0 w-full max-w-md p-2 mb-8 border border-zinc-300 dark:border-zinc-800 rounded shadow-xl" value={input} placeholder="Say something..." onChange={(e) => setInput(e.currentTarget.value)} /> </form> </div> );}Create a new route at app/routes/arcjet.tsx with the contents:
import arcjet, { detectBot, shield, tokenBucket } from "@arcjet/remix";import { isSpoofedBot } from "@arcjet/inspect";import type { LoaderFunctionArgs } from "@remix-run/node";
const aj = arcjet({ key: process.env.ARCJET_KEY!, rules: [ // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a bot detection rule detectBot({ mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // Tracked by IP address by default, but this can be customized // See https://docs.arcjet.com/fingerprints //characteristics: ["ip.src"], refillRate: 5, // Refill 5 tokens per interval interval: 10, // Refill every 10 seconds capacity: 10, // Bucket capacity of 10 tokens }), ],});
// The loader function is called for every request to the app, but you could// also protect an actionexport async function loader(args: LoaderFunctionArgs) { const decision = await aj.protect(args, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { throw new Response("Too many requests", { status: 429, statusText: "Too many requests", }); } else if (decision.reason.isBot()) { throw new Response("Bots forbidden", { status: 403, statusText: "Bots forbidden", }); } else { throw new Response("Forbidden", { status: 403, statusText: "Forbidden" }); } }
// Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection if (decision.ip.isHosting()) { throw new Response("Forbidden", { status: 403, statusText: "Forbidden" }); }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { throw new Response("Forbidden", { status: 403, statusText: "Forbidden" }); }
// We don't need to use the decision elsewhere, but you could return it to // the component return null;}
export default function Index() { return ( <> <h1>Hello world</h1> </> );}Create a new route at app/routes/home.tsx with the contents:
import arcjetReactRouter, { detectBot, filter, shield, tokenBucket,} from "@arcjet/react-router";import { isSpoofedBot } from "@arcjet/inspect";import type { Route } from "../routes/+types/home";
const arcjet = arcjetReactRouter({ key: process.env.ARCJET_KEY!, rules: [ // Create a bot detection rule: detectBot({ // Block all bots except the following allow: [ "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc // Uncomment to allow these other common bot categories // See the full list at https://arcjet.com/bot-list //"CATEGORY:MONITOR", // Uptime monitoring services //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord ], mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only }), // Requests from hosting IPs are likely from bots, so they can usually be // blocked. However, consider your use case - if this is an API endpoint // then hosting IPs might be legitimate. // https://docs.arcjet.com/blueprints/vpn-proxy-detection filter({ deny: ["ip.src.hosting"], mode: "LIVE", }), // Shield protects your app from common attacks e.g. SQL injection shield({ mode: "LIVE" }), // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ // Tracked by IP address by default, but this can be customized // See https://docs.arcjet.com/fingerprints // characteristics: ["ip.src"], capacity: 10, // Bucket capacity of 10 tokens interval: 10, // Refill every 10 seconds mode: "LIVE", refillRate: 5, // Refill 5 tokens per interval }), ],});
export default function Home() { return ( <> <h1>Hello world</h1> </> );}
// The loader function is called for every request to the app, but you could// also protect an actionexport async function loader( loaderArguments: Route.LoaderArgs,): Promise<undefined> { const decision = await arcjet.protect(loaderArguments, { requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isRateLimit()) { throw new Response("Too many requests", { status: 429, statusText: "Too many requests", }); } else if (decision.reason.isBot()) { throw new Response("Bots forbidden", { status: 403, statusText: "Bots forbidden", }); } else { throw new Response("Forbidden", { status: 403, statusText: "Forbidden" }); } }
// Paid Arcjet accounts include additional verification checks using IP data. // Verification isn't always possible, so we recommend checking the decision // separately. // https://docs.arcjet.com/bot-protection/reference#bot-verification if (decision.results.some(isSpoofedBot)) { throw new Response("Forbidden", { status: 403, statusText: "Forbidden" }); }
// We don't need to use the decision elsewhere, but you could return it to // the component return undefined;}Create a new file at main.py with the contents:
import loggingimport os
from arcjet import ( Mode, arcjet_sync, detect_bot, shield, token_bucket,)from flask import Flask, jsonify, requestfrom langchain_core.output_parsers import StrOutputParserfrom langchain_core.prompts import ChatPromptTemplatefrom langchain_openai import ChatOpenAI
app = Flask(__name__)
logging.basicConfig(level=logging.INFO)logger = logging.getLogger(__name__)
arcjet_key = os.getenv("ARCJET_KEY")if not arcjet_key: raise RuntimeError("ARCJET_KEY is required. Get one at https://app.arcjet.com")
openai_api_key = os.getenv("OPENAI_API_KEY")if not openai_api_key: raise RuntimeError( "OPENAI_API_KEY is required. Get one at https://platform.openai.com" )
llm = ChatOpenAI(model="gpt-4o-mini", api_key=openai_api_key)
prompt = ChatPromptTemplate.from_messages( [ ("system", "You are a helpful assistant."), ("human", "{message}"), ])
chain = prompt | llm | StrOutputParser()
aj = arcjet_sync( key=arcjet_key, # Get your key from https://app.arcjet.com rules=[ # Shield protects your app from common attacks e.g. SQL injection shield(mode=Mode.LIVE), # Create a bot detection rule detect_bot( mode=Mode.LIVE, # An empty allow list blocks all bots, which is a good default for # an AI chat app allow=[ "CURL", # Allow curl so we can test it # Uncomment to allow these other common bot categories # See the full list at https://arcjet.com/bot-list # BotCategory.MONITOR, # Uptime monitoring services # BotCategory.PREVIEW, # Link previews e.g. Slack, Discord ], ), # Create a token bucket rate limit. Other algorithms are supported token_bucket( # Track budgets by arbitrary characteristics of the request. Here # we use user ID, but you could pass any value. Removing this will # fall back to IP-based rate limiting. characteristics=["userId"], mode=Mode.LIVE, refill_rate=5, # Refill 5 tokens per interval interval=10, # Refill every 10 seconds capacity=10, # Bucket capacity of 10 tokens ), ],)
@app.post("/chat")def chat(): # Replace with actual user ID from the user session userId = "your_user_id" # Call protect() to evaluate the request against the rules decision = aj.protect( request, # Deduct 5 tokens from the bucket requested=5, # Identify the user for rate limiting purposes characteristics={"userId": userId}, )
# Handle denied requests if decision.is_denied(): status = 429 if decision.reason.is_rate_limit() else 403 return jsonify(error="Denied", reason=decision.reason.to_dict()), status
# All rules passed, proceed with handling the request body = request.get_json() message = body.get("message", "") if body else "" reply = chain.invoke({"message": message})
return jsonify(reply=reply)
if __name__ == "__main__": app.run(debug=True)Create a new file at main.py with the contents:
import loggingimport os
from arcjet import ( Mode, arcjet, detect_bot, shield, token_bucket,)from fastapi import FastAPI, Requestfrom fastapi.responses import JSONResponsefrom langchain_core.output_parsers import StrOutputParserfrom langchain_core.prompts import ChatPromptTemplatefrom langchain_openai import ChatOpenAIfrom pydantic import BaseModel
app = FastAPI()
logging.basicConfig(level=logging.INFO)logger = logging.getLogger(__name__)
arcjet_key = os.getenv("ARCJET_KEY")if not arcjet_key: raise RuntimeError("ARCJET_KEY is required. Get one at https://app.arcjet.com")
openai_api_key = os.getenv("OPENAI_API_KEY")if not openai_api_key: raise RuntimeError( "OPENAI_API_KEY is required. Get one at https://platform.openai.com" )
llm = ChatOpenAI(model="gpt-4o-mini", api_key=openai_api_key)
prompt = ChatPromptTemplate.from_messages( [ ("system", "You are a helpful assistant."), ("human", "{message}"), ])
chain = prompt | llm | StrOutputParser()
class ChatRequest(BaseModel): message: str
aj = arcjet( key=arcjet_key, # Get your key from https://app.arcjet.com rules=[ # Shield protects your app from common attacks e.g. SQL injection shield(mode=Mode.LIVE), # Create a bot detection rule detect_bot( mode=Mode.LIVE, # An empty allow list blocks all bots, which is a good default for # an AI chat app allow=[ "CURL", # Allow curl so we can test it # Uncomment to allow these other common bot categories # See the full list at https://arcjet.com/bot-list # BotCategory.MONITOR, # Uptime monitoring services # BotCategory.PREVIEW, # Link previews e.g. Slack, Discord ], ), # Create a token bucket rate limit. Other algorithms are supported token_bucket( # Track budgets by arbitrary characteristics of the request. Here # we use user ID, but you could pass any value. Removing this will # fall back to IP-based rate limiting. characteristics=["userId"], mode=Mode.LIVE, refill_rate=5, # Refill 5 tokens per interval interval=10, # Refill every 10 seconds capacity=10, # Bucket capacity of 10 tokens ), ],)
@app.post("/chat")async def chat(request: Request, body: ChatRequest): # Replace with actual user ID from the user session userId = "your_user_id"
# Call protect() to evaluate the request against the rules decision = await aj.protect( request, # Deduct 5 tokens from the bucket requested=5, # Identify the user for rate limiting purposes characteristics={"userId": userId}, )
# Handle denied requests if decision.is_denied(): status = 429 if decision.reason.is_rate_limit() else 403 return JSONResponse({"error": "Denied"}, status_code=status)
# All rules passed, proceed with handling the request reply = await chain.ainvoke({"message": body.message})
return {"reply": reply}4. Start app
uv run uvicorn main:app --reloadAnd send a message to the API endpoint:
curl -X POST http://localhost:8000/chat \ -H "Content-Type: application/json" \ -d '{"message": "What is the capital of France?"}'You will see requests being processed in your Arcjet dashboard in real time.
4. Start app
uv run flask run --reloadAnd send a message to the API endpoint:
curl -X POST http://localhost:5000/chat \ -H "Content-Type: application/json" \ -d '{"message": "What is the capital of France?"}'You will see requests being processed in your Arcjet dashboard in real time.
4. Start app
bun run --hot index.tsBun’s --hot flag will reload the runtime when changes are made to your .ts
files, but not your .env.local file. If you change your .env.local file,
you need to restart the command manually.
Visit http://localhost:3000 in your browser and
refresh a few times to hit the rate limit. You may see 2 requests - one for the
page and one for a favicon.
Wait 10 seconds, then run:
curl -v http://localhost:3000The wait is necessary because the decision is cached for your IP based on the
interval rate limit configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
4. Start app
deno run --watch index.tsDeno will prompt you for various permissions. You can also start Deno with the
appropriate permission flags (--allow-read --allow-env --allow-net) to skip
the prompt.
Visit http://localhost:3000 in your browser and
refresh a few times to hit the rate limit. You may see 2 requests - one for the
page and one for a favicon.
Wait 10 seconds, then run:
curl -v http://localhost:3000The wait is necessary because the decision is cached for your IP based on the
interval rate limit configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
4. Start app
node --env-file .env.local index.jsVisit http://localhost:3000 in your browser and
refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -v http://localhost:3000The wait is necessary because the decision is cached for your IP based on the
interval rate limit configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
4. Start app
npm run devpnpm run devyarn run devVisit http://localhost:4321/api.json in
your browser and refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -v http://localhost:4321/api.jsonThe wait is necessary because the decision is cached for your IP based on the
interval rate limit configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
4. Start app
bun run --hot index.tsbun run --hot index.jsBun’s --hot flag will reload the runtime when changes are made to your .ts
files, but not your .env.local file. If you change your .env.local file,
you need to restart the command manually.
Visit http://localhost:3000 in your browser and
refresh a few times to hit the rate limit. You may see 2 requests - one for the
page and one for a favicon.
Wait 10 seconds, then run:
curl -v http://localhost:3000The wait is necessary because the decision is cached for your IP based on the
interval rate limit configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
4. Start app
npm run startpnpm run startyarn run startVisit http://localhost:3000 in your browser and
refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -v http://localhost:3000The wait is necessary because the decision is cached for your IP based on the
interval rate limit configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
4. Start app
npm run devpnpm run devyarn run devThen start chatting with the AI in your app! You will see requests being processed in your Arcjet dashboard in real time.
Try entering an email address to see the sensitive info detection in action, or sending many messages in a row to trigger the rate limit.
4. Start app
npx tsx --env-file .env.local index.tsnode --env-file .env.local index.jsVisit http://localhost:8000 in your browser and
refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -v http://localhost:8000The wait is necessary because the decision is cached for your IP based on the
interval configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
4. Start app
npm run devpnpm run devyarn run devVisit http://localhost:3000 in your browser and
refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -v http://localhost:3000The wait is necessary because the decision is cached for your IP based on the
interval rate limit configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
4. Start app
npm run devpnpm run devyarn run devVisit http://localhost:3000/api/protected in
your browser and refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -v http://localhost:3000/api/protectedThe wait is necessary because the decision is cached for your IP based on the
interval rate limit configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
4. Start app
npm run devpnpm run devyarn run devVisit http://localhost:5173 in your
browser and refresh a few times to hit the rate limit.
Wait 10 seconds and then run:
curl --head http://localhost:5173The wait is necessary because the decision is cached for your IP based on the
interval rate limit configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
4. Start app
npm run devpnpm run devyarn run devVisit http://localhost:5173/arcjet in your
browser and refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -I http://localhost:5173/arcjetThe wait is necessary because the decision is cached for your IP based on the
interval rate limit configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
4. Start app
npm run devpnpm run devyarn run devVisit http://localhost:5173/api/arcjet in
your browser and refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -v http://localhost:5173/api/arcjetThe wait is necessary because the decision is cached for your IP based on the
interval rate limit configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
4. Start app
node --env-file .env.local index.jsnode --env-file .env.local server.tsVisit http://localhost:3000 in your browser and
refresh a few times to hit the rate limit.
Wait 10 seconds, then run:
curl -v http://localhost:3000The wait is necessary because the decision is cached for your IP based on the
interval configuration.
You should see a 403 response because curl is considered a bot by default
(customizable).
The requests will also show in the Arcjet dashboard.
Do I need to run any infrastructure e.g. Redis?
No, Arcjet handles all the infrastructure for you so you don't need to worry about deploying global Redis clusters, designing data structures to track rate limits, or keeping security detection rules up to date.
What is the performance overhead?
Arcjet SDK tries to do as much as possible asynchronously and locally to minimize latency for each request. Where decisions can be made locally or previous decisions are cached in-memory, latency is usually <1ms.
When a call to the Cloud API is required, such as when tracking a rate limit in a serverless environment, there is some additional latency before a decision is made. The Cloud API has been designed for high performance and low latency, and is deployed to multiple regions around the world. The SDK will automatically use the closest region which means the total overhead is typically no more than 20-30ms, often significantly less.
What happens if Arcjet is unavailable?
Where a decision has been cached locally e.g. blocking a client, Arcjet will continue to function even if the service is unavailable.
If a call to the Cloud API is needed and there is a network problem or Arcjet is unavailable, the default behavior is to fail open and allow the request. You have control over how to handle errors, including choosing to fail close if you prefer. See the reference docs for details.
How does Arcjet protect me against DDoS attacks?
Network layer attacks tend to be generic and high volume, so these are best handled by your hosting platform. Most cloud providers include network DDoS protection by default.
Arcjet sits closer to your application so it can understand the context. This is important because some types of traffic may not look like a DDoS attack, but can still have the same effect. For example, a customer making too many API requests and affecting other customers, or large numbers of signups from disposable email addresses.
Network-level DDoS protection tools find it difficult to protect against this type of traffic because they don't understand the structure of your application. Arcjet can help you to identify and block this traffic by integrating with your codebase and understanding the context of the request e.g. the customer ID or sensitivity of the API route.
Volumetric network attacks are best handled by your hosting provider. Application level attacks need to be handled by the application. That's where Arcjet helps.
What next?
Section titled “What next?” AI runtime protection The runtime policy engine for AI features.
Customize allowed bots Identify bots and configure allow/deny lists.
Testing Write tests for your rules.
Get help
Section titled “Get help”Need help with anything? Email us or join our Discord to get support from our engineering team.