Arcjet Guards
Guards apply Arcjet security rules inside AI agent tool calls and anywhere else you process untrusted input. Pass inputs directly, get a decision back. No Request object needed.
They are for the places HTTP middleware can’t reach: inside tool handlers, between agent steps, in queue consumers, and across agentic pipelines that fan out across many services.
The problem
AI agents call tools. Tools receive untrusted input. Your HTTP middleware never sees any of it — guards run inside the tool handler, before input reaches the model.
| Problem | Solution |
|---|---|
| Injected instructions — a fetch tool or external API returns content containing instructions that re-enter the model context unchecked. | Prompt injection detection — Arcjet scans tool inputs and results for jailbreaks, instruction overrides, and role-play escapes before they reach the model. Evaluated in the cloud so detection stays up to date without redeploying. |
| Sensitive data exposure — a user pastes a credit card number or phone number into a prompt that gets logged or sent verbatim to a third-party model provider. | Sensitive information detection — Arcjet detects PII — email addresses, phone numbers, credit card numbers, and more — locally via WebAssembly. The raw text never leaves your server; only the classification result does. |
| Budget exhaustion — a user floods the agent with requests, burning through your LLM token quota or per-user allowances. | Rate limiting — token bucket, fixed window, and sliding window algorithms. Use token bucket to model LLM token budgets directly — deduct estimated tokens before each model call and deny when the bucket is empty. |
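
The token-bucket budget from the last table row, as an added example that is not part of the original page and does not use the Arcjet SDK: a single-process, in-memory stand-in that deducts estimated tokens before the model call and denies when the bucket is empty. The names `TokenBudget`, `estimate_tokens` and `guarded_tool_call`, the 4-characters-per-token estimate and the 256-token reply reserve are assumptions for illustration.

```python
import time
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class TokenBudget:
    """Per-user token bucket sized in LLM tokens (hypothetical, in-memory only)."""
    capacity: int                      # most tokens a user can hold at once
    refill_rate: float                 # tokens restored per second
    clock: Callable[[], float] = time.monotonic
    _buckets: dict = field(default_factory=dict)  # user_id -> (tokens, last_seen)

    def try_spend(self, user_id, estimated_tokens):
        """Refill lazily, then deduct if affordable. Returns (allowed, remaining)."""
        if estimated_tokens <= 0:
            raise ValueError("estimated_tokens must be positive")
        now = self.clock()
        tokens, last = self._buckets.get(user_id, (float(self.capacity), now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill_rate)
        allowed = estimated_tokens <= tokens
        if allowed:
            tokens -= estimated_tokens  # a denied call costs the user nothing
        self._buckets[user_id] = (tokens, now)
        return allowed, int(tokens)


def estimate_tokens(text, reply_reserve=256):
    """Rough pre-call estimate: ~4 characters per token plus a reply reserve (assumption)."""
    return len(text) // 4 + 1 + reply_reserve


def guarded_tool_call(budget, user_id, tool_input, call_model):
    """Check the budget inside the tool handler, before input reaches the model."""
    allowed, remaining = budget.try_spend(user_id, estimate_tokens(tool_input))
    if not allowed:
        return {"decision": "DENY", "reason": "token budget exhausted",
                "remaining": remaining}
    return {"decision": "ALLOW", "remaining": remaining,
            "result": call_model(tool_input)}
```

Keying the bucket by user ID means one user flooding the agent drains only their own allowance; a multi-process deployment would need shared state instead of the in-memory dictionary.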
Get started
Install the add-guard-protection skill into your AI coding agent. It will detect your language, install the package, configure rules, and wire up guard() calls inline in your tool handlers.
Supported languages: JavaScript / TypeScript (@arcjet/guard) and Python (arcjet).
npx skill add arcjet/skills --skill add-guard-protection

Then open your AI coding agent and describe what you want to protect — for example: “rate limit my tool calls per user and block prompt injection” or “secure my MCP server” or “protect my queue worker”.
Source
- arcjet/skills - AI coding agent skills for Arcjet
- arcjet/arcjet-js — JavaScript / TypeScript SDK
- arcjet/arcjet-python — Python SDK