Arcjet / Auth.js integration
Arcjet can protect your Auth.js login and signup routes from brute force attacks and other abuse. You can also use the Auth.js authenticated user ID to implement user-specific rate limits.
What is Arcjet?
Arcjet helps developers protect their apps in just a few lines of code. Implement rate limiting, bot protection, email validation, and defense against common attacks.Example use case
- Protect your Auth.js route handlers by rate limiting requests and blocking bots.
- Provide a higher rate limit for authenticated clients based on their Auth.js user ID.
See an example Next.js implementation on GitHub.
Protect Auth.js route handlers
Arcjet can extend the Auth.js route handler to protect it from abuse.
This example configures a rate limit on the Auth.js route POST
handler which
is used for authentication and logout attempts. It allows up to 10 requests
within a 60 second window and also prevents bots from making requests.
Auth.js recommends creating a catch-all API route to handle all authentication requests. Arcjet extends this handler:
Auth.js recommends creating a catch-all API route to handle all authentication requests. Arcjet extends this handler:
Rate limits using Auth.js user ID
Arcjet rate limits allow custom
characteristics to
identify the client and apply the limit. Using the Auth.js
auth
helper you can pass through a
user ID.
Chaining middleware
If you want to protect every page with Arcjet Shield automatically you can run it through Next.js middleware. Auth.js can also use middleware to add authentication to your pages. You can chain the two together.