Rate limiting
Arcjet rate limiting allows you to define rules which limit the number of requests a client can make over a period of time.
What is Arcjet?
Arcjet helps developers protect their apps in just a few lines of code. Bot detection. Rate limiting. Email validation. Attack protection. Data redaction. A developer-first approach to security.Video quick start
Quick start
This guide will show you how to add a simple rate limit to your
1. Install Arcjet
In your project root, run the following command to install the SDK:
bun add @arcjet/bunnpm i @arcjet/nextpnpm add @arcjet/nextyarn add @arcjet/nextnpm i @arcjet/nodepnpm add @arcjet/nodeyarn add @arcjet/nodenpm i @arcjet/sveltekitpnpm add @arcjet/sveltekityarn add @arcjet/sveltekit2. Set your key
Create a free Arcjet account then follow the
instructions to add a site and get a key. Add it to a .env.local file in your
project root.
# NODE_ENV is not set automatically, so tell Arcjet we're in dev# You can leave this unset in prodARCJET_ENV=development# Get your site key from https://app.arcjet.comARCJET_KEY=ajkey_yourkeyARCJET_KEY=ajkey_yourkey# NODE_ENV is not set automatically, so tell Arcjet we're in dev# You can leave this unset in prodARCJET_ENV=development# Get your site key from https://app.arcjet.comARCJET_KEY=ajkey_yourkeyARCJET_KEY=ajkey_yourkey3. Add a rate limit to a route
The example below applies a token bucket rate limit rule to a route where we identify the user based on their ID e.g. if they are logged in. The bucket is configured with a maximum capacity of 10 tokens and refills by 5 tokens every 10 seconds. Each request consumes 5 tokens.
import arcjet, { tokenBucket } from "@arcjet/bun";import { env } from "bun";
const aj = arcjet({ key: env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com characteristics: ["userId"], // track requests by a custom user ID rules: [ // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only refillRate: 5, // refill 5 tokens per interval interval: 10, // refill every 10 seconds capacity: 10, // bucket maximum capacity of 10 tokens }), ],});
export default { port: 3000, fetch: aj.handler(async (req) => { const userId = "user123"; // Replace with your authenticated user ID const decision = await aj.protect(req, { userId, requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { return new Response("Too many requests", { status: 429 }); }
return new Response("Hello world"); }),};import arcjet, { tokenBucket } from "@arcjet/bun";import { env } from "bun";
const aj = arcjet({ key: env.ARCJET_KEY, // Get your site key from https://app.arcjet.com characteristics: ["userId"], // track requests by a custom user ID rules: [ // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only refillRate: 5, // refill 5 tokens per interval interval: 10, // refill every 10 seconds capacity: 10, // bucket maximum capacity of 10 tokens }), ],});
export default { port: 3000, fetch: aj.handler(async (req) => { const userId = "user123"; // Replace with your authenticated user ID const decision = await aj.protect(req, { userId, requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { return new Response("Too many requests", { status: 429 }); }
return new Response("Hello world"); }),};Create a new API route at /src/routes/api/arcjet/+server.ts:
import { env } from "$env/dynamic/private";import arcjet, { tokenBucket } from "@arcjet/sveltekit";import { error, json, type RequestEvent } from "@sveltejs/kit";
const aj = arcjet({ // Get your site key from https://app.arcjet.com // and set it as an environment variable rather than hard coding. // See: https://kit.svelte.dev/docs/modules#$env-dynamic-private key: env.ARCJET_KEY!, characteristics: ["userId"], // track requests by a custom user ID rules: [ // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only refillRate: 5, // refill 5 tokens per interval interval: 10, // refill every 10 seconds capacity: 10, // bucket maximum capacity of 10 tokens }), ],});
export async function GET(event: RequestEvent) { const userId = "user123"; // Replace with your authenticated user ID const decision = await aj.protect(event, { userId, requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { return error(429, { message: "Too many requests" }); }
return json({ message: "Hello world" });}Create a new API route at /src/routes/api/arcjet/+server.js:
import { env } from "$env/dynamic/private";import arcjet, { tokenBucket } from "@arcjet/sveltekit";import { error, json } from "@sveltejs/kit";
const aj = arcjet({ // Get your site key from https://app.arcjet.com // and set it as an environment variable rather than hard coding. // See: https://kit.svelte.dev/docs/modules#$env-dynamic-private key: env.ARCJET_KEY, characteristics: ["userId"], // track requests by a custom user ID rules: [ // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only refillRate: 5, // refill 5 tokens per interval interval: 10, // refill every 10 seconds capacity: 10, // bucket maximum capacity of 10 tokens }), ],});
export async function GET(event) { const userId = "user123"; // Replace with your authenticated user ID const decision = await aj.protect(event, { userId, requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { return error(429, { message: "Too many requests" }); }
return json({ message: "Hello world" });}Create a new API route at /pages/api/arcjet.js:
import arcjet, { tokenBucket } from "@arcjet/next";
const aj = arcjet({ key: process.env.ARCJET_KEY, // Get your site key from https://app.arcjet.com characteristics: ["userId"], // track requests by a custom user ID rules: [ // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only refillRate: 5, // refill 5 tokens per interval interval: 10, // refill every 10 seconds capacity: 10, // bucket maximum capacity of 10 tokens }), ],});
export default async function handler(req, res) { const userId = "user123"; // Replace with your authenticated user ID const decision = await aj.protect(req, { userId, requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { return res .status(429) .json({ error: "Too many requests", reason: decision.reason }); }
res.status(200).json({ name: "Hello world" });}Create a new API route at /app/api/arcjet/route.ts:
import arcjet, { tokenBucket } from "@arcjet/next";import { NextResponse } from "next/server";
const aj = arcjet({ key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com characteristics: ["userId"], // track requests by a custom user ID rules: [ // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only refillRate: 5, // refill 5 tokens per interval interval: 10, // refill every 10 seconds capacity: 10, // bucket maximum capacity of 10 tokens }), ],});
export async function GET(req: Request) { const userId = "user123"; // Replace with your authenticated user ID const decision = await aj.protect(req, { userId, requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { return NextResponse.json( { error: "Too Many Requests", reason: decision.reason }, { status: 429 }, ); }
return NextResponse.json({ message: "Hello world" });}Create a new API route at /app/api/arcjet/route.js:
import arcjet, { tokenBucket } from "@arcjet/next";import { NextResponse } from "next/server";
const aj = arcjet({ key: process.env.ARCJET_KEY, // Get your site key from https://app.arcjet.com characteristics: ["userId"], // track requests by a custom user ID rules: [ // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only refillRate: 5, // refill 5 tokens per interval interval: 10, // refill every 10 seconds capacity: 10, // bucket maximum capacity of 10 tokens }), ],});
export async function GET(req) { const userId = "user123"; // Replace with your authenticated user ID const decision = await aj.protect(req, { userId, requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { return NextResponse.json( { error: "Too Many Requests", reason: decision.reason }, { status: 429 }, ); }
return NextResponse.json({ message: "Hello world" });}Create a new API route at /pages/api/arcjet.ts:
import arcjet, { tokenBucket } from "@arcjet/next";import type { NextApiRequest, NextApiResponse } from "next";
const aj = arcjet({ key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com characteristics: ["userId"], // track requests by a custom user ID rules: [ // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only refillRate: 5, // refill 5 tokens per interval interval: 10, // refill every 10 seconds capacity: 10, // bucket maximum capacity of 10 tokens }), ],});
export default async function handler( req: NextApiRequest, res: NextApiResponse,) { const userId = "user123"; // Replace with your authenticated user ID const decision = await aj.protect(req, { userId, requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { return res .status(429) .json({ error: "Too many requests", reason: decision.reason }); }
res.status(200).json({ name: "Hello world" });}import arcjet, { tokenBucket } from "@arcjet/node";import http from "node:http";
const aj = arcjet({ key: process.env.ARCJET_KEY, // Get your site key from https://app.arcjet.com characteristics: ["userId"], // track requests by a custom user ID rules: [ // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only refillRate: 5, // refill 5 tokens per interval interval: 10, // refill every 10 seconds capacity: 10, // bucket maximum capacity of 10 tokens }), ],});
const server = http.createServer(async function (req, res) { const userId = "user123"; // Replace with your authenticated user ID const decision = await aj.protect(req, { userId, requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { res.writeHead(429, { "Content-Type": "application/json" }); res.end( JSON.stringify({ error: "Too Many Requests", reason: decision.reason }), ); } else { res.writeHead(200, { "Content-Type": "application/json" }); res.end(JSON.stringify({ message: "Hello world" })); }});
server.listen(8000);import arcjet, { tokenBucket } from "@arcjet/node";import http from "node:http";
const aj = arcjet({ key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com characteristics: ["userId"], // track requests by a custom user ID rules: [ // Create a token bucket rate limit. Other algorithms are supported. tokenBucket({ mode: "LIVE", // will block requests. Use "DRY_RUN" to log only refillRate: 5, // refill 5 tokens per interval interval: 10, // refill every 10 seconds capacity: 10, // bucket maximum capacity of 10 tokens }), ],});
const server = http.createServer(async function ( req: http.IncomingMessage, res: http.ServerResponse,) { const userId = "user123"; // Replace with your authenticated user ID const decision = await aj.protect(req, { userId, requested: 5 }); // Deduct 5 tokens from the bucket console.log("Arcjet decision", decision);
if (decision.isDenied()) { res.writeHead(429, { "Content-Type": "application/json" }); res.end( JSON.stringify({ error: "Too Many Requests", reason: decision.reason }), ); } else { res.writeHead(200, { "Content-Type": "application/json" }); res.end(JSON.stringify({ message: "Hello world" })); }});
server.listen(8000);4. Start app
Start your app and load http://localhost:5173/api/arcjet. Refresh the page and
you will see the rate limit in action. The requests will also show up in the
Arcjet dashboard.
4. Start server
bun run --hot index.tsbun run --hot index.jsThen make some requests to hit the rate limit:
curl http://localhost:30004. Start app
Start your Next.js app:
npm run devpnpm run devyarn run devThen load http://localhost:3000/api/arcjet. Refresh the page and you will see
the rate limit in action. The requests will also show up in the Arcjet
dashboard.
4. Start server
npx tsx --env-file .env.local index.tsnode --env-file .env.local index.jsThen make some requests to hit the rate limit:
curl http://localhost:8000FAQs
Do I need to run any infrastructure e.g. Redis?
No, Arcjet handles all the infrastructure for you so you don't need to worry about deploying global Redis clusters, designing data structures to track rate limits, or keeping security detection rules up to date.
What is the performance overhead?
Arcjet SDK tries to do as much as possible asynchronously and locally to minimize latency for each request. Where decisions can be made locally or previous decisions are cached in-memory, latency is usually <1ms.
When a call to the Arcjet API is required, such as when tracking a rate limit in a serverless environment, there is some additional latency before a decision is made. The Arcjet API has been designed for high performance and low latency, and is deployed to multiple regions around the world. The SDK will automatically use the closest region which means the total overhead is typically no more than 20-30ms, often significantly less.
What happens if Arcjet is unavailable?
Where a decision has been cached locally e.g. blocking a client, Arcjet will continue to function even if the service is unavailable.
If a call to the Arcjet API is needed and there is a network problem or Arcjet is unavailable, the default behavior is to fail open and allow the request. You have control over how to handle errors, including choosing to fail close if you prefer. See the reference docs for details.
How does Arcjet protect me against DDoS attacks?
Network layer attacks tend to be generic and high volume, so these are best handled by your hosting platform. Most cloud providers include network DDoS protection by default.
Arcjet sits closer to your application so it can understand the context. This is important because some types of traffic may not look like a DDoS attack, but can still have the same effect. For example, a customer making too many API requests and affecting other customers, or large numbers of signups from disposable email addresses.
Network-level DDoS protection tools find it difficult to protect against this type of traffic because they don't understand the structure of your application. Arcjet can help you to identify and block this traffic by integrating with your codebase and understanding the context of the request e.g. the customer ID or sensitivity of the API route.
Volumetric network attacks are best handled by your hosting provider. Application level attacks need to be handled by the application. That's where Arcjet helps.
What next?
Arcjet can be used with specific rules on individual routes or as general protection on your entire application. You can customize bot protection, rate limiting for your API and minimize fraudulent registrations with the signup form protection.
Get help
Need help with anything? Email support@arcjet.com to get support from our engineering team.