Agent get started

Arcjet is the runtime security platform that ships with your code. Enforce budgets, stop prompt injection, detect bots, and protect personal information with Arcjet’s AI security building blocks.

Arcjet protects two types of entry points:

Request-based — HTTP route handlers and API endpoints. Use protect() with any supported framework.
Guards — tool calls, MCP servers, queue consumers, agentic pipelines, and anywhere else you process untrusted input without an HTTP request. Use guard() to pass inputs directly. See Guards.

Pick by what’s at the protection site:

	Protect (request SDKs)	Guard (`@arcjet/guard`, `arcjet.guard`)
Designed for	HTTP route handlers, API endpoints	AI tool calls, MCP servers, queue workers, background jobs
Request object	Required	Not needed
Rate limit key	IP or `characteristics`	Explicit `key` string at call time
Rate Limiting / Prompt Injection / Sensitive Info	✅	✅
Bot Protection / Shield / Email Validation / Filters / IP Analysis	✅	—
Custom Rules	—	✅

A single application can use both — request-based protection on API routes and guards inside tool handlers / queue workers / MCP tools.

The recommended path for an agentic workflow is to install a skill that gives your agent the documentation to integrate the Arcjet SDK, then connect to the Arcjet API via the CLI or MCP server to create sites, retrieve credentials, and verify decisions.

Skills

Skills are the primary entry point for setting up Arcjet in an agentic workflow. They give your agent the documentation to detect your framework, install the SDK, and wire up protection rules.

Install the Arcjet skill:

npx skills add arcjet/skills

Then describe what you want to protect. The skill handles the rest.

Source: github.com/arcjet/skills

Connect to the Arcjet API

Skills handle the SDK and rule integration in your code. To create sites, retrieve ARCJET_KEY, inspect requests, and manage remote rules, the agent needs to talk to the Arcjet API. There are two parallel support transports — pick whichever fits your working style:

Arcjet CLI — for agents and humans working in a terminal (Claude Code, Codex, plugin tasks, CI). No editor or MCP setup required.
MCP server — for online clients without shell access (ChatGPT, Claude Desktop) and editors with built-in MCP support (VS Code Copilot, Windsurf, Cursor).

Both transports expose the same management-plane surface. The sections below describe each path end to end.

Path A: Connect with the CLI

The Arcjet CLI lets you manage sites, keys, and rules from your terminal:

npx -y @arcjet/cli@latest auth login
npx -y @arcjet/cli@latest teams list
npx -y @arcjet/cli@latest sites list --team-id team_01abc123
npx -y @arcjet/cli@latest sites get-key --site-id site_01abc123

For frequent use, install the binary so you can run arcjet <command> directly. See CLI install paths.

Set the key in the project environment:

1
# .env.local (Next.js, Astro) or .env (other frameworks)
2
ARCJET_KEY=ajkey_yourkey

Then continue with Install the SDK and Add protection below.

Path B: Connect with the MCP server

Use this path if you are using a tool with built-in MCP support (VS Code Copilot, Windsurf, ChatGPT, Claude Code, Claude Desktop, Cursor).

The Arcjet MCP server lets you manage your account directly from your AI coding tool. See MCP server setup for the per-client configuration steps.

OAuth authentication happens automatically on first connection — a browser window will open for the user to sign in.

Once connected, retrieve your site key with the MCP tools:

Call list-teams to get available teams.
Call list-sites with the team ID to find the site (or call create-site to create a new one).
Call get-site-key with the site ID to retrieve the ARCJET_KEY.

Set the key in the project environment:

1
# .env.local (Next.js, Astro) or .env (other frameworks)
2
ARCJET_KEY=ajkey_yourkey
3
ARCJET_ENV=development

ARCJET_ENV is read by the Arcjet SDK in your local app to switch into development mode. It is not used by the MCP connection itself.

If the user doesn’t have an Arcjet account yet, direct them to app.arcjet.com to create one (free trial).

Install the SDK

Detect the framework by checking the project files:

package.json — look for next, express, fastify, @nestjs/core, @sveltejs/kit, hono, @remix-run/node, react-router, astro, nuxt, or check if the runtime is Bun or Deno.
pyproject.toml / requirements.txt — look for fastapi or flask.

Then install the correct package:

Framework	Install command
Next.js	`npm i @arcjet/next`
Express	`npm i @arcjet/node @arcjet/inspect`
Node.js	`npm i @arcjet/node @arcjet/inspect`
Node.js + Hono	`npm i @arcjet/node @arcjet/inspect`
Fastify	`npm i @arcjet/fastify`
NestJS	`npm i @arcjet/nest`
SvelteKit	`npm i @arcjet/sveltekit @arcjet/inspect`
Remix	`npm i @arcjet/remix @arcjet/inspect`
React Router	`npm i @arcjet/react-router @arcjet/inspect`
Bun	`bun add @arcjet/bun @arcjet/inspect`
Bun + Hono	`bun add @arcjet/bun @arcjet/inspect`
Deno	`deno add npm:@arcjet/deno npm:@arcjet/inspect`
Nuxt	`npx nuxt module add @arcjet/nuxt`
Astro	`npx astro add @arcjet/astro`
Python FastAPI	`pip install arcjet` or `uv add arcjet`
Python Flask	`pip install arcjet` or `uv add arcjet`

Add protection

Add Arcjet rules to protect the application. See the llms-full.txt file for complete, copy-paste code examples for every framework, including the rule parameter reference and decision API. llms.txt is a shorter index for AI agents that links out to the full reference.

The typical setup is:

Create an Arcjet client instance once, outside request handlers.
Configure rules: shield (WAF), detectBot, rate limiting (tokenBucket, fixedWindow, or slidingWindow), and optionally sensitiveInfo or detectPromptInjection for AI apps.
Call protect() inside each route handler and check decision.isDenied().

Recommended rules by app type

App type	Rules
AI / LLM chat	`shield` + `detectBot` + `tokenBucket` + `sensitiveInfo` + `detectPromptInjection`
Public API	`shield` + `detectBot` + `fixedWindow` or `tokenBucket`
Signup / login form	`shield` + `detectBot` + `validateEmail` + `slidingWindow`
Internal / admin route	`shield` + `filter` (country/VPN blocking)
Any web app	`shield` + `detectBot` (good baseline)
AI agent tool call (Guard)	`tokenBucket` + `detectPromptInjection` + `localDetectSensitiveInfo`
MCP tool handler (Guard)	`tokenBucket` (keyed by session) + `detectPromptInjection`
Queue worker / background job (Guard)	`tokenBucket` (keyed by user) + `detectPromptInjection` + `localDetectSensitiveInfo`

Verify

After adding protection and starting the app:

Send a test request to a protected route — or for guards, invoke the protected tool / task. The fastest way is a tiny script that imports the function and calls it twice (once to allow, once to exceed a limit). For MCP servers, send a tool call via the MCP client / inspector.
List recent decisions via the CLI (arcjet requests list --site-id <id> for request-based protection or arcjet guards list --site-id <id> for guards) or the MCP tools (list-requests, list-guards).
Inspect individual decisions via the CLI (arcjet requests details, arcjet requests explain, arcjet guards details, arcjet guards explain) or the MCP tools (get-request-details, explain-decision, get-guard-details).
Use arcjet analyze traffic --site-id <id> (CLI) or analyze-traffic (MCP) for a dashboard-level overview of request patterns.
Check the Arcjet dashboard for real-time monitoring.

If decisions are not appearing, verify that ARCJET_KEY and ARCJET_ENV are set correctly and that protect() / guard() is being called.

Common agent prompts

These prompts work well when given to an AI coding agent with skills installed and either the CLI or MCP server connected (the Arcjet plugin is a bundled alternative for Claude Code and Cursor users):

“Protect my API routes with Arcjet” — adds shield, bot detection, and rate limiting to all API routes.
“Add rate limiting to my app” — adds a token bucket or fixed window rate limit.
“Set up bot protection” — blocks automated clients while allowing search engines.
“Add prompt injection detection to my AI chat endpoint” — adds detectPromptInjection with message scanning.
“Block sensitive data from reaching my LLM” — adds sensitiveInfo (JS) or detect_sensitive_info (Python) to scan for PII.
“Set up Arcjet security for my app” — full end-to-end setup with shield, bot detection, and rate limiting.
“Rate limit my AI agent tool calls per user” — installs the guard skill and wires up tokenBucket keyed by user inside each tool handler.
“Secure my MCP server” — installs the guard skill, adds per-tool guard() calls with hardcoded labels and session-scoped rate limits.
“Protect my queue worker from prompt injection” — uses the sync guard client (launchArcjet / launch_arcjet_sync) with prompt injection detection on job payloads.
“Block PII in agent tool outputs before they reach the model” — uses localDetectSensitiveInfo on tool results in a guard call so PII in tool outputs doesn’t leak back into the model context.
“Give me a security briefing for my site” — calls get-security-briefing to return traffic analysis, threat landscape, anomalies, and recommendations.
“Investigate this suspicious IP address” — calls investigate-ip for geo, threat intelligence, and request activity.
“What would happen if I promote my dry-run rules to live?” — calls get-dry-run-impact to show blocked requests, affected IPs, and false-positive risk.

Reference

Quick start guide — framework-specific setup with full code examples
Guards — protect tool calls, queues, and agentic pipelines without an HTTP request
Arcjet CLI — manage sites, keys, and rules from the terminal
MCP server — full MCP tool reference and client setup
Arcjet Plugin — bundled experience for Claude Code and Cursor
llms.txt — short machine-readable index for AI agents
llms-full.txt — full machine-readable reference with all framework examples, rule parameters, and decision API
Remote rules — manage rules from the dashboard or MCP server without code changes
Best practices — recommended patterns and anti-patterns