Agent get started
Arcjet is the runtime security platform that ships with your code. Enforce budgets, stop prompt injection, detect bots, and protect personal information with Arcjet’s AI security building blocks.
This page walks AI coding agents through getting Arcjet set up in any project.
Option A: Arcjet Plugin (recommended)
Section titled “Option A: Arcjet Plugin (recommended)”The Arcjet plugin for Claude Code and Cursor is the fastest way to add Arcjet security. Install it with a single command:
npx plugins add arcjet/arcjet-pluginThe plugin handles everything automatically — MCP connection, API key setup, SDK installation, and adding protection rules. Just trigger a skill:
| Skill | Purpose |
|---|---|
/arcjet:protect-route | Designed for web apps. Adds protection to route handlers with automatic framework detection |
/arcjet:add-ai-protection | Designed for AI apps. Implements prompt injection detection, PII blocking, and token budget rate limiting |
That’s it. The plugin detects your framework, connects to MCP, and walks you through the rest. Skip to Common agent prompts for usage examples, or continue below for manual setup with other tools.
Option B: Manual setup
Section titled “Option B: Manual setup”Use this path if you’re working with VS Code Copilot, Windsurf, ChatGPT, Claude Desktop, or prefer to set things up step by step.
Step 1: Connect the MCP server
Section titled “Step 1: Connect the MCP server”The Arcjet MCP server lets you manage your account directly from your AI coding tool.
- In ChatGPT, go to Settings.
- Navigate to Connectors and select Add connection.
- Enter
https://api.arcjet.com/mcpas the server URL. - Select OAuth for authentication.
- Click Create.
claude mcp add arcjet --transport http https://api.arcjet.com/mcp- Open Settings in the sidebar.
- Navigate to Connectors and select Add custom connector.
- Set the Name to
Arcjetand the URL tohttps://api.arcjet.com/mcp.
Add to .cursor/mcp.json:
{ "mcpServers": { "arcjet": { "type": "streamable-http", "url": "https://api.arcjet.com/mcp" } } }Add to .vscode/mcp.json:
{ "servers": { "arcjet": { "type": "http", "url": "https://api.arcjet.com/mcp" } } }Add to mcp_config.json:
{ "mcpServers": { "arcjet": { "serverUrl": "https://api.arcjet.com/mcp" } } }OAuth authentication happens automatically on first connection — a browser window will open for the user to sign in.
See the MCP server docs for the full tool reference.
Step 2: Get your ARCJET_KEY
Section titled “Step 2: Get your ARCJET_KEY”Use the MCP tools to retrieve your site key:
- Call
list-teamsto get available teams. - Call
list-siteswith the team ID to find the site (or callcreate-siteto create a new one). - Call
get-site-keywith the site ID to retrieve theARCJET_KEY.
Set the key in the project environment:
# .env.local (Next.js, Astro) or .env (other frameworks)ARCJET_KEY=ajkey_yourkeyARCJET_ENV=developmentIf the user doesn’t have an Arcjet account yet, direct them to app.arcjet.com to create one (free trial).
Step 3: Install the SDK
Section titled “Step 3: Install the SDK”Detect the framework by checking the project files:
package.json— look fornext,express,fastify,@nestjs/core,@sveltejs/kit,hono,@remix-run/node,react-router,astro,nuxt, or check if the runtime is Bun or Deno.pyproject.toml/requirements.txt— look forfastapiorflask.
Then install the correct package:
| Framework | Install command |
|---|---|
| Next.js | npm i @arcjet/next |
| Express | npm i @arcjet/node @arcjet/inspect |
| Node.js | npm i @arcjet/node @arcjet/inspect |
| Node.js + Hono | npm i @arcjet/node @arcjet/inspect |
| Fastify | npm i @arcjet/fastify |
| NestJS | npm i @arcjet/nest |
| SvelteKit | npm i @arcjet/sveltekit @arcjet/inspect |
| Remix | npm i @arcjet/remix @arcjet/inspect |
| React Router | npm i @arcjet/react-router @arcjet/inspect |
| Bun | bun add @arcjet/bun @arcjet/inspect |
| Bun + Hono | bun add @arcjet/bun @arcjet/inspect |
| Deno | deno add npm:@arcjet/deno npm:@arcjet/inspect |
| Nuxt | npx nuxt module add @arcjet/nuxt |
| Astro | npx astro add @arcjet/astro |
| Python FastAPI | pip install arcjet or uv add arcjet |
| Python Flask | pip install arcjet or uv add arcjet |
Step 4: Add protection
Section titled “Step 4: Add protection”Add Arcjet rules to protect the application. See the llms.txt file for complete, copy-paste code examples for every framework, including the rule parameter reference and decision API.
The typical setup is:
- Create an Arcjet client instance once, outside request handlers.
- Configure rules:
shield(WAF),detectBot, rate limiting (tokenBucket,fixedWindow, orslidingWindow), and optionallysensitiveInfoordetectPromptInjectionfor AI apps. - Call
protect()inside each route handler and checkdecision.isDenied().
Recommended rules by app type
Section titled “Recommended rules by app type”| App type | Rules |
|---|---|
| AI / LLM chat | shield + detectBot + tokenBucket + sensitiveInfo + detectPromptInjection |
| Public API | shield + detectBot + fixedWindow or tokenBucket |
| Signup / login form | shield + detectBot + validateEmail + slidingWindow |
| Internal / admin route | shield + filter (country/VPN blocking) |
| Any web app | shield + detectBot (good baseline) |
Step 5: Verify
Section titled “Step 5: Verify”After adding protection and starting the app:
- Send a test request to a protected route.
- Use the MCP
list-requeststool to confirm requests are flowing to Arcjet. - Use
get-request-detailsorexplain-decisionto inspect individual decisions. - Use
analyze-trafficfor a dashboard-level overview of request patterns. - Check the Arcjet dashboard for real-time request monitoring.
If requests are not appearing, verify that ARCJET_KEY and ARCJET_ENV are
set correctly and that protect() is being called in the route handler.
Common agent prompts
Section titled “Common agent prompts”These prompts work well when given to an AI coding agent with the Arcjet plugin installed or MCP server connected:
- “Protect my API routes with Arcjet” — adds shield, bot detection, and rate limiting to all API routes.
- “Add rate limiting to my app” — adds a token bucket or fixed window rate limit.
- “Set up bot protection” — blocks automated clients while allowing search engines.
- “Add prompt injection detection to my AI chat endpoint” — adds
detectPromptInjectionwith message scanning. - “Block sensitive data from reaching my LLM” — adds
sensitiveInfo(JS) ordetect_sensitive_info(Python) to scan for PII. - “Set up Arcjet security for my app” — full end-to-end setup with shield, bot detection, and rate limiting.
- “Give me a security briefing for my site” — calls
get-security-briefingto return traffic analysis, threat landscape, anomalies, and recommendations. - “Investigate this suspicious IP address” — calls
investigate-ipfor geo, threat intelligence, and request activity. - “What would happen if I promote my dry-run rules to live?” — calls
get-dry-run-impactto show blocked requests, affected IPs, and false-positive risk.
Reference
Section titled “Reference”- Quick start guide — framework-specific setup with full code examples
- Arcjet Plugin — plugin for Claude Code and Cursor with automatic security guidance
- llms.txt — machine-readable reference with all framework examples, rule parameters, and decision API
- MCP server — full MCP tool reference and client setup
- Best practices — recommended patterns and anti-patterns