Arcjet signup form protection combines rate limiting, bot protection, and email
validation to protect your signup forms from abuse.
What is Arcjet? Arcjet helps developers protect their apps
in just a few lines of code. Implement rate limiting, bot protection, email
validation, and defense against common attacks.
Quick start
This guide will show you how to protect a Next.js signup form.
1. Install SDK
In your project root, run the following command to install the SDK:
2. Set your key
Create a free Arcjet account then follow the
instructions to add a site and get a key. Add it to a .env.local
file in your
Next.js project root:
Arcjet signup form protection is a combination of the rate
limiting , bot
protection , and email
validation primitives. These are
configured using our recommended rules.
The example below is a simple email form that submits to an API route. You could
adapt this as part of a signup form.
Create the API route handler to receive the form submission:
import arcjet, { protectSignup } from " @arcjet/next " ;
import { NextResponse } from " next/server " ;
key: process . env . ARCJET_KEY !, // Get your site key from https://app.arcjet.com
mode: " LIVE " , // will block requests. Use "DRY_RUN" to log only
// Block emails that are disposable, invalid, or have no MX records
block: [ " DISPOSABLE " , " INVALID " , " NO_MX_RECORDS " ],
// configured with a list of bots to allow from
// https://arcjet.com/bot-list
allow: [], // "allow none" will block all detected bots
// It would be unusual for a form to be submitted more than 5 times in 10
// minutes from the same IP address
// uses a sliding window rate limit
interval: " 10m " , // counts requests over a 10 minute sliding window
max: 5 , // allows 5 submissions within the window
export async function POST ( req : Request ) {
const data = await req . json ();
const email = data . email ;
const decision = await aj . protect (req , {
console . log ( " Arcjet decision: " , decision);
if (decision . isDenied ()) {
if (decision . reason . isEmail ()) {
return NextResponse . json (
message: " Invalid email " ,
return NextResponse . json ({ message: " Forbidden " } , { status: 403 });
return NextResponse . json ({
Next, create the form page:
import React, { useState, type FormEvent } from " react " ;
export default function Page () {
const [ isLoading , setIsLoading ] = useState < boolean > ( false );
const [ error , setError ] = useState < string | null > ( null );
async function onSubmit ( event : FormEvent < HTMLFormElement > ) {
setError ( null ); // Clear previous errors when a new request starts
const formData = new FormData (event . currentTarget );
const response = await fetch ( " /api_app/form " , {
body: JSON . stringify (Object . fromEntries (formData)) ,
" Content-Type " : " application/json " ,
const error = await response . json ();
` ${ response . status } ${ response . statusText } : ${ error . message } ` ,
// Handle response if necessary
const data = await response . json ();
// Capture the error message to display to the user
{ error && < div style = {{ color: " red " }} > {error} </ div > }
< form onSubmit = {onSubmit} >
< label htmlFor = " email " > Email </ label >
This is a "text" input type rather than "email" to demonstrate
Arcjet validating invalid emails. Changing to "email" will allow
the browser to validate as well
defaultValue = { " invalid@email " }
< button type = " submit " disabled = {isLoading} >
{ isLoading ? " Loading... " : " Submit " }
Create the API route handler to receive the form submission:
import arcjet, { protectSignup } from " @arcjet/next " ;
import type { NextApiRequest, NextApiResponse } from " next " ;
key: process . env . ARCJET_KEY !, // Get your site key from https://app.arcjet.com
mode: " LIVE " , // will block requests. Use "DRY_RUN" to log only
// Block emails that are disposable, invalid, or have no MX records
block: [ " DISPOSABLE " , " INVALID " , " NO_MX_RECORDS " ],
// configured with a list of bots to allow from
// https://arcjet.com/bot-list
allow: [], // "allow none" will block all detected bots
// It would be unusual for a form to be submitted more than 5 times in 10
// minutes from the same IP address
// uses a sliding window rate limit
interval: " 10m " , // counts requests over a 10 minute sliding window
max: 5 , // allows 5 submissions within the window
export default async function handler (
const email = data . email ;
const decision = await aj . protect (req , {
// The submitted email is passed to the protect function
console . log ( " Arcjet decision: " , decision);
if (decision . isDenied ()) {
if (decision . reason . isEmail ()) {
return res . status ( 400 ) . json ({
message: " Invalid email " ,
// This returns an error which is then displayed on the form, but you
// could take other actions such as redirecting to an error page. See
// https://nextjs.org/docs/pages/building-your-application/data-fetching/forms-and-mutations#redirecting
return res . status ( 403 ) . json ({
// The form submission is allowed to proceed so do something with it here
res . status ( 200 ) . json ({ name: " Hello world " });
Next, create the form page:
import React, { useState, type FormEvent } from " react " ;
export default function Page () {
const [ isLoading , setIsLoading ] = useState < boolean > ( false );
const [ error , setError ] = useState < string | null > ( null );
async function onSubmit ( event : FormEvent < HTMLFormElement > ) {
setError ( null ); // Clear previous errors when a new request starts
const formData = new FormData (event . currentTarget );
const response = await fetch ( " /api/form " , {
body: JSON . stringify (Object . fromEntries (formData)) ,
" Content-Type " : " application/json " ,
const error = await response . json ();
` ${ response . status } ${ response . statusText } : ${ error . message } ` ,
// Handle response if necessary
const data = await response . json ();
// Capture the error message to display to the user
{ error && < div style = {{ color: " red " }} > {error} </ div > }
< form onSubmit = {onSubmit} >
< label htmlFor = " email " > Email </ label >
This is a "text" input type rather than "email" to demonstrate
Arcjet validating invalid emails. Changing to "email" will allow
the browser to validate as well
defaultValue = { " invalid@email " }
< button type = " submit " disabled = {isLoading} >
{ isLoading ? " Loading... " : " Submit " }
Create the API route handler to receive the form submission:
import arcjet, { protectSignup } from " @arcjet/next " ;
import { NextResponse } from " next/server " ;
key: process . env . ARCJET_KEY , // Get your site key from https://app.arcjet.com
mode: " LIVE " , // will block requests. Use "DRY_RUN" to log only
// Block emails that are disposable, invalid, or have no MX records
block: [ " DISPOSABLE " , " INVALID " , " NO_MX_RECORDS " ],
// configured with a list of bots to allow from
// https://arcjet.com/bot-list
allow: [], // "allow none" will block all detected bots
// It would be unusual for a form to be submitted more than 5 times in 10
// minutes from the same IP address
// uses a sliding window rate limit
interval: " 10m " , // counts requests over a 10 minute sliding window
max: 5 , // allows 5 submissions within the window
export async function POST ( req ) {
const data = await req . json ();
const email = data . email ;
const decision = await aj . protect ( req , {
console . log ( " Arcjet decision: " , decision );
if ( decision . isDenied ()) {
if ( decision . reason . isEmail ()) {
return NextResponse . json (
message: " Invalid email " ,
return NextResponse . json ({ message: " Forbidden " } , { status: 403 });
return NextResponse . json ({
Next, create the form page:
import React, { useState } from " react " ;
export default function Page () {
const [ isLoading , setIsLoading ] = useState ( false );
const [ error , setError ] = useState ( null );
async function onSubmit ( event ) {
setError ( null ); // Clear previous errors when a new request starts
const formData = new FormData ( event . currentTarget );
const response = await fetch ( " /api_app/form " , {
body: JSON . stringify ( Object . fromEntries ( formData )) ,
" Content-Type " : " application/json " ,
const error = await response . json ();
` ${ response . status } ${ response . statusText } : ${ error . message } ` ,
// Handle response if necessary
const data = await response . json ();
// Capture the error message to display to the user
{ error && < div style = { { color: " red " } } > { error } </ div > }
< form onSubmit = { onSubmit } >
< label htmlFor = " email " > Email </ label >
This is a "text" input type rather than "email" to demonstrate
Arcjet validating invalid emails. Changing to "email" will allow
the browser to validate as well
defaultValue = { " invalid@email " }
< button type = " submit " disabled = { isLoading } >
{ isLoading ? " Loading... " : " Submit " }
Create the API route handler to receive the form submission:
import arcjet, { protectSignup } from " @arcjet/next " ;
import { NextResponse } from " next/server " ;
key: process . env . ARCJET_KEY , // Get your site key from https://app.arcjet.com
mode: " LIVE " , // will block requests. Use "DRY_RUN" to log only
// Block emails that are disposable, invalid, or have no MX records
block: [ " DISPOSABLE " , " INVALID " , " NO_MX_RECORDS " ],
// configured with a list of bots to allow from
// https://arcjet.com/bot-list
allow: [], // "allow none" will block all detected bots
// It would be unusual for a form to be submitted more than 5 times in 10
// minutes from the same IP address
// uses a sliding window rate limit
interval: " 10m " , // counts requests over a 10 minute sliding window
max: 5 , // allows 5 submissions within the window
export async function POST ( req ) {
const data = await req . json ();
const email = data . email ;
const decision = await aj . protect ( req , {
console . log ( " Arcjet decision: " , decision );
if ( decision . isDenied ()) {
if ( decision . reason . isEmail ()) {
return NextResponse . json (
message: " Invalid email " ,
return NextResponse . json ({ message: " Forbidden " } , { status: 403 });
return NextResponse . json ({
Next, create the form page:
import React, { useState } from " react " ;
export default function Page () {
const [ isLoading , setIsLoading ] = useState ( false );
const [ error , setError ] = useState ( null );
async function onSubmit ( event ) {
setError ( null ); // Clear previous errors when a new request starts
const formData = new FormData ( event . currentTarget );
const response = await fetch ( " /api/form_js " , {
body: JSON . stringify ( Object . fromEntries ( formData )) ,
" Content-Type " : " application/json " ,
const error = await response . json ();
` ${ response . status } ${ response . statusText } : ${ error . message } ` ,
// Handle response if necessary
const data = await response . json ();
// Capture the error message to display to the user
{ error && < div style = { { color: " red " } } > { error } </ div > }
< form onSubmit = { onSubmit } >
< label htmlFor = " email " > Email </ label >
This is a "text" input type rather than "email" to demonstrate
Arcjet validating invalid emails. Changing to "email" will allow
the browser to validate as well
defaultValue = { " invalid@email " }
< button type = " submit " disabled = { isLoading } >
{ isLoading ? " Loading... " : " Submit " }
4. Start app
Start your app and load http://localhost:3000/form
. Submit the form with a
variety of email addresses and you can see how the check behaves. The requests
will also show up in the Arcjet dashboard .
FAQs
Do I need to run any infrastructure e.g. Redis? No, Arcjet handles all the infrastructure for you so you don't need to
worry about deploying global Redis clusters, designing data structures to
track rate limits, or keeping security detection rules up to date.
What is the performance overhead? Arcjet SDK tries to do as much as possible asynchronously and locally to
minimize latency for each request. Where decisions can be made locally or
previous decisions are cached in-memory, latency is usually <1ms.
When a call to the Arcjet API is required, such as when tracking a
rate limit in a serverless environment, there is some additional latency
before a decision is made. The Arcjet API has been designed for high
performance and low latency, and is deployed to multiple regions around the
world. The SDK will automatically use the closest region which means the
total overhead is typically no more than 20-30ms, often significantly less.
What happens if Arcjet is unavailable? Where a decision has been cached locally e.g. blocking a client, Arcjet
will continue to function even if the service is unavailable.
If a call to the Arcjet API is needed and there is a network problem or
Arcjet is unavailable, the default behavior is to fail open and allow
the request. You have control over how to handle errors, including choosing
to fail close if you prefer. See the reference docs for details.
How does Arcjet protect me against DDoS attacks? Network layer attacks tend to be generic and high volume, so these are
best handled by your hosting platform. Most cloud providers include network
DDoS protection by default.
Arcjet sits closer to your application so it can understand the context.
This is important because some types of traffic may not look like a DDoS
attack, but can still have the same effect. For example, a customer making
too many API requests and affecting other customers, or large numbers of
signups from disposable email addresses.
Network-level DDoS protection tools find it difficult to protect against
this type of traffic because they don't understand the structure of your
application. Arcjet can help you to identify and block this traffic by
integrating with your codebase and understanding the context of the
request e.g. the customer ID or sensitivity of the API route.
Volumetric network attacks are best handled by your hosting provider.
Application level attacks need to be handled by the application. That's
where Arcjet helps.
What next?
Testing Write tests for your rules.
Get help
Need help with anything? Email us or join our
Discord to get support from our
engineering team.
Discussion