Arcjet - JS SDK

Arcjet helps developers protect their apps in just a few lines of
code. Implement rate limiting, bot protection, email verification, and defense
against common attacks.

This is the monorepo containing various Arcjet open source packages
for JS.

Quick start

• Bun? Use the @arcjet/bun package with our Bun quick start
  guide.
• Deno? Use the npm:@arcjet/deno package with our Deno quick
  start guide.
• NestJS? Use the @arcjet/nest package with our NestJS
  quick start guide.
• Next.js? Use the @arcjet/next package with our Next.js
  quick start guide.
• Node.js? Use the @arcjet/node package with our Node.js
  quick start guide.
• Remix? Use the @arcjet/remix package with our Remix
  quick start guide.
• SvelteKit? Use the @arcjet/sveltekit package with our
  SvelteKit quick start guide.

Get help

Join our Discord server or reach out for support.

Examples

• Next.js rate limits
• Next.js email validation
• Bun rate limits
• Protect NextAuth login routes
• OpenAI chatbot protection
• Express.js rate limits
• SvelteKit
• … more examples

Example app

Try an Arcjet protected app live at https://example.arcjet.com
(source code).

Usage

Read the docs at docs.arcjet.com.

Next.js rate limit example

The Arcjet rate limit example below
applies a token bucket rate limit rule to a route where we identify the user
based on their ID e.g. if they are logged in. The bucket is configured with a
maximum capacity of 10 tokens and refills by 5 tokens every 10 seconds. Each
request consumes 5 tokens.

See the Arcjet Next.js rate limit documentation
for details.

import arcjet, { tokenBucket } from "@arcjet/next";
import { NextResponse } from "next/server";

const aj = arcjet({
  key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com
  characteristics: ["userId"], // track requests by a custom user ID
  rules: [
    // Create a token bucket rate limit. Other algorithms are supported.
    tokenBucket({
      mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
      refillRate: 5, // refill 5 tokens per interval
      interval: 10, // refill every 10 seconds
      capacity: 10, // bucket maximum capacity of 10 tokens
    }),
  ],
});

export async function GET(req: Request) {
  const userId = "user123"; // Replace with your authenticated user ID
  const decision = await aj.protect(req, { userId, requested: 5 }); // Deduct 5 tokens from the bucket
  console.log("Arcjet decision", decision);

  if (decision.isDenied()) {
    return NextResponse.json(
      { error: "Too Many Requests", reason: decision.reason },
      { status: 429 },
    );
  }

  return NextResponse.json({ message: "Hello world" });
}

Node.js bot protection example

The Arcjet bot protection example below will
return a 403 Forbidden response for all requests from clients we are sure are
automated.

See the Arcjet Node.js bot protection documentation for
details.

import arcjet, { detectBot } from "@arcjet/node";
import http from "node:http";

const aj = arcjet({
  key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com
  rules: [
    detectBot({
      mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
      // configured with a list of bots to allow from
      // https://arcjet.com/bot-list
      allow: [], // "allow none" will block all detected bots
    }),
  ],
});

const server = http.createServer(async function (
  req: http.IncomingMessage,
  res: http.ServerResponse,
) {
  const decision = await aj.protect(req);
  console.log("Arcjet decision", decision);

  if (decision.isDenied()) {
    res.writeHead(403, { "Content-Type": "application/json" });
    res.end(JSON.stringify({ error: "Forbidden" }));
  } else {
    res.writeHead(200, { "Content-Type": "application/json" });
    res.end(JSON.stringify({ message: "Hello world" }));
  }
});

server.listen(8000);

Packages

We provide the source code for various packages in this repository, so you can
find a specific one through the categories and descriptions below.

SDKs

• @arcjet/bun: SDK for Bun.sh.
• @arcjet/deno: SDK for Deno.
• @arcjet/nest: SDK for NestJS.
• @arcjet/next: SDK for the Next.js framework.
• @arcjet/node: SDK for Node.js.
• @arcjet/remix: SDK for Remix.
• @arcjet/sveltekit: SDK for SvelteKit.

Analysis

• @arcjet/analyze: Local analysis engine.
• @arcjet/headers: Arcjet extension of the Headers
  class.
• @arcjet/ip: Utilities for finding the originating IP of a
  request.
• @arcjet/redact: Redact & unredact sensitive
  information from strings.

Utilities

• arcjet: JS SDK core.
• @arcjet/body: utilities for extracting the body from a
  Node.js IncomingMessage.
• @arcjet/decorate: Utilities for decorating responses
  with information.
• @arcjet/duration: Utilities for parsing duration
  strings into seconds integers.
• @arcjet/env: Environment detection for Arcjet variables.
• @arcjet/logger: Lightweight logger which mirrors the
  Pino structured logger interface.
• @arcjet/protocol: JS interface into the Arcjet
  protocol.
• @arcjet/runtime: Runtime detection.
• @arcjet/sprintf: Platform-independent replacement for
  util.format.
• @arcjet/transport: Transport mechanisms for the
  Arcjet protocol.

Internal development

• @arcjet/eslint-config: Custom eslint config for
  our projects.
• @arcjet/redact-wasm: Sensitive information
  redaction detection engine.
• @arcjet/rollup-config: Custom rollup config for
  our projects.
• @arcjet/tsconfig: Custom tsconfig for our projects.

Support

This repository follows the Arcjet Support Policy.

Security

This repository follows the Arcjet Security Policy.

License

Licensed under the Apache License, Version 2.0.