Arcjet helps developers protect their apps in just a few lines of code. Implement rate limiting, bot protection, email verification, and defense against common attacks.
This is the monorepo containing various Arcjet open source packages for JS.
- Bun? Use the
@arcjet/bun
package with our Bun quick start guide. - Deno? Use the
npm:@arcjet/deno
package with our Deno quick start guide. - NestJS? Use the
@arcjet/nest
package with our NestJS quick start guide. - Next.js? Use the
@arcjet/next
package with our Next.js quick start guide. - Node.js? Use the
@arcjet/node
package with our Node.js quick start guide. - Remix? Use the
@arcjet/remix
package with our Remix quick start guide. - SvelteKit? Use the
@arcjet/sveltekit
package with our SvelteKit quick start guide.
Join our Discord server or reach out for support.
- Next.js rate limits
- Next.js email validation
- Bun rate limits
- Protect NextAuth login routes
- OpenAI chatbot protection
- Express.js rate limits
- SvelteKit
- ... more examples
Try an Arcjet protected app live at https://example.arcjet.com (source code).
Read the docs at docs.arcjet.com.
The Arcjet rate limit example below applies a token bucket rate limit rule to a route where we identify the user based on their ID e.g. if they are logged in. The bucket is configured with a maximum capacity of 10 tokens and refills by 5 tokens every 10 seconds. Each request consumes 5 tokens.
See the Arcjet Next.js rate limit documentation for details.
import arcjet, { tokenBucket } from "@arcjet/next";
import { NextResponse } from "next/server";
const aj = arcjet({
key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com
characteristics: ["userId"], // track requests by a custom user ID
rules: [
// Create a token bucket rate limit. Other algorithms are supported.
tokenBucket({
mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
refillRate: 5, // refill 5 tokens per interval
interval: 10, // refill every 10 seconds
capacity: 10, // bucket maximum capacity of 10 tokens
}),
],
});
export async function GET(req: Request) {
const userId = "user123"; // Replace with your authenticated user ID
const decision = await aj.protect(req, { userId, requested: 5 }); // Deduct 5 tokens from the bucket
console.log("Arcjet decision", decision);
if (decision.isDenied()) {
return NextResponse.json(
{ error: "Too Many Requests", reason: decision.reason },
{ status: 429 },
);
}
return NextResponse.json({ message: "Hello world" });
}
The Arcjet bot protection example below will return a 403 Forbidden response for all requests from clients we are sure are automated.
See the Arcjet Node.js bot protection documentation for details.
import arcjet, { detectBot } from "@arcjet/node";
import http from "node:http";
const aj = arcjet({
key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com
rules: [
detectBot({
mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
// configured with a list of bots to allow from
// https://arcjet.com/bot-list
allow: [], // "allow none" will block all detected bots
}),
],
});
const server = http.createServer(async function (
req: http.IncomingMessage,
res: http.ServerResponse,
) {
const decision = await aj.protect(req);
console.log("Arcjet decision", decision);
if (decision.isDenied()) {
res.writeHead(403, { "Content-Type": "application/json" });
res.end(JSON.stringify({ error: "Forbidden" }));
} else {
res.writeHead(200, { "Content-Type": "application/json" });
res.end(JSON.stringify({ message: "Hello world" }));
}
});
server.listen(8000);
We provide the source code for various packages in this repository, so you can find a specific one through the categories and descriptions below.
@arcjet/bun
: SDK for Bun.sh.@arcjet/deno
: SDK for Deno.@arcjet/nest
: SDK for NestJS.@arcjet/next
: SDK for the Next.js framework.@arcjet/node
: SDK for Node.js.@arcjet/remix
: SDK for Remix.@arcjet/sveltekit
: SDK for SvelteKit.
@arcjet/analyze
: Local analysis engine.@arcjet/headers
: Arcjet extension of the Headers class.@arcjet/ip
: Utilities for finding the originating IP of a request.@arcjet/redact
: Redact & unredact sensitive information from strings.
nosecone
: Protect yourResponse
with secure headers.@nosecone/next
: Protect your Next.js application with secure headers.@nosecone/sveltekit
: Protect your SvelteKit application with secure headers.
arcjet
: JS SDK core.@arcjet/body
: utilities for extracting the body from a Node.js IncomingMessage.@arcjet/decorate
: Utilities for decorating responses with information.@arcjet/duration
: Utilities for parsing duration strings into seconds integers.@arcjet/env
: Environment detection for Arcjet variables.@arcjet/logger
: Lightweight logger which mirrors the Pino structured logger interface.@arcjet/protocol
: JS interface into the Arcjet protocol.@arcjet/runtime
: Runtime detection.@arcjet/sprintf
: Platform-independent replacement forutil.format
.@arcjet/transport
: Transport mechanisms for the Arcjet protocol.
@arcjet/eslint-config
: Custom eslint config for our projects.@arcjet/redact-wasm
: Sensitive information redaction detection engine.@arcjet/rollup-config
: Custom rollup config for our projects.@arcjet/tsconfig
: Custom tsconfig for our projects.
This repository follows the Arcjet Support Policy.
This repository follows the Arcjet Security Policy.
Licensed under the Apache License, Version 2.0.