Arcjet helps developers protect their apps in just a few lines of code. Implement rate limiting, bot protection, email verification & defense against common attacks.
This is the monorepo containing various Arcjet open source packages for JS.
- Bun? Use the
@arcjet/bunpackage. - Next.js? Use the
@arcjet/nextpackage with our Next.js quick start guide. - Node.js? Use the
@arcjet/nodepackage with our Node.js quick start guide. - SvelteKit? Use the
@arcjet/sveltekitpackage.
Join our Discord server or reach out for support.
- Next.js rate limits
- Next.js email validation
- Protect NextAuth login routes
- OpenAI chatbot protection
- Express.js rate limits
- ... more examples
Read the docs at docs.arcjet.com.
The Arcjet rate limit example below applies a token bucket rate limit rule to a route where we identify the user based on their ID e.g. if they are logged in. The bucket is configured with a maximum capacity of 10 tokens and refills by 5 tokens every 10 seconds. Each request consumes 5 tokens.
See the Arcjet Next.js rate limit documentation for details.
import arcjet, { tokenBucket } from "@arcjet/next";
import { NextResponse } from "next/server";
const aj = arcjet({
key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com
rules: [
// Create a token bucket rate limit. Other algorithms are supported.
tokenBucket({
mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
characteristics: ["userId"], // track requests by a custom user ID
refillRate: 5, // refill 5 tokens per interval
interval: 10, // refill every 10 seconds
capacity: 10, // bucket maximum capacity of 10 tokens
}),
],
});
export async function GET(req: Request) {
const userId = "user123"; // Replace with your authenticated user ID
const decision = await aj.protect(req, { userId, requested: 5 }); // Deduct 5 tokens from the bucket
console.log("Arcjet decision", decision);
if (decision.isDenied()) {
return NextResponse.json(
{ error: "Too Many Requests", reason: decision.reason },
{ status: 429 },
);
}
return NextResponse.json({ message: "Hello world" });
}The Arcjet bot protection example below will return a 403 Forbidden response for all requests from clients we are sure are automated.
See the Arcjet Node.js bot protection documentation for details.
import arcjet, { detectBot } from "@arcjet/node";
import http from "node:http";
const aj = arcjet({
key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com
rules: [
detectBot({
mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
block: ["AUTOMATED"], // blocks all automated clients
}),
],
});
const server = http.createServer(async function (
req: http.IncomingMessage,
res: http.ServerResponse,
) {
const decision = await aj.protect(req);
console.log("Arcjet decision", decision);
if (decision.isDenied()) {
res.writeHead(403, { "Content-Type": "application/json" });
res.end(JSON.stringify({ error: "Forbidden" }));
} else {
res.writeHead(200, { "Content-Type": "application/json" });
res.end(JSON.stringify({ message: "Hello world" }));
}
});
server.listen(8000);We provide the source code for various packages in this repository, so you can find a specific one through the categories and descriptions below.
@arcjet/bun: SDK for Bun.sh.@arcjet/next: SDK for the Next.js framework.@arcjet/node: SDK for Node.js.@arcjet/sveltekit: SDK for SvelteKit.
@arcjet/analyze: Local analysis engine.@arcjet/ip: Utilities for finding the originating IP of a request.
arcjet: JS SDK core.@arcjet/protocol: JS interface into the Arcjet protocol.@arcjet/logger: Logging interface which mirrors the console interface but allows log levels.@arcjet/decorate: Utilities for decorating responses with information.@arcjet/duration: Utilities for parsing duration strings into seconds integers.
@arcjet/eslint-config: Custom eslint config for our projects.@arcjet/rollup-config: Custom rollup config for our projects.@arcjet/tsconfig: Custom tsconfig for our projects.
This repository follows the Arcjet Support Policy.
This repository follows the Arcjet Security Policy.
Licensed under the Apache License, Version 2.0.