arcjet-js
Arcjet JS SDKs. Rate limiting, bot protection, email verification & attack defense for Node.js, Next.js, Bun & SvelteKit.
Arcjet - JS SDK
Arcjet helps developers protect their apps in just a few lines of code. Implement rate limiting, bot protection, email verification & defend against common attacks.
This is the monorepo containing various Arcjet open source packages for JS.
Quick start
- Next.js? Use the @arcjet/next package with our Next.js quick start guide.
- Node.js? Use the @arcjet/node package with our Node.js quick start guide.
Get help
Join our Discord server or reach out for support.
Examples
- Next.js rate limits
- Next.js email validation
- Protect NextAuth login routes
- OpenAI chatbot protection
- Express.js rate limits
- ... more examples
Usage
Read the docs at docs.arcjet.com.
Next.js rate limit example
The Arcjet rate limit example below applies a token bucket rate limit rule to a route where we identify the user by their ID, e.g. if they are logged in. The bucket is configured with a maximum capacity of 10 tokens and refills by 5 tokens every 10 seconds. Each request consumes 5 tokens.
See the Arcjet Next.js rate limit documentation for details.
import arcjet, { tokenBucket } from "@arcjet/next";
import { NextResponse } from "next/server";

const aj = arcjet({
  key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com
  rules: [
    // Create a token bucket rate limit. Other algorithms are supported.
    tokenBucket({
      mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
      characteristics: ["userId"], // track requests by a custom user ID
      refillRate: 5, // refill 5 tokens per interval
      interval: 10, // refill every 10 seconds
      capacity: 10, // bucket maximum capacity of 10 tokens
    }),
  ],
});

export async function GET(req: Request) {
  const userId = "user123"; // Replace with your authenticated user ID
  const decision = await aj.protect(req, { userId, requested: 5 }); // Deduct 5 tokens from the bucket
  console.log("Arcjet decision", decision);

  if (decision.isDenied()) {
    return NextResponse.json(
      { error: "Too Many Requests", reason: decision.reason },
      { status: 429 },
    );
  }

  return NextResponse.json({ message: "Hello world" });
}
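To see what the configuration above allows in practice, the following added example (not Arcjet's code and not part of the original README) models the bucket locally in plain JavaScript. It assumes each user's bucket starts full and is refilled in whole-interval steps; the `TokenBucket` class, the `simulate` function, the `retryAfter` field and the request timeline are constructed for illustration.

```javascript
// Local model of the token bucket above; not Arcjet's implementation.
// Assumptions: a bucket starts full and gains refillRate tokens per whole
// interval elapsed. Times are in seconds.
class TokenBucket {
  constructor({ refillRate, interval, capacity }) {
    Object.assign(this, { refillRate, interval, capacity });
    this.buckets = new Map(); // characteristic value -> { tokens, lastRefill }
  }

  // Try to deduct `requested` tokens for identity `id` at time `now`.
  take(id, requested, now) {
    let b = this.buckets.get(id);
    if (!b) {
      b = { tokens: this.capacity, lastRefill: now };
      this.buckets.set(id, b);
    }
    const elapsed = Math.floor((now - b.lastRefill) / this.interval);
    if (elapsed > 0) {
      b.tokens = Math.min(this.capacity, b.tokens + elapsed * this.refillRate);
      b.lastRefill += elapsed * this.interval;
    }
    if (requested > b.tokens) {
      // Whole intervals needed to cover the shortfall; a request larger than
      // the capacity can never succeed.
      const waits = Math.ceil((requested - b.tokens) / this.refillRate);
      const retryAfter = requested > this.capacity
        ? Infinity
        : b.lastRefill + waits * this.interval - now;
      return { allowed: false, remaining: b.tokens, retryAfter };
    }
    b.tokens -= requested;
    return { allowed: true, remaining: b.tokens, retryAfter: 0 };
  }
}

// Constructed timeline of [userId, time]; each request asks for 5 tokens.
function simulate() {
  const bucket = new TokenBucket({ refillRate: 5, interval: 10, capacity: 10 });
  const timeline = [
    ["user123", 0], ["user123", 1], ["user123", 2], ["user456", 2],
    ["user123", 10], ["user123", 12], ["user123", 40],
  ];
  return timeline.map(([id, t]) => ({ id, t, ...bucket.take(id, 5, t) }));
}

console.table(simulate());
```

Under these assumptions a user can burst two requests, after which they are held to one request per 10 seconds, and the limit on one `userId` does not affect another.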
Node.js bot protection example
The Arcjet bot protection example below will return a 403 Forbidden response for all requests from clients we are sure are automated.
See the Arcjet Node.js bot protection documentation for details.
import arcjet, { detectBot } from "@arcjet/node";
import http from "node:http";

const aj = arcjet({
  key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com
  rules: [
    detectBot({
      mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
      block: ["AUTOMATED"], // blocks all automated clients
    }),
  ],
});

const server = http.createServer(async function (
  req: http.IncomingMessage,
  res: http.ServerResponse,
) {
  const decision = await aj.protect(req);
  console.log("Arcjet decision", decision);

  if (decision.isDenied()) {
    res.writeHead(403, { "Content-Type": "application/json" });
    res.end(JSON.stringify({ error: "Forbidden" }));
  } else {
    res.writeHead(200, { "Content-Type": "application/json" });
    res.end(JSON.stringify({ message: "Hello world" }));
  }
});

server.listen(8000);
Packages
We provide the source code for various packages in this repository, so you can find a specific one through the categories and descriptions below.
SDKs
- @arcjet/next: SDK for the Next.js framework.
- @arcjet/node: SDK for Node.js.
Analysis
- @arcjet/analyze: Local analysis engine.
- @arcjet/ip: Utilities for finding the originating IP of a request.
Utilities
- arcjet: JS SDK core.
- @arcjet/protocol: JS interface into the Arcjet protocol.
- @arcjet/logger: Logging interface which mirrors the console interface but allows log levels.
- @arcjet/decorate: Utilities for decorating responses with information.
- @arcjet/duration: Utilities for parsing duration strings into seconds integers.
Internal development
- @arcjet/eslint-config: Custom eslint config for our projects.
- @arcjet/rollup-config: Custom rollup config for our projects.
- @arcjet/tsconfig: Custom tsconfig for our projects.
Support
This repository follows the Arcjet Support Policy.
Security
This repository follows the Arcjet Security Policy.
License
Licensed under the Apache License, Version 2.0.