Arcjet helps developers protect their apps in just a few lines of code. Implement rate limiting, bot protection, email verification, and defense against common attacks.
This is the monorepo containing various Arcjet open source packages for JS.
@arcjet/bun
package with our Bun quick start
guide.npm:@arcjet/deno
package with our Deno quick
start guide.@arcjet/nest
package with our NestJS
quick start guide.@arcjet/next
package with our Next.js
quick start guide.@arcjet/node
package with our Node.js
quick start guide.@arcjet/remix
package with our Remix
quick start guide.@arcjet/sveltekit
package with our
SvelteKit quick start guide.Join our Discord server or reach out for support.
Try an Arcjet protected app live at https://example.arcjet.com (source code).
Read the docs at docs.arcjet.com.
The Arcjet rate limit example below applies a token bucket rate limit rule to a route where we identify the user based on their ID e.g. if they are logged in. The bucket is configured with a maximum capacity of 10 tokens and refills by 5 tokens every 10 seconds. Each request consumes 5 tokens.
See the Arcjet Next.js rate limit documentation for details.
import arcjet, { tokenBucket } from "@arcjet/next";
import { NextResponse } from "next/server";
const aj = arcjet({
key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com
characteristics: ["userId"], // track requests by a custom user ID
rules: [
// Create a token bucket rate limit. Other algorithms are supported.
tokenBucket({
mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
refillRate: 5, // refill 5 tokens per interval
interval: 10, // refill every 10 seconds
capacity: 10, // bucket maximum capacity of 10 tokens
}),
],
});
export async function GET(req: Request) {
const userId = "user123"; // Replace with your authenticated user ID
const decision = await aj.protect(req, { userId, requested: 5 }); // Deduct 5 tokens from the bucket
console.log("Arcjet decision", decision);
if (decision.isDenied()) {
return NextResponse.json(
{ error: "Too Many Requests", reason: decision.reason },
{ status: 429 },
);
}
return NextResponse.json({ message: "Hello world" });
}
The Arcjet bot protection example below will return a 403 Forbidden response for all requests from clients we are sure are automated.
See the Arcjet Node.js bot protection documentation for details.
import arcjet, { detectBot } from "@arcjet/node";
import http from "node:http";
const aj = arcjet({
key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com
rules: [
detectBot({
mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
// configured with a list of bots to allow from
// https://arcjet.com/bot-list
allow: [], // "allow none" will block all detected bots
}),
],
});
const server = http.createServer(async function (
req: http.IncomingMessage,
res: http.ServerResponse,
) {
const decision = await aj.protect(req);
console.log("Arcjet decision", decision);
if (decision.isDenied()) {
res.writeHead(403, { "Content-Type": "application/json" });
res.end(JSON.stringify({ error: "Forbidden" }));
} else {
res.writeHead(200, { "Content-Type": "application/json" });
res.end(JSON.stringify({ message: "Hello world" }));
}
});
server.listen(8000);
We provide the source code for various packages in this repository, so you can find a specific one through the categories and descriptions below.
@arcjet/bun
: SDK for Bun.sh.@arcjet/deno
: SDK for Deno.@arcjet/nest
: SDK for NestJS.@arcjet/next
: SDK for the Next.js framework.@arcjet/node
: SDK for Node.js.@arcjet/remix
: SDK for Remix.@arcjet/sveltekit
: SDK for SvelteKit.@arcjet/analyze
: Local analysis engine.@arcjet/headers
: Arcjet extension of the Headers
class.@arcjet/ip
: Utilities for finding the originating IP of a
request.@arcjet/redact
: Redact & unredact sensitive
information from strings.nosecone
: Protect your Response
with secure
headers.@nosecone/next
: Protect your Next.js
application with secure headers.@nosecone/sveltekit
: Protect your
SvelteKit application with secure headers.arcjet
: JS SDK core.@arcjet/body
: utilities for extracting the body from a
Node.js IncomingMessage.@arcjet/decorate
: Utilities for decorating responses
with information.@arcjet/duration
: Utilities for parsing duration
strings into seconds integers.@arcjet/env
: Environment detection for Arcjet variables.@arcjet/logger
: Lightweight logger which mirrors the
Pino structured logger interface.@arcjet/protocol
: JS interface into the Arcjet
protocol.@arcjet/runtime
: Runtime detection.@arcjet/sprintf
: Platform-independent replacement for
util.format
.@arcjet/transport
: Transport mechanisms for the
Arcjet protocol.@arcjet/eslint-config
: Custom eslint config for
our projects.@arcjet/redact-wasm
: Sensitive information
redaction detection engine.@arcjet/rollup-config
: Custom rollup config for
our projects.@arcjet/tsconfig
: Custom tsconfig for our projects.This repository follows the Arcjet Support Policy.
This repository follows the Arcjet Security Policy.
Licensed under the Apache License, Version 2.0.