Security doesn't have to be a painBot detection. Rate limiting. Email validation. Attack protection. Data redaction. A developer-first approach to security.

$ npm install @arcjet/node|

Integrates with

Bot protection, rate limiting, email validation & more in just a few lines of code.
Customizable protection for forms, login pages, API routes, for all your apps and sites.
Don't break prod. Works in every environment. Security as code. No agent required.

Native security for modern frameworks
→security as code

Tech stack

Defense

Arcjet Shield WAF

Protect your application against common attacks, including the OWASP Top 10.

Read the docs

1
// Protect against common attacks e.g. SQL injection, XSS, CSRF
2
import arcjet, { createMiddleware, shield } from "@arcjet/next";
3
export const config = {
4
  // matcher tells Next.js which routes to run the middleware on.
5
  // This runs the middleware on all routes except for static assets.
6
  matcher: ["/((?!_next/static|_next/image|favicon.ico).*)"],
7
};
8
const aj = arcjet({
9
  key: process.env.ARCJET_KEY!
10
  rules: [
11
    // Block common attacks e.g. SQL injection, XSS, CSRF
12
    shield({
13
      // Will block requests. Use "DRY_RUN" to log only
14
      mode: "LIVE",
15
    }),
16
  ],
17
});
18
// Pass existing middleware with optional existingMiddleware prop
19
export default createMiddleware(aj);

Rate limiting

Bot protection

Email validation

Protect a signup form

PII detection

Outsourced security?You might be used to this.

Unversioned, untracked, click-ops rule changes.

Only able to test rule changes in prod.

Deploying agents everywhere.

LATENCY:Provider dependent

?:You're delegating control anywhere a question mark is

Here's how it looks with Arcjet

LEARN MORE ⇢ ✦Aj ARCHITECTURE

Local-first security
→make your appsecurity aware

Security context

Dynamically adjustable rules defined in code. Access the metadata about why a request was allowed or denied and adjust your app logic in real time.

Testable security rules

Native performance with WasmWasm native performanceNative performance

What are devs saying?

LangChain

@LangChainAI

“Detect, block, and redact PII locally without sending it to the cloud using Arcjet. Now integrated with LangChain”

MangoAPI

@mangoapidev

“… @arcjethq for contact form protection on my portfolio! I highly recommend checking them out if you're looking to implement rate limiting or email validation.”

Matt Biilmann

CEO, Netlify

“I've been following their dev centric approach to security features for a while now, and love the ability to compose together Netlify and Arcjet right from the Netlify Dashboard.”

Jacob Lee

Founding Software Engineer · Langchain

“A local, JS-first solution to an ongoing problem around sending sensitive information to LLMs.”

The JavaScript Dev

TheJSDev

“… newsletter subscription with NextJS, Supabase, Nodemailer, and Arcjet, tackling spam and bot challenges effectively.”

Thatch

thatch.ai

“Arcjet has helped us easily invest in the security and efficiency of our platform … Arcjet gives us rich application-level insights at runtime to build security automations in critical parts of our application, from sales to customer onboarding.”

Scaling Devtools

David Mytton - Arcjet and console.dev

Stack Overflow

The Stack Overflow Podcast: David Mytton, CEO of Arcjet

ByteGrad

Top 11 Security Mistakes in Next.js 15 to Avoid - Don't Leak User Data!

devtools FM

ArcJet - Enhancing Application Security

Use advanced features

IP geolocation

Access IP metadata for country, region, timezone, network owner (ASN), etc.

if (decision.ip.city == "San Francisco") {...}
if (decision.ip.region == "California") {...}
if (decision.ip.country == "US") {...}
if (decision.ip.asnType == "business") {...}

Payment form protection

Block suspicious transactions before they hit your card processor.

VPN & proxy detection

Detect requests coming from VPNs, proxies, Tor, relays, and other anonymizing services.

AI quota control

Set dynamic quotas based on token counts and rules based on API keys, session, pricing plan, and other user data.

Redact PII

Mask credit cards, emails, phone numbers, IP addresses, & create custom detections.

Sampling & testing

Test rules without blocking traffic using Arcjet's DRY_RUN mode. Apply sampling to gradually roll out new rules.

function shouldSampleRequest(sampleRate: number) {
  return Math.random() < sampleRate;
}

function sampleSecurity() {
  const mode = shouldSampleRequest(0.1) ? “LIVE” : “DRY_RUN”;
  return aj.withRule(
    shield(
      { mode: mode },
    ),
  ),
}

GraphQL

Apply complex and dynamic rate limiting rules within GraphQL endpoints.

Everything is code

Define rules dynamically and adjust responses based on the Arcjet security signals with variables, functions, conditionals, and all the power of JS.

Any specific ideas? We can help you set things up

Contact usorJoin our Discord

Test your security
→ in dev and prod

Read the docs

1
import { after, before, describe, test } from "node:test";
2
import assert from "node:assert";
3
import { fileURLToPath } from "node:url";
4
import { promisify } from "node:util";
5

6
import { run } from "newman";
7

8
// Promisify the `newman.run` API as `newmanRun` in the tests
9
const newmanRun = promisify(run);
10

11
describe("API Tests", async () => {
12
  // Importing the server also starts it listening on port 8080
13
  const server = await import("../index.js");
14

15
  after((done) => server.close(done));
16

17
  test("/api/low-rate-limit", async () => {
18
    const summary = await newmanRun({
19
      collection: fileURLToPath(
20
        new URL("./low-rate-limit.json", import.meta.url),
21
      ),
22
    });
23

24
    // The `summary` contains a lot of information that might be useful
25
    // console.log(summary);
26

27
    assert.strictEqual(
28
      summary.run.failures.length,
29
      0,
30
      "expected suite to run without error",
31
    );
32
  });
33

34
  test("/api/high-rate-limit", async () => {
35
    const summary = await newmanRun({
36
      collection: fileURLToPath(
37
        new URL("./high-rate-limit.json", import.meta.url),
38
      ),
39
      iterationCount: 51, // 50 are allowed, so 51 trigger the rate limit
40
    });
41

42
    // The `summary` contains a lot of information that might be useful
43
    // console.log(summary);
44

45
    assert.strictEqual(
46
      summary.run.failures.length,
47
      0,
48
      "expected suite to run without error",
49
    );
50
  });
51

52
  test("/api/bots", async () => {
53
    const summary = await newmanRun({
54
      collection: fileURLToPath(new URL("./bots.json", import.meta.url)),
55
    });
56

57
    // The `summary` contains a lot of information that might be useful
58
    // console.log(summary);
59

60
    assert.strictEqual(
61
      summary.run.failures.length,
62
      0,
63
      "expected suite to run without error",
64
    );
65
  });
66
});

Get started with Arcjet