Arcjet helps developers protect their apps in just a few lines of code. Implement rate limiting, bot protection, email verification, and defense against common attacks.
This is the monorepo containing various Arcjet open source packages for JS.
- Bun? Use the
@arcjet/bunpackage with our Bun quick start guide. - Deno? Use the
npm:@arcjet/denopackage with our Deno quick start guide. - NestJS? Use the
@arcjet/nestpackage with our NestJS quick start guide. - Next.js? Use the
@arcjet/nextpackage with our Next.js quick start guide. - Node.js? Use the
@arcjet/nodepackage with our Node.js quick start guide. - SvelteKit? Use the
@arcjet/sveltekitpackage with our SvelteKit quick start guide.
Join our Discord server or reach out for support.
- Next.js rate limits
- Next.js email validation
- Bun rate limits
- Protect NextAuth login routes
- OpenAI chatbot protection
- Express.js rate limits
- SvelteKit
- ... more examples
Try an Arcjet protected app live at https://example.arcjet.com (source code).
Read the docs at docs.arcjet.com.
The Arcjet rate limit example below applies a token bucket rate limit rule to a route where we identify the user based on their ID e.g. if they are logged in. The bucket is configured with a maximum capacity of 10 tokens and refills by 5 tokens every 10 seconds. Each request consumes 5 tokens.
See the Arcjet Next.js rate limit documentation for details.
import arcjet, { tokenBucket } from "@arcjet/next";
import { NextResponse } from "next/server";
const aj = arcjet({
key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com
characteristics: ["userId"], // track requests by a custom user ID
rules: [
// Create a token bucket rate limit. Other algorithms are supported.
tokenBucket({
mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
refillRate: 5, // refill 5 tokens per interval
interval: 10, // refill every 10 seconds
capacity: 10, // bucket maximum capacity of 10 tokens
}),
],
});
export async function GET(req: Request) {
const userId = "user123"; // Replace with your authenticated user ID
const decision = await aj.protect(req, { userId, requested: 5 }); // Deduct 5 tokens from the bucket
console.log("Arcjet decision", decision);
if (decision.isDenied()) {
return NextResponse.json(
{ error: "Too Many Requests", reason: decision.reason },
{ status: 429 },
);
}
return NextResponse.json({ message: "Hello world" });
}The Arcjet bot protection example below will return a 403 Forbidden response for all requests from clients we are sure are automated.
See the Arcjet Node.js bot protection documentation for details.
import arcjet, { detectBot } from "@arcjet/node";
import http from "node:http";
const aj = arcjet({
key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com
rules: [
detectBot({
mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
// configured with a list of bots to allow from
// https://arcjet.com/bot-list
allow: [], // "allow none" will block all detected bots
}),
],
});
const server = http.createServer(async function (
req: http.IncomingMessage,
res: http.ServerResponse,
) {
const decision = await aj.protect(req);
console.log("Arcjet decision", decision);
if (decision.isDenied()) {
res.writeHead(403, { "Content-Type": "application/json" });
res.end(JSON.stringify({ error: "Forbidden" }));
} else {
res.writeHead(200, { "Content-Type": "application/json" });
res.end(JSON.stringify({ message: "Hello world" }));
}
});
server.listen(8000);We provide the source code for various packages in this repository, so you can find a specific one through the categories and descriptions below.
@arcjet/bun: SDK for Bun.sh.@arcjet/deno: SDK for Deno.@arcjet/nest: SDK for NestJS.@arcjet/next: SDK for the Next.js framework.@arcjet/node: SDK for Node.js.@arcjet/sveltekit: SDK for SvelteKit.
@arcjet/analyze: Local analysis engine.@arcjet/headers: Arcjet extension of the Headers class.@arcjet/ip: Utilities for finding the originating IP of a request.
arcjet: JS SDK core.@arcjet/protocol: JS interface into the Arcjet protocol.@arcjet/transport: Transport mechanisms for the Arcjet protocol.@arcjet/logger: Lightweight logger which mirrors the Pino structured logger interface.@arcjet/decorate: Utilities for decorating responses with information.@arcjet/duration: Utilities for parsing duration strings into seconds integers.@arcjet/runtime: Runtime detection.@arcjet/sprintf: Platform-independent replacement forutil.format.@arcjet/env: Environment detection for Arcjet variables.
@arcjet/eslint-config: Custom eslint config for our projects.@arcjet/rollup-config: Custom rollup config for our projects.@arcjet/tsconfig: Custom tsconfig for our projects.
This repository follows the Arcjet Support Policy.
This repository follows the Arcjet Security Policy.
Licensed under the Apache License, Version 2.0.