Arcjet is the runtime security platform that ships with your AI code. Stop bots and automated attacks from burning your AI budget, leaking data, or misusing tools with Arcjet's AI security building blocks.
This is the monorepo containing various Arcjet open source packages for JS.
- Get your API key — Sign up at
app.arcjet.com. - Install the SDK for your framework: Every feature works with any JavaScript application.
| Framework | Package | Install |
|---|---|---|
| Next.js | @arcjet/next |
npm i @arcjet/next |
| Node.js | @arcjet/node |
npm i @arcjet/node |
| Bun | @arcjet/bun |
bun add @arcjet/bun |
| Deno | @arcjet/deno |
deno add npm:@arcjet/deno |
| Express | @arcjet/node |
npm i @arcjet/node |
| Fastify | @arcjet/fastify |
npm i @arcjet/fastify |
| Hono | @arcjet/node or @arcjet/bun |
npm i @arcjet/node |
| NestJS | @arcjet/nest |
npm i @arcjet/nest |
| Nuxt | @arcjet/nuxt |
npm i @arcjet/nuxt |
| Remix | @arcjet/remix |
npm i @arcjet/remix |
| React Router | @arcjet/react-router |
npm i @arcjet/react-router |
| SvelteKit | @arcjet/sveltekit |
npm i @arcjet/sveltekit |
| Astro | @arcjet/astro |
npm i @arcjet/astro |
- Set your environment variable:
# .env.local (or your framework's env file)
ARCJET_KEY=ajkey_yourkey- Protect a route — see the AI protection example or individual feature examples below.
Join our Discord server or reach out for support.
- Documentation — full reference and guides
- Example apps — working starter projects for every framework
- Blueprints — recipes for common security patterns
- 🔒 Prompt Injection Detection — detect and block prompt injection attacks before they reach your LLM.
- 🤖 Bot Protection — stop scrapers, credential stuffers, and AI crawlers from abusing your endpoints.
- 🛑 Rate Limiting — token bucket, fixed window, and sliding window algorithms; model AI token budgets per user.
- 🕵️ Sensitive Information Detection — block PII, credit cards, and custom patterns from entering your AI pipeline.
- 🛡️ Shield WAF — protect against SQL injection, XSS, and other common web attacks.
- 📧 Email Validation — block disposable, invalid, and undeliverable addresses at signup.
- 📝 Signup Form Protection — combines bot protection, email validation, and rate limiting to protect your signup forms.
- 🎯 Request Filters — expression-based rules on IP, path, headers, and custom fields.
- 🌐 IP Analysis — geolocation, ASN, VPN, proxy, Tor, and hosting detection included with every request.
- 🧩 Arcjet Guard — lower-level API for AI agent tool calls and background tasks where there is no HTTP request.
- Astro
- Deno
- Express
- FastAPI
- Fastify
- NestJS
- Next.js (try live)
- Nuxt
- React Router
- Remix
- SvelteKit
- Tanstack Start
- AI quota control
- Cookie banner
- Custom rule
- IP geolocation
- Feedback form
- Malicious traffic
- Payment form
- Sampling traffic
- VPN & proxy
Read the docs at docs.arcjet.com.
Note: Examples below use
@arcjet/nextfor illustration. Replace with the SDK for your runtime —@arcjet/node,@arcjet/bun,@arcjet/sveltekit, etc. The API is identical across all SDKs.
This example protects a Next.js AI chat route using the Vercel AI SDK: blocking automated clients that inflate costs, enforcing per-user token budgets, detecting sensitive information in messages, and blocking prompt injection attacks before they reach the model.
// app/api/chat/route.ts
import { openai } from "@ai-sdk/openai";
import arcjet, {
detectBot,
detectPromptInjection,
sensitiveInfo,
shield,
tokenBucket,
} from "@arcjet/next";
import type { UIMessage } from "ai";
import { convertToModelMessages, isTextUIPart, streamText } from "ai";
const aj = arcjet({
key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com
// Track budgets per user — replace "userId" with any stable identifier
characteristics: ["userId"],
rules: [
// Shield protects against common web attacks e.g. SQL injection
shield({ mode: "LIVE" }),
// Block all automated clients — bots inflate AI costs
detectBot({
mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only
allow: [], // Block all bots. See https://arcjet.com/bot-list
}),
// Enforce budgets to control AI costs. Adjust rates and limits as needed.
tokenBucket({
mode: "LIVE",
refillRate: 2_000, // Refill 2,000 tokens per hour
interval: "1h",
capacity: 5_000, // Maximum 5,000 tokens in the bucket
}),
// Block messages containing sensitive information to prevent data leaks
sensitiveInfo({
mode: "LIVE",
// Block PII types that should never appear in AI prompts.
// Remove types your app legitimately handles (e.g. EMAIL for a support bot).
deny: ["CREDIT_CARD_NUMBER", "EMAIL"],
}),
// Detect prompt injection attacks before they reach your AI model
detectPromptInjection({
mode: "LIVE",
}),
],
});
export async function POST(req: Request) {
const userId = "user-123"; // Replace with your session/auth lookup
const { messages }: { messages: UIMessage[] } = await req.json();
const modelMessages = await convertToModelMessages(messages);
// Estimate token cost: ~1 token per 4 characters of text (rough heuristic)
const totalChars = modelMessages.reduce((sum, m) => {
const content =
typeof m.content === "string" ? m.content : JSON.stringify(m.content);
return sum + content.length;
}, 0);
const estimate = Math.ceil(totalChars / 4);
// Extract the most recent user message to scan for injection and PII
const lastMessage: string = (messages.at(-1)?.parts ?? [])
.filter(isTextUIPart)
.map((p) => p.text)
.join(" ");
const decision = await aj.protect(req, {
userId,
requested: estimate,
sensitiveInfoValue: lastMessage,
detectPromptInjectionMessage: lastMessage,
});
if (decision.isDenied()) {
if (decision.reason.isBot()) {
return new Response("Automated clients are not permitted", {
status: 403,
});
} else if (decision.reason.isRateLimit()) {
return new Response("AI usage limit exceeded", { status: 429 });
} else if (decision.reason.isSensitiveInfo()) {
return new Response("Sensitive information detected", { status: 400 });
} else if (decision.reason.isPromptInjection()) {
return new Response(
"Prompt injection detected — please rephrase your message",
{ status: 400 },
);
} else {
return new Response("Forbidden", { status: 403 });
}
}
const result = await streamText({
model: openai("gpt-4o"),
messages: modelMessages,
});
return result.toUIMessageStreamResponse();
}Detect and block prompt injection attacks — attempts to override your AI
model's instructions — before they reach your model. Pass the user's message
via detectPromptInjectionMessage on each protect() call.
import arcjet, { detectPromptInjection } from "@arcjet/next";
const aj = arcjet({
key: process.env.ARCJET_KEY!,
rules: [
detectPromptInjection({
mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only
}),
],
});
export async function POST(request: Request) {
const { message } = await request.json();
const decision = await aj.protect(request, {
detectPromptInjectionMessage: message,
});
if (decision.isDenied() && decision.reason.isPromptInjection()) {
return new Response(
"Prompt injection detected — please rephrase your message",
{ status: 400 },
);
}
// Forward to your AI model...
}Arcjet allows you to configure a list of bots to allow or deny. Specifying
allow means all other bots are denied. An empty allow list blocks all bots.
Available categories: CATEGORY:ACADEMIC, CATEGORY:ADVERTISING,
CATEGORY:AI, CATEGORY:AMAZON, CATEGORY:APPLE, CATEGORY:ARCHIVE,
CATEGORY:BOTNET, CATEGORY:FEEDFETCHER, CATEGORY:GOOGLE,
CATEGORY:META, CATEGORY:MICROSOFT, CATEGORY:MONITOR,
CATEGORY:OPTIMIZER, CATEGORY:PREVIEW, CATEGORY:PROGRAMMATIC,
CATEGORY:SEARCH_ENGINE, CATEGORY:SLACK, CATEGORY:SOCIAL,
CATEGORY:TOOL, CATEGORY:UNKNOWN, CATEGORY:VERCEL,
CATEGORY:WEBHOOK, CATEGORY:YAHOO. You can also allow or deny
specific bots by name.
import arcjet, { detectBot } from "@arcjet/next";
import { isSpoofedBot } from "@arcjet/inspect";
const aj = arcjet({
key: process.env.ARCJET_KEY!,
rules: [
detectBot({
mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only
allow: [
"CATEGORY:SEARCH_ENGINE", // Google, Bing, etc
// Uncomment to allow these other common bot categories:
// "CATEGORY:MONITOR", // Uptime monitoring services
// "CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord
// See the full list at https://arcjet.com/bot-list
],
}),
],
});
export async function GET(request: Request) {
const decision = await aj.protect(request);
if (decision.isDenied() && decision.reason.isBot()) {
return new Response("No bots allowed", { status: 403 });
}
// Arcjet verifies the authenticity of common bots using IP data.
// Verification isn't always possible, so check the results separately.
// https://docs.arcjet.com/bot-protection/reference#bot-verification
if (decision.results.some(isSpoofedBot)) {
return new Response("Forbidden", { status: 403 });
}
return new Response("Hello world");
}Bots can be configured by category and/or by specific bot name. For example, to allow search engines and the OpenAI crawler, but deny all other bots:
detectBot({
mode: "LIVE",
allow: ["CATEGORY:SEARCH_ENGINE", "OPENAI_CRAWLER_SEARCH"],
});Arcjet supports token bucket, fixed window, and sliding window algorithms.
Token buckets are ideal for controlling AI token budgets — set capacity to
the max tokens a user can spend, refillRate to how many tokens are restored
per interval, and deduct tokens per request via requested in protect().
The interval accepts strings ("1s", "1m", "1h", "1d") or seconds as
a number. Use characteristics to track limits per user instead of per IP.
import arcjet, { tokenBucket } from "@arcjet/next";
const aj = arcjet({
key: process.env.ARCJET_KEY!,
characteristics: ["userId"], // Track per user
rules: [
tokenBucket({
mode: "LIVE",
refillRate: 2_000, // Refill 2,000 tokens per hour
interval: "1h",
capacity: 5_000, // Maximum 5,000 tokens in the bucket
}),
],
});
const decision = await aj.protect(request, {
userId: "user-123",
requested: estimate, // Number of tokens to deduct
});
if (decision.isDenied() && decision.reason.isRateLimit()) {
return new Response("AI usage limit exceeded", { status: 429 });
}Detect and block PII in request content. Pass the content to scan via
sensitiveInfoValue on each protect() call. Built-in entity types:
CREDIT_CARD_NUMBER, EMAIL, PHONE_NUMBER, IP_ADDRESS. You can also
provide a custom detect callback for additional patterns.
import arcjet, { sensitiveInfo } from "@arcjet/next";
const aj = arcjet({
key: process.env.ARCJET_KEY!,
rules: [
sensitiveInfo({
mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only
deny: ["CREDIT_CARD_NUMBER", "EMAIL", "PHONE_NUMBER"],
}),
],
});
const decision = await aj.protect(request, {
sensitiveInfoValue: userMessage,
});
if (decision.isDenied() && decision.reason.isSensitiveInfo()) {
return new Response("Sensitive information detected", { status: 400 });
}Protect your application against common web attacks, including the OWASP Top 10.
import arcjet, { shield } from "@arcjet/next";
const aj = arcjet({
key: process.env.ARCJET_KEY!,
rules: [
shield({
mode: "LIVE", // Blocks requests. Use "DRY_RUN" to log only
}),
],
});Validate and verify email addresses. Deny types: DISPOSABLE, FREE,
NO_MX_RECORDS, NO_GRAVATAR, INVALID.
import arcjet, { validateEmail } from "@arcjet/next";
const aj = arcjet({
key: process.env.ARCJET_KEY!,
rules: [
validateEmail({
mode: "LIVE",
deny: ["DISPOSABLE", "INVALID", "NO_MX_RECORDS"],
}),
],
});
const decision = await aj.protect(request, {
email: "user@example.com",
});
if (decision.isDenied() && decision.reason.isEmail()) {
return new Response("Invalid email address", { status: 400 });
}Filter requests using expression-based rules against request properties (IP, headers, path, method, etc.).
import arcjet, { filter } from "@arcjet/next";
const aj = arcjet({
key: process.env.ARCJET_KEY!,
rules: [
filter({
mode: "LIVE",
deny: ['ip.src == "1.2.3.4"', 'http.request.uri.path contains "/admin"'],
}),
],
});Restrict access to specific countries — useful for licensing, compliance, or
regional rollouts. The allow list denies all countries not listed:
filter({
mode: "LIVE",
// Allow only US traffic — all other countries are denied
allow: ['ip.src.country == "US"'],
});Prevent anonymized traffic from accessing sensitive endpoints — useful for fraud prevention, enforcing geo-restrictions, and reducing abuse:
filter({
mode: "LIVE",
deny: [
"ip.src.vpn", // VPN services
"ip.src.proxy", // Open proxies
"ip.src.tor", // Tor exit nodes
],
});For more nuanced handling, use decision.ip helpers after calling protect():
const decision = await aj.protect(request);
if (decision.ip.isVpn() || decision.ip.isTor()) {
return new Response("VPN traffic not allowed", { status: 403 });
}See the Request Filters docs, IP Geolocation blueprint, and VPN/Proxy Detection blueprint for more details.
Arcjet enriches every request with IP metadata. Use these helpers to make policy decisions based on network signals:
const decision = await aj.protect(request);
if (decision.ip.isHosting()) {
// Requests from cloud/hosting providers are often automated.
// https://docs.arcjet.com/blueprints/vpn-proxy-detection
return new Response("Forbidden", { status: 403 });
}
if (decision.ip.isVpn() || decision.ip.isProxy() || decision.ip.isTor()) {
// Handle VPN/proxy traffic according to your policy
}
// Access geolocation and network details
console.log(decision.ip.country, decision.ip.city, decision.ip.asn);Track and limit requests by any stable identifier — user ID, API key, session, etc. — rather than IP address alone.
const aj = arcjet({
key: process.env.ARCJET_KEY!,
characteristics: ["userId"], // Declare at the SDK level
rules: [
tokenBucket({
mode: "LIVE",
refillRate: 2_000,
interval: "1h",
capacity: 5_000,
}),
],
});
// Pass the characteristic value at request time
const decision = await aj.protect(request, {
userId: "user-123",
requested: estimate,
});
@arcjet/guardis a lower-level API designed for AI agent tool calls and background tasks where there is no HTTP request object. It gives you fine-grained, per-call control over rate limiting, prompt injection detection, sensitive information detection, and custom rules.
Framework SDKs (@arcjet/next, etc.) |
@arcjet/guard |
|
|---|---|---|
| Designed for | HTTP request protection | AI agent tool calls, background jobs |
| Request object | Required (protect(request, ...)) |
Not needed |
| Rule binding | Rules configured once, input via protect() opts |
Rules configured as functions, called with input per invocation |
| Rate limit key | IP or characteristics dict |
Explicit key string (SHA-256 hashed before sending) |
| Custom rules | Not supported | defineCustomRule with typed config/input/data |
npm i @arcjet/guardimport {
launchArcjet,
tokenBucket,
detectPromptInjection,
} from "@arcjet/guard";
// Create the Arcjet client once at module scope
const arcjet = launchArcjet({ key: process.env.ARCJET_KEY! });
// Configure reusable rules
const limitRule = tokenBucket({
refillRate: 10,
intervalSeconds: 60,
maxTokens: 100,
});
const piRule = detectPromptInjection();
// Per request — create rule inputs each time
async function handleToolCall(
userId: string,
userMessage: string,
tokenCount: number,
) {
const rl = limitRule({ key: userId, requested: tokenCount });
const decision = await arcjet.guard({
label: "tools.weather",
rules: [rl, piRule(userMessage)],
});
if (decision.conclusion === "DENY") {
throw new Error(`Blocked: ${decision.reason}`);
}
// safe to proceed
}Token bucket, fixed window, and sliding window algorithms are available.
Configure the rule once, then call it with a key (and optional requested
token count) for each invocation.
import { launchArcjet, tokenBucket } from "@arcjet/guard";
const arcjet = launchArcjet({ key: process.env.ARCJET_KEY! });
const limitRule = tokenBucket({
refillRate: 2_000, // tokens added per interval
intervalSeconds: 3600, // seconds between refills
maxTokens: 5_000, // maximum bucket capacity
});
const decision = await arcjet.guard({
label: "tools.chat",
rules: [limitRule({ key: userId, requested: tokenEstimate })],
});
if (decision.conclusion === "DENY" && decision.reason === "RATE_LIMIT") {
throw new Error("Rate limit exceeded");
}import { launchArcjet, fixedWindow } from "@arcjet/guard";
const arcjet = launchArcjet({ key: process.env.ARCJET_KEY! });
const limitRule = fixedWindow({
maxRequests: 1000, // maximum requests per window
windowSeconds: 3600, // 1-hour window
});
const decision = await arcjet.guard({
label: "api.search",
rules: [limitRule({ key: teamId })],
});import { launchArcjet, slidingWindow } from "@arcjet/guard";
const arcjet = launchArcjet({ key: process.env.ARCJET_KEY! });
const limitRule = slidingWindow({
maxRequests: 500, // maximum requests per interval
intervalSeconds: 60, // 1-minute rolling window
});
const decision = await arcjet.guard({
label: "api.events",
rules: [limitRule({ key: userId })],
});import { launchArcjet, detectPromptInjection } from "@arcjet/guard";
const arcjet = launchArcjet({ key: process.env.ARCJET_KEY! });
const piRule = detectPromptInjection();
const decision = await arcjet.guard({
label: "tools.chat",
rules: [piRule(userMessage)],
});
if (decision.conclusion === "DENY" && decision.reason === "PROMPT_INJECTION") {
throw new Error("Prompt injection detected — please rephrase your message");
}Detects PII locally — the raw text never leaves the SDK. Built-in entity
types: EMAIL, PHONE_NUMBER, IP_ADDRESS, CREDIT_CARD_NUMBER.
import { launchArcjet, localDetectSensitiveInfo } from "@arcjet/guard";
const arcjet = launchArcjet({ key: process.env.ARCJET_KEY! });
const si = localDetectSensitiveInfo({
deny: ["CREDIT_CARD_NUMBER", "PHONE_NUMBER"],
});
const decision = await arcjet.guard({
label: "tools.summary",
rules: [si(userMessage)],
});
if (decision.conclusion === "DENY" && decision.reason === "SENSITIVE_INFO") {
throw new Error("Sensitive information detected");
}Define your own local evaluation logic with arbitrary key-value data. When
evaluate is provided, the SDK calls it locally before sending the request.
The function receives (config, input, { signal }) and must return
{ conclusion: "ALLOW" | "DENY" }.
import { launchArcjet, defineCustomRule } from "@arcjet/guard";
const arcjet = launchArcjet({ key: process.env.ARCJET_KEY! });
const topicBlock = defineCustomRule<
{ blockedTopic: string },
{ topic: string },
{ matched: string }
>({
evaluate: (config, input) => {
if (input.topic === config.blockedTopic) {
return { conclusion: "DENY", data: { matched: input.topic } };
}
return { conclusion: "ALLOW" };
},
});
const rule = topicBlock({ data: { blockedTopic: "politics" } });
const decision = await arcjet.guard({
label: "tools.chat",
rules: [rule({ data: { topic: userTopic } })],
});Both the configured rule and the bound input provide typed result accessors:
const limitRule = tokenBucket({
refillRate: 10,
intervalSeconds: 60,
maxTokens: 100,
});
const rl = limitRule({ key: userId, requested: 5 });
const decision = await arcjet.guard({ label: "tools.weather", rules: [rl] });
// From the bound input (matches exact invocation)
const r = rl.result(decision);
if (r) {
console.log(r.remainingTokens, r.maxTokens);
}
// From the configured rule (matches all invocations of this rule)
const ruleResult = limitRule.result(decision);
// Check only denied results
const denied = rl.deniedResult(decision);
if (denied) {
console.log(`Rate limited — resets at ${denied.resetAtUnixSeconds}`);
}Methods available on both RuleWithConfig and RuleWithInput:
| Method | RuleWithConfig (e.g. limitRule) |
RuleWithInput (e.g. rl) |
|---|---|---|
results(decision) |
All results for this config | Single-element or empty array |
result(decision) |
First result (any conclusion) | This submission's result |
deniedResult(decision) |
First denied result | This submission's result if denied |
const decision = await arcjet.guard({ label: "tools.weather", rules: [...] });
// Layer 1: conclusion and reason
decision.conclusion; // "ALLOW" or "DENY"
decision.reason; // "RATE_LIMIT", "PROMPT_INJECTION", "SENSITIVE_INFO", "CUSTOM", "ERROR", etc.
// Layer 2: error detection
decision.hasError(); // true if any rule errored or the server reported diagnostics
// Layer 3: per-rule results (see "Per-rule results" above)
for (const result of decision.results) {
console.log(result.type, result.conclusion);
}| Parameter | Type | Description |
|---|---|---|
rules |
RuleWithInput[] |
Bound rule inputs (required) |
label |
string |
Label identifying this guard call (required) |
metadata |
Record<string, string> | undefined |
Optional key-value metadata |
All guard rules accept a mode parameter. Use "DRY_RUN" to evaluate rules
without blocking:
const limitRule = tokenBucket({
mode: "DRY_RUN",
refillRate: 10,
intervalSeconds: 60,
maxTokens: 100,
});See the Arcjet best practices for detailed guidance. Key recommendations:
Create a single client instance and reuse it across your app using
withRule() to attach route-specific rules. The SDK caches decisions and
configuration, so creating a new instance per request wastes that work.
// lib/arcjet.ts — create once, import everywhere
import arcjet, { shield } from "@arcjet/next";
// Replace @arcjet/next with @arcjet/node, @arcjet/bun, etc. for your runtime
export default arcjet({
key: process.env.ARCJET_KEY!,
rules: [
shield({ mode: "LIVE" }), // base rules applied to every request
],
});// app/api/chat/route.ts — extend per-route with withRule()
import aj from "@/lib/arcjet";
import { detectBot, tokenBucket } from "@arcjet/next";
const routeAj = aj.withRule(detectBot({ mode: "LIVE", allow: [] })).withRule(
tokenBucket({
mode: "LIVE",
refillRate: 2_000,
interval: "1h",
capacity: 5_000,
}),
);
export async function POST(req: Request) {
const decision = await routeAj.protect(req, { requested: 500 });
// ...
}Other recommendations:
- Call
protect()in route handlers, not middleware. Middleware lacks route context, making it hard to apply route-specific rules or customize responses. - Call
protect()once per request. Calling it in both middleware and a handler doubles the work and can produce unexpected results. - Start rules in
DRY_RUNmode to observe behavior before switching toLIVE. This lets you tune thresholds without affecting real traffic. - Configure proxies if your app runs behind a load balancer or reverse
proxy so Arcjet resolves the real client IP:
arcjet({ key: process.env.ARCJET_KEY!, rules: [], proxies: ["100.100.100.100"], });
- Handle errors explicitly.
protect()never throws — on error it returns anERRORresult. Fail open by logging and allowing the request:if (decision.isErrored()) { console.error("Arcjet error", decision.reason.message); // allow the request to proceed }
We provide the source code for various packages in this repository, so you can find a specific one through the categories and descriptions below.
@arcjet/astro: SDK for Astro.@arcjet/bun: SDK for Bun.@arcjet/deno: SDK for Deno.@arcjet/fastify: SDK for Fastify.@arcjet/guard: Guards SDK for AI agent tool calls and background tasks.@arcjet/nest: SDK for NestJS.@arcjet/next: SDK for Next.js.@arcjet/node: SDK for Node.js.@arcjet/nuxt: SDK for Nuxt.@arcjet/react-router: SDK for React Router.@arcjet/remix: SDK for Remix.@arcjet/sveltekit: SDK for SvelteKit.
See the docs for details.
@nosecone/next: Protect your Next.js application with secure headers.@nosecone/sveltekit: Protect your SvelteKit application with secure headers.nosecone: Protect yourResponsewith secure headers.
@arcjet/analyze: Local analysis engine.@arcjet/body: Extract the body from a stream.@arcjet/cache: Basic cache interface and implementations.@arcjet/decorate: Decorate responses with info.@arcjet/duration: Parse duration strings.@arcjet/env: Environment detection.@arcjet/headers: Extension of the Headers class.@arcjet/inspect: Inspect decisions made by an SDK.@arcjet/ip: Find the originating IP of a request.@arcjet/logger: Lightweight logger which mirrors the Pino structured logger interface.@arcjet/protocol: JS interface into the protocol.@arcjet/redact: Redact & unredact sensitive info from strings.@arcjet/runtime: Runtime detection.@arcjet/sprintf: Platform-independent replacement forutil.format.@arcjet/stable-hash: Stable hashing.@arcjet/transport: Transport mechanisms for the Arcjet protocol.arcjet: JS SDK core.
@arcjet/eslint-config: Custom eslint config for our projects.@arcjet/rollup-config: Custom rollup config for our projects.
This repository follows the Arcjet Support Policy.
This repository follows the Arcjet Security Policy.
This is a monorepo managed with npm workspaces and
Turborepo. Each package lives in its own directory at the repo
root (e.g. arcjet-next/, analyze/).
If you want to use Arcjet then you should install a specific package for your
runtime (e.g. @arcjet/next for Next.js). If you want to contribute to the
development of the SDKs see CONTRIBUTING.md.
Packages maintained in this repository are compatible with LTS versions of Node.js and the current minor release of TypeScript.
Licensed under the Apache License, Version 2.0.