Application Security by Arcjet
Arcjet is a security layer that allows developers to protect their apps with just a few lines of code. Implement rate limiting, bot protection, email validation, and defense against common attacks.
Arcjet is installed as a dependency in your application and doesn’t require an agent or any additional infrastructure. The SDK is currently available for JS applications, with support for other languages coming soon.
This service is in beta. We consider it ready for production, but we may make breaking changes to the SDK. These will be announced in the GitHub changelog.
Get started
A quick way to see what Arcjet can do is to deploy the example app. It’s also available at example.arcjet.com.
Clone the GitHub repository:
git clone git@github.com:arcjet/arcjet-example-nextjs-fly.git
Set up a new Fly app:
fly launch --no-deploy
This command will generate a Dockerfile and a fly.toml for you.
Create an Arcjet account and link it to your Fly app:
fly ext arcjet create
This will:
- Create an Arcjet account linked to your Fly account.
- Create an Arcjet team mapped to your Fly organization.
- Create an Arcjet site for your Fly application.
- Set ARCJET_KEY as a secret on your Fly application.
Deploy to Fly:
fly deploy
Open your app in your browser and try the features.
Review the request details in your Arcjet dashboard:
fly ext arcjet dashboard
Run locally
Arcjet protections run locally as well as when deployed to Fly. This makes it easy to test and debug security rules.
Assuming you have already cloned the example and linked Arcjet to your Fly app (see above):
Log into your Arcjet dashboard to get the ARCJET_KEY for your app.
fly ext arcjet dashboard
Install dependencies:
npm ci
Rename .env.local.example to .env.local and add your Arcjet key. If you want to test the rate limiting authentication, you will also need to add an Auth.js secret and create a GitHub OAuth app.
Start the dev server:
npm run dev
Open http://localhost:3000 in your browser.
Protecting your application with Arcjet
Once you have set your ARCJET_KEY secret, you can start using Arcjet to protect your application:
Node.js example
You can also find this example on GitHub.
Install the Arcjet SDK:
npm i @arcjet/node
Add a rate limit to a route in index.ts:
import arcjet, { tokenBucket } from "@arcjet/node";
import http from "node:http";

const aj = arcjet({
  key: process.env.ARCJET_KEY!, // Set as a secret on your Fly app
  rules: [
    // Create a token bucket rate limit. Other algorithms are supported.
    tokenBucket({
      mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
      characteristics: ["userId"], // track requests by a custom user ID
      refillRate: 5, // refill 5 tokens per interval
      interval: 10, // refill every 10 seconds
      capacity: 10, // bucket maximum capacity of 10 tokens
    }),
  ],
});

const server = http.createServer(async function (
  req: http.IncomingMessage,
  res: http.ServerResponse,
) {
  const userId = "user123"; // Replace with your authenticated user ID
  const decision = await aj.protect(req, { userId, requested: 5 }); // Deduct 5 tokens from the bucket
  console.log("Arcjet decision", decision);

  if (decision.isDenied()) {
    res.writeHead(429, { "Content-Type": "application/json" });
    res.end(
      JSON.stringify({ error: "Too Many Requests", reason: decision.reason }),
    );
  } else {
    res.writeHead(200, { "Content-Type": "application/json" });
    res.end(JSON.stringify({ message: "Hello world" }));
  }
});

server.listen(8000);
Run your application:
npx tsx --env-file .env.local index.ts
Load the application and refresh the page a few times to see the rate limit in action.
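To make the numbers in the rule above concrete, the following added example (not part of the Arcjet SDK or the original page) models a token bucket locally in plain JavaScript using the same refillRate, interval and capacity, with each request costing 5 tokens. The class TokenBucketLimiter, its protect signature, the retryAfter field, and the assumptions that a bucket starts full and refills in whole intervals are illustrative only; the real decision is made by Arcjet.

```javascript
// Added illustration: a local model of token-bucket semantics, not Arcjet's implementation.
// Assumptions: each bucket starts full and is refilled in whole intervals.
class TokenBucketLimiter {
  constructor({ refillRate, interval, capacity }) {
    this.refillRate = refillRate; // tokens added per interval
    this.interval = interval;     // interval length in seconds
    this.capacity = capacity;     // maximum tokens a bucket can hold
    this.buckets = new Map();     // one bucket per characteristic value (e.g. userId)
  }

  // nowSeconds is passed in so the behaviour is deterministic and testable.
  protect(key, requested, nowSeconds) {
    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: this.capacity, lastRefill: nowSeconds };
      this.buckets.set(key, b);
    }
    // Credit every full interval elapsed since the last refill, capped at capacity.
    const elapsed = Math.floor((nowSeconds - b.lastRefill) / this.interval);
    if (elapsed > 0) {
      b.tokens = Math.min(this.capacity, b.tokens + elapsed * this.refillRate);
      b.lastRefill += elapsed * this.interval;
    }
    if (requested > this.capacity) {
      return { allowed: false, remaining: b.tokens, retryAfter: null }; // can never succeed
    }
    if (b.tokens >= requested) {
      b.tokens -= requested;
      return { allowed: true, remaining: b.tokens, retryAfter: 0 };
    }
    // Seconds until enough whole refills have landed to cover the request.
    const needed = Math.ceil((requested - b.tokens) / this.refillRate);
    const retryAfter = b.lastRefill + needed * this.interval - nowSeconds;
    return { allowed: false, remaining: b.tokens, retryAfter };
  }
}

// Constructed timeline using the values from the page's rule and a cost of 5 tokens per request.
function simulate() {
  const limiter = new TokenBucketLimiter({ refillRate: 5, interval: 10, capacity: 10 });
  const timeline = [[0, "user123"], [1, "user123"], [2, "user123"], [3, "user456"], [12, "user123"], [13, "user123"]];
  return timeline.map(([t, userId]) => ({ t, userId, ...limiter.protect(userId, 5, t) }));
}

console.table(simulate());
```

Because each characteristic value gets its own bucket, the userId passed to the limiter has to come from the authenticated session rather than a client-supplied value; otherwise a caller gets a fresh bucket simply by changing it.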
Pricing
Arcjet is currently in beta and is free to use. The features available today will be unlimited and free to use. Our goal is to help developers protect their applications, so we don’t want you to incur costs if you are attacked.
Arcjet pricing will be based on the usage of features we intend to introduce in the future, e.g. organization-wide rules, compliance tools, team management, etc.
Support
Email: support@arcjet.com
Discord: Join.
See the Arcjet docs for the full support policy.