Application Security by Arcjet

Arcjet is a security layer that allows developers to protect their apps with just a few lines of code. Implement rate limiting, bot protection, email validation, and defense against common attacks.

Arcjet is installed as a dependency in your application and doesn’t require an agent or any additional infrastructure. The SDK is currently available for JS applications, with support for other languages coming soon.

This service is in beta. We consider it ready for production, but we may make breaking changes to the SDK. These will be announced in the GitHub changelog.

Get started

A quick way to see what Arcjet can do is to deploy the example app. It’s also available at

Clone the GitHub repository:

git clone

Set up a new Fly app:

fly launch --no-deploy

This command will generate a Dockerfile and a fly.toml for you.

Create an Arcjet account and link it to your Fly app:

fly ext arcjet create

This will:

  • Create an Arcjet account linked to your Fly account.
  • Create an Arcjet team mapped to your Fly organization.
  • Create an Arcjet site for your Fly application.
  • Set ARCJET_KEY as a secret on your Fly application.

Deploy to Fly:

fly deploy

Open your app in your browser and try the features.

Review the request details in your Arcjet dashboard:

fly ext arcjet dashboard

Run locally

Arcjet protections run locally as well as when deployed to Fly. This makes it easy to test and debug security rules.

Assuming you have already cloned the example and linked Arcjet to your Fly app (see above):

Log into your Arcjet dashboard to get the ARCJET_KEY for your app.

fly ext arcjet dashboard

Install dependencies:

npm ci

Rename .env.local.example to .env.local and add your Arcjet key. If you want to test the rate limiting authentication, you will also need to add an Auth.js secret and create a GitHub OAuth app.

Start the dev server:

npm run dev

Open http://localhost:3000 in your browser.

Protecting your application with Arcjet

Once you have set your ARCJET_KEY secret, you can start using Arcjet to protect your application:

Node.js example

You can also find this example on GitHub.

  1. Install the Arcjet SDK:

    npm i @arcjet/node
  2. Add a rate limit to a route in index.ts:

    import arcjet, { tokenBucket } from "@arcjet/node";
    import http from "node:http";

    const aj = arcjet({
      key: process.env.ARCJET_KEY!, // Set as a secret on your Fly app
      rules: [
        // Create a token bucket rate limit. Other algorithms are supported.
        tokenBucket({
          mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
          characteristics: ["userId"], // track requests by a custom user ID
          refillRate: 5, // refill 5 tokens per interval
          interval: 10, // refill every 10 seconds
          capacity: 10, // bucket maximum capacity of 10 tokens
        }),
      ],
    });

    const server = http.createServer(async function (
      req: http.IncomingMessage,
      res: http.ServerResponse,
    ) {
      const userId = "user123"; // Replace with your authenticated user ID
      const decision = await aj.protect(req, { userId, requested: 5 }); // Deduct 5 tokens from the bucket
      console.log("Arcjet decision", decision);

      if (decision.isDenied()) {
        // Over the limit: reject with 429 and include the decision reason
        res.writeHead(429, { "Content-Type": "application/json" });
        res.end(
          JSON.stringify({ error: "Too Many Requests", reason: decision.reason }),
        );
      } else {
        res.writeHead(200, { "Content-Type": "application/json" });
        res.end(JSON.stringify({ message: "Hello world" }));
      }
    });

    // Port 8000 is an assumption; match the internal_port in your fly.toml
    server.listen(8000);
  3. Run your application:

    npx tsx --env-file .env.local index.ts

Load the application and refresh the page a few times to see the rate limit in action.
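What those refreshes should look like with the rule values above, shown with a simplified local token bucket model. This is an added example, not code from the Arcjet SDK or the example app; the stepwise refill, the full starting bucket, the `user456` ID and the function names are assumptions.

```typescript
// Simplified local model, not Arcjet's code. Assumptions: each bucket starts
// full and gains `refillRate` tokens once per `interval` seconds.
type Mode = "LIVE" | "DRY_RUN";
interface BucketConfig {
  mode: Mode;
  refillRate: number; // tokens added per interval
  interval: number; // seconds between refills
  capacity: number; // maximum tokens a bucket can hold
}
interface Verdict {
  allowed: boolean; // whether the request is served
  wouldDeny: boolean; // true when the bucket lacked enough tokens
  remaining: number; // tokens left after this request
}

// Returns a `take` function that keeps one bucket per userId.
function createModel(config: BucketConfig) {
  const buckets = new Map<string, { tokens: number; lastRefill: number }>();
  // `now` is in seconds and passed in so the run is deterministic.
  return function take(userId: string, requested: number, now: number): Verdict {
    const { mode, refillRate, interval, capacity } = config;
    const bucket = buckets.get(userId) ?? { tokens: capacity, lastRefill: now };
    const steps = Math.floor((now - bucket.lastRefill) / interval);
    if (steps > 0) {
      bucket.tokens = Math.min(capacity, bucket.tokens + steps * refillRate);
      bucket.lastRefill += steps * interval;
    }
    const wouldDeny = bucket.tokens < requested;
    if (!wouldDeny) bucket.tokens -= requested;
    buckets.set(userId, bucket);
    // DRY_RUN records the verdict but still serves the request.
    return { allowed: mode === "DRY_RUN" || !wouldDeny, wouldDeny, remaining: bucket.tokens };
  };
}

// Constructed timeline using the rule values from the page (requested: 5).
function simulate(mode: Mode): Verdict[] {
  const take = createModel({ mode, refillRate: 5, interval: 10, capacity: 10 });
  const requests: [string, number][] = [
    ["user123", 0], ["user123", 1], ["user123", 2], // three quick refreshes
    ["user456", 2], // hypothetical second user with its own bucket
    ["user123", 11], ["user123", 12], // after one refill interval
  ];
  return requests.map(([userId, now]) => take(userId, 5, now));
}

console.log(simulate("LIVE").map((v) => (v.allowed ? 200 : 429)));
```

With `requested: 5` against a capacity of 10, a user gets two requests before the first 429, and each 10-second refill buys exactly one more. Because the hardcoded `userId` puts every visitor in the same bucket, replacing it with the authenticated user ID is what makes the limit per-user.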


Arcjet is currently in beta and is free to use. The features available today will be unlimited and free to use. Our goal is to help developers protect their applications, so we don’t want you to incur costs if you are attacked.

Arcjet pricing will be based on the usage of features we intend to introduce in the future e.g. organization-wide rules, compliance tools, team management, etc.



