DEV.co
Open-Source Security · arcjet

arcjet-js

Arcjet is a TypeScript/JavaScript SDK that protects AI applications and web services from bot attacks, prompt injection, rate limiting abuse, and sensitive data leaks. It provides pre-built security rules for request handlers and AI tool calls across multiple frameworks (Next.js, Express, Bun, Deno, etc.) with both cloud-side and local evaluation modes.

Source: GitHub — github.com/arcjet/arcjet-js
672
GitHub stars
30
Forks
TypeScript
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryarcjet/arcjet-js
Ownerarcjet
Primary languageTypeScript
LicenseApache-2.0 — OSI-approved
Stars672
Forks30
Open issues7
Latest releasev1.8.0 (2026-07-07)
Last updated2026-07-07
Sourcehttps://github.com/arcjet/arcjet-js

What arcjet-js is

Arcjet-js is a monorepo of framework-specific SDKs built on Apache-2.0 that integrate into HTTP request handlers (via @arcjet/next, @arcjet/node, etc.) or AI tool flows (via @arcjet/guard). It offers configurable rules for rate limiting, prompt injection detection, PII/sensitive info detection, bot detection via IP analysis, Shield WAF protections, and custom rule evaluation with local or cloud-side decision making.

Quickstart

Get the arcjet-js source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/arcjet/arcjet-js.gitcd arcjet-js# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

AI Chat APIs with Cost Control

Protect LLM endpoints from automated abuse and budget exhaustion; detect prompt injection and rate-limit per-user token consumption before expensive API calls.

Multi-Framework Web Apps Requiring Uniform Security

Deploy identical bot/rate-limit/WAF rules across Next.js, Express, Remix, SvelteKit, NestJS, or Fastify codebases without rewriting security logic per framework.

AI Agent Tool Handlers and MCP Servers

Use @arcjet/guard to validate tool calls, block prompt injection, and sanitize inputs in agent flows that lack traditional HTTP request context.

Implementation considerations

  • API key provisioning: requires signup at app.arcjet.com or CLI auth (npx @arcjet/cli auth login); keys must be stored securely in environment variables.
  • Framework selection: pick the correct SDK (@arcjet/next vs @arcjet/node vs @arcjet/bun) based on your runtime; Request vs Guard API differs semantically for HTTP vs tool-call contexts.
  • Latency trade-off: cloud-side rule evaluation adds network round-trip; local evaluation may reduce latency but feature set varies—benchmark for your SLA.
  • Rule composition: rules are combined (e.g., rate limiting + bot detection + prompt injection on same endpoint); understand rule prioritization and decision flow (block vs log vs challenge).
  • Monitoring & observability: integrate with your logging/APM stack to track rejected requests, false positives, and rate limit pressure; blueprint examples available.

When to avoid it — and what to weigh

  • Fully Offline or Air-Gapped Deployments — Cloud-side rule evaluation requires outbound connectivity to Arcjet servers; local-only evaluation may have feature limitations. Requires explicit review of Arcjet's cloud dependency model.
  • Minimal Dependency or Lightweight Footprint Critical — Monorepo adds framework-specific SDKs and transitive dependencies; if bundle size or node_modules footprint is a hard constraint, evaluate against lighter alternatives (express-rate-limit, simple WAF middleware).
  • Highly Customized or Proprietary Security Logic — Arcjet provides opinionated rule patterns; if security rules must integrate deeply with existing custom detection systems or legacy security architecture, integration friction may be high.
  • Uncertain Commercial Licensing Intent — Apache-2.0 is permissive, but Arcjet runs a managed service backend; clarify Arcjet cloud service terms, data retention, and SLA for production AI cost control workflows.

License & commercial use

Apache License 2.0 (SPDX: Apache-2.0). Permissive OSI-approved license permitting commercial use, modification, and redistribution with liability disclaimers and patent grant. No proprietary restrictions on the SDK code itself.

Apache-2.0 SDK permits commercial use without restriction. However, Arcjet operates a managed backend service (app.arcjet.com); commercial use of that service and API key provisioning are subject to Arcjet's separate Terms of Service and SLAs. Review Arcjet's commercial ToS, pricing tiers, and data handling policies separately—OSS license does not cover service terms.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Arcjet provides client-side SDK and rule definitions; evaluation happens server-side (cloud or local). SDK itself has no known public exploits disclosed in DATA. Prompt injection and sensitive info detection rely on pattern matching or ML; effectiveness depends on rule configuration and model quality (not quantified in DATA). Rate limiting and bot detection depend on IP reputation/behavior heuristics—evaluate false positive/negative rates for your traffic. No audit, SLSA, or vulnerability disclosure policy stated in DATA; requires review. Cloud-side evaluation introduces dependency on Arcjet's infrastructure and data handling practices.

Alternatives to consider

express-rate-limit + helmet + custom bot detection

Lighter, framework-native approach; no third-party service dependency. Trade-off: requires bespoke prompt injection detection, IP analysis logic, and cross-framework code duplication.

Cloudflare Workers + Waf Rules + Rate Limiting

Edge-native security with instant global deployment; Waf rules, rate limiting, bot management in one platform. Trade-off: requires Cloudflare infrastructure; less LLM-specific (prompt injection detection not native); different pricing model.

AWS WAF + Lambda throttling + custom logic

AWS ecosystem integration; built-in DDoS/bot protection, flexible rule engine. Trade-off: requires AWS expertise, slower iteration, less plug-and-play for AI workloads.

Software development agency

Build on arcjet-js with DEV.co software developers

Explore Arcjet's framework-agnostic security rules and try the live example at arcjet.com. Sign up at app.arcjet.com to get an API key and start protecting your AI workloads.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

arcjet-js FAQ

Do I need to run Arcjet servers myself?
No. Arcjet is a managed service; rules are evaluated on Arcjet's servers by default. You can optionally enable local evaluation mode for reduced latency, but feature set may differ. Verify local vs. cloud capabilities for your use case.
Can I use Arcjet offline or in air-gapped environments?
Not without modifications. Default mode requires internet connectivity to Arcjet cloud. Local evaluation mode may be available, but requires explicit review of Arcjet's documentation and your licensing agreement.
How do I choose between @arcjet/next, @arcjet/node, and @arcjet/guard?
@arcjet/next for Next.js; @arcjet/node for Express, Fastify, or vanilla Node.js; @arcjet/bun for Bun runtime. Use @arcjet/guard for AI agent tool calls and non-HTTP contexts. You can use multiple SDKs in the same project.
What happens if Arcjet cloud service is unavailable?
Unknown from DATA. Consult Arcjet's documentation and SLA for fallback behavior (e.g., fail-open, fail-closed, local evaluation). Critical for production AI cost control workflows.

Custom software development services

Adopting arcjet-js is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Secure Your AI Endpoints

Explore Arcjet's framework-agnostic security rules and try the live example at arcjet.com. Sign up at app.arcjet.com to get an API key and start protecting your AI workloads.