arcjet-js
Arcjet is a TypeScript/JavaScript SDK that protects AI applications and web services from bot attacks, prompt injection, rate limiting abuse, and sensitive data leaks. It provides pre-built security rules for request handlers and AI tool calls across multiple frameworks (Next.js, Express, Bun, Deno, etc.) with both cloud-side and local evaluation modes.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | arcjet/arcjet-js |
| Owner | arcjet |
| Primary language | TypeScript |
| License | Apache-2.0 — OSI-approved |
| Stars | 672 |
| Forks | 30 |
| Open issues | 7 |
| Latest release | v1.8.0 (2026-07-07) |
| Last updated | 2026-07-07 |
| Source | https://github.com/arcjet/arcjet-js |
What arcjet-js is
Arcjet-js is a monorepo of framework-specific SDKs built on Apache-2.0 that integrate into HTTP request handlers (via @arcjet/next, @arcjet/node, etc.) or AI tool flows (via @arcjet/guard). It offers configurable rules for rate limiting, prompt injection detection, PII/sensitive info detection, bot detection via IP analysis, Shield WAF protections, and custom rule evaluation with local or cloud-side decision making.
Get the arcjet-js source
Clone the repository and explore it locally.
git clone https://github.com/arcjet/arcjet-js.gitcd arcjet-js# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- API key provisioning: requires signup at app.arcjet.com or CLI auth (npx @arcjet/cli auth login); keys must be stored securely in environment variables.
- Framework selection: pick the correct SDK (@arcjet/next vs @arcjet/node vs @arcjet/bun) based on your runtime; Request vs Guard API differs semantically for HTTP vs tool-call contexts.
- Latency trade-off: cloud-side rule evaluation adds network round-trip; local evaluation may reduce latency but feature set varies—benchmark for your SLA.
- Rule composition: rules are combined (e.g., rate limiting + bot detection + prompt injection on same endpoint); understand rule prioritization and decision flow (block vs log vs challenge).
- Monitoring & observability: integrate with your logging/APM stack to track rejected requests, false positives, and rate limit pressure; blueprint examples available.
When to avoid it — and what to weigh
- Fully Offline or Air-Gapped Deployments — Cloud-side rule evaluation requires outbound connectivity to Arcjet servers; local-only evaluation may have feature limitations. Requires explicit review of Arcjet's cloud dependency model.
- Minimal Dependency or Lightweight Footprint Critical — Monorepo adds framework-specific SDKs and transitive dependencies; if bundle size or node_modules footprint is a hard constraint, evaluate against lighter alternatives (express-rate-limit, simple WAF middleware).
- Highly Customized or Proprietary Security Logic — Arcjet provides opinionated rule patterns; if security rules must integrate deeply with existing custom detection systems or legacy security architecture, integration friction may be high.
- Uncertain Commercial Licensing Intent — Apache-2.0 is permissive, but Arcjet runs a managed service backend; clarify Arcjet cloud service terms, data retention, and SLA for production AI cost control workflows.
License & commercial use
Apache License 2.0 (SPDX: Apache-2.0). Permissive OSI-approved license permitting commercial use, modification, and redistribution with liability disclaimers and patent grant. No proprietary restrictions on the SDK code itself.
Apache-2.0 SDK permits commercial use without restriction. However, Arcjet operates a managed backend service (app.arcjet.com); commercial use of that service and API key provisioning are subject to Arcjet's separate Terms of Service and SLAs. Review Arcjet's commercial ToS, pricing tiers, and data handling policies separately—OSS license does not cover service terms.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
Arcjet provides client-side SDK and rule definitions; evaluation happens server-side (cloud or local). SDK itself has no known public exploits disclosed in DATA. Prompt injection and sensitive info detection rely on pattern matching or ML; effectiveness depends on rule configuration and model quality (not quantified in DATA). Rate limiting and bot detection depend on IP reputation/behavior heuristics—evaluate false positive/negative rates for your traffic. No audit, SLSA, or vulnerability disclosure policy stated in DATA; requires review. Cloud-side evaluation introduces dependency on Arcjet's infrastructure and data handling practices.
Alternatives to consider
express-rate-limit + helmet + custom bot detection
Lighter, framework-native approach; no third-party service dependency. Trade-off: requires bespoke prompt injection detection, IP analysis logic, and cross-framework code duplication.
Cloudflare Workers + Waf Rules + Rate Limiting
Edge-native security with instant global deployment; Waf rules, rate limiting, bot management in one platform. Trade-off: requires Cloudflare infrastructure; less LLM-specific (prompt injection detection not native); different pricing model.
AWS WAF + Lambda throttling + custom logic
AWS ecosystem integration; built-in DDoS/bot protection, flexible rule engine. Trade-off: requires AWS expertise, slower iteration, less plug-and-play for AI workloads.
Build on arcjet-js with DEV.co software developers
Explore Arcjet's framework-agnostic security rules and try the live example at arcjet.com. Sign up at app.arcjet.com to get an API key and start protecting your AI workloads.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
arcjet-js FAQ
Do I need to run Arcjet servers myself?
Can I use Arcjet offline or in air-gapped environments?
How do I choose between @arcjet/next, @arcjet/node, and @arcjet/guard?
What happens if Arcjet cloud service is unavailable?
Custom software development services
Adopting arcjet-js is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.
Secure Your AI Endpoints
Explore Arcjet's framework-agnostic security rules and try the live example at arcjet.com. Sign up at app.arcjet.com to get an API key and start protecting your AI workloads.