Arcjet helps developers protect their apps in just a few lines of
code. Implement rate limiting, bot protection, email verification, and defense
against common attacks.
This is the Arcjet TypeScript and JavaScript SDK core.
This is our core package.
It exposes the functionality for the many types of protection that Arcjet
provides which can be configured and combined by users.
The functionality here is exposed from our SDKs
(such as @arcjet/next) that each integrate with a particular framework.
When should I use this?
We recommend using one of our runtime or framework specific packages rather
than this one.
See our Get started guide for more info.
Install
This package is ESM only.
Install with npm in Node.js:
npm install arcjet
Use
import http from"node:http";
import { readBody } from"@arcjet/body";
import arcjet, { ArcjetAllowDecision, ArcjetReason, shield } from"arcjet";
// Get your Arcjet key at <https://app.arcjet.com>.// Set it as an environment variable instead of hard coding it.const arcjetKey = process.env.ARCJET_KEY;
if (!arcjetKey) {
thrownewError("Cannot find `ARCJET_KEY` environment variable");
}
const aj = arcjet({
// Your adapter takes care of this: this is a naïve example.client: {
asyncdecide() {
returnnewArcjetAllowDecision({
reason: newArcjetReason(),
results: [],
ttl: 0,
});
},
report() {},
},
key: arcjetKey,
log: console,
rules: [
// Shield protects your app from common attacks.// Use `DRY_RUN` instead of `LIVE` to only log.shield({ mode: "LIVE" }),
],
});
const server = http.createServer(asyncfunction (
request: http.IncomingMessage,
response: http.ServerResponse,
) {
const url = newURL(request.url || "", "http://" + request.headers.host);
// Your adapter takes care of this: this is a naïve example.const context = {
getBody() {
returnreadBody(request, { limit: 1024 });
},
host: request.headers.host,
ip: request.socket.remoteAddress,
method: request.method,
path: url.pathname,
};
const decision = await aj.protect(context, {});
console.log(decision);
if (decision.isDenied()) {
response.writeHead(403, { "Content-Type": "application/json" });
response.end(JSON.stringify({ message: "Forbidden" }));
return;
}
response.writeHead(200, { "Content-Type": "application/json" });
response.end(JSON.stringify({ message: "Hello world" }));
});
server.listen(8000);
Arcjet runtime security SDK — bot protection, rate limiting, prompt injection detection, PII blocking, and WAF for JavaScript and TypeScript apps
The npm package arcjet receives a total of 59,942 weekly downloads. As such, arcjet popularity was classified as popular.
We found that arcjet demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago.It has 2 open source maintainers collaborating on the project.
Package last updated on 12 Mar 2026
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
The White House’s Gold Eagle Initiative aims to coordinate AI-discovered vulnerabilities, validate findings, and accelerate patching across critical software.