Arcjet Review 2026: Security as Code
Arcjet is a security SDK for web applications. Instead of configuring a WAF dashboard, you write security rules in your application code. Rate limiting, bot detection, email validation, and attack protection — all as TypeScript code. Here's the review.
What Arcjet Does
- Rate limiting — Token bucket, sliding window, fixed window algorithms
- Bot protection — Detect and block automated traffic
- Email validation — Check for disposable, invalid, and free email providers
- Shield — Block common attacks (SQL injection, XSS patterns)
- Sensitive info detection — Detect and block PII in requests
What I Like
Security as Code
This is Arcjet's core innovation. Security rules live in your codebase:
```ts
import arcjet, { shield, fixedWindow, detectBot } from "@arcjet/next"

// Rules are declared once and evaluated on every protect() call.
// mode "LIVE" enforces the rule; "DRY_RUN" only reports what would have happened.
const aj = arcjet({
  key: process.env.ARCJET_KEY!, // read from the environment, never committed
  rules: [
    shield({ mode: "LIVE" }),
    // Fixed-window rate limit; the SDK also exports slidingWindow and tokenBucket
    fixedWindow({ mode: "LIVE", max: 100, window: "1m" }),
    detectBot({ mode: "LIVE", allow: ["CATEGORY:SEARCH_ENGINE"] }),
  ],
})

export async function POST(req: Request) {
  const decision = await aj.protect(req)
  if (decision.isDenied()) {
    return Response.json({ error: "Blocked" }, { status: 403 })
  }
  // Handle request
}
```
Security rules are version-controlled, reviewed in PRs, and tested like any other code. No separate dashboard to configure.
Framework Integration
First-class support for Next.js, Hono, Express, Bun, Deno, SvelteKit, and more. The SDK feels native to each framework.
Local Development
Rules run locally during development. Test rate limits, bot detection, and security rules without hitting a cloud service. This is rare for security tools.
Composable Rules
Stack multiple rules per route:
```ts
import arcjet, { shield, fixedWindow, detectBot, validateEmail } from "@arcjet/next"

// Login endpoint: strict rate limit + bot protection + email validation
const loginProtection = arcjet({
  key: process.env.ARCJET_KEY!,
  rules: [
    fixedWindow({ mode: "LIVE", max: 5, window: "15m" }),
    detectBot({ mode: "LIVE", allow: [] }), // empty allow list: no automated clients
    validateEmail({ mode: "LIVE", deny: ["DISPOSABLE", "INVALID"] }),
  ],
})
// Call as: await loginProtection.protect(req, { email }) so the email rule has input

// API endpoint: higher rate limit + shield
const apiProtection = arcjet({
  key: process.env.ARCJET_KEY!,
  rules: [
    fixedWindow({ mode: "LIVE", max: 1000, window: "1m" }),
    shield({ mode: "LIVE" }),
  ],
})
```
Different security profiles for different routes. All in code.
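The "tested like any other code" claim above, and the per-route profiles, both come down to what the route does with the decision. The following is an added example, not Arcjet's own code: a decision handler that returns a different HTTP status per denial reason (429 with Retry-After for rate limits, 400 for rejected emails, 403 for bots and shield) and decides what to do when the SDK itself errors. The `DecisionLike` interface mirrors the parts of Arcjet's decision object used here (`isDenied()`, `isErrored()`, `reason.isRateLimit()`/`isBot()`/`isEmail()`/`isShield()`, `reason.resetTime`) and is an assumption for the example; `stubDecision` builds constructed decisions so the handler can be unit-tested without the SDK.

```typescript
// Subset of the Arcjet decision shape this handler relies on (assumed, not the SDK type).
interface DecisionLike {
  isDenied(): boolean;
  isErrored(): boolean;
  reason: {
    isRateLimit(): boolean;
    isBot(): boolean;
    isEmail(): boolean;
    isShield(): boolean;
    resetTime?: Date; // when the rate-limit window resets
  };
}

interface Verdict { status: number; body: { error: string }; headers: Record<string, string> }

// Returns null when the request may proceed, otherwise the response to send.
// failClosed decides what happens if Arcjet could not evaluate the rules at all.
function handleDecision(d: DecisionLike, now: Date = new Date(), failClosed = false): Verdict | null {
  if (d.isErrored()) {
    // Conservative endpoints (login, payments) should fail closed; others may fail open.
    return failClosed ? { status: 503, body: { error: "Security check unavailable" }, headers: {} } : null;
  }
  if (!d.isDenied()) return null;
  const r = d.reason;
  if (r.isRateLimit()) {
    const secs = r.resetTime ? Math.ceil((r.resetTime.getTime() - now.getTime()) / 1000) : 60;
    return { status: 429, body: { error: "Too many requests" }, headers: { "Retry-After": String(Math.max(1, secs)) } };
  }
  if (r.isBot()) return { status: 403, body: { error: "Automated traffic blocked" }, headers: {} };
  if (r.isEmail()) return { status: 400, body: { error: "Email address not accepted" }, headers: {} };
  if (r.isShield()) return { status: 403, body: { error: "Request blocked" }, headers: {} };
  return { status: 403, body: { error: "Blocked" }, headers: {} };
}

// Constructed decision stub for tests: one outcome per call, no network involved.
type Kind = "allow" | "rateLimit" | "bot" | "email" | "shield" | "error";
function stubDecision(kind: Kind, resetTime?: Date): DecisionLike {
  const is = (k: Kind) => () => kind === k;
  return {
    isDenied: () => kind !== "allow" && kind !== "error",
    isErrored: () => kind === "error",
    reason: { isRateLimit: is("rateLimit"), isBot: is("bot"), isEmail: is("email"), isShield: is("shield"), resetTime },
  };
}

// In a route handler: const v = handleDecision(await aj.protect(req), new Date(), true);
// if (v) return Response.json(v.body, { status: v.status, headers: v.headers });
```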
Email Validation
Built-in email validation that checks:
- Syntax validity
- MX record existence
- Disposable email providers
- Free email providers (Gmail, Yahoo)
- Gravatar existence
Useful for signup forms without a separate email validation service.
What I Don't Like
Early Stage
Arcjet is relatively new. The SDK is stable but the ecosystem is smaller than established WAFs (Cloudflare, AWS WAF). Expect rapid changes.
Limited Analytics Dashboard
The dashboard shows blocked requests and rule triggers, but it's basic compared to Cloudflare's security analytics. You won't get deep threat intelligence.
No DDoS Protection
Arcjet runs at the application level, not the network level. For volumetric DDoS attacks, you still need Cloudflare or AWS Shield in front. Arcjet handles application-layer threats.
Pricing Uncertainty at Scale
Free tier is generous, but pricing for high-traffic apps isn't clearly published. Enterprise pricing is custom.
Bot Detection Accuracy
Bot detection is good but not perfect. Sophisticated bots can still get through. For critical protection, layer Arcjet with Cloudflare's bot management.
Pricing
| Tier | Price | Requests |
|---|---|---|
| Free | $0 | 10K requests/month |
| Pro | $30/month | 500K requests |
| Enterprise | Custom | Unlimited |
Free tier is enough for development and small projects. Pro covers most production apps.
Best Use Cases
- SaaS apps — Protect login, signup, and API endpoints
- API products — Rate limiting and bot protection per key
- E-commerce — Block scrapers and credential stuffing
- Developer-led teams — Security rules in code, not dashboards
Worst Use Cases
- DDoS protection — Use Cloudflare for network-level attacks
- Non-developer teams — Requires code changes
- Legacy apps — SDK integration may not be straightforward
- Compliance-heavy — May need established WAF for audit trails
Arcjet vs Alternatives
| | Arcjet | Cloudflare WAF | Rate limiting (DIY) |
|---|---|---|---|
| Implementation | SDK (code) | Dashboard | Custom code |
| Rate limiting | ✅ | ✅ | ✅ |
| Bot protection | ✅ | ✅ Best | ❌ |
| DDoS | ❌ | ✅ | ❌ |
| Email validation | ✅ | ❌ | ❌ |
| Version controlled | ✅ | ❌ | ✅ |
| Local dev | ✅ | ❌ | ✅ |
FAQ
Does Arcjet replace Cloudflare?
No. Use both. Cloudflare handles DDoS and network-level threats. Arcjet handles application-level security with fine-grained control.
Can I use Arcjet in production?
Yes. The SDK is stable and used in production apps.
How does Arcjet affect latency?
Minimal. Most decisions are made locally, so few requests need a network call; Arcjet adds under 5ms to request processing.
Is Arcjet open source?
The SDK is open source. The backend service is cloud-hosted.
Bottom Line
Arcjet brings application security into the developer workflow. Security rules in code, version-controlled, testable locally. It doesn't replace your CDN/WAF (Cloudflare) but adds a powerful application-layer security toolkit.
Recommendation: Use Arcjet for login protection, API rate limiting, and bot detection. Layer it with Cloudflare for complete coverage. The "security as code" approach fits modern development workflows perfectly.