The security platform that ships with your code. Bot protection, rate limiting, email validation, attack detection, PII redaction. Developer first security.
Good security doesn’t have to mean expensive tools or a complex setup. For most teams, the real challenge is choosing tools that fit their workflow and provide meaningful protection without becoming another system to manage.
What security tools have delivered the most value for
Arcjet JS SDK v1.0 is out of beta.
Stable API, production-ready, built for predictable upgrades.
Security shouldn’t add maintenance work. v1.0 is our long-term commitment.
2025 was a defining year for Arcjet.
We shipped major platform updates, expanded framework support, and saw adoption grow to nearly 1,000 production deployments, all focused on security developers actually use.
Here's what we built and what’s next:
Arcjet now offers a Python SDK. Add rate limiting, bot detection, email validation, and signup protection directly to FastAPI and Flask apps, right in your code. Read here:
Framework security guides stop where production abuse begins.
Bots, API misuse, and valid requests that cost money don’t appear until real traffic hits.
We wrote about what actually breaks in production.
Good reminder that AI works best once you understand the system. This PERN walkthrough builds the app manually first, then brings in AI, with Arcjet handling app-layer security where it belongs.
We wrote up how Arcjet actually works under the hood.
SDKs written in native languages, local-first decisions via WebAssembly, a Go + gRPC backend, and infra designed for low-latency security at scale.
If you like understanding systems, this is for you.
Detecting the real client IP on Firebase is harder than it should be. We broke down why it’s tricky, what Firebase actually sends, and how to get it right if you rely on IP-based security like rate limiting or bot protection.
hubs.li/Q03ZTMDl0
Implemented @arcjet in one of my project today to lock down API abuse with rate limiting.
Loving how it drops straight into the middleware with just a few lines of code.
React2Shell wasn’t just another React bug.
Arcjet CEO David Mytton @davidmytton joins @PodRocketpod to explain how React 19’s server features expanded the attack surface.
If you’re building with React or Next.js, this is worth watching.
hubs.li/Q03YtKx80
Developers often think Firebase hides the real client IP. Our research shows it doesn’t, there’s a consistent internal header with the true IP. This changes how rate limiting and abuse prevention should be done on managed platforms.
Deep dive: