Arcjet helps developers protect their apps in just a few lines of code. Bot detection. Rate limiting. Email validation. Attack protection. Data redaction. A developer-first approach to security.
This is an example Fastify application demonstrating the use of multiple features.
- Bot protection shows how a page can be protected from automated clients.
- Rate limiting shows the use of different rate limit configurations depending on the authenticated user. A logged-in user can make more requests than an anonymous user.
- Signup form protection uses Arcjet's server-side email verification configured to block disposable providers and ensure that the domain has a valid MX record. It also includes rate limiting and bot protection to prevent automated abuse.
- Sensitive info protects against clients sending you sensitive information such as PII that you do not wish to handle.
- Attack protection demonstrates Arcjet Shield, which detects suspicious behavior such as SQL injection and cross-site scripting attacks.
- Install dependencies:

  ```bash
  npm ci
  ```

- Rename `.env.example` to `.env` and add your Arcjet key.

- Start the dev server:

  ```bash
  # Node.js 24.3+
  npm run dev
  ```

Tip: For older versions of Node.js, or if you encounter the error `Unknown file extension ".ts"`, use this `tsx`-based command instead:

```bash
npm run dev-tsx
```

Fastify is a server-side framework, so you won't see much in the browser. Here are some API routes to try:

The `/bots` route uses a guard to protect the controller. All automated clients will receive a 403 response. `curl` is considered an automated client by default, so you can test it with:

```bash
curl -v http://localhost:3000/bots
```

The `/rate-limiting` route uses a fixed window rate limit. Send 3 requests in quick succession to see the rate limit in action:

```bash
curl -v http://localhost:3000/rate-limiting
```

The `/signup` route uses Arcjet's signup form protection, which combines bot protection, rate limiting, and email verification. To test it, send a POST request with different email addresses:

```bash
curl -v http://localhost:3000/signup \
  -X POST \
  -H "Content-Type: application/json" \
  --data '{"email":"[email protected]"}'
```

Try these emails to see how it works:

- `invalid.@arcjet` – is an invalid email address.
- [email protected] – is from a disposable email provider.
- [email protected] – is a valid email address & domain, but has no MX records.

The `/sensitive-info` route uses a guard to protect the controller. It will block requests containing credit card numbers:

```bash
curl -v http://localhost:3000/sensitive-info \
  -X POST \
  -H "Content-Type: application/json" \
  --data '{"message":"Hello my credit card is 4111111111111111"}'
```

The `/attack` route uses Arcjet Shield to detect and block attacks, such as SQL injection and cross-site scripting. To simulate an attack, send a request with the special header:

```bash
curl -v http://localhost:3000/attack \
  -H "x-arcjet-suspicious: true"
```

After the 5th request, your IP will be blocked for 15 minutes. Suspicious requests must meet a threshold before they are blocked to avoid false positives.
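
The threshold-then-block behavior described above can be modeled in a few lines. This is an added illustration, not Arcjet Shield's implementation or code from this repository: `ThresholdBlocker`, `decide` and `simulate` are hypothetical names, the sample IPs are constructed, and it assumes the fifth suspicious request is still allowed with the block starting on the next request.

```javascript
// Simplified in-memory model of "block only after a threshold of suspicious requests".
// Not Arcjet Shield's implementation; all names here are hypothetical.
const THRESHOLD = 5;             // suspicious requests tolerated (figure from the README)
const BLOCK_MS = 15 * 60 * 1000; // block duration: 15 minutes (figure from the README)

class ThresholdBlocker {
  constructor({ threshold = THRESHOLD, blockMs = BLOCK_MS, now = Date.now } = {}) {
    this.threshold = threshold;
    this.blockMs = blockMs;
    this.now = now;         // injectable clock so expiry can be exercised offline
    this.state = new Map(); // ip -> { suspicious: number, blockedUntil: number }
  }

  // Returns "ALLOW" or "DENY" for one request from `ip`.
  decide(ip, isSuspicious) {
    const t = this.now();
    let entry = this.state.get(ip);
    if (entry && entry.blockedUntil && t >= entry.blockedUntil) {
      this.state.delete(ip); // block expired: forget this client's history
      entry = undefined;
    }
    if (entry && entry.blockedUntil) return "DENY"; // an active block covers every request
    if (!isSuspicious) return "ALLOW";              // clean requests never count
    entry = entry ?? { suspicious: 0, blockedUntil: 0 };
    entry.suspicious += 1;
    // Assumption: the request that reaches the threshold still passes and the
    // block applies from the next request onward.
    if (entry.suspicious >= this.threshold) entry.blockedUntil = t + this.blockMs;
    this.state.set(ip, entry);
    return "ALLOW";
  }
}

// Constructed sample run: six flagged requests from one IP, one from another, then a wait.
function simulate() {
  let clock = 0;
  const blocker = new ThresholdBlocker({ now: () => clock });
  const results = [];
  for (let i = 0; i < 6; i++) results.push(blocker.decide("203.0.113.7", true));
  results.push(blocker.decide("198.51.100.9", true)); // a different IP is unaffected
  clock += BLOCK_MS;                                   // 15 minutes later
  results.push(blocker.decide("203.0.113.7", false));
  return results;
}

console.log(simulate().join(" "));
```

A single flagged request never blocks a client in this model, which is the false-positive tolerance the threshold provides.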
Check out the docs, contact support, or join our Discord server.
All development for Arcjet examples is done in the arcjet/examples repository. You are welcome to open an issue here or in arcjet/examples directly. However, please direct all pull requests to arcjet/examples. Take a look at our contributing guide for more information.