Arcjet blog

@index.blog.arcjet.com.ap.brid.gy

Arcjet developer security blog. 🌉 bridged from https://blog.arcjet.com/ on the fediverse by https://fed.brid.gy/

1 followers0 following25 stories

Longform Stories

Announcing advanced bot signals to detect automation without CAPTCHAs

Arcjet Signals are evaluated without a CAPTCHA and enforced when the request passes through a critical flow. The browser gives us signals. The application gives us intent.

3d ago·8 min read·1456 words

Designing a CLI for AI agents

How we designed the Arcjet CLI in Go as a stable, defensive interface for humans and AI agents: predictable commands, machine-readable output, strict validation, and confirmation before production cha…

4d ago·12 min read·2343 words

Unified skills, Python docs, email management

What's new in Arcjet (2026-05-22). Unified coding agent skills, expanded Python docs, email notification management.

May 22·2 min read·252 words

Serving AI models with Open Inference Protocol APIs

How Arcjet hosts AI security models using Python, Open Inference Protocol, Go, and Modal: the architecture behind prompt injection detection.

May 20·8 min read·1444 words

Arcjet CLI and team management

What's new in Arcjet (2026-05-15). The Arcjet CLI and team management in the web dashboard.

May 15·1 min read·136 words

How we defend MCP tool outputs from prompt injection

How we defend Arcjet’s MCP tool outputs from prompt injection by separating trusted guidance from untrusted evidence in structured responses.

May 13·7 min read·1241 words

Introducing Arcjet Guards: security inside the agent loop

Arcjet Guards runs security rules inside agent tool handlers, queue consumers, and workflow steps - where proxies and WAFs can't see.

Apr 30·1 min read·29 words

Building a production MCP server in Go

How we built Arcjet’s production MCP server in Go: integrating with an existing API, reusing auth and middleware, designing agent tools, and supporting OAuth discovery.

Apr 28·1 min read·32 words

Advanced client signals, request filtering, build with agents

What's new in Arcjet (2026-04-24). Advanced client signals for bot detection, request filtering in the Arcjet dashboard and agent-focused documentation.

Apr 24·1 min read·28 words

From devcontainers to VMs: parallel dev environments for AI agents

How we replaced a single devcontainer with isolated OrbStack VMs to run multiple parallel development environments for AI agent workflows — architecture, CLI, and tradeoffs.

Apr 22·1 min read·35 words

Securing Serverless and Edge Apps with Arcjet

Serverless and edge architectures have changed how today’s apps are built, which also means they’ve also changed how they must be secured. If you’re deploying to AWS Lambda, Vercel Functions, Cloudfla…

Apr 21·1 min read·78 words

Arcjet MCP server, coding agent plugins, weekly security briefing

What's new in Arcjet (2026-04-17). MCP server, a new AI coding agent plugin for Claude Code and Cursor, and new weekly security briefings via email.

Apr 17·1 min read·34 words

Developers can finally own security

The expertise required to apply security correctly can now live inside the agent, not inside the developer's head or a separate team's backlog.

Apr 16·1 min read·28 words

How to Roll Out Application Layer Security Without Breaking Production

Deploying application layer security in production can feel risky. Blocking rules, rate limits, and bot protections directly change how your system handles traffic and a misconfigured threshold does n…

Apr 14·1 min read·87 words

Is CAPTCHA Still Effective in 2026 and What to Use Instead

Search for “Is CAPTCHA still effective?” and you will find plenty of confident answers. Most of them ignore how modern abuse actually works. CAPTCHA was designed for a web where bots were simplistic …

Apr 7·1 min read·85 words

Rate Limiting Algorithms: Token Bucket vs Sliding Window vs Fixed Window

Rate limiting is a foundational control in API security, abuse prevention, and distributed systems reliability. It determines how systems allocate finite capacity across users, services, and regions. …

Mar 24·1 min read·83 words

Introducing Arcjet AI prompt injection protection

Introducing Arcjet prompt injection detection. Catch hostile instructions before inference. Works with Next.js, Node.js, Flask, FastAPI, and any JavaScript / TypeScript or Python application.

Mar 18·1 min read·30 words

How to Measure the Real Impact of In-Code Security

You added in-code protection. Requests are being evaluated, and some are being blocked. That is good. But the real question is whether your app is actually better off because of it. Security metrics …

Mar 17·1 min read·93 words

How to Future-Proof Your App Security Against Evolving AI Attacks

If you maintain a public-facing form, you are already dealing with bots. The difference now is that they are getting harder to spot. Account registration endpoints, marketing sites, demo request flows…

Mar 10·1 min read·80 words

How to Integrate Arcjet Security into Your Stack in Minutes

Security tooling has a habit of turning into infra work. You start with something simple like rate limiting or bot protection. Suddenly you are configuring a proxy, updating DNS, or introducing a new …

Mar 3·1 min read·92 words

Why Email Domain Restrictions Alone Won’t Protect Your Marketing Forms

If you are a developer working on a marketing or growth team, you have probably implemented this rule at least once: Only accept business email addresses. It usually comes from a reasonable request. …

Feb 25·1 min read·92 words

Why Business Context Is the Missing Link in App-Level Attack Detection

Most attack detection still treats applications like interchangeable boxes: requests come in, signatures are matched, packets are inspected, and decisions are made in isolation. That approach worked w…

Feb 17·1 min read·88 words

Detecting Bots, Scraping, and AI-driven Abuse at the Application Layer

Abuse does not always look like abuse anymore. If you run an API or a user-facing application, you may not see traffic spikes or rate limits firing. Dashboards look calm. Everything appears normal. An…

Feb 10·1 min read·92 words

Arcjet JS SDK v1.0: Stability as a Developer Feature

We’ve just released v1.0 of the Arcjet JavaScript SDK. After more than two years of building, testing, and iterating in public, the SDK is no longer beta. The API is stable, production-ready, and some…

Feb 2·1 min read·85 words

Introducing the Arcjet Python SDK beta

The Arcjet Python SDK allows you to implement rate limiting, bot detection, email validation, and signup spam prevention in FastAPI and Flask style applications.

Jan 14·1 min read·30 words