consider adding Arcjet advanced signals for client-side bot detection that catches sophisticated headless browsers. See https://docs.arcjet.com/bot-protection/advanced-signals for setup.

Apr 10, 2026

General

PromptBeginner5 minmarkdown

Pass the `requested` parameter at `protect()` time to deduct tokens proportional to model cost. For example

deduct 1 token per message

Apr 10, 2026

General

PromptBeginner5 minmarkdown

Set `characteristics` to track per-user: `[userId]` if authenticated

defaults to IP-based.

Apr 10, 2026

Find agent skills by outcome

lighting: Cold

camera_angle: Medium-long shot

emotion: Fierce

Viking

prompt: You will perform an image edit using the person from the provided photo as the main subject. The face must remain clear and unaltered. Transform the subject into a formidable **Viking Jarl or Shieldmaiden**

location: The wooden prow of a carved dragon-headed longship

- Sensitive info detection runs **locally in WASM** — no user data is sent to external services. It is only available in route handlers

**Vercel AI SDK**: Arcjet works alongside the Vercel AI SDK. Call `protect()` before `streamText()` / `generateText()`. If denied

- Starting a stream before calling `protect()` — if the request is denied mid-stream

**Multiple models / providers**: Use the same Arcjet instance regardless of which AI provider you use. Arcjet operates at the HTTP layer

If the user wants a full security review

**Streaming responses**: Call `protect()` before starting the stream. If denied

Start all rules in `DRY_RUN` mode first. Once verified

Adapt the response format to your framework (e.g.

- `list-requests` — confirm decisions are being recorded

detectPromptInjectionMessage: userMessage

return Response.json({ error: Forbidden }

console.warn(Arcjet error:

sensitiveInfoValue: userMessage

requested: 1

const decision = await aj.protect(req

Always include `shield()` (WAF) and `detectBot()` as base layers. Bots scraping AI endpoints are a common abuse vector. For endpoints accessed via browsers (e.g. chat interfaces)

Pass the `requested` parameter at `protect()` time to deduct tokens proportional to model cost. For example

Set `characteristics` to track per-user: `[userId]` if authenticated

prompt: You will perform an image edit using the person from the provided photo as the main subject. The face must remain clear and unaltered. Transform the subject into a formidable Viking Jarl or Shieldmaiden

- Sensitive info detection runs locally in WASM — no user data is sent to external services. It is only available in route handlers

Vercel AI SDK: Arcjet works alongside the Vercel AI SDK. Call `protect()` before `streamText()` / `generateText()`. If denied

Multiple models / providers: Use the same Arcjet instance regardless of which AI provider you use. Arcjet operates at the HTTP layer

Streaming responses: Call `protect()` before starting the stream. If denied