Engineering
Updated
3 min read

How Arcjet approaches open source

How we think about open source licensing, releasing open source projects, forks, and contributing upstream.

How Arcjet approaches open source

Arcjet isn’t an open source company - but we believe in open source. We maintain a small number of public projects we use and rely on internally. We also contribute upstream where it makes sense.

Here’s how we think about open source at Arcjet: where we participate, what we maintain, and why we’ve drawn a clear line between SDK and service.

How we license Arcjet

Users of Arcjet interact with two core parts of the product:

  1. Our security SDK. This is integrated into your codebase, currently as a variety of JS packages for Node, Next.js, Remix, Bun, Deno, and other frameworks and runtimes all available for installation through NPM. This is licensed under the Apache-2.0 license because we want developers to feel comfortable including it in their codebase.
  2. Our cloud API. The SDK runs locally to make fast decisions, but calls our cloud API to enrich those with additional signals - IP reputation, bot verification lookups, etc. This is closed source and hosted by us in 38 different cloud regions. It’s the service part of our product.

How we’ve chosen to license these parts of the product reflects how they’re used. Code you bring into your application is licensed like any other library with minimal restrictions whereas our API is delivered as a service.

A big part of the value is how we maintain the service backed by our IP reputation data, threat intelligence, and real-time analysis engines, but paying customers also fund the development of the SDKs.

Arcjet architecture diagram, from our docs.

New open source projects

Our approach is to open source internal tools or projects that aren’t our core product, might benefit the community in some way, but that we will continue to maintain regardless. 

We don’t want to open source something and then abandon it.

I’ve seen too many startups throw repositories open with the hope that “the community” will do the work of maintaining and promoting them. That’s often the last resort of a failing business. Open source is not a business model.

So far we’ve released one project: gravity, a host generator for WebAssembly Components. This was (and still is) something we make heavy use of internally, we think could benefit the community, and we could benefit from others helping to improve it. WebAssembly has had a lot of focus in the Rust and JavaScript communities, but other languages have less developed host support. We needed something for our Go server.

Gravity is still very focused on our own use case, but we've already seen several external contributions and talked to some interesting companies who want to help develop it.

Forked open source projects

We use open source projects internally, many of which we use directly without modification. Others we’ve forked as the foundation for our own changes which diverged enough from the original that we released them as new projects. We’ll do this if we think the changes are likely to be useful to others - we won’t if the changes are very Arcjet specific.

A good example of this is the well-known-bots directory that we forked from crawler-user-agents and added additional metadata we needed for our bot detection functionality. This included additional URLs for tracking the source as well as categorization and more specific crawler listings. We proposed the changes upstream, but they were rejected so we ended up with a hard fork.

Contributing upstream

We encourage our team to contribute upstream. Submitting a well written bug report is a good step, but if we can also propose a fix that’s even better. That’s the power of open source and I hope we'll be able to do this more over time.

We also contribute to some projects by sponsoring with money.

Arcjet’s open source philosophy

Open source isn’t a branding exercise for us - it’s a tool. When we publish something, it’s because we use it, we’ll maintain it, and we think others might benefit. When we fork, it’s because upstream didn’t fit. And when we contribute, it’s because we want the ecosystem to be better. 

A huge company like Google has the resources to take a different approach, but that doesn’t mean a growing startup can’t contribute. This is our model.

Related articles

Subscribe by email

Get the full posts by email every week.