The Arcjet Python SDK allows you to implement rate limiting, bot detection, email validation, and signup spam prevention in FastAPI and Flask style applications.
Arcjet helps developers implement critical security protections against bots and signup spam. Directly integrated into your codebase, the Arcjet SDK provides building blocks to build security as just another feature, wherever you run and deploy your application.
We started with support for JavaScript and TypeScript applications because JS is the most popular language, particularly for new applications. However, it's a fairly modern pattern for applications to be built as a single codebase in a single language. It's very common to use JS for web application frontends, but often the backend is written in something else.
We get a lot of requests for support for additional languages, with Python being the most popular. Django is a particular driver of this given its popularity for web applications and APIs, but AI use cases have accelerated Python's popularity.
So that's why our next SDK is for Python! Available today in beta, our Python SDK supports both FastAPI (asynchronous) and Flask (synchronous) style APIs. It's open source and we have example applications for both FastAPI and Flask.
For example, with FastAPI you can protect your routes from common bots e.g. as part of a signup form:
from arcjet import Mode, detect_bot
from fastapi import APIRouter, Request
from fastapi.responses import JSONResponse
from app.arcjet import arcjet_with_rule
arcjet = arcjet_with_rule(
[
# Shield protects your app from common attacks e.g. SQL injection
detect_bot(
# configured with a list of bots to allow from
# https://arcjet.com/bot-list
allow=[], # blocks all automated clients
mode=Mode.LIVE, # will block requests. Use "DRY_RUN" to log only
),
]
)
router = APIRouter()
@router.get("/bots", name="Bot protection")
async def bots(request: Request):
"""
All automated clients will receive a 403 response. `curl` is considered an
automated client by default so you can test it by clicking "Try it out"
below and alternating between testing it in your browser running the `curl`
command from your terminal.
Learn more about Arcjet Bot protection in the [Arcjet docs](https://docs.arcjet.com/bot-protection/).
"""
decision = await arcjet.protect(request)
print(decision, flush=True)
if decision.is_denied():
if decision.reason.is_bot():
return JSONResponse(
{"message": "No bots allowed"},
status_code=403,
)
# If the request was denied for any other reason, return a 403 Forbidden
return JSONResponse(
{"message": "Forbidden"},
status_code=403,
)
if decision.is_error():
# Fail open to prevent an Arcjet error from blocking all requests. You
# may want to fail closed if this route is very sensitive
print(f"Arcjet error: {decision.error}", flush=True)
return JSONResponse({"message": "Hello world!"})The Python SDK supports core application-layer protections, including rate limiting, bot detection, email validation, and signup spam prevention. Protections are evaluated using Arcjet's contextual decision engine and applied as part of normal request handling, allowing teams to tailor behavior based on user activity, request patterns, and application-specific signals.
Our JS SDK is approaching a stable release so we're excited to be able to bring Arcjet to other languages, starting with Python!
Sign up for a free trial to get started today.
Get the full posts by email every week.