analyze-traffic
Analyze request traffic for an Arcjet site over a configurable time period (1-30 days). Returns total requests, denials, denial rate, top paths, top IPs, top denial reasons, and trend vs the previous period. Use this for a high-level security overview, to spot which paths or IPs generate the most denials, or to identify IPs worth investigating further with investigate-ip.
create-rule
# Create remote rule
Create a new remote rule for an Arcjet site. Supports four rule types: rate_limit (throttle request volume), bot (detect and control automated traffic), shield (WAF — block injection attacks and other OWASP threats), and filter (allow/deny by IP, country, headers, or other request attributes). Rules apply globally to all requests. Always create in DRY_RUN mode first, verify behavior with list-requests or get-dry-run-impact, then use promote-rule to switch to LIVE.
## Bot categories
allow/deny values are named bots (e.g. GOOGLE_CRAWLER, CURL) or categories: CATEGORY:SEARCH_ENGINE, CATEGORY:AI, CATEGORY:SOCIAL, CATEGORY:MONITOR, CATEGORY:GOOGLE, CATEGORY:AMAZON, CATEGORY:META, CATEGORY:MICROSOFT, CATEGORY:TOOL, CATEGORY:PROGRAMMATIC, CATEGORY:PREVIEW, CATEGORY:FEEDFETCHER, CATEGORY:WEBHOOK, CATEGORY:VERCEL, CATEGORY:SLACK, CATEGORY:ARCHIVE, CATEGORY:ACADEMIC, CATEGORY:ADVERTISING, CATEGORY:OPTIMIZER, CATEGORY:APPLE, CATEGORY:YAHOO, CATEGORY:BOTNET, CATEGORY:UNKNOWN.
## Filter expressions
Each allow/deny entry is a single expression string. Max 10 per rule, each ≤ 1024 bytes.
**IP fields**: ip.src (IP), ip.src.country, ip.src.continent, ip.src.city, ip.src.region, ip.src.postal_code, ip.src.asnum, ip.src.asnum.name, ip.src.asnum.type, ip.src.asnum.domain
**Boolean fields**: ip.src.vpn, ip.src.tor, ip.src.proxy, ip.src.relay, ip.src.hosting, ip.src.crawler
**HTTP fields**: http.host, http.request.method, http.request.uri.path
**Map fields**: http.request.headers["name"], http.request.cookie["name"], http.request.uri.args["name"]
**Operators**: `==`, `!=`, `contains`, `matches` / `~` (regex), `in {set}`, `wildcard`, `not` / `!`, `and` / `&&`, `or` / `||`
**Functions**: `len()`, `lower()`, `upper()`
Country codes are ISO 3166-1 alpha-2. Multiple countries use `in` with space-separated values: `ip.src.country in {"US" "CA" "GB"}`.
**Expression examples**: `ip.src.country == "US"`, `ip.src in { 1.2.3.4 5.6.7.8/24 }`, `ip.src.vpn or ip.src.tor`, `http.request.uri.path wildcard "/api/*"`, `not ip.src.country in {"US" "CA" "GB"}`, `http.request.headers["x-custom"] == "value"`.
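A pre-flight lint for allow/deny strings before they go into a DRY_RUN rule, as an added example (not Arcjet's code). It checks only what this section states: the 10-expression and 1024-byte limits, the listed field names, space-separated set members, and two-letter country codes. Assumptions: the field list above is exhaustive, string literals contain no escaped quotes, and the function names and sample expressions are constructed for illustration.

```python
import re
MAX_EXPRESSIONS, MAX_BYTES = 10, 1024      # limits stated in this section
FIELDS = {                                 # field names listed in this section
    "ip.src", "ip.src.country", "ip.src.continent", "ip.src.city", "ip.src.region",
    "ip.src.postal_code", "ip.src.asnum", "ip.src.asnum.name", "ip.src.asnum.type",
    "ip.src.asnum.domain", "ip.src.vpn", "ip.src.tor", "ip.src.proxy", "ip.src.relay",
    "ip.src.hosting", "ip.src.crawler", "http.host", "http.request.method",
    "http.request.uri.path", "http.request.headers", "http.request.cookie",
    "http.request.uri.args",
}
STRING = re.compile(r'"[^"]*"')            # assumption: no escaped quotes in literals
FIELD = re.compile(r"\b[a-z][a-z_]*(?:\.[a-z_]+)+")
SET = re.compile(r"\{([^}]*)\}")
COUNTRY = re.compile(r'ip\.src\.country\s*(?:in\s*\{([^}]*)\}|[!=]=\s*("[^"]*"))')

def lint_expression(expr):
    problems = []
    size = len(expr.encode("utf-8"))       # the limit is in bytes, not characters
    if size > MAX_BYTES:
        problems.append(f"{size} bytes exceeds {MAX_BYTES}")
    bare = STRING.sub('""', expr)          # blank out literals before scanning syntax
    for name in FIELD.findall(bare):
        if name not in FIELDS:
            problems.append(f"unknown field {name}")
    if any("," in body for body in SET.findall(bare)):
        problems.append("set members must be space-separated, not comma-separated")
    for in_set, single in COUNTRY.findall(expr):
        for code in STRING.findall(in_set or single):
            if not re.fullmatch(r"[A-Za-z]{2}", code.strip('"')):
                problems.append(f"country {code} is not an alpha-2 code")
    return problems

def lint_rule(expressions):
    report = {}                            # key "rule" or expression index -> problems
    if len(expressions) > MAX_EXPRESSIONS:
        report["rule"] = [f"{len(expressions)} expressions exceeds {MAX_EXPRESSIONS}"]
    for i, expr in enumerate(expressions):
        if (problems := lint_expression(expr)):
            report[i] = problems
    return report

SAMPLE = [                                 # constructed expressions, not real traffic
    'ip.src.country in {"US" "CA" "GB"}',
    'ip.src.country in {"US", "CA"}',
    'ip.src.country == "USA"',
    'ip.src.vpn or ip.source.tor',
    'http.request.headers["x-note"] == "' + "é" * 600 + '"',
]
```

An empty result from `lint_rule` means only that these page-stated constraints hold; the expression still needs a DRY_RUN pass to confirm it matches the intended traffic.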
## Rate limit match pattern
The optional `match` field is a glob-style path pattern restricting which requests the rate limit applies to. Examples: `/api/*`, `/api/v1/users`. If omitted, the rate limit applies to all paths.
## Rate limit characteristics
Default: ip.src. Other options: http.host, http.method, http.request.uri.path, http.request.headers["name"], http.request.cookie["name"], http.request.uri.args["name"].
create-site
Create a new Arcjet site within a team. Use this when onboarding a new application to Arcjet protection. Returns the site ID and SDK key (ARCJET_KEY) ready to add to your application's environment. After creating a site, use create-rule to add security rules.
delete-rule
Delete a remote rule from an Arcjet site. Takes effect immediately — requests previously blocked by this rule will start being allowed. This cannot be undone; use create-rule to re-create the rule if needed. Use list-rules first to get the rule ID.
explain-decision
Explain why Arcjet allowed or denied a specific request in natural language. Returns a plain-English summary, per-rule breakdown, and actionable next steps. Use this instead of get-request-details when the goal is to understand or troubleshoot a security decision — for example, when a user reports being blocked, or to verify that a newly created rule behaves as expected.
get-anomalies
Detect unusual security patterns for an Arcjet site by comparing a recent period to the previous period of equal length. Identifies traffic spikes, geographic shifts, new threat activities, new bot signatures, risk escalation, and suspicious IP surges. Returns anomalies sorted by severity with period-over-period metrics. Use this to proactively surface emerging threats, investigate sudden traffic changes, or as a daily check alongside get-security-briefing.
get-dry-run-impact
Analyze the potential impact of promoting dry-run rules to live. Shows precisely how many currently-allowed requests would have been blocked by each dry-run rule type, which IPs would be most affected, and a false-positive estimate. Use this before calling promote-rule to understand the impact of making a dry-run rule live.
get-request-details
Get full details for a specific request, including headers, rule execution results, IP, and fingerprint. Use this when you need raw request data for debugging — for example, checking which headers triggered a rule or confirming the SDK version. Prefer explain-decision when the goal is to understand why a request was allowed or denied. Common sensitive headers (Authorization, X-Api-Key, etc.) are redacted, but headers may still contain application-specific sensitive data — do not log or display header values without user confirmation.
get-security-briefing
Get a comprehensive security briefing for an Arcjet site in a single call. Composes active rules, traffic analysis, threat landscape, anomaly detection, dry-run promotion readiness, quota status, and prioritized recommendations into one response. Designed for periodic (e.g. daily) consumption — use this as a starting point when reviewing a site's security posture, then drill into specific areas with analyze-traffic, get-anomalies, or investigate-ip as needed.
get-site-key
Get the SDK key (ARCJET_KEY) for an Arcjet site. Use this when setting up Arcjet in a new application or retrieving the key for environment configuration. The returned key initializes the Arcjet SDK in your application code.
get-site-quota
Get quota usage and limits for an Arcjet site. Shows the current plan, usage by category (e.g. protected requests, bot detection), and whether any quotas are exceeded. Use this to check if a site is approaching plan limits before they cause service degradation, or to determine whether a plan upgrade is needed.
investigate-ip
Investigate an IP address in the context of a specific Arcjet site. Returns threat intelligence (network type, threat activities, entity classification, risk level), geolocation, and the IP's recent request activity on the site (conclusion breakdown, denial reasons, targeted paths, daily timeline). Use this for incident response — e.g. a user reports abuse from an IP, or analyze-traffic/list-requests surfaces a suspicious IP. Combine findings with create-rule to block the IP or its network if warranted.
list-requests
List recent requests for an Arcjet site, filtered by decision (ALLOW/DENY/ERROR). Use this to analyze traffic patterns, identify attacks, debug rate limit or bot denials, verify that new rules are working correctly in DRY_RUN mode, or find specific request IDs for deeper investigation with get-request-details or explain-decision. Supports pagination via cursor.
list-rules
List all remote rules configured for an Arcjet site. Returns each rule's ID, type, mode (LIVE/DRY_RUN), and configuration summary. Use this to audit the current security posture, find rule IDs for update-rule/delete-rule/promote-rule, or verify that rules created with create-rule are configured correctly.
list-sites
List all Arcjet sites belonging to a team. Each site represents one application protected by Arcjet (e.g. your API, dashboard, or marketing site). Use this to find site IDs needed by most other tools, or to verify which applications are already onboarded to Arcjet.
list-teams
List all Arcjet teams the authenticated user belongs to. This is the entry point — call this first to get team IDs required by list-sites and create-site. Most workflows start here: list-teams → list-sites → (other tools).
promote-rule
Promote a remote rule from DRY_RUN to LIVE mode. Convenience wrapper — reads the existing rule, changes its mode to LIVE, and saves it. Use get-dry-run-impact first to assess how many requests would be blocked and check for false positives. Returns an error if the rule is already in LIVE mode.
update-rule
Update an existing remote rule for an Arcjet site. This is a full replacement, not a partial patch — all fields must be provided, not just the changed ones. Use list-rules first to get the current rule ID and configuration, modify what you need, and pass the complete updated configuration. Common use cases: adjusting rate limits, adding bot categories, widening/narrowing filter expressions.