Arcjet JavaScript security SDK reaches stable v1.0 release

Arcjet's JavaScript security SDK hits version 1.0

Arcjet has released the stable v1.0 of its JavaScript SDK, moving the security tool out of beta. The platform embeds AI-powered security directly into a developer's codebase to analyze every request.

The SDK performs attack detection, bot mitigation, rate limiting, and form spam prevention. It is designed to integrate natively into modern applications to simplify the process of shifting security left in development.

A focus on stability over speed

The v1.0 release follows more than two years of public alpha and beta testing. Founder and CEO David Mytton said the goal was to ensure stability and reduce maintenance burdens for developers who adopt it.

“We’ve treated it as ‘production’ since the beginning, but this is the official label,” Mytton said. The company states it introduced only three breaking changes over the entire two-year testing period, maintaining backward compatibility wherever possible.

Mytton argues that reliability is critical for security tool adoption, especially in the JavaScript ecosystem. “Security tooling only helps if it stays installed,” he said, noting that constant version churn often leads to libraries being removed.

Addressing the shift-left gap

Arcjet first released its JavaScript SDK in alpha in 2023. It moved to beta in January 2025 after proving its core API design in real-world use.

The company says thousands of developers have now deployed the SDK to production. Analyst James Governor of RedMonk said the focus on developer experience is key to making security work.

“We have spent a lot of time talking about shift left security in the last 10 years, but it’s mostly been bullshit,” Governor said. “Unless you make the right thing the absurdly easy thing nobody is going to do it.”

New features and language support on the way

With the stable JavaScript foundation, Arcjet is planning several new releases. Mytton outlined the immediate roadmap, which includes:

• A public release of Arcjet’s local AI model, announced last year, within the next couple of months. This model runs inside the application environment to reduce false positives.
• Richer threat intelligence exposure, allowing teams to see the “why” behind security decisions and feed that data into their own risk analysis pipelines.
• Support for more programming languages, with Java and Go versions in development following the recent beta release of its Python SDK.

The company started with JavaScript and TypeScript because “that’s where most new applications are being built with full stack development,” Mytton explained last month.

How the technology works

Arcjet’s approach involves embedding a WebAssembly (Wasm) module within its SDK. This allows for local analysis of incoming requests at near-native speed without requiring a round-trip to an external service.

Beta user Chris Ellis, co-founder and CEO of Thatch, praised the visibility the tool provides. “Unlike a separate security service that gives us little visibility into its impact on our system, Arcjet gives us rich application-level insights at runtime,” Ellis said.

Mytton positioned the v1.0 release as a commitment to reducing developer toil. “Security should not introduce more work,” he said. “It should quietly remove an entire class of problems so teams can focus on building features instead of maintaining tooling.”