Arcjet vs Unkey vs Zuplo: API Security and Rate Limiting 2026

API abuse is not a theoretical risk. Gartner projected that API attacks would become the most frequent attack vector by 2025, and that has proven accurate. Credential stuffing, inventory scraping, fake account creation, and automated fraud funnel through APIs every second of every day. The collective cost to businesses now exceeds $75 billion annually, and it is accelerating as more companies expose more endpoints to the public internet.

The core problem is that traditional security tools were built for websites, not APIs. A WAF might catch SQL injection in a form field, but it will not stop a bot that is making 10,000 legitimate-looking API calls per minute to scrape your pricing data. Rate limiting sounds simple until you realize you need per-user, per-endpoint, per-IP, and per-API-key limits all working simultaneously without adding latency to every request.

Three tools have emerged with meaningfully different approaches to this problem: Arcjet embeds security directly into your application code, Unkey manages API keys with built-in per-key rate limits, and Zuplo adds protection at the gateway layer using OpenAPI-first policies. Each one makes a different architectural bet about where security enforcement should live. That bet has real consequences for your latency, your developer experience, and your ability to stop sophisticated attacks.

If you are building APIs that handle sensitive data or serve external consumers, the choice between these three tools shapes your entire security posture. This is not a decision you can easily reverse once you have built your enforcement logic around one approach.

Arcjet takes the most opinionated stance of the three: security rules should live in your application code, not in a separate proxy or gateway. You install the Arcjet SDK (available for Node.js, Next.js, Bun, SvelteKit, and other frameworks), define your rules in code, and Arcjet enforces them at the request level before your route handlers execute.

How It Works

Arcjet runs a lightweight WebAssembly module locally in your application process for low-latency decisions, combined with a cloud API for more complex analysis like bot detection and email validation. When a request hits your application, Arcjet evaluates it against your rules (rate limits, bot detection, email validation, sensitive data detection) and returns an allow or deny decision in single-digit milliseconds.

The key architectural insight is that Arcjet has access to application context that a gateway never sees. It knows which user is making the request, what their subscription tier is, and what data they are trying to access. That lets you write rules like "free tier users get 100 requests per hour on this endpoint, paid users get 10,000" without any gateway configuration.

Core Features

• Rate limiting: Fixed window, sliding window, and token bucket algorithms. Per-user, per-IP, or per-custom-key limits. Configurable in code with full type safety.
• Bot detection: Fingerprinting and behavioral analysis to distinguish humans from automated clients. Categorizes bots by type (search engines, scrapers, AI crawlers) so you can allow Googlebot while blocking everything else.
• Email validation: Checks for disposable addresses, MX record validity, and known spam domains. Useful for blocking fake signups at the API level.
• Shield (attack detection): Detects common attack patterns like SQL injection, cross-site scripting, and path traversal in API request bodies.
• Sensitive data detection: Scans request and response payloads for PII like credit card numbers, social security numbers, and email addresses to prevent accidental data exposure.

Strengths and Tradeoffs

The biggest advantage of Arcjet is granularity. Because rules live in your code, you can apply different policies to different endpoints, different user tiers, and different request types with zero infrastructure changes. You get full type safety, version control, and the ability to test your security rules in CI/CD just like any other code.

The tradeoff is that Arcjet only protects what it is installed in. If you have five microservices, you need to install and configure Arcjet in each one. It also means malicious traffic reaches your application process before being rejected, which is fine for rate limiting but less ideal for volumetric DDoS attacks where you want traffic dropped at the edge.

Unkey solves a different problem than Arcjet, though the two overlap on rate limiting. Unkey is fundamentally an API key management platform. It handles key creation, validation, revocation, and rotation, and it attaches rate limits and usage quotas directly to individual keys.

How It Works

You create API keys through Unkey's API or dashboard, assigning each key metadata like the owner, permissions, rate limits, and expiration. When a request arrives at your API, you call Unkey's verification endpoint with the key. Unkey responds with a valid or invalid decision plus the key's metadata, remaining rate limit quota, and any custom data you attached. The entire verification round-trip typically completes in under 40ms thanks to Unkey's global edge infrastructure.

Core Features

• Per-key rate limiting: Attach rate limits to individual API keys. One customer might get 1,000 requests per minute while another gets 50,000. Limits travel with the key, not with your infrastructure configuration.
• Usage analytics: Track how each key is being used, which endpoints are hit most frequently, and how close each consumer is to their quota. This data feeds directly into billing and capacity planning.
• Key rotation: Generate new keys, set overlap periods where both old and new keys are valid, and revoke old keys on a schedule. This eliminates the "big bang" key rotation problem where you need all consumers to update simultaneously.
• Temporary keys: Create keys with automatic expiration for short-lived use cases like trial access, webhooks, or CI/CD pipelines.
• Ratelimit namespace API: A standalone rate limiting service you can use without Unkey's key management. Useful if you need distributed rate limiting but handle key management yourself.

Strengths and Tradeoffs

Unkey excels when your primary challenge is managing API consumers. If you run a public API or a B2B SaaS product with dozens or hundreds of API consumers, the ability to manage keys, quotas, and usage from a single dashboard is extremely valuable. The per-key rate limiting model means your highest-value customers never compete for quota with free tier users.

The tradeoff is scope. Unkey does not do bot detection, does not scan for attack patterns, and does not inspect request payloads. It trusts the bearer of a valid API key and enforces the limits attached to that key. If someone steals a key, Unkey will happily serve requests until the key is revoked or the rate limit is hit. You still need something else (a WAF, Arcjet, or your own middleware) for request-level security. For teams already thinking about API-first development patterns, Unkey fits naturally into a well-designed key distribution workflow.

Zuplo takes the gateway approach, sitting in front of your API as a programmable reverse proxy. But unlike traditional gateways that use YAML or XML configuration, Zuplo is built around your OpenAPI specification. You define your API routes in OpenAPI format, attach policies (rate limiting, authentication, request validation) to each route, and Zuplo enforces them at the edge before traffic reaches your origin servers.

How It Works

Zuplo deploys to over 300 edge locations worldwide using Cloudflare Workers as the underlying runtime. When a request arrives, Zuplo routes it based on your OpenAPI spec, runs the attached policies in sequence, and forwards valid requests to your backend. Invalid requests are rejected at the edge with zero load on your origin. Custom policies are written in TypeScript, giving you full programmability without the constraints of declarative configuration.

Core Features

• Policy-based rate limiting: Attach rate limit policies to individual routes or groups of routes. Supports fixed window and sliding window algorithms with configurable keys (IP, API key, header value, custom function).
• OpenAPI-first request validation: Automatically validates incoming requests against your OpenAPI schema. Rejects requests with missing required fields, wrong types, or out-of-range values before they reach your backend.
• API key management: Built-in key creation, validation, and consumer management through a developer portal. Overlaps with Unkey's key management but bundled into the gateway.
• DDoS and bot protection: Because Zuplo runs at the edge on Cloudflare's network, you get baseline DDoS mitigation and bot management from the underlying infrastructure.
• Developer portal: Auto-generates API documentation and a key self-service portal from your OpenAPI spec. External developers can sign up, get keys, and explore your API without any custom portal work.

Strengths and Tradeoffs

Zuplo's edge deployment model is its biggest advantage for DDoS protection and global latency. Malicious traffic is dropped at the nearest edge location, never reaching your servers. The OpenAPI-first approach is also excellent for teams that already maintain detailed API specifications, since your security policies stay synchronized with your API contract.

The tradeoff is that Zuplo is a proxy in your request path. Every API call goes through Zuplo's infrastructure, which means you depend on their availability and their network performance. You also lose the application-level context that Arcjet has. Zuplo can rate limit by API key or IP, but it cannot easily rate limit by "user subscription tier" unless you pass that information in a header or implement a custom policy that calls your backend. For a broader comparison of gateway-level tools, see our analysis of Kong vs Apigee vs AWS API Gateway.

The single most important architectural difference between these three tools is where enforcement happens, because that determines both granularity and latency.

Arcjet: Application-Level Enforcement

Arcjet adds 1 to 5 milliseconds of latency per request for local rule evaluation. Bot detection and more complex analyses require a call to Arcjet's cloud API, which adds 10 to 30 milliseconds depending on your region. The benefit is that you have complete application context. You can rate limit by user ID, subscription tier, organization, or any custom attribute without any external configuration. Rules are evaluated after TLS termination and request parsing, so Arcjet sees the fully decoded request with all headers, body, and query parameters.

For most SaaS applications, the latency overhead is negligible. Your database queries, external API calls, and business logic typically take 50 to 500 milliseconds, so adding 5ms for security checks is not meaningful. The exception is ultra-low-latency APIs (financial trading, real-time gaming) where every millisecond matters.

Unkey: Verification-Level Enforcement

Unkey's key verification call adds approximately 20 to 40 milliseconds of latency, depending on the distance to the nearest edge node. This happens once per request when you validate the API key. The rate limit decision is included in the verification response, so you do not pay additional latency for rate limiting on top of key validation.

If you are already validating API keys on every request (which you should be), Unkey replaces your existing validation logic rather than adding to it. The net latency impact depends on how fast your current key validation is. If you are checking keys against a local database, Unkey might add latency. If you are checking against a remote auth service, it might actually be faster.

Zuplo: Edge-Level Enforcement

Zuplo adds the least latency for geographically distributed clients because enforcement happens at the nearest edge location. Typical overhead is 5 to 15 milliseconds for policy evaluation, and requests that fail validation never reach your origin at all. For clients close to an edge node, the total round-trip can actually be lower than going directly to your origin server.

The latency story inverts for volumetric attacks. When a DDoS hits, Arcjet still processes malicious requests through your application stack before rejecting them. Zuplo drops them at the edge. This difference does not matter for everyday rate limiting, but it matters significantly when someone targets your API with millions of requests per second.

Beyond basic rate limiting, these tools diverge sharply on three operational concerns that matter in production: handling large-scale attacks, rotating credentials safely, and the effort required to integrate with your existing stack.

DDoS Mitigation

Zuplo has the strongest DDoS story because it inherits Cloudflare's network-level protection. Volumetric attacks are absorbed by Cloudflare's 300+ PoP network before they reach Zuplo's policy engine. Your origin servers see zero attack traffic. This is the same infrastructure that protects some of the largest websites on the internet.

Arcjet provides application-level DDoS protection through its Shield feature and rate limiting, but your servers still receive the traffic. If an attacker sends 100,000 requests per second, your application process handles 100,000 Arcjet evaluations per second (even though most will be rejected). You need upstream infrastructure (a CDN, load balancer, or cloud provider DDoS protection) to absorb volumetric attacks before they hit your application.

Unkey has no DDoS protection at all. It is a key verification service, not a traffic filter. You need a separate DDoS solution in front of any API that uses Unkey for key management.

Key Rotation Workflows

Unkey wins this category decisively. Key rotation is a first-class feature: create a new key, set an overlap window, notify the consumer, verify both keys work during the transition, then revoke the old key. The entire workflow is API-driven and can be automated through your CI/CD pipeline or triggered from your admin dashboard. If you need to comply with SOC 2 requirements for startups, automated key rotation with audit logs is essential.

Zuplo handles key rotation through its built-in key management, which covers the basics (create, revoke, set expiration) but lacks the overlap-window and gradual-migration features that Unkey provides.

Arcjet does not manage API keys at all. Key management is outside its scope. You handle keys with your own system, a service like Unkey, or your authentication provider.

Integration Complexity

Arcjet is the easiest to integrate if you are building a new project. Install the npm package, add a few lines to your request handler, and you are protected. For existing projects, you need to add Arcjet middleware to each service, which can range from a 30-minute task (single Next.js app) to a multi-week project (20 microservices in different frameworks).

Unkey requires minimal code changes. Replace your current API key validation with a call to Unkey's verify endpoint. If you do not have API key validation yet, you need to add the key check to each endpoint or route. The SDK is lightweight and works with any HTTP framework.

Zuplo requires the most architectural change because it adds a new component to your infrastructure. All traffic must route through Zuplo, which means DNS changes, SSL certificate configuration, and potential changes to your deployment pipeline. Once deployed, adding policies is straightforward, but the initial setup is a larger effort than either Arcjet or Unkey.

The right choice depends on what you are actually protecting against and where your API sits in its lifecycle.

Choose Arcjet If:

You are building a SaaS application where most API consumers are your own frontend or mobile app. You need bot detection, not just rate limiting. You want security rules in code, version-controlled and testable. You are comfortable with application-level enforcement and have upstream DDoS protection (Cloudflare, AWS Shield, or similar). Arcjet is particularly strong for Next.js and Node.js applications where the SDK integration is seamless.

Choose Unkey If:

You run a public API or B2B product with multiple external consumers. You need per-customer rate limits and usage tracking. You want clean key lifecycle management with rotation, expiration, and audit trails. You are building a developer platform and need usage-based billing data. Unkey pairs well with Arcjet or a WAF, since it handles the key management layer while something else handles request-level security.

Choose Zuplo If:

You need edge-level DDoS protection as a primary concern. You already maintain detailed OpenAPI specifications and want your security policies tied to your API contract. You need a developer portal with self-serve key registration. You prefer gateway-level enforcement where malicious traffic never reaches your servers. Zuplo is the strongest choice for teams exposing APIs to a large number of external developers who need documentation and self-service access.

Combining Tools

These tools are not mutually exclusive. A common pattern for high-security APIs is Zuplo at the edge (DDoS protection, request validation, basic rate limiting) with Arcjet in the application (bot detection, application-aware rate limiting, sensitive data scanning) and Unkey for key lifecycle management. That gives you defense in depth at each layer of the stack.

For most startups, though, pick one. Arcjet covers the broadest set of use cases for teams building products. Unkey is the right answer when key management is your primary pain point. Zuplo fits when you need a full gateway with edge protection and a developer portal.

The cost of getting API security wrong is measured in data breaches, customer trust, and regulatory fines. The cost of getting it right is a few hours of integration work and a modest monthly bill. If you are building APIs that handle sensitive data, process payments, or serve external consumers, this is not something to defer. Book a free strategy call and we will help you choose the right security architecture for your specific API landscape.