DEV Community: Vibe-Start The latest articles on DEV Community by Vibe-Start (@brandon-vibestart). https://dev.to/brandon-vibestart https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3909225%2F010839dd-b260-40f5-9703-df13160013fc.png DEV Community: Vibe-Start https://dev.to/brandon-vibestart en Lakera Guard in 30 Lines — Production-Ready AI Safety for Next.js Route Handlers (2026) Vibe-Start Sat, 02 May 2026 15:31:58 +0000 https://dev.to/brandon-vibestart/lakera-guard-in-30-lines-production-ready-ai-safety-for-nextjs-route-handlers-2026-4j70 https://dev.to/brandon-vibestart/lakera-guard-in-30-lines-production-ready-ai-safety-for-nextjs-route-handlers-2026-4j70 <h2> 🛡 Why Your AI Route Handlers Need a Guard Layer </h2> <p>The moment you ship <code>/api/chat</code> in Next.js App Router, you have a structural security problem. User input flows directly into your LLM prompt, which means prompt injection, PII leakage, and system-prompt overrides are exposed without a single line of malicious code. OWASP's 2026 Agentic Top 10 (ASI) covers exactly this surface in ASI01 (Goal Hijack) and ASI02 (Memory Poisoning).</p> <p>Regex blocklists fall apart against variant inputs (<code>"!gnore previous instructions"</code>, base64-encoded payloads, newline tricks), and writing "refuse harmful requests" in your system prompt is trivially bypassed. The 2026 standard is a separate validation layer in front of the LLM call: only validated inputs reach the model. Lakera Guard delivers that validation as a one-call SaaS — the lowest-friction option on the market.</p> <h2> 📋 The 4 Risks Lakera Guard Catches </h2> <p>POST text to the Lakera Guard API and you get back a per-category risk score (0.0 to 1.0). Standard policy: block above 0.5, pass below.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Category</th> <th>Risk it catches</th> <th>OWASP ASI mapping</th> </tr> </thead> <tbody> <tr> <td><code>prompt_injection</code></td> <td>System-prompt override, mission swap</td> <td>ASI01 Goal Hijack</td> </tr> <tr> <td><code>jailbreak</code></td> <td>Safety guideline bypass (DAN, "ignore previous")</td> <td>ASI01 / ASI06</td> </tr> <tr> <td><code>pii</code></td> <td>Emails, phone, SSN, card numbers in input</td> <td>ASI02 Memory Poisoning</td> </tr> <tr> <td><code>moderation</code></td> <td>Violence, self-harm, hate, sexual content</td> <td>ASI05 Cascading Hallucination</td> </tr> </tbody> </table></div> <p>The free tier covers 10,000 calls per month — plenty for personal projects or a side SaaS during validation. Switch to paid when production traffic crosses that line.</p> <h2> 🔑 Setup — 5 Minutes End to End </h2> <h3> 1. Get an API key </h3> <p>Sign up at <a href="https://www.lakera.ai/" rel="noopener noreferrer">lakera.ai</a> → Dashboard → <strong>API Keys</strong> → create a new key. Keys start with the <code>lak_</code> prefix.</p> <h3> 2. Add the env var </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># .env.local</span> <span class="nv">LAKERA_GUARD_API_KEY</span><span class="o">=</span>lak_your_key_here </code></pre> </div> <p>Don't commit <code>.env.local</code>. On Vercel, add the same variable in Project Settings → Environment Variables. LLM calls in this guide route through <strong>Vercel AI Gateway (OIDC)</strong> — no OpenAI/Anthropic provider keys in code. One <code>vercel env pull .env.local</code> provisions the <code>VERCEL_OIDC_TOKEN</code> and you're done.</p> <h3> 3. Use fetch directly — zero dependencies </h3> <p>Lakera ships an SDK, but for Edge Runtime compatibility plain <code>fetch</code> is the safer choice. No <code>node_modules</code> bloat and the same code runs identically on Edge.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/lakera.ts</span> <span class="kd">type</span> <span class="nx">GuardCategory</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">prompt_injection</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">jailbreak</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">pii</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">moderation</span><span class="dl">"</span><span class="p">;</span> <span class="kd">type</span> <span class="nx">GuardResult</span> <span class="o">=</span> <span class="p">{</span> <span class="na">flagged</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">categories</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="nx">GuardCategory</span><span class="p">,</span> <span class="kr">number</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">};</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">lakeraGuard</span><span class="p">(</span><span class="nx">input</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">GuardResult</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://api.lakera.ai/v2/guard</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span><span class="p">,</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">LAKERA_GUARD_API_KEY</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">messages</span><span class="p">:</span> <span class="p">[{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user</span><span class="dl">"</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="nx">input</span> <span class="p">}]</span> <span class="p">}),</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">res</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Lakera Guard </span><span class="p">${</span><span class="nx">res</span><span class="p">.</span><span class="nx">status</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">as</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">GuardResult</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>That's the entire helper. Reuse this 14-line file from every Route Handler that touches an LLM.</p> <h2> 💻 30-Line Integration — App Router Route Handler </h2> <p>The simplest one-shot chat endpoint with Lakera Guard wired in. User message arrives → ① Lakera validates → ② if allowed, OpenAI is called → ③ if blocked, return 422.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/chat/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">generateText</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">ai</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">lakeraGuard</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/lib/lakera</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">runtime</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">edge</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">Response</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">message</span> <span class="p">}</span> <span class="o">=</span> <span class="p">(</span><span class="k">await</span> <span class="nx">req</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="k">as</span> <span class="p">{</span> <span class="na">message</span><span class="p">:</span> <span class="kr">string</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">guard</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">lakeraGuard</span><span class="p">(</span><span class="nx">message</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">guard</span><span class="p">.</span><span class="nx">flagged</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Input blocked by safety check</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">422</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">text</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">generateText</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="dl">"</span><span class="s2">openai/gpt-5.4</span><span class="dl">"</span><span class="p">,</span> <span class="na">prompt</span><span class="p">:</span> <span class="nx">message</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">reply</span><span class="p">:</span> <span class="nx">text</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>The entire defense is <code>if (guard.flagged) return 422</code>. Closing the gate before the LLM call prevents wasted tokens, latency, and log pollution all at once. The model is specified as a plain <code>"provider/model"</code> string — AI SDK v6 routes this through the AI Gateway automatically, with no provider SDK import and no API key in code. In production, omit category names from the 422 body — exposing them gives bypass attempts a free training signal.</p> <h2> 🌊 Streaming Chat — Vercel AI SDK Integration </h2> <p>Real chat UIs stream. With Vercel AI SDK's <code>streamText</code>, the question is where to put the guard, and the answer is <strong>before the stream opens</strong>. Output validation belongs in a separate layer.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/chat-stream/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">streamText</span><span class="p">,</span> <span class="nx">convertToModelMessages</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">UIMessage</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">ai</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">lakeraGuard</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/lib/lakera</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">runtime</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">edge</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">Response</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">messages</span> <span class="p">}</span> <span class="o">=</span> <span class="p">(</span><span class="k">await</span> <span class="nx">req</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="k">as</span> <span class="p">{</span> <span class="na">messages</span><span class="p">:</span> <span class="nx">UIMessage</span><span class="p">[]</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">lastUser</span> <span class="o">=</span> <span class="nx">messages</span><span class="p">.</span><span class="nf">filter</span><span class="p">((</span><span class="nx">m</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">m</span><span class="p">.</span><span class="nx">role</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">user</span><span class="dl">"</span><span class="p">).</span><span class="nf">pop</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">lastUserText</span> <span class="o">=</span> <span class="nx">lastUser</span><span class="p">?.</span><span class="nx">parts</span> <span class="p">.</span><span class="nf">filter</span><span class="p">((</span><span class="nx">p</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">p</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">p</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">p</span><span class="p">.</span><span class="nx">text</span><span class="p">)</span> <span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="se">\n</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">lastUserText</span><span class="p">)</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Response</span><span class="p">(</span><span class="dl">"</span><span class="s2">No user text</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">400</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">guard</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">lakeraGuard</span><span class="p">(</span><span class="nx">lastUserText</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">guard</span><span class="p">.</span><span class="nx">flagged</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Response</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">blocked</span><span class="dl">"</span> <span class="p">}),</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">422</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nf">streamText</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="dl">"</span><span class="s2">openai/gpt-5.4</span><span class="dl">"</span><span class="p">,</span> <span class="na">messages</span><span class="p">:</span> <span class="nf">convertToModelMessages</span><span class="p">(</span><span class="nx">messages</span><span class="p">),</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nf">toUIMessageStreamResponse</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p>Two AI SDK v6 essentials are baked in here. ① The client sends <code>UIMessage[]</code>, where each message has a <code>parts</code> array (not a <code>content</code> string) — extract user text by filtering parts of <code>type: "text"</code>. ② <code>streamText</code> returns a result whose <code>toUIMessageStreamResponse()</code> is what <code>useChat</code> clients expect (the older <code>toDataStreamResponse()</code> was renamed in v6). Once a stream opens it's hard to cleanly cut tokens mid-flight, so blocking at the input stage wins on both UX and cost. Output-side risks (model emitting PII, model complying with jailbreak) belong in a downstream post-processing layer.</p> <h2> ⚙️ Cost &amp; Latency — Real Numbers </h2> <p>Numbers worth knowing before you adopt this, because they make decisions faster.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Value</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>Average API latency</td> <td>80–120ms (us-east)</td> <td>Add ~100ms from APAC</td> </tr> <tr> <td>Free tier</td> <td>10,000 calls/month</td> <td>Enough for solo side projects</td> </tr> <tr> <td>Paid entry</td> <td>$99/month (50,000 calls)</td> <td>~$0.002 per call</td> </tr> <tr> <td>Edge Runtime</td> <td>✅ Fully compatible</td> <td>fetch-based, no cold start hit</td> </tr> <tr> <td>Response payload</td> <td>~300 bytes</td> <td>Negligible</td> </tr> </tbody> </table></div> <p>100–200ms of guard latency disappears next to first-token LLM latency (typically 500–1500ms). If you still want to shave it, pin your Edge Function region to us-east-1 to colocate with the Lakera endpoint.</p> <h2> 🚀 Production Checklist </h2> <p>Five things to verify before you ship. Five-minute review.</p> <ol> <li> <strong>Fail-open or fail-closed?</strong> What happens if the Lakera API is down? Decide explicitly: security-first → fail-closed (block on error); availability-first → fail-open (pass + log).</li> <li> <strong>Don't leak block reasons</strong> — Strip categories and scores from the 422 response. Exposing them hands bypass attempts a feedback loop.</li> <li> <strong>Mask blocked input in logs</strong> — Persisting raw blocked content puts log readers in front of malicious payloads. Hash or truncate.</li> <li> <strong>Track separately from rate limits</strong> — Lakera blocks are likely intentional attacks. Count them per-IP/per-account distinct from generic rate limits, and ramp blocking duration on repeat offenders.</li> <li> <strong>Alert on quota</strong> — Wire an alert at 80% of your monthly quota. A traffic spike that you only notice on next month's invoice is an avoidable surprise.</li> </ol> <p>For the broader OWASP ASI checklist that covers permissions, logging, and human-approval gates, pair this article with the <a href="https://1daymillion.com/owasp-agentic-top-10-2026/" rel="noopener noreferrer">5-minute audit guide</a>.</p> <h2> 📝 Next Layers </h2> <p>Lakera Guard is the first input-validation layer. Once your runtime is stable, layer in:</p> <ul> <li> <strong>Output validation</strong> — Verify model responses don't contain PII (Lakera can score outputs too)</li> <li> <strong>Call logging</strong> — Langfuse or Helicone auto-records every call's I/O, cost, and latency (covers ASI09 Untraceability)</li> <li> <strong>Human-approval gates</strong> — Wire Slack-bot approval for risky tools like payment, external send (covers ASI06 / ASI10)</li> <li> <strong>NeMo Guardrails</strong> — Policy-as-code over conversation flow itself. YAML overhead, but strong for complex agents</li> </ul> <p>Stack all four and you cover ~90% of OWASP ASI Top 10 in production.</p> <p><em>Originally published on <a href="https://vibe-start.com/en/blog/lakera-guard-nextjs-integration" rel="noopener noreferrer">vibe-start.com</a>. I'm building <a href="https://vibe-start.com" rel="noopener noreferrer">VibeStart</a> — a 30-minute path for non-developers to start AI-assisted coding.</em></p> nextjs ai security webdev