How to bolt on AI safety in Next.js with 30 lines of code

Next.js route handlers that pipe user input straight into an LLM are sitting ducks for prompt injection, PII leaks, and mission hijacking. OWASP’s 2026 Agentic Top 10 now lists these risks in ASI01 Goal Hijack and ASI02 Memory Poisoning, pushing developers toward a separate validation layer before the model even sees the prompt. Lakera Guard delivers that layer as a one-call SaaS, giving you production-grade AI safety without rewriting your prompt engineering or spinning up custom filter code.

Four threat vectors Lakera Guard neutralizes before they reach your model

Lakera Guard scans each incoming message and returns a per-category risk score from 0.0 to 1.0. Standard policy blocks anything scoring 0.5 or higher.

• Prompt Injection: Overrides your system prompt or shifts the model’s goal—mapped to OWASP ASI01 Goal Hijack.
• Jailbreak Attempts: Phrases like "ignore previous instructions" or DAN-style escapes, also covered under ASI01.
• Personally Identifiable Info: Automatic detection of email addresses, phone numbers, Social Security numbers, and credit card details—flagged by ASI02 Memory Poisoning.
• Content Policy Violations: Violence, self-harm, hate speech, and sexually explicit material—mapped to OWASP ASI05 Cascading Hallucination.

The free tier handles up to 10,000 calls per month, enough to validate a side project or small SaaS before you scale.

Five-minute setup: API key, environment variable, and a 14-line helper

Start by grabbing your key from the Lakera dashboard under API Keys; keys begin with the lak_ prefix. Plug that key into your local .env.local as shown below, then push the same variable to your host (for example, Vercel’s Project Settings → Environment Variables).

# .env.local
LAKERA_GUARD_API_KEY=lak_your_key_here

With the key in place, drop the 14-line helper into /lib/lakera.ts. It uses native fetch so it works on both Node and Edge runtimes without additional dependencies.

// lib/lakera.ts
type GuardCategory =
  | "prompt_injection"
  | "jailbreak"
  | "pii"
  | "moderation";

type GuardResult = {
  flagged: boolean;
  categories: Record<GuardCategory, number>;
};

export async function lakeraGuard(input: string): Promise<GuardResult> {
  const res = await fetch(" {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: `Bearer ${process.env.LAKERA_GUARD_API_KEY}`,
    },
    body: JSON.stringify({ messages: [{ role: "user", content: input }] }),
  });
  if (!res.ok) throw new Error(`Lakera Guard ${res.status}`);
  return res.json() as Promise<GuardResult>;
}

That single file becomes the one-stop safety check reused across every route handler that touches an LLM.

A 30-line chat endpoint that blocks risky prompts instantly

The simplest POST handler wires the guard in series: user message → Lakera Guard → if clean, call the LLM → if blocked, send a 422 Unprocessable Entity.

// app/api/chat/route.ts
import { NextResponse } from "next/server";
import { generateText } from "ai";
import { lakeraGuard } from "@/lib/lakera";

export const runtime = "edge";

export async function POST(req: Request): Promise<Response> {
  const { message } = (await req.json()) as { message: string };
  const guard = await lakeraGuard(message);

  if (guard.flagged) {
    return NextResponse.json(
      { error: "Input blocked by safety check" },
      { status: 422 }
    );
  }

  const { text } = await generateText({
    model: "openai/gpt-5.4",
    prompt: message,
  });

  return NextResponse.json({ reply: text });
}

The entire defense boils down to if (guard.flagged) return 422, which stops the LLM call before any tokens are wasted. The model string is kept provider-agnostic ("openai/gpt-5.4"), letting Vercel’s AI Gateway handle routing and authentication without exposing provider keys in your codebase.

Streaming chat without opening the floodgates mid-stream

Live chat interfaces need streaming responses, but the guard must run before the stream opens. Output-side validation should sit in its own layer after the stream completes.

// app/api/chat-stream/route.ts
import { streamText, convertToModelMessages, type UIMessage } from "ai";
import { lakeraGuard } from "@/lib/lakera";

export const runtime = "edge";

export async function POST(req: Request): Promise<Response> {
  const { messages } = (await req.json()) as { messages: UIMessage[] };
  const lastUser = messages.filter((m) => m.role === "user").pop();
  const lastUserText = lastUser?.parts
    .filter((p) => p.type === "text")
    .map((p) => p.text)
    .join("\n");

  if (!lastUserText) {
    return new Response("No user text", { status: 400 });
  }

  const guard = await lakeraGuard(lastUserText);
  if (guard.flagged) {
    return new Response(
      JSON.stringify({ error: "blocked" }),
      { status: 422, headers: { "Content-Type": "application/json" } }
    );
  }

  const result = streamText({
    model: "openai/gpt-5.4",
    messages: convertToModelMessages(messages),
  });

  return result.toUIMessageStreamResponse();
}

Two details in AI SDK v6 make this integration smooth: the client sends UIMessage[] where text content lives inside parts, and the new toUIMessageStreamResponse method ensures compatibility with useChat on the frontend. Once the stream starts, aborting mid-flight is painful and costly, so guard early and keep the model innocent of risky prompts.

Next steps: lock it down before you scale

Adding Lakera Guard to a Next.js route handler takes fewer than 30 lines of code and zero SDK sprawl. The guard runs in the critical path between user input and LLM call, stopping prompt injection, PII leaks, and jailbreak attempts before they reach the model. Start with the free tier, tighten thresholds as you learn your traffic patterns, and keep output-side checks separate to avoid streaming disruptions. With this layer in place, your AI endpoints can ship with confidence—and without rewriting your prompt library every time OWASP publishes an update.