Edge Computing

Authrim is an edge-native Identity & Access Platform. Every authentication request — login, token exchange, session validation — is processed at Cloudflare’s edge network, close to the user. This page explains why edge matters for identity, how Authrim leverages the Cloudflare Workers platform, and what performance and cost characteristics this architecture achieves.

Why Edge for Identity?

Traditional identity platforms run on centralized servers in one or a few regions. This creates inherent limitations:

| Challenge | Centralized Approach | Edge Approach |
|---|---|---|
| Latency | 100–300ms round-trip to distant server | <50ms from nearest edge location |
| Cold start | Container/VM startup adds 200ms–2s | No cold start (V8 isolates) |
| Scaling | Vertical scaling or complex auto-scaling | Automatic horizontal scaling per-request |
| Single point of failure | Region outage = full outage | Distributed across 300+ locations |
| Global users | Poor experience for distant users | Consistent experience worldwide |

Authentication is on the critical path of every user interaction. A slow login flow or token validation directly impacts user experience and application performance. Moving authentication to the edge eliminates the geographic penalty.

Cloudflare Workers Platform

Authrim runs on Cloudflare Workers, a serverless platform with unique characteristics:

V8 Isolates (Not Containers)

Workers execute in V8 isolates — lightweight execution contexts within V8, the JavaScript engine that powers Chrome. Unlike containers or VMs:

  • No cold start — isolates spin up in under 5ms (vs. 200ms–2s for containers)
  • Lightweight — each isolate uses ~2MB memory (vs. 50–200MB for containers)
  • Secure — each tenant runs in its own sandboxed isolate with a separate heap and no shared state

Global Distribution

Workers run on Cloudflare’s network of 300+ locations across 100+ countries. There is no “region selection” — code runs everywhere, automatically.

Platform Primitives

Authrim leverages the full Workers ecosystem:

| Primitive | Usage in Authrim |
|---|---|
| Workers | Stateless request processing (auth flows, token validation) |
| Durable Objects | Stateful storage (sessions, auth codes, challenges) |
| D1 | Relational database (users, clients, roles, policies) |
| KV | Global key-value cache (JWKS, configuration, settings) |
| Service Bindings | Inter-worker communication (zero-network-cost RPC) |
| Queues | Async processing (webhooks, SCIM sync, audit log export) |
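
To make the table concrete, here is a minimal sketch of how these primitives surface in Worker code as typed bindings. The binding names (SESSIONS, AUTHRIM_DB, CONFIG_KV, TOKEN_SERVICE, WEBHOOK_QUEUE) are illustrative assumptions, not Authrim's actual configuration.

```typescript
// Illustrative only: binding names are hypothetical, not Authrim's real config.
// Types come from @cloudflare/workers-types.
interface Env {
  SESSIONS: DurableObjectNamespace; // Durable Objects: stateful session storage
  AUTHRIM_DB: D1Database;           // D1: users, clients, roles, policies
  CONFIG_KV: KVNamespace;           // KV: cached JWKS, configuration, settings
  TOKEN_SERVICE: Fetcher;           // Service Binding: zero-network-cost RPC to another Worker
  WEBHOOK_QUEUE: Queue;             // Queues: async webhooks, SCIM sync, audit export
}

export default {
  async fetch(request: Request, env: Env): Promise<Response> {
    // Stateless Worker entry point: route the request and touch bindings as needed.
    const config = await env.CONFIG_KV.get('tenant-config', 'json');
    return new Response(JSON.stringify({ ok: true, config }), {
      headers: { 'content-type': 'application/json' },
    });
  },
};
```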

Stateless Workers + Stateful Durable Objects

Authrim’s architecture cleanly separates concerns:

```mermaid
flowchart TB
    subgraph Stateless["Stateless Layer — Workers"]
        w1["Request routing"]
        w2["Token signing"]
        w3["OIDC validation"]
        w4["Policy eval"]
        w5["Claim mapping"]
    end
    subgraph Stateful["Stateful Layer — Durable Objects"]
        do1["Session storage"]
        do2["Auth code lifecycle"]
        do3["Challenge state"]
        do4["Refresh tokens"]
        do5["Rate limit counters"]
    end
    Stateless -- RPC --> Stateful
    Stateless --> D1["D1 (SQL)"]
    Stateful --> DOS["DO Storage (per-shard)"]
```

Workers handle stateless computation — parsing requests, validating tokens, evaluating policies, constructing responses. They scale horizontally with zero configuration.

Durable Objects handle stateful operations — storing sessions, managing auth code lifecycle, enforcing rate limits. Each DO instance is a single-threaded actor with strongly consistent storage, distributed via region sharding.

This separation means the stateless layer scales effectively without limit (Cloudflare handles it), while the stateful layer scales through explicit sharding (Authrim manages it).
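
A minimal sketch of this split, assuming a hypothetical SESSIONS namespace and SessionStore class: the stateless Worker derives a Durable Object id from the session identifier and forwards the stateful part of the request to that single-threaded actor.

```typescript
// Sketch only: names (SESSIONS, SessionStore) are hypothetical, not Authrim's real classes.
export default {
  async fetch(request: Request, env: { SESSIONS: DurableObjectNamespace }): Promise<Response> {
    // Stateless work: parse and validate the request in the Worker.
    const sessionId = new URL(request.url).searchParams.get('sid') ?? 'anonymous';

    // Stateful work: route to the Durable Object that owns this session.
    const id = env.SESSIONS.idFromName(sessionId);
    const stub = env.SESSIONS.get(id);
    return stub.fetch(request); // forwarded to the actor's fetch() handler
  },
};

export class SessionStore implements DurableObject {
  constructor(private state: DurableObjectState) {}

  async fetch(request: Request): Promise<Response> {
    // Single-threaded actor with strongly consistent, transactional storage.
    const visits = ((await this.state.storage.get<number>('visits')) ?? 0) + 1;
    await this.state.storage.put('visits', visits);
    return new Response(JSON.stringify({ visits }));
  }
}
```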

Performance Characteristics

Measured under load testing against a production-equivalent deployment:

| Metric | Value | Notes |
|---|---|---|
| End-to-end latency | <50ms | Authorization code exchange (P95) |
| Worker CPU time | 1–4ms | Per request (P50) |
| Token validation | <5ms | JWT signature verification |
| Throughput | 2,500–3,500 RPS | Per worker instance, sustained |
| Cold start | <5ms | V8 isolate initialization |
| D1 query | 1–3ms | Simple SELECT with index |
| DO access | 2–8ms | Intra-region RPC |
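
The token-validation figure above corresponds to stateless JWT signature verification inside a Worker. A rough sketch of that step using the jose library follows; the library choice, issuer URL, and audience are assumptions for illustration, not necessarily what Authrim ships.

```typescript
// Sketch: jose-based verification against a published JWKS.
// The issuer and JWKS URL below are placeholders, not real Authrim endpoints.
import { createRemoteJWKSet, jwtVerify } from 'jose';

const ISSUER = 'https://auth.example.com';
const JWKS = createRemoteJWKSet(new URL(`${ISSUER}/.well-known/jwks.json`));

export async function validateAccessToken(token: string): Promise<boolean> {
  try {
    // Signature, issuer, audience, and expiry are all checked here;
    // the fetched JWKS can additionally be cached (e.g. in KV) to avoid refetching keys.
    await jwtVerify(token, JWKS, {
      issuer: ISSUER,
      audience: 'example-api',
    });
    return true;
  } catch {
    return false;
  }
}
```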

Why Sub-50ms Matters

For comparison, traditional identity providers typically show:

  • Auth0: 100–300ms (varies by region and plan)
  • AWS Cognito: 50–200ms (within-region), 200–500ms (cross-region)
  • Self-hosted Keycloak: 20–100ms (same datacenter), 100–500ms (remote)

Authrim’s sub-50ms latency is consistent regardless of user location, because processing always happens at the nearest edge.

Scaling

Horizontal Scaling

Workers scale automatically — Cloudflare instantiates as many isolates as needed to handle incoming requests. No provisioning, no capacity planning.

For Durable Objects, Authrim uses region sharding to distribute load. Each resource type (sessions, auth codes, etc.) is partitioned across multiple shards in multiple geographic regions. See Architecture — Durable Object Region Sharding for details.

The result:

```mermaid
flowchart TB
    req["Incoming requests"]
    req --> W1["Worker 1"] & W2["Worker 2"] & WN["Worker N"]
    W1 & W2 & WN --> DO0["DO s:0 (enam)"] & DO1["DO s:1 (enam)"] & DO2["DO s:2 (weur)"] & DO3["DO s:3 (apac)"]
```
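
A hedged sketch of the shard routing shown in the diagram: each Worker hashes a stable key to a shard index and derives the Durable Object name from it, so every Worker instance maps the same user to the same shard. The shard count, naming scheme (session:s:<n>), and hash function are illustrative, not Authrim's actual scheme.

```typescript
// Illustrative shard routing: names and shard count are hypothetical.
const SHARD_COUNT = 4;

function shardFor(key: string): number {
  // Simple 32-bit FNV-1a hash to spread keys evenly across shards.
  let hash = 0x811c9dc5;
  for (let i = 0; i < key.length; i++) {
    hash ^= key.charCodeAt(i);
    hash = Math.imul(hash, 0x01000193);
  }
  return (hash >>> 0) % SHARD_COUNT;
}

export async function routeToSessionShard(
  env: { SESSIONS: DurableObjectNamespace },
  userId: string,
  request: Request,
): Promise<Response> {
  // Deterministic mapping: the same user always lands on the same shard name.
  const shard = shardFor(userId);
  const id = env.SESSIONS.idFromName(`session:s:${shard}`);
  return env.SESSIONS.get(id).fetch(request);
}
```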

Smart Placement

Cloudflare Workers Smart Placement automatically runs Workers closer to their backend services (D1 databases) rather than at the nearest edge. Authrim enables Smart Placement on database-heavy Workers like ar-management and ar-token, reducing D1 query latency by co-locating compute with storage.

For Durable Object operations, locationHint serves a similar purpose — placing DOs in the region closest to the target user population.
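
On the Durable Object side, a minimal sketch of passing a location hint when a stub is first obtained; the helper name, the narrowed set of region codes, and the example mapping are assumptions for illustration.

```typescript
// Sketch: locationHint only influences where a Durable Object is *created*;
// subsequent calls reach the same object wherever it already lives.
function stubNear(
  ns: DurableObjectNamespace,
  name: string,
  hint: 'enam' | 'weur' | 'apac', // subset of Cloudflare's documented region hints
): DurableObjectStub {
  const id = ns.idFromName(name);
  return ns.get(id, { locationHint: hint });
}

// Example: keep a European session shard's DO in Western Europe.
// const stub = stubNear(env.SESSIONS, 'session:s:2', 'weur');
```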

Cost Efficiency

Running an identity platform on Cloudflare Workers is significantly more cost-efficient than traditional infrastructure:

Cost Breakdown (5M Monthly Active Users)

| Component | Monthly Cost | Notes |
|---|---|---|
| Workers (requests) | ~$25 | 50M requests/month on Workers Paid |
| D1 (storage + reads) | ~$20 | 3 databases, ~10GB total |
| KV (reads) | ~$5 | Cache reads for config/JWKS |
| Durable Objects | ~$25 | Storage + requests across shards |
| Total | ~$75–85 | |

For comparison, equivalent capacity on traditional platforms:

| Platform | Estimated Monthly Cost |
|---|---|
| Auth0 (B2C, 5M MAU) | $2,300+ |
| AWS Cognito (5M MAU) | $27,500 (at $0.0055/MAU) |
| Self-hosted (3 regions) | $500–2,000 (compute + DB + ops) |
| Authrim on Workers | ~$80 |

Edge vs. Traditional — Summary

| Aspect | Traditional (Central) | Authrim (Edge) |
|---|---|---|
| Latency | 100–500ms (varies by distance) | <50ms (consistent globally) |
| Cold start | 200ms–2s | <5ms |
| Scaling | Manual / auto-scale (minutes) | Automatic (milliseconds) |
| Regions | 1–3 (provisioned) | 300+ (automatic) |
| Cost (5M MAU) | $500–$27,500/month | ~$80/month |
| Ops burden | Servers, scaling, patching, certs | Zero infrastructure management |
| Data locality | Limited by region choice | PII partitioning + DO locationHint |
| Availability | Region-bound SLA | Global anycast network |

Next Steps

  • Architecture — System design, database abstraction, and DO sharding details
  • Identity Hub — Unified identity federation concept