# Edge Computing
Authrim is an edge-native Identity & Access Platform. Every authentication request — login, token exchange, session validation — is processed at Cloudflare’s edge network, close to the user. This page explains why edge matters for identity, how Authrim leverages the Cloudflare Workers platform, and what performance and cost characteristics this architecture achieves.
## Why Edge for Identity?
Traditional identity platforms run on centralized servers in one or a few regions. This creates inherent limitations:
| Challenge | Centralized Approach | Edge Approach |
|---|---|---|
| Latency | 100–300ms round-trip to distant server | <50ms from nearest edge location |
| Cold start | Container/VM startup adds 200ms–2s | No cold start (V8 isolates) |
| Scaling | Vertical scaling or complex auto-scaling | Automatic horizontal scaling per-request |
| Single point of failure | Region outage = full outage | Distributed across 300+ locations |
| Global users | Poor experience for distant users | Consistent experience worldwide |
Authentication is on the critical path of every user interaction. A slow login flow or token validation directly impacts user experience and application performance. Moving authentication to the edge eliminates the geographic penalty.
## Cloudflare Workers Platform
Authrim runs on Cloudflare Workers, a serverless platform with unique characteristics:
### V8 Isolates (Not Containers)
Workers execute in V8 isolates — the same JavaScript engine used by Chrome. Unlike containers or VMs:
- Near-zero cold start — isolates spin up in under 5ms (vs. 200ms–2s for containers)
- Lightweight — each isolate uses ~2MB memory (vs. 50–200MB for containers)
- Secure — each tenant runs in its own sandboxed isolate, with strict isolation enforced by the runtime
### Global Distribution
Workers run on Cloudflare’s network of 300+ locations across 100+ countries. There is no “region selection” — code runs everywhere, automatically.
### Platform Primitives
Authrim leverages the full Workers ecosystem:
| Primitive | Usage in Authrim |
|---|---|
| Workers | Stateless request processing (auth flows, token validation) |
| Durable Objects | Stateful storage (sessions, auth codes, challenges) |
| D1 | Relational database (users, clients, roles, policies) |
| KV | Global key-value cache (JWKS, configuration, settings) |
| Service Bindings | Inter-worker communication (zero-network-cost RPC) |
| Queues | Async processing (webhooks, SCIM sync, audit log export) |
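As a rough sketch, bindings for these primitives would be declared in a Worker's `wrangler.toml` along these lines. The binding, class, database, and queue names here are hypothetical placeholders, not Authrim's actual configuration:

```toml
# Hypothetical bindings illustrating the primitives above.
name = "ar-auth"
main = "src/index.ts"

[[durable_objects.bindings]]
name = "SESSIONS"              # stateful session storage
class_name = "SessionStore"

[[d1_databases]]
binding = "DB"                 # relational data: users, clients, roles
database_name = "authrim-core"
database_id = "<id>"

[[kv_namespaces]]
binding = "CACHE"              # JWKS and configuration cache
id = "<id>"

[[services]]
binding = "TOKEN"              # service binding to another worker
service = "ar-token"

[[queues.producers]]
binding = "EVENTS"             # async webhooks / audit log export
queue = "authrim-events"
```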
## Stateless Workers + Stateful Durable Objects
Authrim’s architecture cleanly separates concerns:
```mermaid
flowchart TB
    subgraph Stateless["Stateless Layer — Workers"]
        w1["Request routing"]
        w2["Token signing"]
        w3["OIDC validation"]
        w4["Policy eval"]
        w5["Claim mapping"]
    end
    subgraph Stateful["Stateful Layer — Durable Objects"]
        do1["Session storage"]
        do2["Auth code lifecycle"]
        do3["Challenge state"]
        do4["Refresh tokens"]
        do5["Rate limit counters"]
    end
    Stateless -- RPC --> Stateful
    Stateless --> D1["D1 (SQL)"]
    Stateful --> DOS["DO Storage (per-shard)"]
```
Workers handle stateless computation — parsing requests, validating tokens, evaluating policies, constructing responses. They scale horizontally with zero configuration.
Durable Objects handle stateful operations — storing sessions, managing auth code lifecycle, enforcing rate limits. Each DO instance is a single-threaded actor with strongly consistent storage, distributed via region sharding.
This separation means the stateless layer scales transparently (Cloudflare handles it), while the stateful layer scales through explicit sharding (Authrim manages it).
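To make the split concrete, here is a minimal TypeScript sketch of the pattern, using a plain in-memory class to stand in for a Durable Object so the example is self-contained. The `SessionStore` name and shapes are illustrative, not Authrim's actual code:

```typescript
// Stateful layer: a Durable Object-style actor. Real DOs persist to
// transactional storage; a Map stands in for that here.
class SessionStore {
  private sessions = new Map<string, { userId: string; expiresAt: number }>();

  put(sessionId: string, userId: string, ttlMs: number): void {
    this.sessions.set(sessionId, { userId, expiresAt: Date.now() + ttlMs });
  }

  validate(sessionId: string): string | null {
    const s = this.sessions.get(sessionId);
    if (!s || s.expiresAt < Date.now()) return null; // unknown or expired
    return s.userId;
  }
}

// Stateless layer: pure request handling. All state lives behind the
// actor, so any isolate at any location can serve the request.
function handleValidate(
  store: SessionStore,
  sessionId: string
): { status: number; userId?: string } {
  const userId = store.validate(sessionId);
  return userId ? { status: 200, userId } : { status: 401 };
}
```

In the real platform the stateless handler reaches the actor over an RPC stub rather than a direct method call, but the division of responsibility is the same.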
## Performance Characteristics
Measured under load testing against a production-equivalent deployment:
| Metric | Value | Notes |
|---|---|---|
| End-to-end latency | <50ms | Authorization code exchange (P95) |
| Worker CPU time | 1–4ms | Per request (P50) |
| Token validation | <5ms | JWT signature verification |
| Throughput | 2,500–3,500 RPS | Per worker instance, sustained |
| Cold start | <5ms | V8 isolate initialization |
| D1 query | 1–3ms | Simple SELECT with index |
| DO access | 2–8ms | Intra-region RPC |
### Why Sub-50ms Matters
For comparison, typical latencies for traditional identity providers:
- Auth0: 100–300ms (varies by region and plan)
- AWS Cognito: 50–200ms (within-region), 200–500ms (cross-region)
- Self-hosted Keycloak: 20–100ms (same datacenter), 100–500ms (remote)
Authrim’s sub-50ms latency is consistent regardless of user location, because processing always happens at the nearest edge.
## Scaling
### Horizontal Scaling
Workers scale automatically — Cloudflare instantiates as many isolates as needed to handle incoming requests. No provisioning, no capacity planning.
For Durable Objects, Authrim uses region sharding to distribute load. Each resource type (sessions, auth codes, etc.) is partitioned across multiple shards in multiple geographic regions. See Architecture — Durable Object Region Sharding for details.
The result:
```mermaid
flowchart TB
    req["Incoming requests"]
    req --> W1["Worker 1"] & W2["Worker 2"] & WN["Worker N"]
    W1 & W2 & WN --> DO0["DO s:0<br/>(enam)"] & DO1["DO s:1<br/>(enam)"] & DO2["DO s:2<br/>(weur)"] & DO3["DO s:3<br/>(apac)"]
```
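A deterministic routing function underlies this fan-out: each resource ID hashes to a shard, and each shard lives in a fixed region. The sketch below assumes four shards matching the diagram; the hash choice (FNV-1a) and the shard-to-region map are illustrative, not Authrim's actual scheme:

```typescript
// Shard-to-region map for 4 shards (two in enam, one each in weur/apac).
const SHARD_REGIONS = ["enam", "enam", "weur", "apac"] as const;

// FNV-1a: a small, stable string hash, so the same resource ID always
// routes to the same shard on every Worker at every location.
function fnv1a(input: string): number {
  let h = 0x811c9dc5;
  for (let i = 0; i < input.length; i++) {
    h ^= input.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Map a resource ID (session ID, auth code, ...) to a shard and region.
function routeToShard(resourceId: string): { shard: number; region: string } {
  const shard = fnv1a(resourceId) % SHARD_REGIONS.length;
  return { shard, region: SHARD_REGIONS[shard] };
}
```

Any stateless hash works here; the only requirements are determinism and a reasonably even distribution across shards.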
### Smart Placement
Cloudflare Workers Smart Placement automatically runs Workers closer to their backend services (D1 databases) rather than at the nearest edge. Authrim enables Smart Placement on database-heavy Workers like ar-management and ar-token, reducing D1 query latency by co-locating compute with storage.
For Durable Object operations, locationHint serves a similar purpose — placing DOs in the region closest to the target user population.
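A sketch of how such a hint might be chosen, mapping a user's country to one of Cloudflare's documented `locationHint` region codes. The country table and function name are hypothetical examples, not Authrim's actual mapping:

```typescript
// Cloudflare's documented locationHint region codes.
type LocationHint =
  | "wnam" | "enam" | "sam" | "weur" | "eeur" | "apac" | "oc" | "afr" | "me";

// Hypothetical country-to-region table for illustration.
const COUNTRY_HINTS: Record<string, LocationHint> = {
  US: "enam",
  DE: "weur",
  JP: "apac",
  AU: "oc",
};

function pickLocationHint(countryCode: string): LocationHint {
  return COUNTRY_HINTS[countryCode] ?? "enam"; // fall back to a default region
}

// Inside a Worker, the hint would be passed when obtaining the DO stub,
// roughly: env.SESSIONS.get(id, { locationHint: pickLocationHint(country) })
```

The hint only influences where a Durable Object is first created; once placed, the object stays in its region.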
## Cost Efficiency
Running an identity platform on Cloudflare Workers is significantly more cost-efficient than traditional infrastructure:
### Cost Breakdown (5M Monthly Active Users)
| Component | Monthly Cost | Notes |
|---|---|---|
| Workers (requests) | ~$25 | 50M requests/month on Workers Paid |
| D1 (storage + reads) | ~$20 | 3 databases, ~10GB total |
| KV (reads) | ~$5 | Cache reads for config/JWKS |
| Durable Objects | ~$25 | Storage + requests across shards |
| Total | ~$75–85 | |
For comparison, equivalent capacity on traditional platforms:
| Platform | Estimated Monthly Cost |
|---|---|
| Auth0 (B2C, 5M MAU) | $2,300+ |
| AWS Cognito (5M MAU) | $27,500 (at $0.0055/MAU) |
| Self-hosted (3 regions) | $500–2,000 (compute + DB + ops) |
| Authrim on Workers | ~$80 |
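The arithmetic behind these estimates is simple to re-derive from the tables above: the Authrim total is the sum of the four component estimates, and the Cognito figure is a flat per-MAU rate.

```typescript
// Component estimates from the cost breakdown table, in USD/month.
const authrimComponents = { workers: 25, d1: 20, kv: 5, durableObjects: 25 };
const authrimTotal = Object.values(authrimComponents).reduce((a, b) => a + b, 0);

// AWS Cognito estimate: 5M MAU at $0.0055 per MAU, ~$27,500/month.
const cognitoMonthly = 5_000_000 * 0.0055;
```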
## Edge vs. Traditional — Summary
| Aspect | Traditional (Central) | Authrim (Edge) |
|---|---|---|
| Latency | 100–500ms (varies by distance) | <50ms (consistent globally) |
| Cold start | 200ms–2s | <5ms |
| Scaling | Manual / auto-scale (minutes) | Automatic (milliseconds) |
| Regions | 1–3 (provisioned) | 300+ (automatic) |
| Cost (5M MAU) | $500–$27,500/month | ~$80/month |
| Ops burden | Servers, scaling, patching, certs | Zero infrastructure management |
| Data locality | Limited by region choice | PII partitioning + DO locationHint |
| Availability | Region-bound SLA | Global anycast network |
## Next Steps
- Architecture — System design, database abstraction, and DO sharding details
- Identity Hub — Unified identity federation concept