Skip to content

Edge Computing

Authrim is an edge-native Identity & Access Platform for Cloudflare Workers. Login, token exchange, session validation, federation, and management surfaces are split across Workers and connected with Service Bindings. This page explains why edge-native deployment matters for identity, how Authrim uses Workers-native primitives, and what performance and cost characteristics operators should evaluate.

Traditional identity platforms run on centralized servers in one or a few regions. This creates inherent limitations:

ChallengeCentralized ApproachEdge Approach
LatencyExtra round trips to a fixed regionWorkers can execute close to users or close to storage depending on workload
Cold startContainer/VM startup can add delayV8 isolate startup is lightweight
ScalingVertical scaling or complex auto-scalingAutomatic horizontal scaling per-request
Single point of failureRegion outage can affect the whole serviceRequests can be routed across Cloudflare’s global network
Global usersDistant users depend on central regionsDeployment can use global Workers plus explicit storage/residency profiles

Authentication is on the critical path of every user interaction. A slow login flow or token validation directly impacts user experience and application performance. Edge-native deployment reduces avoidable routing overhead, but actual latency still depends on workload shape, storage profile, Cloudflare plan limits, and network path.

Authrim runs on Cloudflare Workers, a serverless platform with unique characteristics:

Workers execute in V8 isolates — the same JavaScript engine used by Chrome. Unlike containers or VMs:

  • Lightweight startup — isolate startup is generally much lighter than container startup
  • Small runtime footprint — Workers avoid managing container images and VM fleets
  • Secure — hardware-level isolation between tenants

Workers run on Cloudflare’s global network. Authrim uses this for public protocol endpoints while keeping storage placement explicit through D1 bindings, runtime storage profiles, tenant-D1 routing, external database adapters, and Durable Object location hints where applicable.

Authrim leverages the full Workers ecosystem:

PrimitiveUsage in Authrim
WorkersStateless request processing (auth flows, token validation)
Durable ObjectsHot strongly consistent state (sessions, auth codes, challenges, PAR, DPoP, device/CIBA, SAML, flow state)
D1Deployment and tenant databases (DB, DB_PII, DB_ADMIN, generated tenant-D1 slots)
KVGenerated configuration, cache, consent cache, tenant runtime registry snapshots
Service BindingsInter-worker communication (zero-network-cost RPC)
QueuesAsync processing (webhooks, SCIM sync, audit log export)

Stateless Workers + Stateful Durable Objects

Section titled “Stateless Workers + Stateful Durable Objects”

Authrim’s architecture cleanly separates concerns:

flowchart TB
    subgraph Stateless["Stateless Layer — Workers"]
        w1["Request routing"]
        w2["Token signing"]
        w3["OIDC validation"]
        w4["Policy eval"]
        w5["Claim mapping"]
    end
    subgraph Stateful["Stateful Layer — Durable Objects"]
        do1["Session storage"]
        do2["Auth code lifecycle"]
        do3["Challenge state"]
        do4["Refresh tokens"]
        do5["Rate limit counters"]
    end
    Stateless -- RPC --> Stateful
    Stateless --> D1["D1 (SQL)"]
    Stateful --> DOS["DO Storage (per-shard)"]

Workers handle stateless computation — parsing requests, validating tokens, evaluating policies, constructing responses. They scale horizontally with zero configuration.

Durable Objects handle stateful operations — storing sessions, managing auth code lifecycle, enforcing rate limits, and maintaining protocol state. Each DO instance is a single-threaded actor with strongly consistent storage, scaled by explicit shard settings where supported. See Architecture — Durable Object State and Sharding.

This separation lets the stateless layer scale with Workers while the stateful layer scales through explicit Durable Object sharding and storage profile choices.

Measured under K6 Cloud load tests against representative Authrim workloads:

MetricValueNotes
Token-oriented endpoints2,500–3,500 RPSTested token/introspection-style workloads
Full OAuth login flow~150 logins/secRepresentative login workload
Worker CPU time1–4ms typicalObserved in tested runs
Error rate0% in tested runsFor the measured scenarios

Identity operations sit in login, token refresh, API authorization, and federation paths. Authrim’s architecture reduces avoidable network hops by keeping protocol workers close to the request path and by using Service Bindings for worker-to-worker calls. Storage-heavy paths still need capacity planning around D1, Durable Objects, tenant-D1, external databases, and audit sinks.

Workers scale automatically — Cloudflare instantiates as many isolates as needed to handle incoming requests. No provisioning, no capacity planning.

For Durable Objects, Authrim uses explicit shard counts for high-traffic auth state such as sessions, authorization codes, refresh token rotation, and challenges. See Architecture — Durable Object State and Sharding for details.

The result:

flowchart TB
    req["Incoming requests"]
    req --> W1["Worker 1"] & W2["Worker 2"] & WN["Worker N"]
    W1 & W2 & WN --> DO0["Session shard 0"] & DO1["Session shard 1"] & DO2["Auth code shard 0"] & DO3["Refresh shard 0"]

Authrim separates compute placement from storage selection:

  • Worker routing is handled through ar-router and Service Bindings.
  • Storage locality is selected through runtime storage profiles (shared-d1, tenant-d1, external database profiles).
  • Durable Object locationHint can guide initial placement, but it is not a latency guarantee.
  • Tenant-D1 deployments must plan generated tenant database slots, migrations, and registry snapshots.

Authrim has no per-user vendor fee, but it is not free to operate. Cloudflare usage and operational requirements drive the cost.

Cost DriverWhat Affects It
WorkersRequest volume, CPU time, worker count, deployment profile
D1 / tenant-D1Read/write volume, database count, tenant slot count, storage size
KVCache reads/writes, generated config, tenant runtime registry snapshots
Durable ObjectsHot state requests, storage, shard counts
R2 / logging sinksAudit retention, archive policy, export volume
OperationsMonitoring, security review, compliance, support, backups, incident response
AspectTraditional (Central)Authrim (Edge)
LatencyDepends on chosen region and distanceDepends on worker routing, storage profile, and network path
Cold startContainer/VM startup may add delayWorkers isolate startup is lightweight
ScalingManual / auto-scale (minutes)Automatic (milliseconds)
RegionsExplicit provisioned regionsCloudflare global network plus explicit storage/residency choices
CostVendor and infrastructure model dependentCloudflare usage plus Authrim operational costs
Ops burdenServers, scaling, patching, certsCloudflare-managed primitives, with Authrim deployment and compliance operations still required
Data localityLimited by region choiceRuntime storage profiles, tenant-D1, external DB profiles, and location hints
AvailabilityRegion-bound architectureDepends on Cloudflare services, deployment design, and storage profile
  • Architecture — System design, database abstraction, and DO sharding details
  • Identity Hub — Unified identity federation concept