
Architecture Blueprint

This section specifies the architecture, design choices, data schemas, and cryptographic workflows for NexID Auth-DPoP, a high-performance, globally distributed authentication and authorization system designed to run entirely on the Cloudflare Edge Network.


1. Executive Summary

Traditional authentication systems introduce significant latency by forcing application servers to perform database roundtrips or centralized API calls to verify user permissions on every request.

NexID Auth-DPoP eliminates this latency by executing token generation and cryptographic proof-of-possession verification at the edge, while delegating local authorization rule checks and permissions directly to downstream application databases.

By using Ed25519 (EdDSA) for token signing, integer-based bitmask permissions for ultra-compact authorization payloads, and DPoP (Demonstrating Proof-of-Possession) to cryptographically bind tokens to clients, the system achieves sub-millisecond local token validation while remaining highly resistant to token theft and replay attacks.


2. Key Technology Stack

The following core technologies power the NexID Auth-DPoP runtime:

| Component | Technology | Purpose / Role |
|---|---|---|
| Compute Runtime | Cloudflare Workers (V8) | Global, low-latency execution of auth logic. |
| Primary Database | Cloudflare D1 (SQLite) | Storage for users, registered applications, and API keys. |
| Global Cache & Limit | Upstash Redis (via REST) | Globally replicated, low-latency rate limiting and DPoP proof handshake storage. |
| Fast-Path Verification | Bloom Filters | Fast client/user existence checks to prevent database resource exhaustion. |
| Cryptographic Suite | EdDSA (Ed25519) | Ultra-fast token signing with tiny key footprint and low CPU usage. |
| Security Standard | DPoP (RFC 9449) | Cryptographic proof-of-possession to prevent token hijacking. |

3. High-Level Request Lifecycle

Below is a conceptual flowchart illustrating how the actors interact. Once a browser is authenticated, subsequent API requests are validated locally in CPU memory rather than through database queries.


4. Deep Dive Documentation

Explore detailed specifications for each component of the architecture:

  • Backchannel Permission Upgrade: Detailed lifecycle of Phase 1, delegating permissions to downstream databases while securing the token exchange via private server-to-server calls.
  • DPoP Session Binding: Restricting token hijacking and replay attacks using cryptographic Proof-of-Possession bound to the client’s public key.
  • Database Blueprint & Key Security: SQLite schemas for Cloudflare D1, downstream application relational schemas, and zero-knowledge storage of application API keys.
  • Cryptography, Bitmasks & Local Validation: Ed25519 key signing specs, permission bitwise arithmetic, and the validation checklist executed by resource servers in CPU memory.