Cloudflare Workers

Cloudflare Workers is the entire edge platform for Tessera, and each concern maps to the primitive that fits its consistency needs. The engine, SCIM endpoint and OIDC Provider run as a Rust/WASM Worker. Sessions are opaque tokens backed by a single-writer Durable Object, so “log out everywhere” and revocation are strongly consistent and instant — KV is only ever a read-cache, never the sole revocation authority because it is eventually consistent.

The audit log is the system of record on R2 with Bucket Locks (WORM-style, though not S3 Compliance mode, so an app-level hash chain is added). Discovery and JWKS documents are cached in KV and the Cache API with single-flight refresh to absorb DoS, and the engine respects the platform’s hard limits: a 3 MB free bundle, a 400 ms startup-CPU budget, and outbound calls only through fetch.

// Sessions are OPAQUE tokens backed by a single-writer Durable Object, so
// "log out everywhere" / revocation is instant. KV is a read-cache only —
// never the sole revocation authority (it is eventually consistent).
#[durable_object]
pub struct SessionStore { state: State }

impl SessionStore {
    pub async fn revoke_all(&self, subject: &str) -> Result<()> {
        // strong consistency: subsequent reads see the revocation immediately
        self.state.storage().delete_all().await
    }
}