System Architecture
The Sign Relay system is built on Cloudflare's edge infrastructure for maximum performance and reliability.
High-Level Architecture
Component Breakdown
API Gateway (Cloudflare Workers + Hono)
The API layer is built on Cloudflare Workers using the Hono framework. This provides:
- Zero cold starts - Requests handled at the edge
- Automatic scaling - From 0 to millions of requests
- Global distribution - Low latency worldwide
- Native integrations - Direct binding to D1, KV, R2, Queues
Middleware Stack
Each request passes through:
- IP Filter - Whitelist-based access control
- Auth Check - API key validation
- Rate Limiter - Token bucket algorithm using KV
- Request Logger - Async audit logging to D1
Database Layer (D1)
SQLite-based serverless database for metadata storage:
| Table | Purpose |
|-------|---------|
| documents | Signature request metadata |
| signers | Signer information and status |
| files | File references and storage keys |
| request_logs | Audit trail |
| rate_limits | Rate limiting counters |
Queue System
Cloudflare Queues handle asynchronous operations:
Object Storage (R2)
S3-compatible storage for:
- Original documents
- Signed documents
- Temporary file storage
Zero egress fees make R2 ideal for document downloads.
Data Flow
Creating a Signature Request
Handling Webhooks
Provider Abstraction
The key to provider swapping is the SignatureProvider interface:
interface SignatureProvider {
readonly name: string;
// Core operations
createDocument(request: CreateRequest): Promise<Document>;
getStatus(id: string): Promise<Status>;
// Webhook handling
parseWebhook(payload: unknown): Promise<WebhookEvent>;
verifySignature(headers: Headers, body: string): boolean;
}
Each provider implements this interface, translating between their native format and our common format.
Deployment
All components deploy to Cloudflare:
Security Considerations
- All traffic encrypted with TLS 1.3
- API keys stored in Cloudflare Secrets
- IP whitelisting at edge
- Webhook signatures verified
- Audit logging for all operations
- Rate limiting per API key