System Overview
What we actually built
ObitoX is an API that generates signed URLs. That's it. That's the core product.
Everything else—rate limiting, analytics, batch operations, JWT tokens—exists to make that core operation fast, secure, and not exploitable.
The actual architecture (no diagrams needed)
Where it runs
Backend: Node.js + Express (moving to Cloudflare Workers)
Database: Supabase (PostgreSQL with PostgREST)
Cache: Redis (Upstash-compatible)
Files: Your R2/Vercel/Supabase/S3 account (we don't store anything)
We're not "serverless" because it sounds cool. We're serverless because:
- No servers to maintain = no 3am outages
- Cloudflare handles scaling = we don't
- Pay per request = $0 until we actually have users
- 275 edge locations = low latency worldwide (not just US East)
What happens when you make a request
Example: Generate R2 signed URL for uploading photo.jpg
POST https://your-api.com/api/v1/upload/r2/signed-url
Headers:
Authorization: Bearer YOUR_API_KEY
Content-Type: application/json
Body:
{
"filename": "photo.jpg",
"contentType": "image/jpeg",
"r2AccessKey": "your_r2_key",
"r2SecretKey": "your_r2_secret",
"r2AccountId": "your_account_id",
"r2Bucket": "my-uploads"
}What we do (5-15ms total):
- Validate API key (check Redis cache, 10ms)
If invalid → 401 Unauthorized - Check rate limits (memory guard: 2ms, Redis: 15ms)
If exceeded → 429 Too Many Requests - Check quota (Redis cache, 15ms)
If over limit → 403 Quota Exceeded - Generate unique filename (crypto.randomBytes, 1ms)
Example: upl1704672000_a3f2b9.jpg - Create R2 signed URL (AWS SDK v3, pure crypto, 5-10ms)
No network call to Cloudflare—just cryptographic signing - Return response (0ms)
uploadUrl (for uploading), publicUrl (for accessing later) - Background: Log analytics (non-blocking, doesn't affect response time)
Queued in Bull/Redis for async processing
{
"success": true,
"uploadUrl": "https://account.r2.cloudflarestorage.com/...",
"publicUrl": "https://pub-account.r2.dev/upl1704672000_a3f2b9.jpg",
"uploadId": "upl1704672000_a3f2b9",
"expiresIn": 3600,
"provider": "r2"
}What you do next:
// In your browser/app:
const response = await fetch(data.uploadUrl, {
method: 'PUT',
body: fileBlob,
headers: { 'Content-Type': 'image/jpeg' }
});
// File goes directly to R2
// We never see it, never pay for bandwidth
// You pay R2's rates (~$0.015/GB)Why this is fast
1. No network calls to storage providers
We use cryptographic signing (AWS SDK v3). Generating an R2 signed URL doesn't require asking R2 for permission—we have your credentials, we sign the URL, done. 5-10ms of pure math, no HTTP requests.
Compare: Vercel Blob requires an API call to their servers (220ms). We're 40× faster for R2.
2. Multi-layer caching
API keys: Cached in Redis (5 min TTL)
Rate limits: Cached in memory first (instant), then Redis (15ms)
Quotas: Cached in Redis (5 min TTL)
Bucket lists: Cached in Redis (15 min TTL)
Cold cache (first request): 400-600ms
Warm cache (subsequent): 20-50ms
Hit rate: 95%+ (most requests are cached)
3. Edge deployment
Cloudflare Workers run in 275+ cities worldwide. Request from Tokyo? Your request hits a Tokyo edge server, not a US East data center.
Typical latency by region:
US/Canada: 10-30ms
Europe: 15-40ms
Asia: 20-60ms
Middle East: 30-80ms (we tested this on Iraq home WiFi—real numbers)
4. Files never touch our servers
Traditional services: Your file → Their server → Storage (2× bandwidth cost, 2× latency)
ObitoX: Your file → Storage (direct, 1× bandwidth, 0 latency from us)
This is why we can charge $9/month while Cloudinary charges $99/month. We're not paying for your bandwidth.
Why this is secure
1. Your credentials never leave your requests
We don't store your R2/Vercel/Supabase credentials in a database. You pass them in each request body. We use them to generate URLs, then discard them. No credential leaks possible from our side.
2. Signed URLs expire
Default: 1 hour (configurable 1 min - 7 days)
After expiry, the URL is useless. Can't be replayed, can't be shared long-term.
3. Rate limiting at every layer
Memory guard: 10 requests/min (blocks 90% of abuse instantly)
Redis: 50-200 requests/hour (depending on tier)
Database: Track daily/monthly totals, suspend accounts over quota
4. Email verification required
Before you can create domains or hit advanced features, we verify your email. Blocks disposable emails, tracks abuse patterns, forces real identity.
5. Abuse event logging
Every suspicious action is logged: rate limit hits, invalid credentials, quota exceeded, failed verifications. After 10 abuse events, we flag the account. After 50, we suspend it.
What we don't do (important)
- We don't store files
Your files live in your R2/Vercel/Supabase account. We never see them, never cache them, never proxy them. - We don't process images
Need thumbnails? Use R2's Image Resizing or Cloudflare Images. We're not Cloudinary—we don't compete with them, we complement them. - We don't store your storage credentials
You pass R2/Vercel keys in each request. More setup for you, but zero risk of our database being hacked and leaking your keys. - We don't guarantee 100% uptime
We aim for 99.9% (8.7 hours downtime/year). If Cloudflare goes down, we go down. If Supabase goes down, some features degrade. Enterprise tier gets 99.95% SLA with dedicated support. - We don't do magic
If R2 is slow, our signed URLs will be fast, but your uploads will still be slow. We can't fix your storage provider's performance—we just make the control layer fast.
The actual stack (no buzzwords)
Infrastructure cost at 0 users: $0/month
Infrastructure cost at 100 users: $0/month (still free tier)
Infrastructure cost at 500 users: ~$80/month (paid tiers)
Infrastructure cost at 5,000 users: ~$500/month
Revenue at 500 users: $7,000/month
Profit margin: 98.9%