Case Study

aioflare

A privacy-first Cloudflare management platform designed for secure multi-account operations.

aioflare simplifies Cloudflare management across multiple accounts while maintaining strong security guarantees.

It enables bulk DNS operations, structured workspace management, and protects API credentials through a controlled server-side encryption system.

SaaS · Multi-tenant · Cloudflare API · Encryption

Product context

Overview

The Problem

  • Multiple Cloudflare accounts with no unified view
  • DNS configuration is repetitive and time-consuming
  • High risk of errors across wrong accounts or domains
  • Changes and activities are difficult to track
  • Bulk operations are error-prone without proper tooling

Our Solution

aioflare brings all your Cloudflare management into one secure, structured dashboard:

  • Manage zones, DNS, and redirects in bulk
  • DNS templates & zone profiles for fast, consistent setup
  • Queue system for large-scale operations without timeouts
  • Full activity log for complete change visibility
  • Sensitive data encrypted at rest, isolated per user

Who It’s For

  • Individual operators managing multiple domains
  • Freelance developers & sysadmins
  • Small to medium-scale hosting providers
  • SEO specialists & domain investors
  • Agencies managing multiple Cloudflare accounts

Real Impact

  • 5–10x faster on bulk DNS and zone operations
  • Significantly reduced risk of misconfiguration
  • Faster domain setup and migration
  • Structured, auditable account management at any scale

Architecture

How it’s put together.

Next.js · Supabase · Cloudflare Workers · Cloudflare Queues · Vercel

aioflare is built as a distributed system combining a Next.js application layer with Supabase for data storage, and Cloudflare Workers for secure cryptographic operations.

The architecture is designed to separate concerns between user interaction, background processing, and sensitive key handling.

Application Layer

The frontend and API are handled by Next.js, deployed on Vercel, providing a unified interface for managing Cloudflare resources across multiple accounts.

Data Layer

Supabase is used for structured data storage, including users, workspaces, zones, and encrypted fields.

Sensitive data is never stored in plaintext and is always processed through controlled encryption flows.

Crypto Layer

All encryption and decryption operations are handled through a dedicated Cloudflare Worker.

This isolates the master key and ensures sensitive operations are executed outside the main application runtime.

API Boundary

All Cloudflare API interactions are routed through a controlled service layer, ensuring credentials are validated, scoped, and never exposed directly to the client.


Features

Core Capabilities

Overview

aioflare groups advanced Cloudflare workflows into clear capability areas—secure data handling, multi-account control, automation at scale, and collaboration—so complex estates stay manageable without sacrificing safety.


Secure Data Handling

All sensitive data is encrypted server-side using a dedicated crypto worker, ensuring credentials are never exposed in plaintext.

  • Per-user encrypted storage (DEK-based)
  • Field-level encryption for API credentials
  • Encrypted queue results stored in R2
  • Zero-knowledge-inspired architecture

Multi-Account Zone Management

Manage multiple Cloudflare accounts and zones from a single structured interface.

  • Add, delete, and transfer zones across accounts
  • Move zones while preserving DNS records and redirect rules
  • Organize zones using collections
  • Filter zones by account, record type, or content

Bulk Operations at Scale

Perform large-scale operations efficiently without manual repetition.

  • Bulk add zones and DNS records
  • Bulk edit IPs and proxy settings
  • Bulk delete records and zones
  • Select zones instantly via name-based input

Differentiator. This is one of aioflare’s strongest pillars—built for real throughput, not toy demos. This part is very strong; do not underestimate it.

DNS & Redirect Automation

Standardize configurations using reusable templates and profiles.

  • Create reusable DNS record templates
  • Use {{zone}} placeholders for dynamic values
  • Zone profiles for one-click setup (records + config + destination)
  • Redirect templates with pre-defined configurations

Queue-Based Processing

Long-running operations are handled asynchronously to ensure reliability and responsiveness.

  • Cloudflare Queue-based processing
  • Server-side worker execution
  • Job tracking with detailed result logs
  • Encrypted result storage and retrieval

Collaboration & Access Control

Enable structured collaboration without exposing sensitive credentials.

  • Collection-based sharing system
  • Role-based access (read, DNS edit, admin)
  • Secure invite flow with verification code
  • Full activity logging per user action

Observability & Control

Gain visibility and control over infrastructure changes and performance.

  • Activity logs with executor tracking
  • DNS and zone analytics (traffic, threats, cache ratio)
  • Queue history with result inspection
  • Pagination for handling large datasets

Workflow Enhancements

Small features designed to improve real-world usability.

  • Jump between zones without leaving the page
  • Zone notes for internal tracking
  • Quick Google site verification
  • Card and list view modes

Trust model

Security Architecture


aioflare is built with a security-first approach, ensuring sensitive data is protected at every stage — from storage to processing.


1. Security Principles

Core Principles

  • Sensitive data is never stored in plaintext
  • Encryption is enforced by default across all user data
  • Access to encrypted data is strictly controlled
  • Security is handled server-side, not delegated to the client

2. Encryption Model

Data Encryption

All sensitive data is encrypted using a per-user key model.

Ciphertext = AES-256-GCM(DEK, IV, Plaintext)

  • Each user has a unique Data Encryption Key (DEK)
  • Encryption uses AES-256-GCM with a unique IV per operation
  • Data is stored only as encrypted payloads

3. Key Management

Key Management

Encryption keys are isolated and protected using a layered approach.

  • DEKs are wrapped using a master key (AES-KW)
  • Master key is never exposed to the main application layer
  • Key operations are isolated in a dedicated crypto worker
  • Per-user key isolation prevents cross-tenant access
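
Added example, not aioflare's own code: a sketch of the per-user DEK, AES-256-GCM field encryption, and AES-KW wrapping described in the Encryption Model and Key Management sections, using the WebCrypto API that Cloudflare Workers expose. All function names and the sample token are constructed, and the master key is generated in-process only so the demo runs offline; in the described design it would stay inside the crypto worker.

```javascript
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // WebCrypto, as in Workers

// Master key (KEK): AES-KW, non-extractable, usable only to wrap/unwrap DEKs.
const newMasterKey = () =>
  wc.subtle.generateKey({ name: "AES-KW", length: 256 }, false, ["wrapKey", "unwrapKey"]);

// Create a per-user DEK and return only its wrapped form; that blob is what gets stored.
async function createWrappedDek(kek) {
  const dek = await wc.subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
  return new Uint8Array(await wc.subtle.wrapKey("raw", dek, kek, "AES-KW"));
}

// Unwrap to a non-extractable handle; AES-KW rejects a wrong KEK or an altered blob.
const unwrapDek = (wrapped, kek) =>
  wc.subtle.unwrapKey("raw", wrapped, kek, "AES-KW", "AES-GCM", false, ["encrypt", "decrypt"]);

// Ciphertext = AES-256-GCM(DEK, IV, Plaintext), with a fresh 96-bit IV stored per record.
async function encryptField(wrappedDek, kek, plaintext) {
  const dek = await unwrapDek(wrappedDek, kek);
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, dek, new TextEncoder().encode(plaintext));
  return { iv, ct: new Uint8Array(ct) };
}

async function decryptField(wrappedDek, kek, { iv, ct }) {
  const dek = await unwrapDek(wrappedDek, kek);
  return new TextDecoder().decode(await wc.subtle.decrypt({ name: "AES-GCM", iv }, dek, ct));
}

// Constructed demo: two tenants, one sample token, and the failure cases a reviewer should check.
async function demo() {
  const kek = await newMasterKey();
  const [alice, bob] = [await createWrappedDek(kek), await createWrappedDek(kek)];
  const token = "cf-api-token-CONSTRUCTED-EXAMPLE"; // constructed value, not a real credential
  const rec1 = await encryptField(alice, kek, token);
  const rec2 = await encryptField(alice, kek, token);
  const fails = (p) => p.then(() => false, () => true);
  const tampered = Uint8Array.from(alice);
  tampered[0] ^= 1; // flip one bit of the stored wrapped DEK
  return {
    roundTrip: (await decryptField(alice, kek, rec1)) === token,
    ivsDiffer: rec1.iv.join() !== rec2.iv.join(),  // same plaintext, different IV each time
    wrappedLen: alice.length,                      // 32-byte DEK + 8-byte AES-KW overhead
    tagOverhead: rec1.ct.length - token.length,    // GCM appends a 16-byte authentication tag
    crossTenantRejected: await fails(decryptField(bob, kek, rec1)),
    tamperedWrapRejected: await fails(unwrapDek(tampered, kek)),
  };
}
demo().then(console.log);
```

The two rejection cases are the property the bullets rely on: a record encrypted under one user's DEK fails authentication under another user's DEK, and a modified wrapped key never unwraps.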

4. Secure Processing Layer

Secure Processing

Cryptographic operations are handled in an isolated environment.

  • Encryption/decryption is executed via Cloudflare Worker
  • Sensitive operations never run directly in the main app runtime
  • Background jobs use encrypted payloads and keys
  • Queue results are stored encrypted and decrypted only when needed

5. Additional Protections

Additional Safeguards

  • API credentials are always encrypted at rest
  • Activity logs track all user actions
  • Role-based access limits data exposure
  • Multi-tenant isolation enforced at the data layer

Wrap-up

What this demonstrates.

aioflare is a practical SaaS slice: multi-tenant data, integrations with a real external API, background processing, and a security posture that matches the sensitivity of the domain.

It’s the kind of system where small design choices — encryption, queues, explicit tenancy — compound into something you can run for real users, not just a demo.
