DEV Community

Levani Gventsadze

I built a Cloudflare Workers SaaS starter — auth, D1, rate limiting, no Auth0

Every time I start a project on Cloudflare Workers I end up rebuilding the same plumbing: sessions, a D1-backed API, rate limiting. So I packaged it into a small starter called EdgeKit (Hono + D1 + KV). Sharing the approach here in case it's useful.

Auth without an external bill

No Auth0, no per-MAU pricing — just PBKDF2 via Web Crypto (runs natively on Workers) plus sessions in KV:

const enc = (s) => new TextEncoder().encode(s); // password string -> bytes for importKey
const salt = crypto.getRandomValues(new Uint8Array(16)); // fresh 16-byte salt per user
const key = await crypto.subtle.importKey("raw", enc(password), "PBKDF2", false, ["deriveBits"]);
const bits = await crypto.subtle.deriveBits(
  { name: "PBKDF2", salt, iterations: 100_000, hash: "SHA-256" }, key, 256,
);
// store `pbkdf2$iters$salt$hash`; verify with a constant-time compare

The session token lives in an HttpOnly cookie and maps to a user id in KV with a TTL. Logout just deletes the KV key.

What's in it

  • Session auth (KV) + a tenant-scoped D1 CRUD API with migrations
  • A KV fixed-window rate limiter guarding the auth routes
  • Typed, tested, one-command wrangler deploy

Live demo (a real Worker you can hit): https://edgekit-storefront.xok.workers.dev

Happy to answer anything about the D1 schema or the rate-limiter design in the comments.
