Skip to content
Authrim

Cloudflare Platform Limits & Cost

Authrim runs entirely on Cloudflare Workers. This page documents the platform limits that affect Authrim’s operation and provides cost estimates for various usage scales.

Key Limits at a Glance

50 / 1,000

External Fetch Subrequests

Free plan: 50 per invocation. Paid plan: 1,000 per invocation.

1,000

Internal Service Calls

KV, DO, D1 calls per invocation — all plans.

10–30

Typical Internal Calls

Authrim’s typical internal subrequest count per single request.

$5/mo

Workers Paid Plan Base

Minimum monthly cost for Workers Paid Plan.

Subrequest Limits

Cloudflare Workers impose two distinct categories of subrequest limits:

CategoryFree PlanPaid PlanCounted Operations
External fetch50 / invocation1,000 / invocationfetch() to external origins
Internal service1,000 / invocation1,000 / invocationKV, DO, D1, R2, Queues, etc.

Key distinction: External fetch limits apply only to outbound HTTP requests to external origins. Internal service bindings (KV reads/writes, DO requests, D1 queries) have their own separate 1,000-call limit that applies equally across all plans.

flowchart LR
    W["Worker Invocation"]
    subgraph external["External Fetch (50/1,000)"]
        EF1["IdP Token Endpoint"]
        EF2["IdP UserInfo"]
        EF3["JWKS Fetch"]
    end
    subgraph internal["Internal Service (1,000)"]
        KV["KV Storage"]
        DO["Durable Objects"]
        D1["D1 Database"]
    end
    W -->|"fetch()"| external
    W -->|"binding"| internal

Authrim typically uses 10–30 internal service calls per request, well within the 1,000 limit. External fetches are only required during IdP federation flows (callback, token exchange with external providers).

Per-Flow Subrequest Analysis

Authorization endpoint — initiates the OAuth flow.

ResourceCountDescription
External HTTP0–2JWKS fetch (if cache miss), IdP redirect
KV3–5Session lookup, client config, OIDC metadata
DO1–2Session validation, auth code creation
D12–4User lookup, consent check
Total6–13

Risk Areas

Pricing Reference

Cloudflare Workers Paid Plan ($5/month base) pricing:

ServiceFree Tier IncludedOverage Rate
Workers requests10M/month$0.30 per million
KV reads10M/month$0.50 per million
KV writes1M/month$5.00 per million
D1 rows read25B/month$0.001 per million
D1 rows written50M/month$1.00 per million
DO requests1M/month$0.15 per million
DO duration400K GB-s/month$12.50 per million GB-s

Cost Model

Usage Patterns

MetricLight (internal tools)Standard (typical web app)Heavy (SPA/mobile)
Logins/MAU/mo4815
Silent Auth/Login51020
Refresh/Login236
API Calls/Login2510
Requests/MAU/mo36152555

Cost Estimates

LightStandardHeavy
Total Requests360K1.52M5.55M
Workers$5.00$5.00$5.00
KV$0.00$0.00$0.00
DO$0.00$0.08$0.68
D1$0.00$0.00$0.00
Monthly~$5~$5~$6

All usage falls within free tiers at this scale. Only Workers base cost applies.

Interactive Cost Calculator

10,000
$5.00 /month
Per User $0.0005
Total Requests/mo 1.5M
Workers $5.00
KV Total $0.00
KV Reads $0.00
KV Writes $0.00
Durable Objects $0.00
D1 Database $0.00

Optimization Tips

  1. Use Paid Plan — The Free plan’s 50 external fetch limit risks failure on OAuth callback flows. Paid plan ($5/month) raises this to 1,000.
  2. Minimize KV writes — KV write costs ($5/million) are 10x higher than reads ($0.50/million). Cache aggressively and batch updates where possible.
  3. Manage IAT token count — Limit active tokens per user to prevent unbounded KV.list() + KV.get() chains.
  4. Leverage JWKS caching — Authrim caches JWKS keys in Durable Objects, avoiding repeated external fetches. Ensure cache TTL is configured appropriately.
  5. Monitor DO request volume — Durable Object requests scale with authentication traffic. Use sharding to distribute load and monitor shard utilization.