@hyperauth/sdk.
Prerequisites
- A Cloudflare account with Workers, Durable Objects, D1, R2, and Analytics Engine enabled
wranglerCLI installed (npm install -g wrangler) and authenticated (wrangler login)- Node.js 18+
Cloudflare resource setup
The Vault Worker requires the following Cloudflare resources. Create them before deploying. D1 database (session and DID registry):database_id into wrangler.toml under [[d1_databases]].
R2 bucket (WASM and CDN assets):
wrangler.toml and created automatically on first deploy. The SQLite-backed Vault class requires the new_sqlite_classes migration already present in the config.
Environment secrets
Set the required secrets withwrangler secret put. None of these should appear in source control.
apps/vault/.dev.vars (gitignored):
apps/vault/.dev.vars
Orchestrator (durable execution)
Async jobs — email code delivery and validation, session minting and revocation, payment intents, account recovery, and expiry sweeps — run on the self-hosted orchestrator as Absurd tasks: durable execution lives entirely in Postgres, pulled by a worker inside the orchestrator process. There is no external job service to deploy, no webhook endpoint to expose, and no event or signing keys to manage. The orchestrator needs a Postgres connection:DATABASE_MAX_CONNECTIONS (defaults to 10) for
HTTP traffic plus worker concurrency.
Build the portal (SPA assets)
The Vault Worker serves the portal SPA fromapps/portal/dist. Build it before deploying:
wrangler.toml points [assets] at ../portal/dist. The worker serves the SPA for all non-API routes.
Deploy the Vault Worker
From theapps/vault directory:
wrangler.toml already declares a route:
did.run with your own domain. Ensure the domain is added to your Cloudflare zone before deploying.
Upload the enclave WASM
The enclave WASM is served from R2. Upload it after each enclave build:ASSETS (the SPA bundle) if the R2 object is not present, so a missing WASM produces a 404 for /enclave.wasm rather than a worker crash.
Configure the SDK in your client app
Point the SDK at your deployed vault URL:D1 migrations
Apply schema migrations on first deploy and after schema changes:apps/vault/migrations/.
Indexer service binding
The vault proxies indexer queries to thehyperauth-indexer worker via a service binding. If you do not run a separate indexer worker, set INDEXER_URL instead:
[[services]] binding from wrangler.toml if you use INDEXER_URL exclusively.
Local development
http://localhost:8787. The SDK defaults (/api/bundler, /api/indexer, /enclave.wasm) resolve against the same origin, so a React app proxied to port 8787 works without any additional configuration.