How secureFlows is deployed and connected in production: clients and automation tools on the left, edge
protection and the Render Docker stack in the center, encrypted storage and external services on the right. Use
this diagram when you need infrastructure detail — for a component overview see
System Components; for the product-level view (hosted login,
session vault, admin console), see Platform Architecture.
How to read this diagram
Traffic flows left to right. Browsers, mobile apps, and the JS SDK call the Session API over
HTTPS. Cloudflare terminates TLS and applies WAF rules before traffic reaches Nginx on Render.
Spring Boot handles session and management APIs, envelope encryption, and role checks before anything touches
PostgreSQL. Backups land in Backblaze B2 as ciphertext; Firebase Auth and Paddle sit behind the API — integrators
never talk to them directly.
Phase 1 (workspace setup) happens in the dashboard only — no application code.
Phase 2 (runtime) is Session API usage with a sessionToken. The legend at the
bottom lists integration rules that are architectural, not optional style choices.
Production topology — clients, edge, Render (Nginx + Spring Boot), storage, and internal services.
What each zone represents
Clients — Web, mobile, secureflows-js, and automation (n8n / Make / Zapier) using
ai-safe session endpoints. Tokens stay in memory; no identity in request bodies.
Edge — Cloudflare WAF, DDoS protection, TLS termination, and host-header checks so traffic
cannot bypass the intended entry point.
Server (Render) — Nginx gateway, Spring Boot Session API and Management API, envelope
encryption, and JWT role hierarchy (OWNER / ADMIN / USER / ANONYMOUS).
Storage — PostgreSQL for ciphertext sessions and audit metadata, daily encrypted backups to
B2, Firebase Auth for identity (internal), Paddle for billing webhooks.
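The host-header check named under the Edge and Server zones, shown as an added Nginx gateway example (not the secureFlows project's own configuration): a catch-all server block drops every request whose Host header is not the intended API hostname, so nothing reaches Spring Boot by IP address or with a forged Host. The hostname api.example.com, the container port 80 and the Spring Boot port 8080 are assumptions.

```nginx
# Added example, not secureFlows' own config. Hostname and ports are assumptions.
# Assumption: Cloudflare has already terminated TLS, and the Render container
# receives plain HTTP on port 80 from the edge.

# Catch-all for any Host header that is not the intended entry point.
# 444 closes the connection without a response, so requests addressed by raw
# IP or with a forged Host never reach the Session or Management API.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# Only the exact public hostname is forwarded to Spring Boot.
server {
    listen 80;
    server_name api.example.com;   # assumption: the public API hostname

    # Preserve the Host the client used and the address chain Cloudflare saw,
    # so Spring Boot audit metadata records the real origin of each request.
    proxy_set_header Host            $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumption: Spring Boot listen port
    }
}
```

Because the catch-all is the `default_server`, the check holds even if more hostnames are added later: each one must get its own explicit `server_name` block to be served.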