Architecture reference

System Components

secureFlows is a hosted per-user data layer: your application talks to a Session API over HTTPS while the platform handles identity, envelope encryption, tenant isolation, lifecycle policy, and audit. Nothing sensitive is trusted from the client — workspace context and roles are derived server-side from short-lived tokens.

Technical introduction

From an engineering perspective, secureFlows is not a library you embed for security. It is a managed boundary between your app and user-owned payload: clients hold a sessionToken in memory, call ai-safe session endpoints, and never send userId or workspaceId in request bodies. The Management API (workspaces, applications, invites, users, audit) is separate, JWT-gated, and intended for operators — not end-user runtime traffic.

Payload is encrypted with workspace-level keys before it reaches PostgreSQL. Backups, raw disk access, and cross-tenant queries only ever see ciphertext. Firebase Auth and Paddle are internal dependencies; integrators interact solely with secureFlows APIs. For the product-level view (hosted login, session vault, admin console), see Platform Architecture. For ports, endpoints, and deployment topology, see System Architecture.

secureFlows system components diagram — clients, Cloudflare edge, Nginx and Spring Boot application server, PostgreSQL and external services, with security and key management below
System components — secure by design. Traffic flows left to right; security controls span every layer.

The four zones

Read the diagram left to right. Each column is a trust boundary — not a box you wire up yourself, but a layer the platform owns and enforces.

Session usage flow

The component diagram above shows what exists. This sequence shows how runtime works once your app is integrated: hosted login establishes identity, your client holds a short-lived token, and every data operation goes through the Session API — never directly to storage or Firebase.

Session usage flow sequence diagram — user app, Cloudflare, Nginx, Session API, encrypted storage, and hosted login
Session usage flow — from first app open through hosted login, in-memory token, Session API calls, and UI update. Simple, secure, private.

Follow the numbered steps. Orange arrows are browser redirects (login); blue arrows are HTTPS API calls; green arrows are encrypted reads and writes inside the platform boundary.

  1. User opens the app No session yet — your application loads in the browser or on mobile. You do not show a login form or collect credentials; secureFlows owns authentication.
  2. Redirect to hosted login Send the user to secureFlows hosted login over HTTPS (typically via your app's registered redirect URI). Cloudflare and Nginx sit in front; the user never talks to Firebase or your backend for sign-in.
  3. Return sessionToken After successful authentication, hosted login redirects back to your app with a short-lived session JWT in the callback URL. Your app extracts it once — do not decode it client-side for identity or roles.
  4. Store token in memory only Keep the sessionToken in a JavaScript variable or in-memory app state — never in localStorage, sessionStorage, or cookies. This limits XSS blast radius: a stolen token expires; persisted tokens do not.
  5. Call the Session API Every read/write uses Authorization: Bearer <sessionToken> over HTTPS. Use ai-safe endpoints such as GET /sessions/get/{key} and POST /sessions/set/{key}. Do not send userId or workspaceId in the body — the server derives identity from the token.
  6. Validate token Spring Boot verifies the JWT signature, expiry, and tokenRevision (instant revocation). Invalid or expired tokens return HTTP 410 Gone — the session data is still intact; redirect the user through hosted login again to obtain a fresh token.
  7. Read / write encrypted session data On a valid token, the API decrypts workspace payload in memory, applies the operation, re-encrypts, and persists ciphertext to PostgreSQL. Raw database or backup access never yields readable content for another tenant.
  8. Return JSON response The API responds with JSON (session keys, values, or metadata as defined by the endpoint). The response travels back through Nginx and Cloudflare to your client — still over HTTPS only.
  9. Update the UI Your app renders state from the response. Repeat steps 5–9 for each operation. For browser logout, use a top-level redirect to GET /auth/logout — not fetch — so refresh tokens are revoked server-side.

What the flow enforces

HTTPS only All client traffic is TLS-terminated at the edge; no plaintext session operations.
Token in memory only No durable client-side token storage — architectural requirement, not a recommendation.
No localStorage Avoids long-lived token theft via XSS; pair with CSP and minimal third-party scripts in production.
Encrypted at rest Payload is envelope-encrypted per workspace before it reaches PostgreSQL or backups.
Identity from token User, workspace, application, and role context are resolved server-side — never trusted from request bodies.
Zero trust Each API call re-validates the token and tenant boundary; there is no implicit trust after login.

Security & key management

The bottom band summarizes controls that are architectural — not optional configuration. They are never exposed to client code or third-party integrators.

Envelope encryption Workspace-scoped keys; payload encrypted before write, decrypted in memory on read.
Short-lived JWT Session tokens with server-side revocation via tokenRevision; HTTP 410 means re-login, not data loss.
RBAC OWNER → ADMIN → USER → ANONYMOUS hierarchy enforced on every Management API call.
Audit & monitoring API access and admin payload reads are logged; analytics surfaces metadata only.
Least privilege Automation clients are restricted to ai-safe session endpoints; identity always from the token.
Zero trust Cross-tenant access is architecturally impossible — isolation is enforced in the API and storage layers, not by policy alone.