Cloudflare's Greatest Hits

Transcript

1. Cloudflareʼs Greatest Hits 15 minutes of things worth knowing Ade

   Oshineye

2. Earned Secrets

3. Region: Earth One global network · 330+ cities · zero

   infrastructure to manage

4. Horizontal scaling by default No regions to pick, no servers

   to size — the network is the computer. No single point of failure Every request runs on the nearest available machine. No origin server, no load balancer bottleneck, no region to choose. Zero cold starts V8 isolates spin up in under 5ms. No containers to boot, no VMs to warm. Your code is always ready. Scale to any traffic shape From 1 request per day to millions per second. The platform handles concurrency — you write single-threaded code.

5. What's a Worker? Your code runs in a V8 isolate

   on the machine closest to the user. worker.ts export default { async fetch(request) { // Your code runs here return new Response("Hello!") }, } Near-zero cold starts V8 isolates spin up in under 5ms — no containers to boot, no VMs to provision. Runs everywhere Deployed to 330+ cities instantly, executing on the machine closest to each request. Standard web APIs fetch, Request, Response, Streams, WebSocket, WebCrypto — the APIs you already know. Scales to zero No idle costs. Pay per request, from zero to millions per second — the platform handles it.

6. Everything* is a Worker Everything composes up from one primitive.

   1 Worker The base primitive — a stateless HTTP server, one V8 isolate per request. 2 Durable Object A stateful, single-threaded singleton on the Workers runtime, with embedded SQLite. 3 Agents SDK · Workflows · Sandboxes · Artifacts Higher-level primitives — all built on Durable Objects and Workers. One primitive, composed all the way up

7. Durable Objects are units of coordination A single-threaded, strongly consistent,

   globally addressable unit of compute + storage. Single-threaded guarantee No concurrent access. One request at a time per object. Eliminates race conditions by design. Transactional storage Built-in key-value and SQLite storage with ACID transactions. State lives with the compute. Globally addressable Any Worker anywhere can reach any object by ID. The platform routes to the right location. WebSocket hibernation Hold thousands of WebSocket connections per object. Pay only when messages arrive.

8. Bindings: object capabilities meet RPC The connection layer between Workers

   and platform services combines two powerful ideas. SECURITY MODEL Object capabilities LEAST AUTHORITY A Worker can only access what it has been explicitly granted. NO AMBIENT CREDENTIALS No global secrets, no shared credential store. IF YOU DON'T BIND IT It simply doesn't exist for that Worker. INVOCATION MODEL RPC system REMOTE AS LOCAL Call methods on remote services as if they were in-process. TYPESAFE Zero-serialization overhead, fully typed across services. NATIVE TARGETS Workers, Durable Objects, and platform services. Bind to KV · Durable Objects · D1 · R2 · Service Bindings · Secrets · Browser · Queues

9. Brains and hands Anthropic asked us to rethink the separation

   of the agent and the world Harness and agent are the brain Everything else is the hands Whatʼs the right relationship for agents, harnesses and tools?

10. Gloves: Credential Brokering and Outbound Workers What about a place

    to store secrets? A broker that hands secrets to the correct Worker is good but not enough for todayʼs agents What about something that can safely use those secrets? Just another Worker Used as an intercepting proxy and a capability for doing dangerous work You write the code inside it

11. Composable primitives unlock new powers Code Mode: what if you

    could reduce the token overhead of the tools used in your MCP servers by 99%? Artifacts: what if you had Github as a service?

12. Flue and the principle of least power: sometimes all you

    need is a workflow Agents: non-deterministic, potentially expensive and controlled via evals Workflows: known set of deterministic and durable steps

13. The principle of least power and the Execution Ladder 1

    Tier 4  Sandbox Full Linux container. Spins up only for the rare task that truly requires it. 2 Tier 3  Browser Headless browsing and web interaction when the task needs the live web. 3 Tier 2  Worker + npm Run code with package dependencies in an isolate. 4 Tier 1  Dynamic Worker Execute generated code in a sandboxed isolate, no network. 5 Tier 0  Workspace Cheap, fast, fully sandboxed by default. Where most tasks live and finish. Secure by default · additive capability · cost follows need — escalation is the exception

14. What does the future look like?

15. None

16. New architectures, new economics and new Secrets