oakallow runs on four layers:
- Cloudflare Worker handles authentication, API key verification, and permission resolution at the edge. Uses D1 for permission data and KV for key lookups.
- Fly.io hosts the API server (Node.js/Express) for tool management, token minting, approvals, execution logging, and billing.
- Supabase provides the PostgreSQL database (with Row Level Security), authentication, and file storage.
- Vercel hosts the developer dashboard and documentation.
All communication between layers uses HMAC-signed headers with a 30-second drift window for timing-safe validation.