🏗️ Architecture
Sunray Architecture
Three independent components covering every layer of secure access.
The three components
Each component plays a precise role in the Zero Trust architecture
sunray-server
Central management
- Manage users and their WebAuthn credentials
- Configure protected applications
- Distribute configuration to workers
- Manage licences
Deployed once, it is not on the critical path of user requests.
sunray-worker-fastapi
On-premise / Classic cloud
Standalone Python/FastAPI worker, deployable on any infrastructure.
Ideal if: you host on-premise, on a VM, or in a container
- Independent of Cloudflare
- Full control over infrastructure
- Compatible with Docker / Kubernetes
sunray-worker-cloudflare
Native edge
Worker deployed on the Cloudflare Workers network (200+ global PoPs).
Ideal if: your DNS is already with Cloudflare
- Minimal latency (edge execution)
- Native Cloudflare WAF integration
- Automatic scalability
Request flow
Sunray intercepts transparently in front of your applications
Request flow 
Sunray Worker CF Edge or FastAPI sunray-server Central management off critical path
User Browser
HTTP request
Sunray Worker CF Edge or FastAPI if authenticated
Your App unchanged
config sync (off request path)
sunray-server Central management off critical path Critical path (user request)
Config sync (passkeys, rules, sessions)
The Worker verifies the passkey from its local cache, without a synchronous call to the Server. If the Server goes down, Workers continue serving — zero interruption. Your app never receives unauthenticated traffic.