Edge Service

The Edge Service is the authentication and routing layer that sits at the Cloudflare edge boundary, protecting and proxying traffic to FloatMe’s identity provider (Auth0). It hosts four Cloudflare Workers that handle authentication proxying, mobile app deeplink routing, SMS text-me-the-app flows, and backoffice admin authentication. The service also manages Auth0 policy enforcement through three custom actions that layer security checks (MFA determination, IP capture, and MFA enablement) on top of Auth0’s base functionality.

What This Service Owns

| Domain | Responsibility |
| --- | --- |
| Auth Proxying | Cloudflare Worker proxy for all mobile app authentication requests to Auth0, with Castle fraud detection and scope/secret injection |
| Backoffice Authentication | Separate Auth0 proxy and authentication flow for internal administrative console access |
| Deeplink Routing | URL pattern matching and rewriting from links.floatme.io to floatme:// deeplink format |
| SMS Text-Me-The-App | Twilio integration for sending app download links via SMS from floatme.com |
| Auth0 Policy Enforcement | Custom actions for MFA challenge determination, MFA enrollment flagging, and IP metadata capture |

Workers

| Worker | Domain | Purpose |
| --- | --- | --- |
| Auth | auth.floatme.io (prod), auth.test.floatme.io (test) | Proxy for mobile app authentication requests to Auth0; injects credentials, scopes, and realms; consults Castle for fraud detection on login attempts |
| Backoffice Auth | auth.backoffice.floatme.io (prod), auth.backoffice.test.floatme.io (test) | Authentication endpoint for internal admin console; routes to Auth0 backoffice tenant |
| SMS (Text-Me-The-App) | sms.floatme.io (prod), sms.test.floatme.io (test) | Accepts SMS requests from floatme.com and dispatches Twilio messages with app download links |
| Links | links.floatme.io (prod), links.test.floatme.io (test) | Rewrites incoming URLs to floatme:// deeplink format; hosts .well-known/ files (AASA, assetlinks.json) for app ownership verification |

Auth0 Components

| Action | Trigger | Purpose |
| --- | --- | --- |
| mfa_action.js | Post-Login | Determines if the user login should require MFA challenge; skips MFA for new users (signup flow), integration test users, and refresh token flows; enforces MFA if user has auth_require_mfa flag set |
| enable_mfa.js | Pre-User Registration | Sets auth_require_mfa and uses_new_mfa_action flags on user app metadata during signup to enable MFA enforcement on future logins |
| add_ip_to_metadata.js | Post-Login | Captures the user’s login IP address into user metadata; used by downstream services for fraud detection and geographic tracking |
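The decision order described for mfa_action.js, sketched as an added example that is not the service's own code: the skip conditions are evaluated before the auth_require_mfa check, and the decision is a pure function so it can be tested outside Auth0. The `integration_test_user` key, the use of `logins_count === 1` to detect the signup flow, and the sample events are assumptions; the page does not say how the real action recognises these cases.

```javascript
// Added example, not FloatMe's mfa_action.js. How new users and integration
// test users are recognised is an assumption; the page does not say.
const TEST_USER_FLAG = "integration_test_user"; // hypothetical app_metadata key

// Pure decision function so the policy can be tested outside Auth0.
function decideMfa(event) {
  const meta = (event.user && event.user.app_metadata) || {};
  const protocol = event.transaction && event.transaction.protocol;
  const logins = event.stats ? event.stats.logins_count : undefined;

  // Refresh token exchanges have no interactive user to challenge.
  if (protocol === "oauth2-refresh-token") {
    return { challenge: false, reason: "refresh_token" };
  }
  // Assumption: the first recorded login is the signup flow.
  if (logins === 1) return { challenge: false, reason: "new_user" };
  // Assumption: the exemption is read from app_metadata, which only the
  // tenant can write, not from user-editable user_metadata.
  if (meta[TEST_USER_FLAG] === true) {
    return { challenge: false, reason: "integration_test" };
  }
  // Flag written by the Pre-User Registration action (enable_mfa.js).
  if (meta.auth_require_mfa === true) {
    return { challenge: true, reason: "auth_require_mfa" };
  }
  return { challenge: false, reason: "flag_not_set" };
}

// Auth0 Post-Login entry point: turn the decision into an MFA challenge.
async function onExecutePostLogin(event, api) {
  const decision = decideMfa(event);
  if (decision.challenge) api.multifactor.enable("any");
  return decision;
}
if (typeof module !== "undefined") {
  module.exports.onExecutePostLogin = onExecutePostLogin;
}

// Constructed sample events (not real Auth0 payloads from the service).
const SAMPLE_EVENTS = {
  returning: { user: { app_metadata: { auth_require_mfa: true } },
               stats: { logins_count: 7 }, transaction: { protocol: "oidc-basic-profile" } },
  signup: { user: { app_metadata: { auth_require_mfa: true } },
            stats: { logins_count: 1 }, transaction: { protocol: "oidc-basic-profile" } },
  refresh: { user: { app_metadata: { auth_require_mfa: true } },
             stats: { logins_count: 7 }, transaction: { protocol: "oauth2-refresh-token" } },
};
```

Because every skip branch bypasses the challenge even when auth_require_mfa is set, each one is worth a unit test and a review of who can write the value it reads.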

Documentation