Overview
This article demonstrates how to port a Matrix homeserver from traditional infrastructure (Synapse on a VPS) to Cloudflare Workers, producing a serverless, zero-maintenance deployment in which post-quantum TLS protection is applied automatically by the platform. The proof of concept maps PostgreSQL to D1, Redis to KV, and the filesystem to R2, and uses Durable Objects for operations that must be atomic; the result is a dramatic cost reduction and low-latency access worldwide.
What You'll Learn
- How to map traditional stateful infrastructure components (PostgreSQL, Redis, filesystem) to Cloudflare's serverless primitives (D1, KV, R2)
- Why different data in a Matrix homeserver requires different consistency guarantees, and how to choose the right storage primitive for each
- How post-quantum TLS protection works automatically on Cloudflare Workers using X25519MLKEM768 hybrid key agreement
- How to use Durable Objects to achieve strong consistency and atomicity for operations such as one-time encryption key claims
- When to remove foreign key constraints in favor of application-level referential integrity in eventually consistent databases
Prerequisites & Requirements
- Understanding of the Matrix protocol and homeserver architecture (event-based decentralized communication)
- Familiarity with serverless computing concepts and Cloudflare Workers platform
- Understanding of end-to-end encryption, TLS, and cryptographic key exchange
- Cloudflare account with access to Workers, D1, KV, R2, and Durable Objects
- Experience with TypeScript and deploying applications with Wrangler CLI
- Basic understanding of OAuth 2.0/OIDC authentication flows (optional)
Key Questions Answered
- Can a Matrix homeserver run on Cloudflare Workers as a serverless application?
- How does the serverless Matrix homeserver handle storage consistency without PostgreSQL?
- What is post-quantum cryptography, and how does it protect Matrix messages on Cloudflare Workers?
- How much does a serverless Matrix homeserver cost compared to a traditional VPS deployment?
- Why were foreign key constraints removed from the D1 database in the Matrix homeserver?
- What is Sliding Sync, and why does it matter for mobile Matrix clients?
- How do Durable Objects handle atomic one-time key claims in Matrix E2EE?
- What can the Matrix homeserver operator see when messages are end-to-end encrypted?
Key Actionable Insights
1. Map traditional infrastructure components to Cloudflare serverless primitives according to each component's consistency requirements rather than looking for a single replacement: PostgreSQL maps to D1 for relational queries, Redis to KV for ephemeral state with TTLs, the filesystem to R2 for object storage, and mutexes to Durable Objects for atomic operations. This pattern applies to porting any stateful application to serverless: analyze each storage component's consistency needs independently instead of seeking a one-size-fits-all replacement.
2. Remove foreign key constraints when using an eventually consistent database such as D1, and enforce referential integrity in application code instead. Under eventual consistency, a write to one table may not yet be visible when a subsequent write to a related table checks the foreign key, producing spurious constraint violations. This was a hard lesson the team learned during the port; any application moving from strongly consistent PostgreSQL to eventually consistent storage is likely to hit the same issue.
3. Use Durable Objects (or an equivalent single-threaded primitive) only for operations that require atomicity, such as one-time encryption key claims. Keep the scope narrow: route an operation through a Durable Object only where eventual consistency would cause a correctness problem, and let everything else flow through D1. The implementation uses Durable Objects for just three cases: E2EE key management (UserKeysObject), real-time room events (RoomObject), and to-device message queues (UserSyncObject). Being selective avoids unnecessary coordination overhead.
4. Leverage platform-provided post-quantum TLS rather than implementing it yourself. On Cloudflare Workers, X25519MLKEM768 is negotiated automatically on all TLS 1.3 connections, so there is no need to upgrade OpenSSL/BoringSSL, configure cipher suites, test client compatibility, or monitor TLS negotiation failures. Chrome, Firefox, and Edge all support X25519MLKEM768, and mobile apps that use the platform TLS stack inherit that support. The security posture improves automatically as Cloudflare's PQC deployment expands.
5. Implement Sliding Sync for mobile Matrix clients to cut the initial sync payload dramatically. Instead of transferring megabytes of room data on connection, serve only the 20 most recent rooms with minimal state and send deltas as the user scrolls through the room list. Combined with edge execution, this lets mobile clients connect and render their room list in under 500 ms even on slow networks, whereas a traditional full sync drains battery and data plans.
6. Design two independent encryption layers: a transport layer (TLS) that protects data in transit and can be upgraded to post-quantum, and an application layer (E2EE) that protects message content end to end. The server operator then never sees plaintext, whatever the trust level of the infrastructure. In this architecture the Worker terminates TLS but receives only Megolm ciphertext; even if TLS were compromised, message content would remain protected by E2EE. Because the layers are independent, upgrading one does not affect the other.
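The second insight (referential integrity in application code) is easier to see with a concrete check-then-write. The following is an added example, not code from the article or its project: `RoomStore` and `LaggyMemoryStore` are assumptions standing in for D1 (whose real calls are awaited), and the "lag" only imitates a read that has not yet seen an earlier write. It shows why a single naive existence check would reject a perfectly valid event, why the check is retried a bounded number of times, and how a delete without `ON DELETE CASCADE` has to remove children explicitly.

```typescript
// Added example (not the project's code): room -> event referential integrity
// enforced in application code instead of a FOREIGN KEY. RoomStore and
// LaggyMemoryStore are assumptions standing in for D1; the real D1 calls are
// awaited, and the "lag" here only imitates a read that has not yet seen a write.

interface MatrixEvent { eventId: string; roomId: string; type: string; }

interface RoomStore {
  roomExists(roomId: string): boolean;
  insertEvent(ev: MatrixEvent): void;
  deleteEvents(roomId: string): number;   // returns how many rows were removed
  deleteRoom(roomId: string): void;
}

type InsertResult = { ok: true; attempt: number } | { ok: false; error: string };

// In-memory stand-in with simulated replication lag: a newly created room stays
// invisible to roomExists() for the next `lagReads` lookups, then becomes visible.
class LaggyMemoryStore implements RoomStore {
  private rooms = new Map<string, number>();           // roomId -> reads until visible
  private events = new Map<string, MatrixEvent[]>();
  private lagReads: number;
  constructor(lagReads: number) { this.lagReads = lagReads; }

  createRoom(roomId: string): void { this.rooms.set(roomId, this.lagReads); }

  roomExists(roomId: string): boolean {
    const remaining = this.rooms.get(roomId);
    if (remaining === undefined) return false;
    if (remaining > 0) { this.rooms.set(roomId, remaining - 1); return false; }
    return true;
  }
  insertEvent(ev: MatrixEvent): void {
    const list = this.events.get(ev.roomId) ?? [];
    list.push(ev);
    this.events.set(ev.roomId, list);
  }
  deleteEvents(roomId: string): number {
    const n = this.events.get(roomId)?.length ?? 0;
    this.events.delete(roomId);
    return n;
  }
  deleteRoom(roomId: string): void { this.rooms.delete(roomId); }
  eventCount(roomId: string): number { return this.events.get(roomId)?.length ?? 0; }
}

// The parent check is done in code and retried a bounded number of times, so a
// room that is merely not yet visible is not mistaken for a missing one. A
// Worker would await a short backoff between attempts and map a failure to a 4xx.
function insertEventChecked(store: RoomStore, ev: MatrixEvent, maxAttempts = 3): InsertResult {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    if (store.roomExists(ev.roomId)) {
      store.insertEvent(ev);
      return { ok: true, attempt };
    }
  }
  return { ok: false, error: `room ${ev.roomId} not visible after ${maxAttempts} attempts; orphan event ${ev.eventId} refused` };
}

// Without ON DELETE CASCADE the children must be removed explicitly, and children
// first, so an interrupted delete never leaves events pointing at a vanished room.
function deleteRoomChecked(store: RoomStore, roomId: string): number {
  const removed = store.deleteEvents(roomId);
  store.deleteRoom(roomId);
  return removed;
}

// Constructed walk-through: a lag of two reads means a single naive check would
// have rejected the first event even though its room was just created.
function demo(): { attempt: number; orphanRefused: boolean; removed: number } {
  const store = new LaggyMemoryStore(2);
  store.createRoom("!room1:example.test");
  const first = insertEventChecked(store, { eventId: "$ev1", roomId: "!room1:example.test", type: "m.room.message" });
  const orphan = insertEventChecked(store, { eventId: "$ev2", roomId: "!missing:example.test", type: "m.room.message" });
  const removed = deleteRoomChecked(store, "!room1:example.test");
  return { attempt: first.ok ? first.attempt : -1, orphanRefused: !orphan.ok, removed };
}
```

The retry bound is what keeps this honest: an unbounded loop would turn a genuinely missing parent into a hang, while a single check turns replication lag into a spurious "room not found". Returning a result object rather than throwing mirrors how a Worker handler would map the failure to an HTTP error.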
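The third insight (Durable Objects for atomic one-time key claims) comes down to a read-and-remove that must not interleave with another claim. The block below is an added example and not the project's `UserKeysObject`: `UserKeysState` and its Maps stand in for the object's storage, and the key ids and key material are constructed placeholders. It models what a Durable Object can do safely because the platform delivers requests to one object instance serially, and it also covers the pool-exhausted case by serving a fallback key, which is Matrix behaviour the article does not discuss.

```typescript
// Added example (not the project's UserKeysObject): the claim logic a Durable
// Object can run without a race, because requests to a given object instance
// are handled one at a time. UserKeysState and its Maps stand in for the
// object's storage API; key ids and key material are constructed placeholders.
// In a Worker the instance would be selected per user, e.g. via idFromName(userId).

interface OneTimeKey { keyId: string; key: string; }   // keyId like "signed_curve25519:AAAAAQ"

type ClaimResult =
  | { kind: "one_time"; keyId: string; key: string }
  | { kind: "fallback"; keyId: string; key: string }   // reusable key served once the pool is empty
  | { kind: "none" };

class UserKeysState {
  private oneTime = new Map<string, OneTimeKey[]>();   // deviceId -> unclaimed keys, upload order
  private fallback = new Map<string, OneTimeKey>();    // deviceId -> current fallback key

  // Upload is idempotent per key id, so a retried request cannot double-count.
  uploadOneTimeKeys(deviceId: string, keys: OneTimeKey[]): number {
    const pool = this.oneTime.get(deviceId) ?? [];
    const known = new Set(pool.map(k => k.keyId));
    for (const k of keys) {
      if (!known.has(k.keyId)) { pool.push(k); known.add(k.keyId); }
    }
    this.oneTime.set(deviceId, pool);
    return pool.length;     // the count a client uses to decide whether to top up
  }

  setFallbackKey(deviceId: string, key: OneTimeKey): void { this.fallback.set(deviceId, key); }

  // Read-and-remove in one step. Serialized execution means two concurrent
  // claimers can never both observe the same key: the second call already sees
  // the shortened pool. Done against D1 as a SELECT followed by a DELETE, both
  // claimers could be handed the same key.
  claimOneTimeKey(deviceId: string): ClaimResult {
    const pool = this.oneTime.get(deviceId);
    if (pool && pool.length > 0) {
      const k = pool.shift() as OneTimeKey;
      return { kind: "one_time", keyId: k.keyId, key: k.key };
    }
    const fb = this.fallback.get(deviceId);
    if (fb) return { kind: "fallback", keyId: fb.keyId, key: fb.key };
    return { kind: "none" };
  }

  remaining(deviceId: string): number { return this.oneTime.get(deviceId)?.length ?? 0; }
}

// Constructed walk-through: two keys (one uploaded twice) plus a fallback,
// then three claims in a row.
function demoClaims(): ClaimResult[] {
  const s = new UserKeysState();
  s.uploadOneTimeKeys("DEVICE1", [
    { keyId: "signed_curve25519:AAAAAQ", key: "<placeholder-key-1>" },
    { keyId: "signed_curve25519:AAAAAg", key: "<placeholder-key-2>" },
    { keyId: "signed_curve25519:AAAAAQ", key: "<placeholder-key-1>" },   // duplicate, ignored
  ]);
  s.setFallbackKey("DEVICE1", { keyId: "signed_curve25519:FALLBACK", key: "<placeholder-fallback>" });
  return [s.claimOneTimeKey("DEVICE1"), s.claimOneTimeKey("DEVICE1"), s.claimOneTimeKey("DEVICE1")];
}
```

The security property is that each one-time key is handed out at most once; handing the same key to two peers would let one session's pre-key be reused, which is exactly what the per-user serialization in a Durable Object prevents without any locking code of its own.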
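The fifth insight (Sliding Sync) is about two things at once: clamping the initial response to a window of the most recent rooms, and remembering per connection what has already been delivered so that later requests carry only deltas. The following is an added example and not the article's implementation; the room records are constructed and the `pos`/`ops` shape is a simplification of the real sliding-sync wire format. It shows the first request for `[0, 19]` costing 20 rooms regardless of account size, a repeated request costing nothing, a scroll costing only the newly visible rooms, and a new message causing just that one room to be resent.

```typescript
// Added example (not the article's implementation): a minimal model of the
// sliding-sync window and the per-connection delta state a server keeps so a
// client receives each room's data once and then only when it changes. Room
// records are constructed; the ops/pos shape is simplified from the real API.

interface RoomSummary { roomId: string; name: string; lastActivityTs: number; }

interface WindowResponse {
  pos: number;                                          // token the client echoes next time
  ops: { op: "SYNC"; range: [number, number]; roomIds: string[] }[];
  rooms: Record<string, RoomSummary>;                   // only rooms that are new or changed
}

class SlidingSyncConnection {
  private delivered = new Map<string, number>();        // roomId -> lastActivityTs already sent
  private pos = 0;

  // Rooms are ordered by recency and clamped to the requested range, so the
  // first request for [0, 19] costs 20 rooms however many the user has joined.
  request(allRooms: RoomSummary[], range: [number, number]): WindowResponse {
    const ordered = [...allRooms].sort((a, b) => b.lastActivityTs - a.lastActivityTs);
    const [start, end] = range;
    const slice = ordered.slice(start, end + 1);
    const rooms: Record<string, RoomSummary> = {};
    for (const r of slice) {
      const seen = this.delivered.get(r.roomId);
      if (seen === undefined || r.lastActivityTs > seen) {
        rooms[r.roomId] = r;                            // new to this connection, or changed since
        this.delivered.set(r.roomId, r.lastActivityTs);
      }
    }
    this.pos += 1;
    return { pos: this.pos, ops: [{ op: "SYNC", range, roomIds: slice.map(r => r.roomId) }], rooms };
  }
}

// Constructed account with n rooms whose activity timestamps increase with index.
function makeRooms(n: number): RoomSummary[] {
  const rooms: RoomSummary[] = [];
  for (let i = 0; i < n; i++) {
    rooms.push({ roomId: `!room${i}:example.test`, name: `Room ${i}`, lastActivityTs: i * 1000 });
  }
  return rooms;
}

// Walk-through: initial window, a repeated request, a scroll, then one new message.
function demoSliding(): number[] {
  const rooms = makeRooms(50);
  const conn = new SlidingSyncConnection();
  const sizes: number[] = [];
  sizes.push(Object.keys(conn.request(rooms, [0, 19]).rooms).length);   // 20: first view
  sizes.push(Object.keys(conn.request(rooms, [0, 19]).rooms).length);   // 0: nothing changed
  sizes.push(Object.keys(conn.request(rooms, [20, 39]).rooms).length);  // 20: scrolled down
  rooms[0].lastActivityTs = 1000000;                                     // room0 gets a new message
  sizes.push(Object.keys(conn.request(rooms, [0, 19]).rooms).length);   // 1: only room0 resent
  return sizes;
}
```

The `ops` list always describes the full window so the client can reorder its list, while `rooms` carries payload only for what the connection has not delivered before; that split is what keeps the repeated and scrolled requests small.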