Separate workers
2
UI on TanStack Start, API and ingest on the existing worker.
Cloudflare-native UI rollout
Add a real browser app without collapsing the API worker you already have.
This new TanStack Start worker owns the authenticated user experience. Your existing Hono worker keeps its API key traffic, ingest surface, queues, and background jobs.
Session auth
D1
Better Auth sessions, organizations, and members share your database with the backend.
User-ready
UI
Project dashboards, admin provisioning, and session-backed API management are now part of the app surface.
What the web app owns now
Control-plane workflows
Sign in and session continuity
Browser users authenticate with Better Auth while the backend validates sessions against the same D1 data.
Project creation and membership
New projects map to Better Auth organizations so the UI can reason about owners, admins, and members.
API key lifecycle
Admins can mint, rotate, and revoke project keys without exposing machine-client flows to the browser.
Service admin provisioning
Internal operators can backfill organization mappings for legacy projects that predate the UI layer.
Deployment split
Recommended hostnames
app.<domain>TanStack Start, Better Auth routes, browser UI
api.<domain>Hono API, session-backed /v1/app/*, machine clients
hooks.<domain>Ingestion endpoints and webhook public surfaces
Better Auth
Email/password works now, and OAuth buttons are wired for Google and GitHub once secrets are present.
Server Functions
Every privileged backend call stays in server-only functions, not isomorphic loaders.
Organization Mapping
Projects now carry their organization relationship so auth and product roles stay aligned.
Cloudflare Fit
D1 bindings, wrangler environments, and preview/prod worker separation are configured.