Skip to main content

SaaS Platform

EdgeFlow SaaS Platform — manage thousands of edge devices from the cloud. Authentication, organizations, device provisioning, shadows, tunneling, fleet management, deployments, OTA updates, billing, alerts, audit logging, and real-time telemetry.

Overview

The EdgeFlow SaaS Platform extends the edge runtime into a complete cloud management solution. Each EdgeFlow device connects to the cloud via a secure WebSocket tunnel, enabling remote control, configuration sync, fleet-wide operations, and real-time monitoring — all from a centralized dashboard.

Authentication & Users

JWT authentication, multi-factor auth (TOTP), session management, API keys, and user profile management.

Learn more →

Organizations & Teams

Multi-tenant organizations with role-based access control, team management, and subscription plans.

Learn more →

Device Provisioning

Zero-touch onboarding with one-time provisioning codes. Devices auto-register with hardware and network info.

Learn more →

Device Shadows

AWS IoT-style desired/reported state synchronization. Push configuration from the cloud, get state updates from devices.

Learn more →

WebSocket Tunneling

Secure, persistent tunnels from cloud to device. Remote command execution, flow management, and GPIO control.

Learn more →

Remote Commands

Execute commands on devices from the cloud — start/stop flows, query metrics, read GPIO states, manage shadows.

Learn more →

Fleet Management

Group devices, apply bulk operations, monitor fleet health, and enforce policies across thousands of devices.

Learn more →

Telemetry & Monitoring

Real-time system metrics, flow execution history, resource monitoring, and Prometheus-compatible metric export.

Learn more →

Flow Deployments

Deploy flows with rolling, canary, and blue-green strategies. Auto-rollback, health checks, and per-device tracking.

Learn more →

OTA Updates

Over-the-air firmware updates with S3 storage, SHA256 verification, presigned URLs, and fleet-wide distribution strategies.

Learn more →

Alerts & Notifications

Configurable alert rules with metric thresholds, anomaly detection, and multi-channel notifications (email, Slack, webhooks, SMS).

Learn more →

Billing & Subscriptions

Stripe-powered billing with four plan tiers, usage tracking, quota enforcement, invoices, and payment management.

Learn more →

Audit Logging

Immutable audit trail with 30+ action types covering user, device, deployment, billing, and security events.

Learn more →

Cloud API Reference

Complete REST API with 50+ endpoints covering auth, devices, flows, deployments, billing, alerts, and edge node management.

Learn more →

Architecture

The SaaS platform uses a hub-and-spoke architecture. The cloud server acts as the hub, while each EdgeFlow device runs a lightweight SaaS client that maintains a persistent WebSocket tunnel back to the cloud. 

┌──────────────────────────────────────────────────────────────┐
│                      EdgeFlow Cloud                          │
│                                                              │
│  ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌───────────────┐   │
│  │ REST API │ │  Auth &   │ │  Shadow  │ │    Fleet      │   │
│  │ Gateway  │ │  Billing  │ │ Service  │ │  Management   │   │
│  └────┬─────┘ └────┬─────┘ └────┬─────┘ └───────┬───────┘   │
│       │             │            │               │            │
│  ┌────┴─────────────┴────────────┴───────────────┴─────────┐ │
│  │    Deployment Engine  |  OTA Service  |  Alert Engine    │ │
│  └────┬─────────────────────────────────────────┬──────────┘ │
│       │                                         │            │
│  ┌────┴─────────────────────────────────────────┴──────────┐ │
│  │              WebSocket Tunnel Server                     │ │
│  └──────┬──────────────────┬──────────────────┬────────────┘ │
│         │                  │                  │              │
│  ┌──────┴──────┐   ┌──────┴──────┐   ┌───────┴─────┐       │
│  │ PostgreSQL  │   │    Redis    │   │  S3 / MinIO │       │
│  │ TimescaleDB │   │  Sessions   │   │  Firmware   │       │
│  └─────────────┘   └─────────────┘   └─────────────┘       │
└─────────┬──────────────────┬──────────────────┬─────────────┘
          │ wss://           │ wss://           │ wss://
     ┌────┴────┐        ┌────┴────┐       ┌────┴────┐
     │ Device  │        │ Device  │       │ Device  │
     │ Pi #1   │        │ Pi #2   │       │ Pi #N   │
     └─────────┘        └─────────┘       └─────────┘

SaaS Client Components

Each EdgeFlow device runs these SaaS client components internally:

Component Purpose
Tunnel Agent Maintains persistent WebSocket connection to cloud server with heartbeat, auto-reconnect, and exponential backoff
Shadow Manager Synchronizes desired/reported device state between cloud and device via HTTP API
Command Handler Processes incoming commands from cloud (start/stop flows, query metrics, GPIO state)
Provisioning Client Handles zero-touch device registration with hardware/network auto-discovery
System Adapter Exposes system metrics (CPU, memory, temperature, disk) to the cloud

Cloud Server Components

The cloud server runs these services:

Component Technology Purpose
REST API Go / Fiber v2 50+ endpoints for device, flow, deployment, and billing management
Tunnel Server WebSocket Manages persistent device connections and command routing
Database PostgreSQL + TimescaleDB Primary data store with time-series extensions for metrics
Cache & Sessions Redis Session storage, caching, and rate limiting
Object Storage S3 / MinIO Firmware binary storage for OTA updates
Job Queue Asynq Async workers for deployments, OTA distribution, and cleanup
Billing Stripe Subscription management, payments, and invoicing
Monitoring Prometheus + Grafana Platform-level metrics and dashboards

Enabling SaaS

Enable the SaaS client on any EdgeFlow device via environment variables:

# Required
EDGEFLOW_SAAS_ENABLED=true
EDGEFLOW_SAAS_URL=saas.edgx.cloud:443

# Option 1: Pre-provisioned credentials
EDGEFLOW_DEVICE_ID=device_abc123
EDGEFLOW_API_KEY=efk_your_api_key_here

# Option 2: Auto-provision with one-time code
EDGEFLOW_PROVISIONING_CODE=PROV-XXXX-XXXX

# Optional
EDGEFLOW_SAAS_TLS=true
EDGEFLOW_SAAS_HEARTBEAT_INTERVAL=30s
EDGEFLOW_SAAS_MAX_RECONNECT_ATTEMPTS=5

Connection Lifecycle

  1. Provisioning — Device registers with cloud using a one-time code or pre-assigned credentials
  2. Tunnel Connect — WebSocket tunnel established with TLS encryption
  3. Authentication — Device sends Device ID + API Key; cloud validates within 10s timeout
  4. Shadow Sync — Initial shadow fetch and reported state update
  5. Heartbeat — 30-second ping/pong keeps connection alive
  6. Command Loop — Cloud sends commands, device responds via tunnel
  7. Periodic Sync — Shadow state re-synced every 5 minutes

REST API Endpoints

The device exposes SaaS management endpoints locally:

Method Endpoint Description
GET /api/v1/saas/config Get current SaaS configuration
PUT /api/v1/saas/config Update SaaS configuration
GET /api/v1/saas/status Connection status and heartbeat info
POST /api/v1/saas/provision Provision device with cloud
POST /api/v1/saas/connect Initiate cloud connection
POST /api/v1/saas/disconnect Disconnect from cloud

Security

  • TLS/WSS — All tunnel connections encrypted with TLS
  • API Key Authentication — SHA256-hashed keys with prefix-based identification (efk_)
  • JWT Tokens — Role-based access control for the REST API
  • AES-256-GCM — Credentials encrypted at rest using PBKDF2 key derivation
  • One-time Provisioning — Codes are single-use and expire