Cloudflare just published a vibe-coded blog post claiming they implemented Matrix on Cloudflare Workers. They didn't; their post and README are AI generated and the code doesn't do any of the core parts of Matrix that make it secure and interoperable. Instead it's littered with 'TODO: Check authorisation' and similar

blog.cloudflare.com/serverless

Let me just pick a few examples from the code, because this is so bad

This is a core part of the protocol, that's not exactly simple (spec.matrix.org/v1.17/server-s)

They just have TODO comments, and happily accept anything, even if it's blatantly forged

Rather than implementing the critical state resolution algorithm that's the core of Matrix, they just directly insert the latest state into the database. That'll instantly lead to diverging views of the room and incompatibility with every other implementation - and it's also a massive security hole.

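An added illustration of the divergence described in the post above (not code from the thread, from Cloudflare, or from any homeserver): two servers receive the same pair of conflicting state events in different orders. Overwriting on arrival leaves them with different room state, while any arrival-independent ordering converges. The `sender_power` field and the tie-break rule are assumptions for this toy; Matrix's real state resolution also walks the event graph and applies authorization rules.

```javascript
// Constructed sample events: two servers set the room topic concurrently.
// `sender_power` is a hypothetical field standing in for the sender's power level.
const e1 = { event_id: "$aaa", type: "m.room.topic", state_key: "",
             sender_power: 50, origin_server_ts: 1000 };
const e2 = { event_id: "$bbb", type: "m.room.topic", state_key: "",
             sender_power: 100, origin_server_ts: 1001 };

// Room state is keyed by (type, state_key).
const keyOf = (ev) => `${ev.type}\u0000${ev.state_key}`;

// "Insert the latest state": whichever event arrives last overwrites the row.
function applyOnArrival(events) {
  const state = new Map();
  for (const ev of events) state.set(keyOf(ev), ev.event_id);
  return state;
}

// Toy total order that does not depend on arrival order. Later in the
// sort wins: higher power, then later timestamp, then larger event_id.
function compareEvents(a, b) {
  if (a.sender_power !== b.sender_power) return a.sender_power - b.sender_power;
  if (a.origin_server_ts !== b.origin_server_ts) return a.origin_server_ts - b.origin_server_ts;
  return a.event_id < b.event_id ? -1 : a.event_id > b.event_id ? 1 : 0;
}

// Every server sorts the same conflicting set the same way before applying it.
function resolveDeterministically(events) {
  return applyOnArrival([...events].sort(compareEvents));
}

function sameState(a, b) {
  if (a.size !== b.size) return false;
  for (const [k, v] of a) if (b.get(k) !== v) return false;
  return true;
}

function demo() {
  const arrivalAtA = [e1, e2]; // server A sees e1 first
  const arrivalAtB = [e2, e1]; // server B sees e2 first
  return {
    naiveDiverges: !sameState(applyOnArrival(arrivalAtA), applyOnArrival(arrivalAtB)),
    resolvedAgrees: sameState(resolveDeterministically(arrivalAtA),
                              resolveDeterministically(arrivalAtB)),
    winner: resolveDeterministically(arrivalAtA).get(keyOf(e1)),
  };
}

console.log(demo());
```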

Oh and to top things off, they make trivially false claims in their post. Tuwunel and its predecessors do not and have never used Postgres or Redis.

Honestly this is almost insulting to me, as someone who has spent a nontrivial amount of effort developing a Matrix homeserver, with how low effort it is. And what’s the point? Marketing? I’m not gonna be trusting anything Cloudflare after this.

The pricing comparisons are stupid, by the way, too - a bunch of us in the matrix chatrooms got out how many HTTP requests per day we were serving and the per-request cost of Workers would be more expensive than dedicated VPSs - not even counting CPU time or storage costs!

For those of you that don't know, I develop continuwuity.org - a Rust based Matrix homeserver that actually works, and that you can run on a Raspberry Pi, rather than someone else's centralized cloud infrastructure

I'm also giving a talk about some of the actual work that goes into building this software in a few days at FOSDEM, if you want to learn more:

tech.lgbt/@JadedBlueEyes/11595

@JadedBlueEyes it’s wildebeest (cloudflare fedi software that leaked dms to the public) all over again

@JadedBlueEyes eeeew yuck that’s so fucking embarrassing. not like those feds had any reputation to worry about whatsoever, but still

@JadedBlueEyes

> I’m not gonna be trusting anything Cloudflare after this.

as if you should’ve been doing this in the first place

@JadedBlueEyes And even if they did, centralize a decentralised system on Cloudflare, what a good idea

@lexinova @JadedBlueEyes I think it is fundamentally interesting to try and port software to run on cloudflare workers. Like, it’s a stack with very different assumptions and tradeoffs. Having alternatives is always nice. I don’t think it’s bad for this to exist. I don’t see how that leads to centralization.

But the execution is bad. Lmao.

@sodiboo @JadedBlueEyes because Cloudflare owns half of the internet?

if it's not centralizing even more ... what is this?

@tauon @JadedBlueEyes true but this is the giant rock excavator hitting a whole new substrate of rock bottom

@JadedBlueEyes The comments under this commit make it at least a bit funnier

@wyldtom @JadedBlueEyes for me the funniest part is

> a serverless architecture where operations disappear, costs scale to zero when idle, and every connection is protected by post-quantum cryptography by default.

I don't know about the post-quantum cryptography, but I'll grant them that their homeserver is serverless and costs scale to zero (on account of it not existing)

@elilla @wyldtom @JadedBlueEyes Not even a quantum computer can get your data from the system without authorisation.

@flesh @wyldtom @JadedBlueEyes Cloudflare truly has mastered the definite Matrix security approach (not sending messages at all)

@JadedBlueEyes We need more of this kind of public shaming!

And what happened to Cloudflare implementing AI training countermeasures etc.?

@matrix @JadedBlueEyes I do understand that matrix.org should really not pile on and at least maintain a good relationship with cloudflare, but this blogpost seems a bit too starry-eyed about cloudflare building a shitty excuse for a matrix server and having the audacity of calling their crap a "serverless" matrix server.

Also, like mentioned elsewhere in this thread: even if cf built something halfway decent, that really just gives them a position where they can vendorlock anyone who uses it.

@JadedBlueEyes this whole thing is so bad. The title makes it seem like they updated the matrix protocol to use post-quantum cryptography, but all they did was toggle a switch for cloudflare TLS connections

@JadedBlueEyes This is literally how some of the pull requests look today at work. People vibe code; don't even look at the output; git push if the app works; ask for review/approvals; get annoyed when you question why there are two identical files; pass your comments to the bot; push again without checking when it finishes; manager advises you to tame down your perfectionism; also asks why you do fewer tickets than others.

@JadedBlueEyes So, in layman's terms, does this mean they claimed they did a thing but did not actually do the thing, and no one checked whether they did the thing before they published the blog claiming they did the thing?

@Legit_Spaghetti Yep. They claimed to do an extremely hard thing which is notorious for having security issues, and did not do it.

@JadedBlueEyes I stopped reading after:
"But there is a "tax" to running it. Traditionally, operating a Matrix homeserver has meant accepting a heavy operational burden. You have to provision virtual private servers (VPS), tune PostgreSQL for heavy write loads, manage Redis for caching, configure reverse proxies, and handle rotation for TLS certificates. It’s a stateful, heavy beast that demands to be fed time and money, whether you’re using it a lot or a little."

Mine runs on a small NAS 🤷‍♂️

@JadedBlueEyes don't worry

"* This post was updated at 11:45 a.m. Pacific time to clarify that the use case described here is a proof of concept and a personal project. Some sections have been updated for clarity."

@JadedBlueEyes

"build a serverless home server" is the most fucking brainrot, dipshit, nonsense thing I've read in a while

@JadedBlueEyes It started off okay, mostly because they said it was a proof of concept and an experiment, but then I saw that “it is arguably one of the most secure ways to deploy a homeserver today” and just
lmfao

Sven Slootweg, low-spoons mode ("still kinky and horny anyway")

@JadedBlueEyes This is almost a minor criticism in comparison to all the other crap, but I am so sick of companies calling things 'serverless' when what they really mean is "servers, but only ours and they're really opaquely billed and impossible to replace with someone else's servers so you're stuck with us, and also they're managed in a totally custom way so none of your normal sysadmin skills are portable to it but you still have to learn how to manage it"

@JadedBlueEyes @joepie91 we've just gone back to managed databases again: overpriced, billed by metrics that aren't easy to price, and totally impossible to manage.

@JadedBlueEyes I remember how they did the same thing for ActivityPub, and it looked (and worked lol) like a very, very cheap & bad Mastodon clone

To scale: it showed DMs in public timelines

github.com/cloudflare/wildebee

@JadedBlueEyes

What in absolute fuck is a serverless server
