brisk

Hosting Brisk

Brisk is one Cloudflare Worker plus R2, D1, and Durable Objects. Stand up your own instance, point it at a domain, and decide who gets in. This is the operator's page — building sites on an instance is in the docs.

Stand it up

From the repo: create the resources, apply the schema, ship the Worker. 

cd worker
npx wrangler d1 create brisk          # paste the id into wrangler.jsonc
npx wrangler r2 bucket create brisk
npx wrangler d1 migrations apply brisk --remote
pnpm --filter @brisk/sdk build        # bundle the SDK into the worker assets
npx wrangler deploy

That alone gives path-mode URLs (https://brisk.<account>.workers.dev/s/foo/) with no auth — fine on a private network. The full experience adds wildcard subdomains and a login.

Wildcard subdomains

Serve foo.brisk.example.com by adding routes on your zone and pointing BASE_HOST at the host your sites hang off of: 

"routes": [
  { "pattern": "brisk.example.com", "custom_domain": true },
  { "pattern": "*.brisk.example.com/*", "zone_name": "example.com" }
],
"vars": { "BASE_HOST": "brisk.example.com" }

You also need a wildcard DNS record (*.brisk → CNAME to the apex). The matching TLS certificate is the one part that can cost money — see Cost for the free path (keep sites one level deep, or use a dedicated domain).

Google login

Optional single sign-on for the whole instance: Google OAuth on the apex, with the session cookie scoped to the parent domain so one login covers every site subdomain.

  1. Create an OAuth client (web application) in Google Cloud Console with redirect URI https://brisk.example.com/auth/callback.
  2. Set the secrets: 
    npx wrangler secret put GOOGLE_CLIENT_ID
npx wrangler secret put GOOGLE_CLIENT_SECRET
npx wrangler secret put SESSION_SECRET     # any long random string
npx wrangler secret put DEPLOY_TOKEN       # optional, for CI
  3. In wrangler.jsonc set "AUTH": "google" and restrict who gets in: "ALLOWED_EMAIL_DOMAINS": "yourco.com" for a company, or "ALLOWED_EMAILS": "you@gmail.com" for a personal instance (never allowlist all of gmail.com). Either list admits; both empty admits anyone with a Google account.

Browsers get bounced to Google; the CLI logs in as a real person with brisk login brisk.example.com, and deploys are attributed to that email. The DEPLOY_TOKEN secret is the CI credential (BRISK_TOKEN, shows up as ci@brisk). The default "AUTH": "none" skips all of this and treats every visitor as a trusted dev user — only do that on a network you trust.

AI keys

Set the provider keys as secrets and brisk.ai works on every site with no per-site setup — keys stay on the server. 

npx wrangler secret put ANTHROPIC_API_KEY   # and/or OPENAI_API_KEY

Usage bills against your own provider account at their rates — see Cost.

Cost

Brisk is built to run inside Cloudflare's free tier. At personal or small-team scale the whole platform — hosting, database, file storage, and realtime — fits inside it, so it costs nothing. Here's what each piece uses and the free allowance it draws from (per Cloudflare account):

Product Brisk uses it for Free tier
Workers every request to every site and API 100k requests/day, 10 ms CPU/request
R2 site files + brisk.fs uploads 10 GB stored, 1M writes + 10M reads/mo, zero egress
D1 the site registry + brisk.db documents 5 GB, 5M row-reads/day, 100k row-writes/day
Durable Objects one realtime room per site (brisk.channel, db events, presence) included on the free plan (SQLite-backed)

Realtime stays free even idle. Each site's room is a SQLite-backed Durable Object using WebSocket hibernation, so empty rooms bill nothing — you only pay while messages actually flow. And on a public instance, signed-out static views are edge-cached (max-age=300), so demo traffic mostly never reaches R2 or D1 at all.

When you'd cross into paid. 100k requests/day is a lot of headroom for an internal instance. Exceed it and you're on Workers Paid ($5/mo), which turns the daily caps into a forgiving monthly pool (10M requests + 30M CPU-ms included, cheap overage after). At that point R2, D1, and Durable Object usage beyond the included amounts also start metering, but for most instances the $5 base is the whole story.

The one catch is wildcard TLS. Cloudflare's free Universal SSL covers a domain's apex and one level of subdomain. Sites one level deep — foo.example.com, with BASE_HOST=example.com — are covered for free. Nest them under a label — foo.brisk.example.com — and that second-level wildcard needs an advanced certificate (~$10/mo). Two ways around it: register a dedicated domain (~$10/year at Cloudflare Registrar, at cost) and point BASE_HOST at its apex so every *.yourdomain site gets free TLS; or skip subdomains entirely and serve path-mode URLs (/s/foo/), which never need a wildcard.

AI is pass-through. brisk.ai calls bill against the server's own Anthropic or OpenAI key at provider rates — the only cost here with no ceiling, so set a spend limit on the provider side if your sites lean on it.

Bottom line for a personal instance: $0/mo on path mode with no AI, or about $10/year (a dedicated domain) for clean subdomain URLs with free TLS — plus whatever AI tokens your sites spend.