Skip to main content
SuperBox is a cloud-native platform combining Next.js, Go, Cloudflare Workers, and Cloudflare R2 for scalable MCP server management.

Component Architecture

Frontend (Next.js 16)

The frontend is built with Next.js 16 and React 19, providing a modern, performant user interface with server-side rendering and optimal loading times.
  • Next.js 16: App Router with Server Components
  • React 19: Latest features including Actions and improved Suspense
  • TypeScript: Type-safe development
  • Tailwind CSS 4: Utility-first styling with JIT compilation
  • Framer Motion: Smooth animations and transitions
  • ServerCard: Displays server information in grid/list views
  • ServerDetail: Full server information with tabs
  • AuthModal: Firebase authentication integration
  • PublishModal: Server publishing workflow
  • PaywallModal: Razorpay payment integration
  • SecurityReport: Visualizes security scan results

Backend (Go + Gin)

The backend API is built with Go and the Gin web framework, providing high-performance REST endpoints with minimal latency. 
// Simplified architecture
package main

import (
 "github.com/gin-gonic/gin"
 "github.com/gin-contrib/cors"
)

func main() {
 router := gin.Default()
 router.Use(cors.Default())
 
 // API v1 routes
 v1 := router.Group("/api/v1")
 {
v1.GET("/servers", listServers)
v1.GET("/servers/:name", getServer)
v1.POST("/servers", authMiddleware, createServer)
v1.PUT("/servers/:name", authMiddleware, updateServer)
v1.DELETE("/servers/:name", authMiddleware, deleteServer)
 }
 
 router.Run(":8080")
}
  1. CORS: Cross-origin resource sharing
  2. Logger: Request/response logging
  3. Recovery: Panic recovery
  4. Auth: Firebase token validation
  5. Rate Limiter: API rate limiting
  6. Compression: Response compression

Storage Layer (Cloudflare R2)

Cloudflare R2 serves as the registry backend, storing server metadata and security reports via an S3-compatible API.

Registry Structure

superbox-mcp-registry/
+-- {server-name}.json
\-- ...
Flat-file layout - one JSON object per server.

Metadata Schema

{
"name": "server-name",
"version": "1.0.0",
"description": "...",
"author": "...",
"lang": "python",
"entrypoint": "main.py",
"repository": {
 "type": "git",
 "url": "..."
},
"pricing": {
 "currency": "INR",
 "amount": 0.0
},
"security_report": {
 "status": "passed"
}
}

Execution Layer (Cloudflare Workers + Durable Objects)

MCP servers run inside McpSession Durable Objects - one per session, keyed on the Mcp-Session-Id header. Sessions auto-evict after 30 minutes of inactivity. No local proxy process is needed; AI clients connect directly via HTTP.
Streamable HTTP Approach (MCP rev 2025-11-25):
  1. AI client sends POST /mcp?name=<server> to the Cloudflare Worker
  2. Worker routes the request to (or creates) the session’s Durable Object
  3. DO fetches server metadata from R2 to locate the entrypoint
  4. The embedded TypeScript interpreter executes the Python entrypoint in-process
  5. JSON-RPC response streams back over HTTP
  6. DELETE /mcp?name=<server> tears down the session
What the TypeScript interpreter supports:
  • requests-based HTTP calls
  • JSON parsing and serialisation
  • Common control flow and string manipulation
Not supported (use separate services if needed):
  • httpx, aiohttp, async def
  • C extensions, binary wheels
  • Class definitions, file I/O
Execution Flow:

Security Layer

SuperBox implements a five-stage security pipeline before any server enters the registry.
1

SonarCloud Analysis

Code quality metrics, bug detection, vulnerability scanning, maintainability rating
2

Tool Discovery

Clones the repository and validates reported MCP tools exist via regex scan for @*.tool() decorators
3

Snyk Dependency Scan

Known CVE detection in Python dependencies
4

GitGuardian Secrets Detection

API key, password, token, and certificate detection
5

Bandit Security Audit

Python-specific vulnerability detection with CWE mapping

Data Flow

Server Creation Flow

Server Execution Flow

Authentication Flow

SuperBox uses Firebase Authentication with JWT token validation.

Payment Integration

Razorpay handles all payment processing for paid MCP servers.
  1. User selects a paid server 2. Frontend creates Razorpay order 3. User completes payment 4. Webhook validates payment 5. Server access is granted
  2. Transaction recorded in database
  • PCI-DSS compliant payment processing - Webhook signature verification - Idempotency keys for duplicate prevention - Encrypted payment data - Secure refund handling