Bitwage moves $400M+ in global payroll across 90,000+ workers and 4,500+ companies in nearly 200 countries — with a remarkable 10-year zero-breach record. But there's a single line in the response headers of api2.bitwage.com that tells a different story about what's standing between that record and a bad Tuesday. Cloudflare's developer platform is the production runtime that solves it without a re-architecture.
The Server: header right now, as returned by curl -sI https://api2.bitwage.com/, is a Werkzeug development-server banner. The Flask deployment docs (flask.palletsprojects.com/deploying/) are explicit that this server is not meant to face the internet.
You have a remarkable 10-year zero-breach record — which makes it more interesting, not less, that the public payments API is currently a Flask dev server with no edge in front of it. Cloudflare in front of api2.bitwage.com turns a 30-minute configuration into a defensible answer for the next SOC 2 audit, the next Stellar partnership review, and the next investor security questionnaire.
Each of the primitives below maps to a specific finding in the public DNS, the response headers, and the published product surface. Those tagged critical fix the Werkzeug exposure today; those tagged next extend the perimeter to the rest of the Paystand family.
The fastest fix: a Cloudflare Worker in front of api2.bitwage.com terminates TLS, hides the Werkzeug signature, enforces per-key rate limits, and stops scraped-credential attempts before they hit the Flask process. The EC2 boxes go behind a Tunnel; nothing bound to 0.0.0.0 is reachable from a public IP anymore.
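What that edge layer does, as an added example rather than Bitwage's or Cloudflare's own code: a Worker-style fetch handler that requires a bearer API key, applies a per-key fixed-window rate limit, forwards to the origin, and rebuilds the origin's response without the headers that reveal the stack. The origin hostname binding (env.ORIGIN), the header names dropped, and the 100-per-minute policy are assumptions. Only standard Fetch API objects are used, so the same functions run under Node 18+ for testing without any network.

```javascript
// Added example, not Bitwage's or Cloudflare's code. Worker-style edge handler:
// API-key gate, per-key rate limit, origin-header scrubbing. Runs under Node 18+
// (Request/Response/Headers are global there) as well as in a Worker.

const DROP_HEADERS = ["server", "x-powered-by", "via"];     // assumed list
const RATE_LIMIT = { windowMs: 60_000, maxRequests: 100 };   // assumed policy

// Extract the API key from "Authorization: Bearer <key>"; null if absent.
function apiKeyFrom(request) {
  const auth = request.headers.get("authorization") || "";
  const m = /^Bearer\s+(\S+)$/i.exec(auth);
  return m ? m[1] : null;
}

// Fixed-window counter per key, in memory for the example. In a real Worker this
// state belongs in a Durable Object or a Rate Limiting rule: isolate memory is
// neither shared across POPs nor durable, so a per-isolate map under-counts.
function createRateLimiter(limit = RATE_LIMIT) {
  const windows = new Map(); // key -> { start, count }
  return function allow(key, now = Date.now()) {
    let w = windows.get(key);
    if (!w || now - w.start >= limit.windowMs) {
      w = { start: now, count: 0 };
      windows.set(key, w);
    }
    w.count += 1;
    return w.count <= limit.maxRequests;
  };
}

function jsonError(status, message, extraHeaders = {}) {
  return new Response(JSON.stringify({ error: message }), {
    status,
    headers: { "content-type": "application/json", ...extraHeaders },
  });
}

// Synchronous edge decision: a Response to send back immediately, or null to let
// the request through to the origin. Unauthenticated and over-limit traffic never
// reaches the Flask process.
function rejectAtEdge(request, allow, now = Date.now()) {
  const key = apiKeyFrom(request);
  if (!key) return jsonError(401, "missing api key");
  if (!allow(key, now)) return jsonError(429, "rate limit exceeded", { "retry-after": "60" });
  return null;
}

// Rebuild the origin response without fingerprinting headers and with HSTS set,
// since the edge is now the TLS terminator the client talks to.
function scrubOriginResponse(originResponse) {
  const headers = new Headers(originResponse.headers);
  for (const name of DROP_HEADERS) headers.delete(name);
  headers.set("strict-transport-security", "max-age=31536000; includeSubDomains");
  return new Response(originResponse.body, { status: originResponse.status, headers });
}

async function handleRequest(request, originFetch, allow) {
  const rejected = rejectAtEdge(request, allow);
  if (rejected) return rejected;
  return scrubOriginResponse(await originFetch(request));
}

// Worker entry point. In a module Worker this object is the default export;
// env.ORIGIN is an assumed binding holding the Tunnel-published origin hostname.
const limiter = createRateLimiter();
const worker = {
  async fetch(request, env) {
    const originUrl = new URL(request.url);
    originUrl.hostname = env.ORIGIN;
    return handleRequest(request, () => fetch(originUrl.toString(), request), limiter);
  },
};
```

The 401 and 429 paths return before any origin fetch, so a credential-stuffing burst is absorbed at the POP; the scrubbed response keeps the origin's content headers but not its Server banner.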
A public payments API at developer.bitwage.com is a magnet for credential stuffing, replay attempts, API-key farming, and synthetic-identity probes. Bot Management at the edge stops all of it before it touches the application layer. Turnstile on signup and key issuance prevents the abuse from creating valid keys in the first place.
Today, reaching the EC2 boxes behind api2.bitwage.com presumably means SSH or a VPN. Cloudflare Access + Tunnel lets engineers reach the boxes through an identity-aware proxy with full audit logging — no public SSH surface, no standing VPN, no shared bastion. Auditor-friendly by construction.
Bitwage is now part of a 5-brand family (Paystand AR, Teampay AP, Yaydoo LATAM, Bitwage FX, Paystand.org). Each brand has its own subdomain footprint, its own customer base, its own audit surface. Workers for Platforms gives each brand its own isolated Worker namespace inside one control plane — same edge, isolated state, separate billing dashboards.
Every disbursement, every FX conversion, every crypto-to-fiat swap generates an audit row. SOC 2 + financial-regulator audits require long-term, tamper-evident storage. R2 with object versioning + Workers for hash-chained writes gives you immutable storage at zero egress — auditor exports for free, no per-read cost.
Same-day payouts across nearly 200 countries means an FX engine quoting from a single us-east-1 region adds material latency to every quote in Asia, Europe, LATAM. Workers + Smart Placement runs the quote logic at the POP closest to the worker requesting payment — sub-30ms anywhere on earth.
A payment API running on bare EC2 IPs is a target. Cloudflare's standard DDoS protection — included with every Workers deployment — absorbs L3/L4/L7 attacks at edge POPs before they reach the origin. No paged on-call at 3am because someone in Russia decided to test the WAF you don't have.
When a payment confirms, Bitwage fires webhooks to employer accounting systems, Gemini, Stellar settlement, internal observability. Queues + Workflows give you durable, replayable, observable delivery pipelines without Redis + Celery sprawl — with automatic retry, dead-letter handling, and idempotency keys baked in.
Money-services businesses have to enforce OFAC sanctions, FATF travel-rule controls, and country-level embargoes. WAF custom rules can block requests from sanctioned IPs or with sanctioned BINs at the edge — before they ever appear in the audit log as a near-miss. Faster than backend-only enforcement, cheaper than dedicated geo-fencing infrastructure.
No re-architecture. No code change inside the Flask app. No migration. Cloudflare goes in front of api2.bitwage.com via a CNAME + Tunnel, the Werkzeug process stops talking to the public internet, and every existing API client keeps working unchanged.
The bill that matters for Bitwage isn't the AWS bill — it's the cost of the breach that didn't happen, the SOC 2 finding that didn't get raised, the partner pause that didn't get triggered. Cloudflare in front of api2 is the cheapest insurance policy a financial-services product can buy at this stage.
The top banner on bitwage.com today links to Paystand, Teampay, Yaydoo, Bitwage, and Paystand.org — a 5-brand financial-platform consolidation. Each brand has its own DNS, its own perimeter, its own customer base, its own compliance surface. Workers for Platforms is the architecture for one shared edge with five isolated brand tenants.
Every row is sourced from public DNS records and HTTP response headers on bitwage.com, www.bitwage.com, api.bitwage.com, api2.bitwage.com, and app.bitwage.com. The red-warning row is the Werkzeug exposure. The orange column is the overlay path.
"10 Years, Zero Breaches" is your headline. It's a remarkable claim and a remarkable record. But api2.bitwage.com serving Werkzeug/3.1.3 in front of $400M of payroll is the kind of single-line response header that turns a 10-year record into a Tuesday-afternoon postmortem. The fix takes one engineer one afternoon and is materially cheaper than the audit finding that surfaces it.
Paystand consolidation changes the perimeter shape. Five brands under one platform is five subdomains, five compliance footprints, five SOC 2 scopes. Picking the edge runtime that handles all five with one control plane — instead of five disconnected CloudFront distributions and five separate WAF configurations — is a now decision, not a 2027 decision.
The developer API is a public surface. A documented payments API at developer.bitwage.com with Postman verification is exactly the surface where credential-stuffing, API-key farming, and replay-attack defense matter most. Bot Management at the edge is the cheapest hour you can spend in front of that surface before it scales.
The interesting conversation is which of these is closest to your current sprint: Workers + Tunnel in front of api2 to retire the bare-EC2 surface, Bot Management on the developer API, Workers for Platforms across the new Paystand brand family, or Zero Trust to retire the SSH-to-EC2 access pattern. I'd rather hear what's actually on your roadmap than guess.