Manifests and signing

Delivery manifests are signed, versioned, tenant-scoped, and served from Cloudflare KV.

A manifest is the delivery artifact consumed by SDKs. It contains the experiments, variants, audience rules, and execution metadata needed for assignment.

Signing

Manifests are signed with tenant-scoped Ed25519 keys. Public keys are exposed through JWKS:

GET /.well-known/jwks/{orgId}

The Cloudflare manifest worker can proxy JWKS to the API and cache it at the edge.

Publishing

The API publishes signed manifests to Cloudflare via:

POST /admin/publish

In staging/production this path is HMAC-protected with timestamp and nonce headers to reduce replay risk.
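The following sketch shows how a receiver can combine an HMAC with timestamp and nonce checks to reject replayed publish requests. It is an added example, not Fabric's own code. The signing-string layout, the SHA-256 choice, the 300-second window, the in-memory nonce store, and all names are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import time


def sign_publish(secret: bytes, timestamp: int, nonce: str, body: bytes) -> str:
    """Sender side: MAC over timestamp, nonce and body digest (assumed layout)."""
    digest = hashlib.sha256(body).hexdigest()
    message = f"{timestamp}\n{nonce}\n{digest}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class PublishVerifier:
    """Receiver side: freshness window, signature check, then nonce replay check."""

    def __init__(self, secret: bytes, max_skew: int = 300):  # 300 s is an assumption
        self.secret = secret
        self.max_skew = max_skew
        self.seen = {}  # nonce -> expiry; in-memory stand-in for a shared store

    def verify(self, timestamp: str, nonce: str, signature: str, body: bytes,
               now=None) -> str:
        now = time.time() if now is None else now
        try:
            ts = int(timestamp)
        except (TypeError, ValueError):
            return "bad-timestamp"
        if abs(now - ts) > self.max_skew:
            return "stale"
        if not nonce:
            return "missing-nonce"
        expected = sign_publish(self.secret, ts, nonce, body)
        # Constant-time comparison; the MAC binds timestamp and nonce to the body,
        # so neither header can be changed without the secret.
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "bad-signature"
        # Record nonces only after authentication so unauthenticated callers
        # cannot fill the store. Entries expire once the timestamp goes stale.
        self.seen = {n: exp for n, exp in self.seen.items() if exp >= now}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = ts + self.max_skew
        return "ok"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"           # constructed sample values
    body = b'{"orgId": "org_demo", "version": 7}'
    sig = sign_publish(secret, 1000, "nonce-1", body)
    verifier = PublishVerifier(secret)
    print(verifier.verify("1000", "nonce-1", sig, body, now=1010))  # first delivery
    print(verifier.verify("1000", "nonce-1", sig, body, now=1020))  # replayed copy
```

A nonce only needs to be remembered for as long as its timestamp is still inside the freshness window; after that the timestamp check rejects the request on its own.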

Revocation

Revoked manifest versions are served from:

GET /.well-known/revocations/{orgId}
