We read an entire scroll — without ever opening it
PHerc. 1667, sealed since the eruption of Vesuvius in 79 AD, has been virtually unwrapped and read from beginning to end.
June 25th, 2026
Read the preprint: Complete virtual unwrapping and reading of a rolled Herculaneum papyrus (PDF). The data is openly available at scrollprize.org/data, and the code on GitHub.
For almost 2,000 years, the carbonized library of Herculaneum has kept a cruel bargain: its scrolls survived the eruption of Mount Vesuvius, but only by becoming too fragile to open. To read one was to destroy it. Hundreds of rolls have therefore remained sealed, their contents preserved yet unreachable.
Today that changes. We have completely virtually unwrapped and read PHerc. 1667 — the scroll the Vesuvius Challenge community knows as Scroll 4 — without ever touching its pages. It is the first Herculaneum papyrus to be digitally unrolled and read in full, end to end, and made available for sustained scholarly study.
From a sealed lump to a readable book
PHerc. 1667 began as a blackened, rolled mass of carbonized papyrus. To read it, we never unrolled it physically. Instead, we scanned it with high-resolution X-rays, reconstructed the wound sheet inside the volume, flattened it into a readable surface, and used machine learning to bring out the faint traces of ancient ink.
The work reaches beyond a single scroll. Alongside the complete reading of PHerc. 1667, the research establishes a method that holds up under independent checks and scales to other rolls.
PHerc. 1667 — read in full
PHerc. 1667 is what survives of a larger roll: earlier attempts to open it by hand — in the nineteenth century, and again in 1969 and the 1980s — destroyed its outer layers and left only the compact inner core, about 8 cm of an original height of 19 – 24 cm. From that surviving portion we have now recovered and read the text in full — the lower parts of some twenty-two columns, transcribed and reviewed by papyrologists. It is the first time the preserved text of a rolled Herculaneum scroll has been read continuously, end to end, rather than in isolated words or patches.
The recovered text is a philosophical treatise on ethics, and the evidence points to a Stoic work: it turns on human nature, impulse, and the moral progress of human beings, and its final preserved column names Aristocreon — nephew and disciple of the great Stoic Chrysippus — which, together with the language and themes of the text, places it in a Stoic context and dates it to the 2nd century BC.
Because the papyrus is damaged, the readings are fragmentary, with gaps where the surface is lost. Even so, several passages can be read clearly for the first time in two thousand years:
“…we will inquire into something, but we will not grasp it, if in some way we depart from ourselves and from our own nature…”
“Having…strained ourselves to the utmost through research and learning…possessing the same practical wisdom…”
“…such being the goods for us, even from the opposite evils there will be neither anything good — let alone beautiful — nor anything bad — let alone ugly — nor happiness…”
Translated from the Greek; the full column-by-column transcription is in the preprint.
PHerc. Paris 4 — ink made visible by higher resolution
In a second scroll — PHerc. Paris 4, the scroll the Vesuvius Challenge community knows as Scroll 1 — a higher-resolution imaging technique makes the ink directly visible inside the scroll itself, in the three-dimensional X-ray data, for the first time. Segmented in 3D and projected back onto the unwrapped page, that ink matches the text read in the 2023 Grand Prize one-to-one — an independent confirmation, from better data, that the reading is real.
PHerc. 139 — a title, and an author
In a third scroll, PHerc. 139, we recover the scroll’s title and author attribution: the work is identified as Philodemus, On Gods, Book 8 — a treatise by the Epicurean philosopher whose works fill so much of this library. Reading the title of a closed scroll tells scholars what a roll contains before a single column of its body is studied.
How it was done
The scans were acquired with high-resolution phase-contrast X-ray microtomography on the BM18 beamline at the European Synchrotron Radiation Facility (ESRF) in Grenoble — an instrument able to resolve the wafer-thin, densely packed layers of a Herculaneum roll. The work was carried out in collaboration with the National Library of Naples “Vittorio Emanuele III”, which safeguards the Herculaneum papyri. From those volumes, the team reconstructed the scroll’s geometry, traced and flattened its surface into a readable sheet, and trained machine-learning models to detect ink that is almost indistinguishable from the carbonized papyrus beneath it. Each reading was then examined and transcribed by papyrologists.
Crucially, all of this is open. The tomographic data, reconstructed surfaces and transcriptions are released under a Creative Commons licence at scrollprize.org/data and archived at the ESRF, and the code is on GitHub. Anyone can check the work, build on it, and apply it to the scrolls that remain.
A victory for open, global science
This is what open science makes possible. The virtual unwrapping of the Herculaneum scrolls was pioneered at EduceLab by its principal investigator, Professor Brent Seales. In 2023 Seales opened his lab’s imaging and software technology to the Vesuvius Challenge — a public, donation-funded effort he co-founded with Nat Friedman and Daniel Gross to read the scrolls in the open — and from there a global community took up the problem. The first letters and the 2023 Grand Prize were won by contestants from across the world.
What is less widely known is what happened next. Most of the Vesuvius Challenge research team first arrived as contestants. They entered the open competition, won prizes for the breakthroughs they made, and were then recruited onto the team that has now read an entire scroll. The people behind this breakthrough are, in large part, the global community the Challenge itself created.
What’s next
PHerc. 1667 is one scroll. Hundreds more remain sealed — an entire library of philosophy, poetry and prose waiting to be read for the first time since antiquity. The method shown here is built to scale, and everything needed to apply it is open.
If you want to help read the rest of the library:
Read the science: the preprint (PDF).
Get the data and code: scrollprize.org/data and GitHub.
Join the effort: get started and become part of the community reading the scrolls.
The thoughts of the ancient world, sealed in darkness for two millennia, are coming back into the light — a whole scroll at a time.
Hacker Trends - see how any topic, tool, or person trended across 18 years of Hacker News
Charts how often any topic, tool, or person has come up on Hacker News. Overlay a few terms to watch their traction rise and fall. Each line is a live date-histogram over 45M posts and comments, built on Upstash Redis Search. Below the chart sit the actual stories and comments behind the lines, filterable by term or author.
Popular Comparisons
The deploy-platform rivalry: Cloudflare carries the CDN/edge conversation for years, then Vercel surges on the Next.js wave and the two trade blows as both push into edge functions and full-stack hosting.
David vs Goliath of the lab era: OpenAI’s repeated towers lead from 2023, until a sudden 2026 Anthropic surge pulls level and the lead changes hands.
The silicon baton pass: AMD leads 2017 – 20 on the Ryzen/Zen comeback, then Nvidia overtakes with the 2020 – 23 GPU-and-AI surge.
A three-way relay across the JVM/mobile era: Scala is the hot language ~2011, Swift grabs the baton with iOS mid-decade, then Kotlin overtakes both as Android goes Kotlin-first.
Frontend’s generations in a line: Angular leads the framework wars ~2013 – 14, Vue rises 2016 – 19, then Svelte takes the newcomer crown 2020 – 22.
The database lead-swap: MySQL owns the conversation around 2009 – 11, then goes quiet as Postgres climbs to overtake it by 2017 – 20.
ML frameworks, generation by generation: TensorFlow launches the deep-learning gold rush 2015 – 16, PyTorch overtakes research 2019 – 21, then JAX becomes the cutting-edge favorite 2021 – 23.
Bundler changing of the guard: Webpack owns the build step 2015 – 20, then Vite arrives and overtakes it from 2022 on.
Crypto-exchange lead-swap: Coinbase is the exchange people talk about through 2013 – 21, then Binance takes over the headlines in 2022 – 23.
The editor wars, old guard vs new: Vim and Emacs trade the modal-vs-extensible argument year after year, then Zed bursts in and spikes hard across 2024 – 26.
The Twitter-alternative relay: Mastodon spikes with the 2022 acquisition exodus, then Bluesky overtakes it as the destination in 2024 – 25.
Node-alternative race: Deno is the buzzy replacement 2020 – 22, then Bun grabs the spotlight from 2023 onward.
A textbook changing of the guard: Flash burns hot across 2010 – 11, then HTML5 climbs past it into 2014 – 15, the open web eating the plugin alive.
Containerization handoff: Docker erupts 2014 – 15 as the new hotness, then Kubernetes inherits the spotlight from 2016 as orchestration becomes the story.
Succession within a dynasty: vim leads through the 2010s, then its own fork neovim ignites 2021 – 23 and takes the lead as the community migrates.
Two AI shockwaves, offset: ChatGPT’s late-2022 launch wall, then DeepSeek’s lone Jan-2025 tower, the “Sputnik moment” years later.
JS-superset succession: CoffeeScript’s 2011 – 14 hype cools, then TypeScript’s 2019+ rise shows which abstraction actually won.
The 2022 text-to-image explosion, month by month: DALL-E 2 opens the era in spring, Stable Diffusion’s open-source release detonates in late summer, then Midjourney becomes the household name into 2023.
A CPU-architecture shift: x86 dominates chip talk around 2020 – 23, then ARM surges with Apple Silicon and data-center ARM into 2024 – 26.
The text-editor crown, passed hand to hand: Sublime Text is the beloved editor of 2012 – 14, GitHub’s Atom takes over 2014 – 15, then VS Code eats the world from 2018 on.
Video calling, dynasty to dynasty: Skype owns the 2010s, then Zoom spikes hard in the single March-2020 lockdown month while Microsoft Teams rides the same remote-work wave on Office’s coattails.
CI changing of the guard: Jenkins is the CI tool of the mid-2010s, then GitHub Actions takes over from 2021 on.
The AI-coding-tool relay: Cursor is the editor everyone talks about in late-2024, Claude Code spikes hard across mid-2025, then OpenAI’s Codex takes its turn into early-2026.
The config-management wars: Chef leads the automate-your-servers era ~2011 – 12, Puppet trades blows through 2013, then Ansible’s agentless approach pulls ahead 2014 – 15.
The functional language HN couldn’t stop talking about: Clojure’s Lisp-on-the-JVM moment ~2009 – 11, Haskell’s purity debates ~2012, then Elixir rides the Erlang revival 2016 – 18.
API design, era by era: REST becomes the web’s default 2012 – 15, then the post-REST generation splits: gRPC for service-to-service from 2016, GraphQL for the client from 2017.
Web servers across the decades: Apache rules the 2010 – 12 conversation, nginx overtakes it for the high-traffic era 2011 – 13, then Caddy arrives with automatic-HTTPS 2017 – 22.
The front-end MVC wars: Backbone.js is the first to give the browser structure ~2011, then Ember and Angular escalate to full frameworks 2013 – 14, the fight that set up React.
A decade of face-computer hype, one tower each: Google Glass in 2013, Oculus with the Facebook deal in 2014, then Apple’s Vision Pro in 2024: three spikes, ten years apart.
The full-stack web framework baton: Django and Rails define the 2009 – 15 ‘MVC framework’ era, trading the spotlight, then Laravel inherits it for the PHP world and surges 2019 – 21.
The JS build pipeline, three generations: Grunt’s task-runner era 2013 – 14, Gulp’s streaming rewrite 2014 – 15, then Webpack absorbs the whole job as bundling becomes the story from 2016 on.
The ‘just deploy it’ platform, reinvented each era: Heroku defines push-to-deploy in the early 2010s (and spikes again at its 2022 free-tier sunset), Netlify owns the JAMstack 2018 – 20, then Vercel takes the Next.js era from 2023.
The NoSQL boom in order: CouchDB rides the early document-store wave ~2009, Cassandra carries the scale-out story 2010 – 12, then MongoDB becomes the era’s default 2011 – 13.
Browser test automation, three generations: Selenium is the way to drive a browser through the 2010s, Cypress reinvents it for the modern front-end ~2020, then Playwright pulls ahead and surges into 2025 – 26.
Cross-platform mobile, baton by baton: Xamarin carries the write-once dream ~2016, React Native takes over for the JS crowd 2017 – 18, then Flutter overtakes both and peaks into 2024.
The hybrid-app lineage, renamed each era: PhoneGap wraps web apps in a native shell ~2011, its open-source successor Cordova carries it 2014 – 15, then Capacitor inherits the job and spikes in 2024.
The post-Webpack bundler scramble: Parcel’s zero-config pitch lands ~2019, esbuild’s Go-speed rewrite grabs attention 2021, then Rollup re-enters as the library bundler of choice into 2022.
The observability stack, layer by layer: Prometheus owns metrics collection ~2020, Grafana takes the dashboards spotlight 2021, then Datadog rises as the all-in-one SaaS into 2023.
The cloud data-platform relay: Redshift defines the cloud warehouse ~2017, Databricks rides the lakehouse pitch into 2021, then Snowflake becomes the era’s default name by 2024.
Open-weight LLMs, release by release: Llama opens the floodgates in early 2023, Mistral’s European challenger surges late 2023, then Qwen carries the open-model crown into 2026.
Voice assistants across the decade: Siri arrives first with the iPhone 4S in 2011, Google Assistant takes a turn ~2018, then Alexa peaks into 2022: three spikes, years apart.
Altcoin generations: Litecoin is bitcoin’s silver in the 2013 boom, Dogecoin spikes as the joke-coin of that same era, then Solana carries the next-gen-chain story into 2022.
Crypto’s serial manias: the ICO token-sale frenzy peaks in 2017, the NFT gold rush detonates in 2021, then DeFi carries the yield-farming hype into 2022.
Three game engines, one shared earthquake: all three spike together in the Sept-2023 Unity runtime-fee fiasco - Unity’s self-inflicted blow-up, with Unreal and Godot surging the same month as developers threatened to jump ship.
The eternal hardware trio: CPU and RAM are the staples HN has argued about since 2007, while GPU climbs out of the pack through the crypto-mining and deep-learning booms.
People
Founders, hackers and figures whose news moments spike the timeline.
AI & LLMs
The launch-by-launch staircase of the generative-AI era.
Products & hardware
Launch-day spikes for the chips and gadgets HN couldn’t stop debating.
Languages & dev tools
Languages, runtimes and editors rising on release-driven spikes.
JS frameworks
How JavaScript frameworks come and go: each era’s darling, in order.
Startups & companies
Launches, acquisitions, license blow-ups and the occasional implosion.
Cloud & hosting
The platforms we deploy on: hyperscalers, PaaS darlings and indie hosts, each with its own outage-and-launch rhythm.
Security incidents
The sharp, datable spikes of the bugs and breaches that ruined a weekend.
Crypto & hype cycles
Bull runs, blow-ups and the fads that came and went.
Internet & culture
Platform exoduses, federated protocols and moderation flashpoints.
Dev culture
The perennial HN arguments that resurface in waves, year after year.
Industry zeitgeist
Common words that crest in waves with the mood of the tech industry.
Science & frontier tech
Lab breakthroughs and moonshots: the spikes that briefly made HN a physics forum.
Open-source license wars
Relicensings, rug-pulls and the forks they spawned: each one a datable tower of outrage.
Gaming
Launch-day mania, GPU-scalping rage and the occasional licensing revolt.
Health & longevity
The biohacking, GLP-1 and sleep-optimization waves HN can’t stop relitigating.
Apple has raised prices across the board for many of its products today. MacBook Neo now starts at $699 (up from $599), while MacBook Air now starts at $1299 (up from $1099). Other impacted products include MacBook Pro, iPad, iPad Air, and many more.
iPhone, Apple Watch, and AirPods pricing is unchanged.
Why is Apple increasing prices?
Apple CEO Tim Cook confirmed the company would increase product prices in an interview last week. Cook explained that price increases had simply become “unavoidable” amid skyrocketing component costs affecting things like memory and storage. While Apple tried to weather the storm itself, the situation was ultimately “unsustainable.”
“We’re doing our best to mitigate the huge increases that are being passed to us, and we’ve been trying to shield our customers from the increases, but the situation has become unsustainable,” Cook said in the interview.
Cook specifically called out the increasing amount of memory going to high-bandwidth memory used for AI servers. “There’s less supply at a time when consumers want devices and the memory guys are passing along huge price increases,” he said.
In a statement to Reuters today, Apple said:
“We have never seen a component price increase this much, this quickly. We have shielded our customers from these increases so far, but we have now reached a point where we need to begin raising prices on a number of products, including today’s increases for iPad and Mac. We know this is not welcome news, and we are working tirelessly to find solutions.”
How much is Apple increasing prices?
Today’s price increases affect a ton of different Apple products, including the base starting price on things like MacBook Air, MacBook Neo, and more.
Macs
MacBook Neo: $699 (up from $599)
13-inch MacBook Air: $1,299 (up from $1,099)
15-inch MacBook Air: $1,499 (up from $1,299)
M5 MacBook Pro: $1,999 (up from $1,699)
M5 Pro MacBook Pro: $2,499 (up from $2,199)
M5 Max MacBook Pro: $4,099 (up from $3,599)
iMac: $1,499 (up from $1,299)
M4 Max Mac Studio: $2,499 (up from $1,999)
M3 Ultra Mac Studio: $5,299 (up from $3,999)
iPads
iPad: $449 (up from $349)
11-inch iPad Air: $749 (up from $599)
13-inch iPad Air: $949 (up from $749)
11-inch iPad Pro: $1,199 (up from $999)
13-inch iPad Pro: $1,499 (up from $1,299)
iPad mini: $599 (up from $499)
More products:
Apple TV 4K: $199 (up from $129)
HomePod: $349 (up from $299)
HomePod mini: $129 (up from $99)
Vision Pro: $3,699 (up from $3,499)
What do you think of these price increases from Apple? Are you surprised? Let us know down in the comments.
Amazon pricing on Apple products
The price increases haven’t yet hit some of Apple’s products being sold on Amazon — many of which were already discounted for Prime Day. This includes:
MacBook Neo: $589
13-inch MacBook Air: $949
15-inch MacBook Air: $1,149
M5 MacBook Pro: $1,549
iPad Air: $519
iPad Pro: $899
iPad: $299
More to come … Here’s a complete look at the Prime Day deals still live at Amazon ahead of the official price increases:
MacBook Neo
MacBook Neo Citrus 256GB $590 (Now Reg. $699)
MacBook Neo Citrus 512GB $690 (Now Reg. $799)
MacBook Neo Silver 256GB $590 (Now Reg. $699)
MacBook Neo Silver 512GB $690 (Now Reg. $799)
MacBook Neo Indigo 256GB $590 (Now Reg. $699)
MacBook Neo Indigo 512GB $690 (Now Reg. $799)
MacBook Neo Blush 256GB $590 (Now Reg. $699)
MacBook Neo Blush 512GB $690 (Now Reg. $799)
M5 MacBook Air
13-inch M5 MacBook Air 16GB/512GB from $949 (Now Reg. $1,299)
13-inch M5 MacBook Air 16GB/1TB from $1,149 (Now Reg. $1,499)
13-inch M5 MacBook Air 24GB/1TB from $1,349 (Now Reg. $1,699)
15-inch M5 MacBook Air 16GB/512GB from $1,149 (Now Reg. $1,499)
15-inch M5 MacBook Air 16GB/1TB from $1,349 (Now Reg. $1,699)
15-inch M5 MacBook Air 24GB/1TB from $1,549 (Now Reg. $1,899)
M5 MacBook Pro
14-inch M5 MacBook Pro 16GB/1TB $1,549 (Now Reg. $1,999)
Or $1,529 at B&H with bonus $20 coupon
14-inch M5 MacBook Pro 24GB/1TB $1,749 (Now Reg. $2,199)
14-inch M5 MacBook Pro 32GB/1TB $1,944 (Now Reg. $2,399)
M5 Pro MacBook Pro
14-inch M5 Pro MacBook Pro 24GB/1TB $2,034 (Now Reg. $2,499)
Or $2,000 over at B&H with bonus $40 coupon
14-inch M5 Pro MacBook Pro 24GB/2TB 15-Core $2,399 (Now Reg. $2,899)
14-inch M5 Pro MacBook Pro 24GB/2TB 18-Core $2,583 (Reg. $2,799)
16-inch M5 Pro MacBook Pro 24GB/1TB $2,494 (Now Reg. $2,999)
16-inch M5 Pro MacBook Pro 48GB/1TB $2,857 (Now Reg. $3,399)
14-inch M5 Max MacBook Pro 36GB/2TB $3,300 (Now Reg. $4,099)
16-inch M5 Max MacBook Pro 36GB/2TB $3,649 (Now Reg. $4,399)
16-inch M5 Max MacBook Pro 48GB/2TB $4,149 (Now Reg. $4,999)
M4 iPad Air
11-inch M4 iPad Air 128GB $519 (Now Reg. $749) – Matching all-time low
11-inch M4 iPad Air 256GB $610 (Now Reg. $849) – Matching all-time low
11-inch M4 iPad Air 512GB $839 (Now Reg. $1,049)
11-inch M4 iPad Air 1TB $1,019 (Now Reg. $1,249)
13-inch M4 iPad Air 128GB $700 (Now Reg. $949) – Matching all-time low
13-inch M4 iPad Air 256GB $790 (Now Reg. $1,049) – Matching all-time low
13-inch M4 iPad Air 512GB $999 (Now Reg. $1,249)
13-inch M4 iPad Air 1TB $1,199 (Now Reg. $1,449)
iPad 11
iPad 11 128GB $299 (Now Reg. $449)
iPad 11 256GB $399 (Now Reg. $549)
iPad 11 256GB $597 (Now Reg. $749)
FTC: We use income earning auto affiliate links. More.
LastPass users are once again being warned about stolen personal data, though this time the breach happened through one of the company’s outside partners. Here are the details.
LastPass says password vaults not affected
As reported by TechCrunch, LastPass is emailing users affected by a breach at market research firm Klue, which allowed hackers to access customer information and support case data.
The news came as LastPass shared more information on a blog post, where it explained:
The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
LastPass said that upon learning about the incident, the company revoked employee access to Klue, rotated the exposed API tokens, notified law enforcement, and launched “a detailed investigation into the scope of the event, working with our contacts at both Klue and Salesforce.”
The company explains that Klue’s platform integrates with Salesforce and Gong systems.
As a result, LastPass is recommending that customers “remain vigilant of potential phishing attacks or social engineering attempts” leveraging the compromised information. LastPass also shared the following IP addresses and email sender domains associated with the attackers, which companies can use to search for related activity in their systems:
IP Addresses:
138.226.246[.]94
94.154.32[.]160
159.183.215[.]61
159.183.181[.]239
Email Sender Domains:
baccarat.com[.]au
robinskitchen.com[.]au
house.com[.]au
This is the latest in a series of security incidents affecting LastPass. In 2015, hackers obtained account email addresses, password reminders, authentication hashes, and cryptographic salts, although LastPass said encrypted vault data was not accessed.
In 2022, an attacker compromised a developer account and stole source code and technical information. The attacker later used that information to access cloud backups containing customer records and encrypted password vaults, along with unencrypted details such as names, billing addresses, email addresses, and phone numbers.
To learn more about the Klue breach and LastPass’s response, follow this link.
John Gruber writes about those annoying popups every website seems to have now and while he does a great job tearing into these ubiquitous, user-hostile patterns, one of the things that stood out to me about his piece was this meta commentary on blogging. Here’s John:
If you visit a website you should … see the website. See its content. Be able to read the article whose page you are attempting to visit. Showing a “subscribe to our newsletter” or “accept our fucking cookies” dickover to someone trying to read an article on the web makes no more sense than sending out an email newsletter that only contains a link to read the newsletter on a webpage. A webpage should show the webpage. An email should show the email. I should not have to explain this.
It’s funny how often blogging feels like being the little child in the story of The Emperor’s New Clothes. You’re just stating what seems obvious to you.
I often look at my own posts and think, “There’s nothing novel, or important, or deep in here at all — is this even worth saying?”
A post’s point can seem so glaringly obvious to me (and thus, I presume, others) it feels like a waste of time to even say it. As John says:
A webpage should show the webpage. An email should show the email. I should not have to explain this.
But then real-world examples of annoyance pile up around you and nobody talks about it, so you finally just have to say it in a post and bring receipts.
You feel like someone gone mad: “Is anyone else seeing the same thing I’m seeing? And we’re just ok with this?”
Very often, those are the best posts I read from others.
So it must be that a key ingredient to blogging is simple: have a willingness to state something that seems obvious to you but nobody else is saying it.
Or if someone else is saying it, just link to them and say, “Yes!!! This!!!”
Unlocking the Cloudflare app ecosystem with OAuth for all
2026-06-24
6 min read
Cloudflare provides services that help run 20% of the web, but we don’t do it alone. Developers on our platform use a myriad of tools and services from other companies too. Cloudflare provides a rich API for our platform that enables developers to create automations, CI/CD, and integrations that glue together the various parts of their infrastructure. Earlier this month, we announced self-managed OAuth, making it easier for customers to create and manage their own OAuth clients for delegated access to the Cloudflare API.
Cloudflare isn’t new to OAuth. If you’ve used Wrangler, or used integrations from partners like PlanetScale, then you’ve already used it. However, until now, third-party OAuth was only available through a small number of manually onboarded integrations, and was not available to developers more broadly. That meant developers building their own integrations had to rely on API tokens, which are harder to manage and a poor fit for many delegated application flows.
Over the last year, we onboarded a growing number of early partners while improving the consent, revocation, and security model behind Cloudflare OAuth. But as our Developer Platform grew and agentic tools drove demand for delegated access, it became clear that opening up OAuth to all customers was critical to the success of our platform.
With self-managed OAuth, developers can now offer a standard OAuth flow where customers grant scoped access directly, making it easier to build SaaS integrations, internal developer platforms, and agentic tools while giving users clearer consent, easier revocation, and more control over what an application can do.
Scaling the ecosystem securely
While our earlier OAuth solution was sufficient for a small number of carefully managed partners, we realized that our permissions model, our consent experience, and our ways of mitigating potential abuse vectors were not mature enough.
Earlier this year we updated our consent experience to make it clearer which application is requesting access, and what permissions it will receive. We also added revocation to the dashboard so developers can easily control which applications have access to their data, and made app ownership more visible to prevent OAuth phishing attacks.
Opening self-managed OAuth to all customers also required major upgrades to our underlying OAuth engine. That work needed careful planning so it could be carried out with minimal user interruption while keeping data stable and secure.
Planning the upgrade to our OAuth engine
Years ago, we deployed Hydra, an open-source OAuth engine, to power Cloudflare OAuth under the hood. That deployment served us well when usage was limited, but as the developer platform grew and agentic workflows became more common, it became clear that we needed a major upgrade to unlock new capabilities and improve performance.
As we planned the upgrade, we decided to do two smaller sequential upgrades rather than doing one large upgrade. First, we would move to the latest 1.X release, evaluate any behavior or performance changes, and then proceed with the 2.X upgrade.
During our upgrade planning, it became clear that even the 1.X upgrade would still impact customers because the Hydra database required extensive schema migrations that:
Created indexes in a manner that would claim an exclusive lock on critical tables, preventing active users from performing important OAuth operations
Added columns to critical tables, and moved other columns to new tables
Added columns to critical tables, and moved other columns to new tables
There was also a quirk in the version of Hydra we were using: the SDK performed SELECT * queries, so once the schema changes added or moved columns the returned rows no longer matched what the code expected to deserialize.
To prevent user impact, we rewrote the SQL migrations to use features such as CREATE INDEX CONCURRENTLY (which in PostgreSQL cannot run inside a transaction block, so such statements have to be issued outside the transaction a migration tool would otherwise wrap around them), and built a custom version of Hydra which selected explicit columns rather than SELECT *.
With the latest 1.X upgrade planned out, we now needed to create a plan for the even larger 2.X upgrade. We identified three potential options, and weighed the benefits and drawbacks of each one. Doing an in-place upgrade was not going to work for us, due to the sheer amount of schema changes the major version bump brought with it. We decided that a blue-green strategy would work, but there was more that needed to be done than simply flipping a switch to start using the new version. The upgrade and migration process would take multiple hours, and we needed the system to continue functioning correctly in that time window.
The first blue-green option would involve disabling writes to the database, preventing any new authorizations from occurring. This means they would not be lost in the transition, but it also meant that nobody would be able to use existing OAuth apps unless they already had a valid credential. It also presented another large problem: if users needed to revoke access from an application for any reason, it would not be possible while the upgrade was being performed.
To combat these issues, we came up with a way to leave writes to the database enabled, at the cost of losing some of them in the switch to the green version. The first thing to solve was minimizing the number of writes for new tokens. There was an operational lever we pulled: increasing the expiry time of tokens to multiple hours. This would allow apps that received new tokens before the upgrade to continue using them without needing to refresh. (Longer-lived tokens also widen the window in which a leaked token stays usable, so this change is best scoped to the upgrade window itself.)
With reducing writes solved, we needed a way to not lose any revocations our users performed during the upgrade window. To do this, we created a queue system (using Cloudflare Queues!) into which every revocation event is written as a record. This would allow us to drain the queue once the database had been flipped to the green version, replaying all revocation events that took place in the time window in which they would otherwise have been lost. This was critical to get right: otherwise applications that users had revoked would inadvertently have their access restored.
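The two decisions above (accepting lost token writes, but never losing a revocation) are easiest to see as a timeline. The following is an added example, not Cloudflare's Worker or Queue consumer and not Hydra code: it models the consent table as an in-memory store, stands in for Cloudflare Queues with a simple array, and walks the cutover with and without the replay step. All names (OAuthStore, RevocationQueue, runCutoverDrill, the session ids) are illustrative.

```javascript
// Added example: revocation capture and replay across a blue/green database cutover.
// Illustrative model only; class and function names are assumptions, not Cloudflare's or Hydra's.

// Minimal stand-in for the consent/session table: session id -> { clientId, active }.
class OAuthStore {
  constructor(rows = new Map()) { this.rows = rows; }
  grant(sessionId, clientId) { this.rows.set(sessionId, { clientId, active: true }); }
  // Revocation is idempotent: an unknown or already-revoked session is a no-op.
  // That property is what makes replaying queued events safe when some were already applied.
  revoke(sessionId) {
    const row = this.rows.get(sessionId);
    if (!row || !row.active) return false;
    row.active = false;
    return true;
  }
  isActive(sessionId) { return this.rows.get(sessionId)?.active === true; }
  // Point-in-time copy, standing in for the copy/restore of the database to the green target.
  snapshot() {
    return new OAuthStore(new Map([...this.rows].map(([k, v]) => [k, { ...v }])));
  }
}

// Stand-in for the Cloudflare Queue. Capture is a switch so the producer can be turned on
// before the snapshot is taken and the backlog drained after the cutover.
class RevocationQueue {
  constructor() { this.messages = []; this.capturing = false; }
  send(msg) { if (this.capturing) this.messages.push(msg); }
}

// Path a user's "revoke this app" action takes: write to the live (blue) database, then queue it.
function revokeAuthorization(store, queue, sessionId, clock) {
  const changed = store.revoke(sessionId);
  queue.send({ sessionId, revokedAt: clock() }); // queued even when a no-op; replay is idempotent
  return changed;
}

// Queue consumer run once the green database is live. Returns counts for verification.
function replayRevocations(queue, store) {
  let applied = 0, noop = 0;
  for (const msg of queue.messages) {
    if (store.revoke(msg.sessionId)) applied++; else noop++;
  }
  queue.messages = [];
  return { applied, noop };
}

// Walks the cutover timeline. With replay=false it reproduces the failure mode the post warns
// about: an app the user revoked during the window silently regains access on the green side.
function runCutoverDrill({ replay = true } = {}) {
  let t = 0;
  const clock = () => ++t;
  const blue = new OAuthStore();
  const queue = new RevocationQueue();
  blue.grant('s1', 'app-a'); blue.grant('s2', 'app-b'); blue.grant('s3', 'app-c');

  queue.capturing = true;                         // 1. enable capture before copying
  revokeAuthorization(blue, queue, 's1', clock);  //    revoked before the copy: no-op on replay
  const green = blue.snapshot();                  // 2. copy/restore; migrations run here for hours
  revokeAuthorization(blue, queue, 's2', clock);  //    revoked during the window: green never sees it
  blue.grant('s4', 'app-d');                      //    new authorization during the window: lost by design

  const result = replay ? replayRevocations(queue, green) : { applied: 0, noop: 0 }; // 3. cut over, drain
  queue.capturing = false;
  return {
    ...result,
    s1Active: green.isActive('s1'),
    s2Active: green.isActive('s2'),
    s3Active: green.isActive('s3'),
    s4Known: green.rows.has('s4'),
  };
}
```

The constructed timeline shows why capture has to start before the copy and why revocation must be idempotent: s1 is revoked on both sides and replays as a no-op, s2 exists as active in the copy and is only corrected by the replay, and s4 is the kind of write the design knowingly gives up.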
Executing the upgrade
Upgrading to 1.X
From an operational point of view, our first upgrade to the last 1.X release went off without any hitches. Our custom database migrations ran faster than we expected, with no user impact. We had to do a hard cutover to the new version because the old version was unable to introspect tokens that were created by the newer version.
After the cutover, we saw an increase in refresh token errors that we had not seen before. This turned out to be due to stricter refresh token reuse detection in the new version: if a refresh token was presented a second time, Hydra would invalidate the whole access and refresh token chain. That behavior is a deliberate defense against replayed or stolen refresh tokens, but it is problematic for Wrangler and MCP clients. Both have a high request volume, and a single retried refresh request would invalidate the entire session.
We mitigated this by adding refresh token coalescing behavior to our Worker which routes OAuth traffic to the correct destination. This allowed us to briefly cache the refresh token request before it reached Hydra, so that if we detected a retry we could short-circuit the request and respond without invalidating the tokens. Fortunately, 2.X versions of Hydra have a configurable “refresh token grace period”, which resolves this by allowing a refresh token to be retried for a period of time without invalidating the whole chain.
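To make the trade-off concrete, here is an added example (not Cloudflare's routing Worker and not Hydra code) of the coalescing idea: a mock token endpoint that rotates refresh tokens and revokes the chain on reuse, as the 1.X behavior is described above, and a routing layer in front of it that answers a retry of the same refresh request from a short-lived cache instead of forwarding it. The grace window of five seconds, the client id, and all function names are assumptions for the illustration.

```javascript
// Added example: refresh-token request coalescing in front of a reuse-detecting token endpoint.
// Illustrative only; names and the 5 s grace window are assumptions, not Cloudflare's or Hydra's values.

// Mock of a token endpoint for grant_type=refresh_token. Every refresh rotates the token;
// presenting an already-used refresh token is treated as theft and revokes the whole chain.
function createMockHydra() {
  let seq = 0;
  const tokens = new Map();   // refresh token -> { chainId, used }
  const chains = new Map();   // chainId -> 'active' | 'revoked'
  const issue = (chainId) => { const rt = `rt_${++seq}`; tokens.set(rt, { chainId, used: false }); return rt; };
  return {
    grant() { const chainId = `chain_${++seq}`; chains.set(chainId, 'active'); return { chainId, refresh_token: issue(chainId) }; },
    token(refreshToken) {
      const rec = tokens.get(refreshToken);
      if (!rec || chains.get(rec.chainId) !== 'active') return { error: 'invalid_grant' };
      if (rec.used) {                                   // reuse detected: invalidate the chain
        chains.set(rec.chainId, 'revoked');
        return { error: 'invalid_grant', error_description: 'refresh token reuse' };
      }
      rec.used = true;
      return { access_token: `at_${++seq}`, refresh_token: issue(rec.chainId) };
    },
    chainActive(chainId) { return chains.get(chainId) === 'active'; },
  };
}

// Routing layer: remembers each successful refresh for a short grace window and answers a
// retry of the same request from memory, so the retry never reaches reuse detection.
function createRefreshCoalescer(hydra, { graceMs = 5_000, now = Date.now } = {}) {
  const recent = new Map();   // `${clientId}:${refreshToken}` -> { response, expiresAt }
  // Production note: key on a hash of the refresh token so the cache never stores raw tokens.
  function refresh(clientId, refreshToken) {
    const t = now();
    for (const [k, v] of recent) if (v.expiresAt <= t) recent.delete(k);   // drop expired entries
    const key = `${clientId}:${refreshToken}`;
    const hit = recent.get(key);
    if (hit) return { ...hit.response, coalesced: true };                  // short-circuit the retry
    const response = hydra.token(refreshToken);
    if (!response.error) recent.set(key, { response, expiresAt: t + graceMs }); // cache successes only
    return { ...response, coalesced: false };
  }
  return { refresh };
}

// One client session: refresh, retry the identical request after a blip, then continue with
// the rotated token. Run with and without the coalescer; returns whether the session survived.
function runRetryScenario({ coalesce }) {
  let clock = 0;
  const hydra = createMockHydra();
  const { chainId, refresh_token: rt0 } = hydra.grant();
  const call = coalesce
    ? createRefreshCoalescer(hydra, { graceMs: 5_000, now: () => clock }).refresh
    : (_clientId, rt) => ({ ...hydra.token(rt), coalesced: false });

  const first = call('wrangler', rt0);                 // normal refresh
  clock += 100;
  const retry = call('wrangler', rt0);                 // client retries the same request
  clock += 100;
  const next = call('wrangler', first.refresh_token);  // continues with the rotated token
  return {
    retryCoalesced: retry.coalesced === true,
    retrySameToken: retry.refresh_token === first.refresh_token,
    chainActive: hydra.chainActive(chainId),
    nextSucceeded: !next.error,
  };
}
```

Without the coalescer the retry kills the chain and the client's next refresh fails; with it the retry receives the same rotated token and the session continues. A retry that arrives after the grace window is forwarded as before and is still rejected, which keeps the reuse-detection property for genuinely replayed tokens; a real Worker would also have to share the in-flight request so a retry racing the first call does not produce two upstream refreshes.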
Upgrading to 2.X
Since multiple hours of high user-facing impact would not be acceptable, we had our blue-green upgrade strategy set. At a high level, this sounds simple; the migrations would run on a copy of our production database, and then cut over along with the new Hydra version after they complete. In reality, there were a lot more moving parts:
Enable revocation replay capture queue
Copy and restore our database to the new target
Targeted data cleanup — existing data violated some new constraints introduced in the newer versions, which could prevent migrations from succeeding
Perform cutovers on the Hydra service along with two additional critical internal systems simultaneously to prevent any errors
Post-cutover monitoring and validation
We chose an upgrade window when Hydra had the lowest request volume per second to minimize lost token writes. Other than some timeout tuning, our production migrations ran well against the new database: the net runtime in production was approximately three hours. After the migrations completed, we carefully rolled out the new version of the Hydra service, along with two additional system configs to flip our systems to use the new SDK version.
Shortly after cutting traffic over, we observed that a data cleanup job in our authorization service (which relies on the Hydra consent session API) was being overeager in its purging of OAuth policy data. After investigation, we discovered that there was an issue in one of the Hydra migrations that corrupted the state of certain valid OAuth sessions, which resulted in the migration marking them as invalid. The valid sessions being corrupted caused a disagreement between Hydra and our authorization service, manifesting as an increase in 403s. To mitigate this, we did data restorations and began work on improvements for OAuth authorization behaviors to remove reliance on static policy data.
Beyond the data cleanup issue, there were some additional small fixes more driven by specific client behaviors which we landed quickly.
With the Hydra version upgrade complete, OAuth traffic has remained stable with improved system performance and reliability for our customers. It also brought production onto the same foundation our newer OAuth APIs had already been validated against in staging, clearing the way for our self-managed OAuth release on June 3.
Performance improvements
After completing a large upgrade like this, it is always rewarding and illuminating to look at some broad metrics about the impact. We gathered additional metrics during the database migrations, and observed considerable performance improvements after the upgrade was complete.
Charts (not reproduced in this copy): Database; Hydra performance
Self-managed OAuth for all
Opening up OAuth to all customers is an important step toward a broader Cloudflare app ecosystem. Today, any Cloudflare customer can create their own OAuth applications and build integrations on top of Cloudflare. We’re extremely excited to launch Cloudflare self-managed OAuth for all.
To get started, take a look at our documentation or jump straight to the OAuth apps page in the dashboard and create your first OAuth app.