Architecture Overview | Owlat Docs

Owlat follows a modern serverless architecture with real-time capabilities.

System Architecture

FrontendNuxt 4 + Vue 3

PagesRouter

ComposablesState

Component LibraryUI Components

Real-time subscriptionsMutations / Actions

Convex BackendServerless

QueriesReal-time

MutationsACID

ActionsExternal APIs

SchemaDatabase

BetterAuthAuth

HTTP HandlersREST API

Owlat MTADefault — Direct SMTP delivery

Intelligence pipelineIP warmingBounce processing

AWS SES

Resend

WebhooksEvents

PostHogAnalytics & Errors

← Client (posthog-js)← Server (posthog-node)

Monorepo Structure

Apps

App	Description
`apps/web`	Main web application (Nuxt 4 + Vue 3)
`apps/api`	Backend (Convex — serverless functions, database, auth)
`apps/docs`	Developer documentation (VitePress)
`apps/marketing`	Marketing / landing page site (Nuxt)
`apps/mta`	Custom Mail Transfer Agent (Hono + GroupMQ + direct SMTP)
`apps/nest`	Platform administration dashboard (Nuxt 3)
`apps/nest-api`	Control plane backend (Convex — VPS provisioning, billing, health monitoring)

Packages

Package	Description
`packages/shared`	Shared types (block types, editor types, compatibility data)
`packages/email-builder`	Email builder Vue components (Notion-like editor)
`packages/email-renderer`	Email HTML rendering engine (table-based, VML, CSS inlining)
`packages/email-scanner`	Email security scanning (content analysis, file validation, URL reputation, ClamAV client)
`packages/email-previewer`	Email client preview components (compatibility analysis, Can I Email data)
`packages/ui`	Nuxt layer providing shared UI components and composables
`packages/sdk-js`	JavaScript SDK for the Owlat API
`packages/sdk-java`	Java SDK for the Owlat API

Data Flow

Real-time Updates

Convex provides automatic real-time updates:

// Frontend - automatically re-renders when data changes
const contacts = useConvexQuery(api.contacts.listFromSession, {});

// Backend - changes automatically push to subscribed clients
export const create = mutation({
    handler: async (ctx, args) => {
        await ctx.db.insert('contacts', { ...args });
        // Clients subscribed to list queries automatically update
    },
});

Authentication Flow

User LoginCredentials submitted

BetterAuthAuthentication provider

Session CreatedJWT token issued

Organization SetactiveOrganizationId stored in session

Backend queries extract organizationId from session

Data scoped to organization automatically

Email Sending Flow

Template CreatedJSON Blocks → @owlat/email-renderer → HTML

Domain AddedSES Registration → DNS Records Generated → User Configures DNS

Campaign CreatedAudience Selected → Domain Verified (DNS + SES)

Owlat MTA (default)Direct SMTP · Intelligence pipeline · IP warming

Webhooks → Status Updates → Analytics

Multi-tenancy

Owlat has two levels of multi-tenancy:

Platform-level — The control plane (apps/nest-api) manages multiple VPS instances, one per customer organization. Each VPS runs an isolated Docker Compose stack.
Tenant-level — Within each VPS, the Convex backend scopes all data to organizations via BetterAuth (the pattern below).

All data is scoped to organizations via BetterAuth:

// Schema pattern - every table has organizationId
contacts: defineTable({
    organizationId: v.string(),
    // ... other fields
}).index('by_org', ['organizationId']);

// Query pattern - always filter by organization
const contacts = await ctx.db
    .query('contacts')
    .withIndex('by_org', (q) => q.eq('organizationId', organizationId))
    .collect();

Authentication Architecture

BetterAuth

UsersAuth

SessionsJWT

OrganizationsTeams

Convex Adapter

Stores user/session data in Convex
Provides auth routes via HTTP handlers
Links sessions to organizations

Email System Architecture

Email Builder

Inline Editor

Blocks (JSON)

Saved Blocks

Email Rendering

JSON Blocks@owlat/email-rendererHTML Email

Responsive layoutsCross-client compatibility

Email Delivery

Owlat MTADirect SMTP · Intelligence pipeline · IP warming

Default

Optional alternatives

ResendOptional

AWS SESOptional

SES Identity ManagersesIdentity.ts

Domain registration (VerifyDomainIdentity/DKIM)
MAIL FROM configuration
Verification status polling

resolveRoute() → getProviderByType()

DKIM signing

MX delivery

IP warming

Rate limiting

Health-aware failover

Domain management

Domain management (registration, DNS verification, SES identity setup) is handled through the dashboard UI. There is no public API for domain management.

Control Plane Architecture

The control plane (apps/nest-api/) manages the lifecycle of customer organizations. Each organization gets a dedicated VPS on Hetzner Cloud running a full Docker Compose stack.

Provisioning Flow

User signs upSelects tier and region

Stripe subscriptionPayment confirmed via Stripe Elements

Organization created (pending)Provisioning job queued

Hetzner APIServer created with cloud-init userdata

Docker Compose stackConvex + Web + MTA + Redis + ClamAV + convex-deploy

Smoke test passesConvex :3210, Web :3000 responding

Organization activeRouting table updated, instance accessible

Per-VPS Stack

Each provisioned VPS runs six Docker services:

Service	Image	Port	Purpose
`convex`	`ghcr.io/get-convex/convex-backend`	3210 (API), 3211 (site proxy)	Self-hosted Convex backend
`web`	`ghcr.io/owlat/web`	3000	Nuxt web application
`mta`	`ghcr.io/owlat/mta`	3100 (API), 25 (SMTP)	Mail Transfer Agent
`redis`	`redis:7-alpine`	6379	Queue and cache layer
`clamav`	`clamav/clamav:1.3`	3310	Antivirus scanning
`convex-deploy`	`ghcr.io/owlat/convex-deploy`	—	Schema deployment helper (run once)

A Caddy reverse proxy reads the routingTable in the control plane database to map organization slugs to VPS IP addresses. When an organization is suspended or deleted, its routing entry is deactivated.

Available Regions

VPS instances can be provisioned in six Hetzner Cloud datacenters:

Region	Location	Continent
`fsn1`	Falkenstein, Germany	EU
`nbg1`	Nuremberg, Germany (default)	EU
`hel1`	Helsinki, Finland	EU
`ash`	Ashburn, VA, USA	US
`hil`	Hillsboro, OR, USA	US
`sin`	Singapore	Asia

VPS Health Monitoring

The control plane runs health checks every 5 minutes against all running VPS instances, probing three services:

Service	Endpoint	Port
Convex	`/version`	3210
Web	`/`	3000
MTA	`/health`	3100

Status Levels

Status	Condition
`healthy`	All three services responding
`degraded`	Convex up + at least one other service up
`unhealthy`	Only one service responding
`unreachable`	No services responding

Auto-Recovery

Alert at 3 consecutive failures (15 minutes) — creates a health alert for admins
Auto-reboot at 6 consecutive failures (30 minutes) — triggers Hetzner server reboot via API

Database Schema Overview

The Convex schema (~30 tables) follows these patterns:

Core Tables

Table	Purpose
`userProfiles`	User profile data linked to BetterAuth
`organizationSettings`	Organization-level configuration

Contact Management

Table	Purpose
`contacts`	Email contacts
`contactProperties`	Custom field definitions
`contactPropertyValues`	Custom field values per contact
`topics`	Contact groupings
`contactTopics`	Many-to-many with DOI status
`segments`	Saved filter configurations

Email System

Table	Purpose
`emailTemplates`	Marketing/transactional templates
`emailBlocks`	Reusable content blocks
`campaigns`	One-time email sends (includes `archiveToken`, `archiveHtml`, `hardBounces`, `softBounces`)
`emailSends`	Per-recipient tracking
`transactionalEmails`	API-triggered templates
`transactionalSends`	Transactional delivery tracking

Automations

Table	Purpose
`automations`	Workflow definitions
`automationSteps`	Steps within workflows
`automationRuns`	Contact progress through workflows
`automationStepRuns`	Individual step execution

Settings & Security

Table	Purpose
`domains`	Custom sending domains
`apiKeys`	API authentication
`webhooks`	Event notifications
`webhookDeliveryLogs`	Delivery tracking
`blockedEmails`	Bounce/complaint blocklist
`auditLogs`	Action history
`formEndpoints`	Public form configuration
`formSubmissions`	Form submission records
`mediaAssets`	Media library files
`contactActivities`	Contact activity tracking

Control Plane Tables (`apps/nest-api`)

Table	Purpose
`tiers`	Infrastructure pricing tiers (Starter/Growth/Enterprise) mapped to Hetzner server types
`organizations`	Tenant organizations with lifecycle states (pending → active → suspended → deleted)
`vpses`	VPS instances with Hetzner server IDs, IPs, health status
`routingTable`	Caddy slug-to-IP routing entries
`provisioningJobs`	Job queue for create/resize/delete/redeploy operations
`invoices`	Monthly billing invoices per organization
`healthAlerts`	VPS health alerts (unhealthy, auto-reboot, recovered)
`auditLogs`	Platform admin action logging
`platformAdmins`	Admin user accounts (admin/superadmin roles)

Background Jobs

Tenant Backend (`apps/api/convex/crons.ts`)

Job	Interval	Purpose
Process scheduled campaigns	1 min	Backup for scheduler-based sends
Process pending delays	5 min	Catch missed automation delays
Process account deletions	24 hours	Handle expired grace periods
Cleanup webhook logs	7 days	Remove logs older than 30 days
Refresh segment counts	30 min	Keep cached counts fresh

Control Plane (`apps/nest-api/convex/crons.ts`)

Job	Interval	Purpose
Health checks	5 min	Check all running VPS instances (Convex, Web, MTA)
Process provisioning jobs	1 min	Execute queued create/resize/delete/redeploy operations
Generate monthly invoices	24 hours	Create invoices for active organizations, mark overdue

Frontend Architecture

Layouts

default - Public pages (landing, auth)
dashboard - Authenticated pages with sidebar

Route Structure

/                               # Landing page
/auth/login                     # Login
/auth/register                  # Registration
/auth/forgot-password           # Password reset request
/auth/reset-password            # Password reset form
/dashboard                      # Main dashboard
/dashboard/mail/*               # Email templates, blocks, media library
/dashboard/mail/media           # Media library
/dashboard/emails/*             # Email editor
/dashboard/campaigns/*          # Campaign management
/dashboard/audience/*           # Contacts, lists, segments
/dashboard/automations/*        # Automation workflows
/dashboard/transactional/*      # Transactional templates
/archive/:token                 # Campaign archive (public)
/dashboard/settings/*           # Organization settings

State Management

Convex queries provide reactive data
useAuth() - Authentication state
useCurrentOrganization() - Current organization context
useMediaLibrary() - Media asset management
useToast() - Global toast notifications
useFocusMode() - Editor focus mode
usePostHog() - Product analytics (capture events, identify users)
usePostHogIdentity() - Auto-syncs auth/org state to PostHog

Feature Flags

Some features are toggled via environment variables and can be enabled or disabled at runtime without code changes.

Feature	Backend env var	Frontend env var	Pattern
Analytics	`POSTHOG_API_KEY`	`NUXT_PUBLIC_POSTHOG_API_KEY`	`usePostHog()` composable + `lib/posthog.ts` action

Backend helpers live in apps/api/convex/lib/. Frontend composables read from useRuntimeConfig().public and conditionally subscribe to Convex queries. The pattern:

Backend: a small lib/*.ts file reads process.env and exports boolean helpers.
Frontend: a useFeature() composable exposes reactive flags and conditional query subscriptions.
Middleware: auth.ts and guest.ts check the composable and redirect as needed.
UI: sidebar nav items and settings cards are conditionally rendered.