I built a financial terminal because Bloomberg costs $24k/year
Pulling SEC EDGAR data instead of paying Bloomberg $24k/year, caching with Cloudflare's edge instead of Redis, and building a WebGL chart renderer instead of bolting on TradingView widgets.
The financial data industry runs on vibes and legacy software. Bloomberg Terminal: $24,000/year for a keyboard from 1983 and a UI that looks like it was designed by someone who genuinely hates users. Koyfin: prettier, but $600/year and you're still just renting access to the same SEC filings that are public domain.
I built Finterm — a keyboard-first browser terminal for stocks and crypto. Free tier is actually free, data comes from public sources, and the whole thing runs on Cloudflare Workers at the edge. Here's what building it taught me.
The platform constraint that broke all my dependencies
I deployed to Cloudflare Workers instead of a Node.js server. This was either the smartest or dumbest decision depending on the day.
Workers runs V8 isolates, not Node. This means: no fs, no crypto module, no bcrypt, no axios, no cheerio, no jsdom. Half of npm just doesn't work.
Password hashing is where I have to be honest: bcryptjs actually runs on Workers if you enable the nodejs_compat flag, which exposes most of node:crypto including crypto.randomBytes. Not a hard blocker. But I swapped it out for @noble/hashes anyway — pure JS Argon2id, zero Node-compat surface area, and OWASP currently recommends Argon2id over bcrypt for new password storage because it's more memory-hard. The platform pushed me to look at the options, and the better option was right there.
The SEC data layer was next. The old code used axios and cheerio to scrape HTML. Both fail on Workers. But scraping was wrong anyway — SEC's EDGAR has a proper JSON API at data.sec.gov that barely anyone uses. You get typed company facts, filing histories, the whole thing. No parsing required. The constraint forced the right architecture.
Getting financial data for free (and why Bloomberg is a scam)
Bloomberg's entire moat is: we have the data and you don't. But for US equities, the SEC requires public companies to file machine-readable XBRL data. Every quarterly earnings number, every balance sheet line item, every cash flow figure — it's all in the public domain at data.sec.gov/api/xbrl/companyfacts/.
The fun part is that companies don't all use the same GAAP concept names. Apple reports revenue under RevenueFromContractWithCustomerExcludingAssessedTax. Other companies use Revenues. Some use SalesRevenueNet. You have to build a concept alias map and pick the first one that has data for the period you're looking for:
The other gotcha: SEC only gives you Q1, Q2, Q3, and FY. There's no Q4 row. You have to synthesise it: Q4 = FY minus (Q1 + Q2 + Q3). This works for flow metrics like revenue and net income. Balance sheet metrics are point-in-time — carry the FY close value as Q4 because it's the same date.
Free cash flow isn't in XBRL at all. You derive it: FCF = operating cash flow minus capex. Capex is reported as a positive outflow, so you subtract it.
A data gateway instead of Redis
The obvious architecture for caching upstream API responses is: Redis. Call upstream, cache in Redis, return to client. This is also the architecture that costs $40/month for Upstash before you've written a line of product code.
The alternative: route everything through a single Next.js API route and let Cloudflare cache it at the edge.
Every endpoint returns Cache-Control: s-maxage=N, stale-while-revalidate=86400. Price feeds get s-maxage=5. SEC filings get s-maxage=3600. Cloudflare's CDN absorbs cache hits before they reach the worker. Rate limiting only fires on cache misses — exactly the traffic you want to throttle.
No Redis. No Upstash. No cache invalidation logic. Just HTTP semantics working as designed.
Dual-layer rate limiting
Cloudflare Workers has a native rate limiting binding — sub-millisecond, sliding window, in-memory at the edge. But it's eventually consistent across colos. During the ramp-up window, a burst of parallel requests from one IP can slip through before the state propagates.
So there are two layers:
- Layer 1 — Cloudflare's binding: 600 req/min for hot price feeds, down to 5 req/min for bulk registry fetches. Catches sustained abuse.
- Layer 2 — Per-isolate in-memory burst cap: a Map that enforces a per-second limit from a single isolate's perspective. Doesn't share state across isolates, but nails the runaway curl loop and rogue browser tabs immediately while the CF binding catches up globally.
The CF binding catches scraper farms. The in-memory burst catches the single person with a while(true) { fetch() } loop. Both are necessary.
WebGL charts (not TradingView widgets)
Koyfin's charts are TradingView widgets. They're fine. They're also somebody else's software bolted onto your product, and you can't touch the renderer.
Finterm's chart is a custom WebGL renderer — candlesticks, volume bars, crosshair, axes, drawings, indicators, all built from scratch. The reason to go WebGL is simple: you want 5,000 candles to render in under a frame at 60fps. Canvas 2D can't do it. The DOM definitely can't.
The tricky part was zoom/pan feel. The naive implementation: on wheel event, call zoomAt(factor, x). This produces stair-step motion — each wheel tick snaps the view to a new discrete state. TradingView doesn't do that, which is why TradingView feels smooth.
The fix is RAF-eased momentum. Wheel events accumulate into a target zoom level; each animation frame eases toward it with a decay function. Pan has a sub-pixel offset — fractional bar positions accumulate in a float, and only integer amounts fold into the data slice. The residual is applied as a matrix translation so candles slide between positions rather than jumping bar-by-bar.
Indicators in a sandboxed Web Worker
Users can write custom indicators in JavaScript. This is a sandbox problem.
The solution is a Web Worker that evaluates user code with Function(), feeds it the candle history, and enforces a 1-second timeout. If the code hangs or throws, you terminate the worker and return an error — the main thread never blocks.
The contract is minimal: candles in, { outputs, series } out. Users can implement VWAP, MACD, Supertrend in ~10 lines of JS. The built-in presets — SMA, EMA, Bollinger Bands, RSI — ship as code strings evaluated through the same sandbox, so there's exactly one code path.
Pop-out windows and the ownerDocument problem
Every chart window has a popout button that calls window.open() and renders the full React component tree into the opened window's document via createRoot. This is not a common pattern.
The bug you hit immediately: addEventListener('mousemove', handler) resolves to the parent window's event target, not the popout's. Drag events stop working. matchMedia queries the parent viewport. innerWidth returns the wrong number.
The fix is useOwnerWindow:
Every component that attaches DOM events uses this instead of the global window. Any document.createElement for offscreen canvas nodes goes through node.ownerDocument.createElement so it belongs to the right document.
Plain JSX, fetch, and ResizeObserver are document-agnostic and just work. The only things that care about which window they're in are event listeners and layout queries.
The state of financial tooling
Bloomberg's defensible moat is mostly institutional inertia and the Excel add-in. Koyfin's moat is a better UX than Bloomberg, which is a low bar. Neither is particularly hard to build around for retail-scale use cases.
The data is out there. The EDGAR API is excellent and underused. Binance's REST and WebSocket APIs are clean and fast. FRED has decades of macro data at api.stlouisfed.org. CoinGecko's free tier is genuinely generous.
The hard part isn't access. It's building a data gateway that caches correctly, rate-limits sanely, and doesn't wake you up at 3am because you forgot to pay the Redis bill.
Finterm is live. Free to use.