
Stratbeacon

A SaaS trading signals platform for retail traders. Founded, built, and operated solo.

  • Next.js
  • NextAuth
  • FastAPI
  • PostgreSQL
  • Prisma
  • SQLAlchemy
  • Stripe
  • Schwab API
  • Ghost CMS
  • n8n
  • Coolify

What it is

Stratbeacon delivers timing signals for leveraged-ETF and options-based strategies to retail traders. Subscribers get alerts when the underlying market state crosses thresholds their chosen strategy reacts to. Users connect their brokerage via OAuth so signals can be contextualised against actual positions.

Founded and operated solo. Lives at stratbeacon.com; the blog at blog.stratbeacon.com.

Stack

  • Frontend: Next.js with NextAuth-backed sessions
  • Backend: Python / FastAPI; PostgreSQL accessed through Prisma (Node side) and SQLAlchemy (Python side)
  • Financial data: Schwab API integration for live quotes, account state, and order placement
  • Payments: Stripe subscriptions and billing
  • Automation: n8n for workflow orchestration; background scheduler for strategy alerts
  • Content: Ghost CMS for the marketing blog
  • Infra: Self-hosted on a VPS via Coolify

Security

Financial applications have real security requirements: encrypted user OAuth tokens at rest, cross-stack session authentication, internal-endpoint protection against timing attacks, safety-critical input validation. Some of the techniques shipped on Stratbeacon are written up on this site:

  • Per-user OAuth token encryption with HKDF key derivation — a fix that replaced a length-extension-vulnerable SHA256(master || user_id) pattern.
  • NextAuth JWE session decryption in the Python backend, so a Next.js frontend can hand off authenticated requests to a FastAPI service without a parallel auth stack.
  • Internal-API endpoints (called by n8n) protected with a shared-secret check done via secrets.compare_digest, so the comparison is timing-attack safe.
  • Pydantic input validation with explicit per-field risk documentation for safety-critical trading parameters (level spacing, allocation factors, price bounds).
  • A documented accepted-risk register so the deferred work is visible.
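The first and third bullets above, as an added stdlib-only example (not Stratbeacon's own code): an RFC 5869 HKDF implemented over hmac/hashlib, the bare `SHA256(master || user_id)` pattern it replaces kept alongside for contrast, and a constant-time shared-secret check for an internal endpoint. The salt label `stratbeacon-token-key-v1`, the function names and the sample master secret are assumptions made for the example; the AEAD step that would actually encrypt the OAuth token with the derived key (AES-256-GCM, for instance) needs a third-party library and is not shown.

```python
import hashlib
import hmac
import secrets
from typing import Optional

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH_LEN  # RFC default when no salt is supplied
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: OKM = T(1) || T(2) || ... truncated to `length`,
    where T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length too long for HKDF")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """Full HKDF: extract then expand."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def weak_user_key(master: bytes, user_id: str) -> bytes:
    """The pattern being replaced. A bare Merkle-Damgard hash over
    master || user_id exposes the hash's internal state in its output,
    which is what makes length extension possible; it is also not a KDF."""
    return hashlib.sha256(master + user_id.encode()).digest()


def user_token_key(master: bytes, user_id: str) -> bytes:
    """Per-user key via HKDF. The user id is bound through the `info`
    parameter and the salt is a fixed, versioned application label
    (hypothetical value). Output is a 32-byte key for an AEAD cipher."""
    return hkdf(master, b"stratbeacon-token-key-v1", user_id.encode(), 32)


def check_internal_secret(presented: Optional[str], expected: str) -> bool:
    """Constant-time check of a shared secret presented by an internal caller
    (e.g. n8n) in a request header. compare_digest does not short-circuit on
    the first differing byte; unequal lengths return False (length itself may
    still be inferable, so keep the secret a fixed, documented size)."""
    if presented is None:
        return False
    return secrets.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample master secret; a real one comes from a secrets manager.
    master = bytes.fromhex("00" * 32)
    for uid in ("user-1", "user-2"):
        print(uid, user_token_key(master, uid).hex())
    print(check_internal_secret("abc", "abc"), check_internal_secret("abd", "abc"))
```

In the derivation, both the salt and the `info` string are part of what HKDF binds the output to, so rotating the label (`-v1` to `-v2`) yields a disjoint key set, which is what a re-encryption migration needs.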

What it's taught me

Operating a real product on my own infrastructure has a different texture than shipping experiments — the failure modes are real, the security stakes are real, and the design decisions persist. A lot of what I write about cloud and security on this site comes from the things Stratbeacon makes me figure out.