I built a financial terminal in the browser because Bloomberg costs $24k/year and I have opinions

The financial data industry runs on vibes and legacy software. Bloomberg Terminal: $24,000/year for a keyboard from 1983 and a UI that looks like it was designed by someone who genuinely hates users. Koyfin: prettier, but $600/year and you're still just renting access to the same SEC filings that are public domain.

I built Finterm — a keyboard-first browser terminal for stocks and crypto. Free tier is actually free, data comes from public sources, and the whole thing runs on Cloudflare Workers at the edge. Here's what building it taught me.

The platform constraint that broke all my dependencies

I deployed to Cloudflare Workers instead of a Node.js server. This was either the smartest or dumbest decision depending on the day.

Workers runs V8 isolates, not Node. This means: no fs, no crypto module (as you know it), no bcrypt, no axios, no cheerio, no jsdom. Half of npm just... doesn't work.

Password hashing is where I have to be honest: bcryptjs actually runs on Workers if you enable the nodejs_compat flag, which exposes most of node:crypto including crypto.randomBytes. Not a hard blocker. But I swapped it out for @noble/hashes anyway — pure JS Argon2id, zero Node-compat surface area, and OWASP currently recommends Argon2id over bcrypt for new password storage because it's more memory-hard. The platform pushed me to look at the options, and the better option was right there.

The SEC data layer was next. The old code used axios and cheerio to scrape HTML. Both fail on Workers. But scraping was wrong anyway — SEC's EDGAR has a proper JSON API at data.sec.gov that barely anyone uses. You get typed company facts, filing histories, the whole thing. No parsing required. The constraint forced the right architecture.

Getting financial data for free (and why Bloomberg is a scam)

Bloomberg's entire moat is: we have the data and you don't. But for US equities, the SEC requires public companies to file machine-readable XBRL data. Every quarterly earnings number, every balance sheet line item, every cash flow figure — it's all in the public domain at data.sec.gov/api/xbrl/companyfacts/.

The fun part is that companies don't all use the same GAAP concept names. Apple reports revenue under RevenueFromContractWithCustomerExcludingAssessedTax. Other companies use Revenues. Some use SalesRevenueNet. You have to build a concept alias map and pick the first one that has data for the period you're looking for:

const CONCEPT_MAP = {
  revenue: [
    'Revenues',
    'RevenueFromContractWithCustomerExcludingAssessedTax',
    'RevenueFromContractWithCustomerIncludingAssessedTax',
    'SalesRevenueNet',
    'SalesRevenueGoodsNet',
  ],
  // ...30 more metrics
};

The other gotcha: SEC only gives you Q1, Q2, Q3, and FY. There's no Q4 row. You have to synthesise it: Q4 = FY - (Q1 + Q2 + Q3). But this only works for flow metrics (revenue, net income, cash flow). Balance sheet metrics are point-in-time stocks — you just carry the FY close value as Q4 because it's the same date.

Free cash flow isn't in XBRL at all. You derive it: FCF = operating cash flow - capex. And capex is reported as a positive outflow (you paid $X), so you subtract it, not add.

Bloomberg charges you $24k/year partly for someone to have already figured all this out.

A data gateway instead of Redis

The obvious architecture for caching upstream API responses is: Redis. Call upstream, cache in Redis, return to client. This is also the architecture that costs $40/month for Upstash before you've written a line of product code.

The alternative: route everything through a single Next.js API route and let Cloudflare cache it at the edge.

GET /api/data/binance/ticker24?symbol=BTCUSDT
GET /api/data/sec/quarterly?ticker=AAPL
GET /api/data/fred/series?id=DFF

Every endpoint returns Cache-Control: s-maxage=N, stale-while-revalidate=86400. Price feeds get s-maxage=5. SEC filings get s-maxage=3600. Cloudflare's CDN absorbs the cache hits before they ever reach the worker. Rate limiting only fires on cache misses — exactly the traffic you actually want to throttle.

No Redis. No Upstash. No cache invalidation logic. Just HTTP semantics working as designed.

Dual-layer rate limiting

Cloudflare Workers has a native rate limiting binding — sub-millisecond, sliding window, in-memory at the edge. But it's eventually consistent across colos. During the ramp-up window, a burst of 10-30 parallel requests from one IP can slip through before the state propagates.

So there are two layers:

Layer 1 — Cloudflare's binding: 600 req/min for hot price feeds, down to 5 req/min for bulk registry fetches. Catches sustained abuse.

Layer 2 — Per-isolate in-memory burst cap: a Map<key, timestamp[]> that enforces a per-second limit from a single isolate's perspective. Doesn't share state across isolates, but nails the runaway curl loop and rogue browser tabs immediately while the CF binding catches up globally.

const BURST_PER_SEC = {
  heavy: 4,   // 4/sec/isolate
  bulk:  1,   // one registry fetch per second is plenty
};

The CF binding cap catches scraper farms. The in-memory burst catches the single idiot with a while(true) { fetch() } loop. Both are necessary.

WebGL charts (not TradingView widgets)

Koyfin's charts are TradingView widgets. They're fine. They're also somebody else's software bolted onto your product, and you can't touch the renderer.

Finterm's chart is a custom WebGL renderer — candlesticks, volume bars, crosshair, axes, drawings, indicators, all built from scratch. The reason to go WebGL is simple: you want 5,000 candles to render in under a frame at 60fps. Canvas 2D can't do it. The DOM definitely can't.

The tricky part was zoom/pan feel. The naive implementation is: on wheel event, call zoomAt(factor, x). This produces stair-step motion — each wheel tick snaps the view to a new discrete state. TradingView doesn't do that, and it's why TradingView feels smooth.

The fix is RAF-eased momentum. Wheel events accumulate into a target zoom level; each animation frame eases toward it with a decay function. Pan has a sub-pixel offset — fractional bar positions accumulate in a float, and only integer amounts get folded into the data slice. The residual is applied as a matrix translation so the candles actually slide between positions rather than jumping bar-by-bar.

Getting this right took two weeks and about forty rewrites of the interaction handler. "Don't touch ZOOM_DIVISOR = 2500 or MAX_DELTA = 0.012" is now in the codebase docs.

Indicators in a sandboxed Web Worker

Users can write custom indicators in JavaScript. This is a sandbox problem.

The solution is a Web Worker that evaluates user code with Function(), feeds it the candle history, and enforces a 1-second timeout. The worker is the sandbox — if the code hangs or throws, you terminate the worker and return an error, and the main thread never blocks.

The contract is deliberately minimal: candles in, { outputs, series } out. Users can implement VWAP, MACD, Supertrend, whatever they want, in ~10 lines of JS. The built-in presets (SMA, EMA, Bollinger Bands, RSI) ship as code strings evaluated through the same sandbox, so there's exactly one code path.

Pop-out windows and the ownerDocument problem

Every chart window has a popout button that calls window.open() and renders the full React component tree into the opened window's document via createRoot. This is not a common pattern.

The bug you hit immediately: addEventListener('mousemove', handler) resolves to the parent window's event target, not the popout's. So drag events stop working. matchMedia queries the parent window's viewport. innerWidth returns the wrong number.

The fix is useOwnerWindow:

export function useOwnerWindow(ref: RefObject<HTMLElement | null>): Window {
  const [win, setWin] = useState<Window>(() => window);
  useEffect(() => {
    const next = ref.current?.ownerDocument?.defaultView;
    if (next && next !== win) setWin(next);
  });
  return win;
}

Every component that attaches DOM events uses this instead of the global window. Similarly, any document.createElement for offscreen canvas nodes goes through node.ownerDocument.createElement so it belongs to the right document.

Plain JSX, fetch, and ResizeObserver are document-agnostic and just work. The only things that care about which window they're in are event listeners and layout queries.

The state of financial tooling

Bloomberg's defensible moat is mostly institutional inertia and the Excel add-in. Koyfin's moat is a better UX than Bloomberg, which is a low bar. Neither is particularly hard to build around for retail-scale use cases.

The data is out there. The EDGAR API is excellent and underused. Binance's REST and WebSocket APIs are clean and fast. FRED has decades of macro data at api.stlouisfed.org. CoinGecko's free tier is genuinely generous.

The hard part isn't access. It's building a data gateway that caches correctly, rate-limits sanely, and doesn't wake you up at 3am because you forgot to pay the Redis bill.

Finterm is live at finterm.xyz. Free to use.