Documentation

How Zolea is built

A complete, honest walkthrough of what Zolea is, the decisions behind it, the technology that runs it, and the security model that keeps communities clean and funds untouchable. Read top to bottom, or jump around with the menu.

01 · Overview

What Zolea is

Zolea is a community platform built for crypto. It pairs familiar community tooling — servers, channels, roles, DMs, moderation — with one thing chat apps don't have: when someone shares a token, it doesn't arrive as a dead link. It unfurls into a live coin card with price, market cap, liquidity, volume and a chart, updating in real time.

That single idea ripples outward. A network-wide Global feed lets anyone share a coin to everyone; a Trending board ranks tokens by how often the network actually talks about them; a buy bot streams live purchases into a community's chat. The result is a place where the conversation and the market are the same surface.

Live, not links

Shared tokens become real-time, interactive cards.

Non-custodial

Your wallet, your keys, your funds — always.

Network effects

A shared global feed and cross-community Trending.

02 · Philosophy

The idea & the guardrails

Crypto communities live in chat apps that were never built for tokens. Links rot, charts live elsewhere, and scams hide behind look-alike URLs. Zolea's thesis is that market context belongs inside the conversation — verifiable, live, and one tap from action.

The project is built around a small set of guardrails that are deliberately never crossed:

  • No custody. Zolea never holds keys or funds. Sign-in is by wallet; payments are on-chain from your own wallet.
  • No trading engine. Coin data is read-only and informational. We don't mint, swap or route orders — trading links out to pump.fun.
  • No financial advice. Every coin card carries an explicit “informational only, not an endorsement” disclaimer.
  • Privacy by default. Row-level security, signed media, masked account details and encrypted personal spaces.

03 · Technology

The tech stack

Zolea runs on a deliberately lean, modern, mostly free-tier stack. Each layer was chosen for performance, developer ergonomics and the ability to enforce security at the lowest possible level.

Next.js 16 · React 19

App Router with React Server Components and Server Actions. Turbopack for builds; middleware lives in proxy.ts on the Node runtime. cookies() and headers() are async. The marketing site is statically prerendered.

Supabase (Postgres)

Auth, Postgres, Realtime and Storage in one. Every table is guarded by row-level security policies — the database itself is the security boundary, not the app code.

Tailwind CSS v4

Utility-first styling with a small set of design tokens (pure-black surfaces, a Vercel-blue accent, Inter + Azeret Mono type). The marketing visual system adds frosted-glass and glow helpers.

Solana

Wallet sign-in (Phantom) and on-chain SOL payments for sponsorships and donation drives — all non-custodial, executed in the user's own wallet.

DexScreener API

Free, key-less market data for coin cards: price, market cap, liquidity, 24h volume and chart data. Snapshotted on share, refreshed on view.

PumpPortal WebSocket

A live subscribeNewToken stream powers the pump.fun live dock — newest launches roll in client-side, no database writes.

Hosting: Vercel for the app, Supabase for data. Icons by lucide-react; QR codes via qrcode. No paid third-party services.

04 · Architecture

How it fits together

The app is a single Next.js project. Server Components fetch data directly from Supabase on the server (so secrets never reach the browser), and Server Actions handle mutations — creating servers, posting messages, applying moderation — with the authenticated user's session.

Two domains share one deployment. The proxy inspects the request host: web.zolea.fun is rewritten to the public /web marketing routes (no auth), while the app domain runs the auth gate, refreshing the Supabase session on every request and redirecting logged-out users to /login.

request ──▶ proxy.ts
   ├─ host = web.*  ──▶ rewrite to /web/*   (public marketing + docs)
   └─ app host      ──▶ updateSession() ──▶ /login if signed out

Live chat is powered by Supabase Realtime: each open channel subscribes to INSERT/UPDATE/DELETE on its messages and patches the list in place. Optimistic sends keep the UI instant; the realtime echo reconciles. Typing indicators and live buy alerts ride the same realtime broadcast layer.

05 · Data

The data model

The schema is the single source of truth, applied in the Supabase SQL editor. Core tables:

Identity & membership

profiles, servers, server_members, roles, member_roles — who exists, which communities they belong to, and what they're allowed to do.

Messaging

channels, messages, reactions, and coin_embeds (cached market snapshots). DMs use dm_threads + dm_messages.

Monetization

sponsorships tracks on-chain feature purchases and donation-drive progress, read live from the chain.

Integrity triggers

Postgres triggers keep things consistent: DM previews recompute on delete, and a per-user rate limit is enforced in the database.

Every one of these tables has row-level security turned on. A member can only read messages in servers they belong to; can only edit or delete their own messages; admins can moderate within their server and nowhere else. Because this is enforced in Postgres, a bug in the app layer can't leak data it was never permitted to see.

Two surfaces go further than access control. Regular server messages are access-controlled but still stored in a form the app can read to serve them. Your direct messages and your personal My Space notepad are end-to-end encrypted: sealed in your browser with your own key before anything is sent, so the database only ever holds ciphertext. And it's automatic — keys are generated and synced for you, with no passphrase or recovery codes to manage.

06 · Features

Every feature, in depth

Live coin cards

A token address or pump.fun / DexScreener link in any message is detected, fetched, snapshotted into coin_embeds, and rendered as a live card — price, market cap, liquidity, 24h volume, chart and a one-tap trade link. Refreshes on view.

Buy bot

Streams live purchases of a community's token into chat as green alerts with spend size, holder status and a custom banner. Configurable per channel, with a minimum-buy filter and a dollars-per-emoji scale.

Global feed

One public room for the whole network. Share a CA to spin up a card everyone sees; activity here feeds Trending.

Trending

A live leaderboard ranked by how often a token is shared across Zolea — real activity, not paid placement. Star a coin to build a watchlist; sponsored rows are clearly labeled.

Communities

Full-featured servers: channels, categories, owner / admin / mod / member roles, folders, and granular member rules (post, link, share-coins, GIFs, slow-mode), all enforced server-side.

Slash commands

In-chat commands — /coin, /price, /ca, /rules, /poll, /contribute, /setwelcome — plus GIF search and inline polls.

Sponsorships & donations

Feature a community on the home page or pin a token in Trending via on-chain SOL. Donation drives let members chip in toward a sponsor spot, with progress read live from the blockchain.

Search, DMs & more

Full message search within a channel, private one-to-one DMs, the pump.fun live launch dock, a reports/moderation queue, and an encrypted personal space.

07 · Security

The security model

Security in Zolea isn't a feature bolted on top — it's enforced at the database, the network and the cryptography layers. The four pillars:

Proof-of-work join gate

Every join requires solving a server-issued challenge: a random prefix and a difficulty (a number of leading hex zeros). The browser searches for a nonce where sha256(prefix + nonce) starts with that many zeros, then sends it back; the server re-hashes to verify, so it can't be faked. A hand-written synchronous SHA-256 runs the tight search loop. The point: each attempt costs real CPU, which makes mass bot sign-ups expensive and pointless — while staying invisible to a real person. A captcha backs it up.
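
The challenge, search and verification described above, as an added JavaScript example (not Zolea's code). It uses Node's built-in SHA-256 rather than the hand-written one the page mentions; the function names, the in-memory challenge store, the 60-second expiry and the single-use rule are assumptions.

```javascript
// Added example; names, store, TTL and single-use rule are assumptions.
const crypto = require('node:crypto');

const CHALLENGE_TTL_MS = 60_000;   // assumed expiry window
const issued = new Map();          // prefix -> { difficulty, expires }

function sha256Hex(text) {
  return crypto.createHash('sha256').update(text, 'utf8').digest('hex');
}

// Server: hand out a random prefix and a difficulty (leading hex zeros).
function issueChallenge(difficulty, now = Date.now()) {
  const prefix = crypto.randomBytes(16).toString('hex');
  issued.set(prefix, { difficulty, expires: now + CHALLENGE_TTL_MS });
  return { prefix, difficulty };
}

// Client: brute-force search; expected cost is about 16^difficulty hashes.
function solve({ prefix, difficulty }) {
  const target = '0'.repeat(difficulty);
  for (let nonce = 0; ; nonce++) {
    if (sha256Hex(prefix + nonce).startsWith(target)) return String(nonce);
  }
}

// Server: one hash to verify. The difficulty is read from the server's own
// record (never from the request), and the challenge is consumed on first
// use so a solved prefix cannot be replayed for a second join.
function verify(prefix, nonce, now = Date.now()) {
  const rec = issued.get(prefix);
  if (!rec) return false;                       // unknown or already used
  issued.delete(prefix);                        // single use
  if (now > rec.expires) return false;          // stale challenge
  if (typeof nonce !== 'string' || !/^\d{1,16}$/.test(nonce)) return false;
  return sha256Hex(prefix + nonce).startsWith('0'.repeat(rec.difficulty));
}
```

Each extra hex zero multiplies the expected client work by 16 while verification stays at a single hash.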

End-to-end encrypted messages

DMs and your personal My Space are encrypted in the browser. Each user holds an ECDH P-256 keypair; the public half is published to profiles.dm_public_key and the private half is generated on-device and backed up encrypted, so it follows you to new devices with no prompts. A conversation key comes from ECDH(yours, theirs) (for My Space, from your key with itself); messages are sealed with AES-256-GCM (fresh IV each time) before they ever reach the database, so the server only ever sees ciphertext. It's fully automatic — no passphrase, no recovery codes. The trade-off for that seamless, multi-device experience is that key management is transparent rather than zero-knowledge against the host.
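
The key agreement and sealing steps above, as an added JavaScript example (not Zolea's code) using Node's synchronous crypto module in place of the browser API. The page does not name a key-derivation step; the HKDF-SHA-256 call, its info label, the iv‖ciphertext‖tag layout and all function names are assumptions.

```javascript
// Added example; function names, HKDF step and wire layout are assumptions.
const crypto = require('node:crypto');

function newKeypair() {
  const ecdh = crypto.createECDH('prime256v1');   // OpenSSL's name for P-256
  const publicKey = ecdh.generateKeys();          // the half that is published
  return { ecdh, publicKey };
}

// ECDH shared secret -> HKDF-SHA-256 -> 32-byte AES key.
// computeSecret() throws if the peer key is not a valid point on the curve.
function conversationKey(mine, theirPublicKey) {
  const shared = mine.ecdh.computeSecret(theirPublicKey);
  const okm = crypto.hkdfSync('sha256', shared, Buffer.alloc(0),
                              'example-dm-key-v1', 32);
  return Buffer.from(okm);
}

// AES-256-GCM with a fresh random 96-bit IV per message.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, ct, cipher.getAuthTag()]).toString('base64');
}

// Rejects anything whose GCM tag does not verify (tampering or wrong key).
function unseal(key, sealed) {
  const raw = Buffer.from(sealed, 'base64');
  if (raw.length < 12 + 16) throw new Error('sealed message too short');
  const iv = raw.subarray(0, 12);
  const ct = raw.subarray(12, raw.length - 16);
  const tag = raw.subarray(raw.length - 16);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv,
                                           { authTagLength: 16 });
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```

The GCM tag authenticates a message against the derived key only; since the peer's public key is fetched from the server, detecting a substituted key needs a separate fingerprint comparison between the two users.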

Row-level security everywhere

Postgres RLS policies on every table mean access is decided by the database, not trusted to app code. Members see only what their membership permits; ownership and admin checks run in the engine itself.

Non-custodial & hardened

Wallet sign-in means Zolea never holds keys or funds. Media is served via short-lived signed URLs; account details are masked; external links are defensively flagged. The service-role key never reaches the client or the edge, and developer-only routes return 404 outside development.

08 · Performance

Built to feel instant

Speed is a feature. A few of the choices that keep Zolea fast:

  • Server-first rendering. Server Components fetch data on the server and ship HTML — less client JavaScript, faster first paint.
  • Optimistic UI. Messages, reactions and edits appear instantly and reconcile against the realtime echo.
  • Cheap hot paths. The chat view precomputes per-message parsing once when messages change, so typing never re-parses the whole list.
  • Static marketing. This site and the docs are statically prerendered with zero page JavaScript — all motion is pure CSS.

09 · What's next

Roadmap

Shipped and verified: auth, servers, channels, realtime messaging, roles & moderation, live coin cards, the buy bot, global feed, Trending, DMs, sponsorships, donation drives, slash commands, encrypted spaces and the pump.fun live dock.

On the horizon: voice channels (LiveKit), richer per-channel permissions, cross-server watchlists and notifications, and a mobile / PWA experience.
