System Architecture

Zero-Trust, Event-Driven, Polyglot Microservices.

Architectural Layers

Layer 1: External Access

Client → API Gateway

HTTP/REST with JWT Authentication. Only the API Gateway is exposed to the public internet.
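What "validates token" in Layer 1 has to mean in practice, as an added example that is not the project's gateway code: the gateway pins the algorithm (never letting the token header choose it), verifies the HMAC signature with a constant-time compare, and only then checks issuer, audience and expiry. The shared secret, issuer URL and audience name are constructed for the example; a real deployment would normally use asymmetric keys fetched from the identity provider's JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; not the project's real configuration.
SECRET = b"constructed-example-secret-not-for-production"
EXPECTED_ISS = "https://auth.example"
EXPECTED_AUD = "payments-api"


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims, key=SECRET, alg="HS256"):
    """Stand-in for the identity provider. `alg` is a parameter only so the
    tests can build the malformed tokens the gateway must reject."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, key=SECRET, now=None):
    """Return the claims if the token is acceptable, otherwise raise ValueError."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:  # bad segment count, bad base64, bad JSON
        raise ValueError("malformed token")
    # Pin the algorithm. Trusting header["alg"] is how "none" and key-confusion
    # bypasses happen.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    # Signature is good; now the claims. A missing exp is rejected rather than
    # read as "never expires".
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("bad issuer")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("bad audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired")
    if isinstance(claims.get("nbf"), (int, float)) and now < claims["nbf"]:
        raise ValueError("not yet valid")
    return claims


def is_valid(token, key=SECRET, now=None):
    """Boolean form of verify_token for callers that only need accept/reject."""
    try:
        verify_token(token, key, now)
        return True
    except ValueError:
        return False
```

The order matters: claims are parsed only to be checked after the signature passes, and every rejection path returns the same generic failure to the client so a caller cannot probe which check it tripped.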

Layer 2: Inter-Service (Zero Trust)

Payment ↔ Account

gRPC with mTLS via SPIFFE/SPIRE: each workload authenticates with a short-lived X.509-SVID issued by SPIRE, and the peer's identity is the SPIFFE ID carried in the verified certificate. No static credentials (passwords/API keys) are used for service-to-service auth.
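mTLS proves which workload is on the other end of the connection; it does not by itself decide whether that workload may call a given RPC. The authorization step that sits on top of the verified SVID, as an added example (not the project's code): parse the SPIFFE ID from the peer certificate's URI SAN, require the local trust domain, and consult a per-method allow-list. The trust domain "example.org", the "/ns/<namespace>/sa/<service-account>" path layout and the gRPC method names are assumptions.

```python
import re
from urllib.parse import urlsplit

TRUST_DOMAIN = "example.org"  # assumption: the SPIRE trust domain

# Constructed policy: which caller SPIFFE IDs may invoke which Account Service RPC.
POLICY = {
    "/account.Accounts/GetBalance": {
        "spiffe://example.org/ns/payments/sa/payment-service",
    },
    # Debits are applied by the Kafka consumer, never over gRPC, so no caller is allowed.
    "/account.Accounts/Debit": set(),
}


def parse_spiffe_id(uri):
    """Return (trust_domain, path) or raise ValueError.
    Applies the SPIFFE ID rules: scheme 'spiffe', a non-empty trust domain made
    of [a-z0-9._-], no userinfo/port/query/fragment, and no empty, '.' or '..'
    path segments (so a peer cannot smuggle a path that normalizes elsewhere)."""
    parts = urlsplit(uri)
    if parts.scheme != "spiffe" or parts.query or parts.fragment:
        raise ValueError("not a SPIFFE ID")
    if not re.fullmatch(r"[a-z0-9._-]+", parts.netloc):
        raise ValueError("bad trust domain")
    if parts.path:
        if parts.path[0] != "/" or any(seg in ("", ".", "..") for seg in parts.path[1:].split("/")):
            raise ValueError("bad path")
    return parts.netloc, parts.path


def authorize(uri_sans, method):
    """uri_sans: the URI SAN values of the peer certificate that mTLS already
    verified. Returns the caller's SPIFFE ID if the call is allowed, else None."""
    if len(uri_sans) != 1:  # an X.509-SVID carries exactly one URI SAN
        return None
    try:
        trust_domain, _path = parse_spiffe_id(uri_sans[0])
    except ValueError:
        return None
    if trust_domain != TRUST_DOMAIN:  # federated domains would need an explicit bundle; deny by default
        return None
    return uri_sans[0] if uri_sans[0] in POLICY.get(method, set()) else None
```

Keeping the policy keyed on full SPIFFE IDs rather than on a substring ("contains payment") means a compromised workload in another namespace cannot satisfy it by choosing a similar name.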

Layer 3: Async Event Bus

Payment → Kafka → Account/Notify

Asynchronous decoupling over Kafka topics: the producer does not wait for consumers, so a slow or restarting consumer does not block payment intake, and each consumer group can be scaled independently of the producer.

Detailed Payment Flow

  1. Client sends POST /payments to the API Gateway (JWT required).
  2. API Gateway validates the token, applies rate limiting, and forwards the request via gRPC to the Payment Service (mTLS).
  3. Payment Service calls the Account Service (gRPC) to check the payer's balance.
  4. Account Service reads the Redis cache (cache-aside). On a miss it reads PostgreSQL and populates the cache.
  5. If the balance is sufficient, Payment Service saves the transaction as PENDING in its DB; the unique idempotency_key rejects a retried request instead of creating a second payment.
  6. Payment Service publishes a payment.initiated event to Kafka.
  7. Account Service consumes the event:
    • Deducts the balance in a PostgreSQL transaction (optimistic locking on the row's version column).
    • Invalidates the affected Redis cache keys.
  8. Notification Service consumes the event and logs the notification.

The check in step 3 reads a possibly stale cached balance and reserves nothing, so it is only a pre-check: two concurrent payments against one account can both pass it. The optimistic-lock deduction in step 7 is the authoritative guard and must re-verify the balance inside the same transaction that debits it.

Data Model

Payments Schema

payments.transactions
  • id (UUID)
  • from_account (UUID)
  • to_account (UUID)
  • amount (Numeric)
  • status (Enum: PENDING, COMPLETED, FAILED)
  • idempotency_key (Unique)

Accounts Schema

accounts.balances
  • account_id (UUID)
  • balance (Numeric)
  • currency (VARCHAR)
  • version (Int - Optimistic Lock)
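The payment flow (steps 3 to 8) run against the two tables above, as an added example that is not the project's own service code. It shows the three checks the design relies on: the UNIQUE idempotency_key turning a replayed request into a no-op, the step-3 balance check being only a pre-check that two payments can both pass, and the step-7 UPDATE guarded by both the version column and the current balance so a concurrent debit forces a re-read rather than an overdraw. Assumptions: sqlite3 stands in for PostgreSQL, a dict for Redis and a list for the Kafka topic; amounts are integer minor units instead of NUMERIC; the consumer also moves the transaction to COMPLETED or FAILED (the page does not say which service does this); all accounts and amounts are constructed.

```python
import sqlite3
import uuid

# The page's data model as DDL (assumption: sqlite3 in place of PostgreSQL).
DDL = """
CREATE TABLE transactions (
    id              TEXT PRIMARY KEY,
    from_account    TEXT NOT NULL,
    to_account      TEXT NOT NULL,
    amount          INTEGER NOT NULL CHECK (amount > 0),
    status          TEXT NOT NULL CHECK (status IN ('PENDING', 'COMPLETED', 'FAILED')),
    idempotency_key TEXT NOT NULL UNIQUE
);
CREATE TABLE balances (
    account_id TEXT PRIMARY KEY,
    balance    INTEGER NOT NULL,
    currency   TEXT NOT NULL,
    version    INTEGER NOT NULL DEFAULT 0
);
"""


class PaymentSystem:
    """Payment Service, Account Service and the consumers in one process."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(DDL)
        self.cache = {}            # Redis stand-in: account_id -> balance
        self.topic = []            # Kafka stand-in: payment.initiated events in order
        self.notifications = []    # what the Notification Service logged
        self.lock_conflicts = 0    # optimistic-lock retries observed

    def seed(self, account_id, balance, currency="USD"):
        self.db.execute("INSERT INTO balances VALUES (?, ?, ?, 0)", (account_id, balance, currency))
        self.db.commit()

    # ---- Account Service ----
    def get_balance(self, account_id):
        """Step 4: cache-aside read; on a miss read the DB and populate the cache."""
        if account_id in self.cache:
            return self.cache[account_id]
        row = self.db.execute("SELECT balance FROM balances WHERE account_id = ?", (account_id,)).fetchone()
        if row is None:
            raise KeyError(account_id)
        self.cache[account_id] = row[0]
        return row[0]

    def debit(self, account_id, amount, interleave=None, max_retries=3):
        """Step 7: deduct under optimistic locking. The UPDATE matches only if the
        version read is still current AND the balance still covers the amount.
        `interleave(attempt)` is a test hook that simulates a concurrent writer."""
        for attempt in range(max_retries):
            balance, version = self.db.execute(
                "SELECT balance, version FROM balances WHERE account_id = ?", (account_id,)).fetchone()
            if balance < amount:
                return False  # the authoritative insufficient-funds decision
            if interleave:
                interleave(attempt)
            cur = self.db.execute(
                "UPDATE balances SET balance = balance - ?, version = version + 1 "
                "WHERE account_id = ? AND version = ? AND balance >= ?",
                (amount, account_id, version, amount))
            if cur.rowcount == 1:
                self.db.commit()
                self.cache.pop(account_id, None)  # invalidate; never write the new value into the cache
                return True
            self.db.rollback()  # someone else moved the version: re-read and retry
            self.lock_conflicts += 1
        raise RuntimeError("gave up after repeated version conflicts")

    # ---- Payment Service ----
    def create_payment(self, from_account, to_account, amount, idempotency_key):
        """Steps 3, 5 and 6. A replayed idempotency_key returns the original
        transaction id instead of inserting and publishing a second payment."""
        if amount <= 0:
            raise ValueError("amount must be positive")  # a negative amount would credit the payer
        if self.get_balance(from_account) < amount:  # step 3: pre-check only
            raise ValueError("insufficient funds")
        tx_id = str(uuid.uuid4())
        try:
            self.db.execute("INSERT INTO transactions VALUES (?, ?, ?, ?, 'PENDING', ?)",
                            (tx_id, from_account, to_account, amount, idempotency_key))
            self.db.commit()
        except sqlite3.IntegrityError:  # UNIQUE(idempotency_key): duplicate request
            self.db.rollback()
            return self.db.execute("SELECT id FROM transactions WHERE idempotency_key = ?",
                                   (idempotency_key,)).fetchone()[0]
        self.topic.append({"type": "payment.initiated", "tx_id": tx_id,
                           "from": from_account, "to": to_account, "amount": amount})
        return tx_id

    def status(self, tx_id):
        return self.db.execute("SELECT status FROM transactions WHERE id = ?", (tx_id,)).fetchone()[0]

    def version(self, account_id):
        return self.db.execute("SELECT version FROM balances WHERE account_id = ?", (account_id,)).fetchone()[0]

    # ---- consumers ----
    def run_consumers(self):
        """Steps 7 and 8 in topic order. The credit to to_account is omitted."""
        while self.topic:
            ev = self.topic.pop(0)
            ok = self.debit(ev["from"], ev["amount"])
            self.db.execute("UPDATE transactions SET status = ? WHERE id = ?",
                            ("COMPLETED" if ok else "FAILED", ev["tx_id"]))
            self.db.commit()
            self.notifications.append(f"{ev['tx_id']}: {'completed' if ok else 'failed'}")
```

Note that `debit` invalidates the cache key rather than writing the new balance into it; with cache-aside, writing the value back races with a concurrent reader that may have just filled the key from a pre-debit read.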