Payment Gateway System Design - Part 1. : Idempotence
Let's say a user paying online faces a network issue and doesn't get a response. And again, start the process. In the payment industry, it shouldn't create a duplicate transaction but return the status of the initial request.
Idempotency is an important feature to take care of in payment systems and general APIs.
What is idempotency?
Idempotency is a property of a system or operation that makes sure that doing the same thing more than once has the same result as doing it just once. It is important for a payment system to be idempotent so that there aren't any duplicate transactions, which could lead to overcharging or other mistakes.
To put it another way, if you carry out an idempotent operation more than once, the outcome will be the same as if you just carried out the action once.
This is crucial in systems where repeated requests might be sent as a result of network issues, retries, or other issues.
How to Implement Idempotency?
1. When the server receives a payment request, create a unique identifier. Use SHA-256 or a random string generator.
2. Verify that the one-of-a-kind identifier has not already been in use. The ID of the request and the response data that goes with it can be cached or saved in a database.
3. If the key has been used before, the prior request's response data will be sent back to avoid future duplication. If it does, proceed with processing the payment and saving the answer data along with the identifier.
4. When submitting a payment request, be sure to include the identifier in the header.
5. The payment system can make sure that the same transaction is not completed more than once by utilizing an idempotent identifier, even if the same request is sent more than once. By doing so, errors may be avoided and the payment system's integrity can be guaranteed.
6. Besides, the payment system should accept an idempotent key from the client as well. And save for that particular request.
Important points to take care of:
1. Each request needs a unique key: Idempotency keys prevent duplicate requests. Thus, each request needs a unique key. A hash function can construct a fixed-length string from request data.
2. The client and anyone outside the payment processing system should not know the idempotency key. If the key is disclosed, an attacker may duplicate requests and incur financial loss.
3. Random key: Using data that can be predicted, like timestamps or a series of numbers, to make the idempotency key can lead to collisions and defeat the point of the key. Thus, pick a random or hard-to-guess value.
4. Idempotency keys should be long enough to avoid clashes. SHA-256, a fixed-length hash function, is often used as the idempotency key.
5. Tamper-proof keys: The idempotency key must be protected from attackers during transit. Include the key in the HTTP header instead of the request body.
It's clear from this that idempotency is an important part of not only payment systems but also other backend systems. It makes sure that no duplicate transactions are made and that the system always returns the same status.
Thanks for reading. Follow for more content related to development.
Senior Software Engineer @ Carma 🚗
2yI'm curious about the point regarding the security of the idempotency keys. It seems to me that these keys are something that is used to protect the caller of the api and not something that needs to be kept secure. From my mental model, the client knowing the idempotency key, for example, doesn't seem like it would be a problem 🤔
Software Engineer | Python | Django | Data Engineering | Machine Learning
2yI would like to add one thing if I may use PUT method for payment request