The Challenge
Bank Indonesia issued the Standar Nasional Open API Pembayaran (SNAP), requiring financial institutions to adopt standardized, secure, and interoperable API architectures. Our client, a major national enterprise (PT. POS Indonesia), relied on a legacy monolith for their core transaction processing. Scaling this monolith to handle millions of transactions securely while complying with strict SNAP-BI security standards (Asymmetric RSA-256 and Symmetric HMAC-512 signatures) proved to be an impossible bottleneck.
Architectural Overhaul
I spearheaded the architectural design and development of a new API Gateway ecosystem written entirely in Golang, utilizing gRPC for high-performance internal communication. The architecture was broken down into specialized domains to maximize scalability.
Gateway Service
The main entry point handling HTTP requests, performing initial authentication, and routing requests via gRPC to domain-specific microservices.
Security & Auth Service
Integrates with Keycloak for JWT validation, manages client credentials, and handles complex asymmetric/symmetric cryptographic verifications.
Rate Limiter Service
Uses a Redis-backed sliding window algorithm to strictly enforce per-client API quotas and blunt abuse or DDoS attacks.
Storage & Idempotency
A Redis-backed service ensuring 100% transaction idempotency by validating unique Reference Numbers and External IDs.
Transaction Domains
Isolated microservices dedicated to Transfers, Inquiries, and History tracking, mapping new payloads to legacy core systems.
Deep Dive: Core Implementations
Strict Signature Validation (SNAP-BI Standard)
Implemented strict validation of the X-SIGNATURE header. For B2B authentication (asymmetric), used RSA-256 with PKCS#1 v1.5. For transactional endpoints (symmetric), used HMAC-512 over a concatenated string of the HTTP method, URL path, access token, hashed request body, and timestamp.
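The symmetric check described above, as an added Go example rather than the gateway's own code. The string-to-sign is built from exactly the five components the text lists; the colon separator, the lower-case hex SHA-256 of the body and the base64 encoding of the MAC are assumptions about the SNAP-BI wire format and should be checked against the spec. The secret, token, path and timestamp are constructed sample values. Verification decodes the header, recomputes the MAC and compares with hmac.Equal so a mismatch is constant-time; a separate timestamp-freshness check is included because a valid signature alone does not stop a replayed request.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// stringToSign joins the components named in the text. Assumed layout:
//   METHOD:path:accessToken:lowercase(hex(sha256(body))):timestamp
// The body is hashed as received; any minification the spec requires is the
// caller's job before this point.
func stringToSign(method, path, accessToken string, body []byte, timestamp string) string {
	sum := sha256.Sum256(body)
	return strings.Join([]string{
		strings.ToUpper(method),
		path,
		accessToken,
		strings.ToLower(hex.EncodeToString(sum[:])),
		timestamp,
	}, ":")
}

// symmetricMAC is HMAC-SHA512 keyed with the partner's client secret.
func symmetricMAC(secret []byte, sts string) []byte {
	mac := hmac.New(sha512.New, secret)
	mac.Write([]byte(sts))
	return mac.Sum(nil)
}

// SignSymmetric produces the value a partner puts in X-SIGNATURE (base64 assumed).
func SignSymmetric(secret []byte, method, path, accessToken string, body []byte, timestamp string) string {
	return base64.StdEncoding.EncodeToString(symmetricMAC(secret, stringToSign(method, path, accessToken, body, timestamp)))
}

// VerifySymmetric recomputes the MAC from the request the gateway actually
// received and compares in constant time. Malformed base64 is simply invalid.
func VerifySymmetric(secret []byte, method, path, accessToken string, body []byte, timestamp, xSignature string) bool {
	got, err := base64.StdEncoding.DecodeString(xSignature)
	if err != nil {
		return false
	}
	want := symmetricMAC(secret, stringToSign(method, path, accessToken, body, timestamp))
	return hmac.Equal(want, got)
}

// TimestampFresh rejects signed requests whose X-TIMESTAMP (RFC 3339 assumed)
// is outside the allowed clock skew, which is what bounds a replay window.
func TimestampFresh(ts string, now time.Time, skew time.Duration) bool {
	t, err := time.Parse(time.RFC3339, ts)
	if err != nil {
		return false
	}
	d := now.Sub(t)
	if d < 0 {
		d = -d
	}
	return d <= skew
}

func main() {
	// Constructed sample request; none of these values come from a real partner.
	secret := []byte("client-secret-constructed-for-demo")
	body := []byte(`{"partnerReferenceNo":"2024010100001","amount":{"value":"10000.00","currency":"IDR"}}`)
	path, tok, ts := "/openapi/v1.0/transfer-interbank", "tok123", "2024-01-01T10:00:00+07:00"

	sig := SignSymmetric(secret, "POST", path, tok, body, ts)
	fmt.Println("X-SIGNATURE:", sig)
	fmt.Println("valid:", VerifySymmetric(secret, "POST", path, tok, body, ts, sig))
	fmt.Println("tampered body valid:", VerifySymmetric(secret, "POST", path, tok, append(body, ' '), ts, sig))
	fmt.Println("fresh:", TimestampFresh(ts, time.Date(2024, 1, 1, 3, 0, 30, 0, time.UTC), 5*time.Minute))
}
```

Because the body hash is part of the string-to-sign, any byte changed in transit (even trailing whitespace) invalidates the signature; the freshness check is what turns that into protection against replaying an otherwise valid capture.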
Idempotency & Duplicate Prevention
Financial transactions must never occur twice. We introduced a centralized Redis storage service to lock PartnerReferenceNo and ExternalId. If a duplicate reference is detected within a given expiration window, the gateway rejects the request with a 409 Conflict immediately, protecting the downstream core.
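The idempotency lock described above, as an added Go example and not the gateway's own storage service. The Redis command behind it is a single SET with NX and PX; here an in-memory Locker stands in for Redis so the example runs offline, and partner ids and reference numbers are constructed. Both PartnerReferenceNo and ExternalId are locked, scoped per partner; if the second lock fails the first is released so a rejected request leaves no stale lock, which is the edge case a pair of separate keys introduces.

```go
package main

import (
	"fmt"
	"net/http"
	"sync"
	"time"
)

// Locker is the minimal contract the gateway needs from Redis: SetNX maps to
// SET <key> 1 NX PX <ttl>, Del to DEL <key>. MemLocker below is an offline
// stand-in; production code would wrap a Redis client behind this interface.
type Locker interface {
	SetNX(key string, ttl time.Duration, now time.Time) bool
	Del(key string)
}

// MemLocker keeps only each key's expiry, which is all SET NX PX semantics need.
type MemLocker struct {
	mu      sync.Mutex
	expires map[string]time.Time
}

func NewMemLocker() *MemLocker { return &MemLocker{expires: map[string]time.Time{}} }

func (m *MemLocker) SetNX(key string, ttl time.Duration, now time.Time) bool {
	m.mu.Lock()
	defer m.mu.Unlock()
	if exp, ok := m.expires[key]; ok && now.Before(exp) {
		return false // still held inside the window: a live duplicate
	}
	m.expires[key] = now.Add(ttl)
	return true
}

func (m *MemLocker) Del(key string) {
	m.mu.Lock()
	defer m.mu.Unlock()
	delete(m.expires, key)
}

// ClaimReference locks both identifiers for one partner and returns the HTTP
// status the gateway should answer with: 409 Conflict on any duplicate, 200
// when the request may proceed to the core. Keys are prefixed with the
// partner id so unrelated partners can legitimately reuse a reference number.
// On Redis the two SETs belong in one Lua script or MULTI/EXEC so the pair is
// atomic; the explicit rollback here shows the intent.
func ClaimReference(l Locker, partnerID, partnerReferenceNo, externalID string, window time.Duration, now time.Time) int {
	refKey := "idem:ref:" + partnerID + ":" + partnerReferenceNo
	extKey := "idem:ext:" + partnerID + ":" + externalID
	if !l.SetNX(refKey, window, now) {
		return http.StatusConflict
	}
	if !l.SetNX(extKey, window, now) {
		l.Del(refKey) // do not leave a half-claimed pair behind
		return http.StatusConflict
	}
	return http.StatusOK
}

func main() {
	l := NewMemLocker()
	now := time.Now()
	window := 24 * time.Hour
	// Constructed partner and reference values.
	fmt.Println(ClaimReference(l, "partnerA", "REF-001", "EXT-001", window, now)) // 200 first sight
	fmt.Println(ClaimReference(l, "partnerA", "REF-001", "EXT-001", window, now)) // 409 replayed
	fmt.Println(ClaimReference(l, "partnerA", "REF-002", "EXT-001", window, now)) // 409 ExternalId reused
	fmt.Println(ClaimReference(l, "partnerB", "REF-001", "EXT-001", window, now)) // 200 other partner
}
```

The window passed in is the expiration the text mentions; once it lapses the same identifiers are accepted again, so it must be at least as long as the period over which the partner is required to keep references unique.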
Sliding Window Rate Limiting
To comply with client SLAs, implemented an efficient rate limiter using Redis sorted sets and hashes to maintain a sliding window count of requests per minute per API key. This guarantees traffic isolation between clients.
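The sliding window count described above, as an added Go example rather than the gateway's rate limiter service. It reproduces the Redis sorted-set algorithm in memory so it runs offline: the per-key slice of timestamps stands in for the sorted set, and the Redis commands each step corresponds to are listed in the comments. The limit, window and API key names are constructed; the real service's thresholds are not stated on the page.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// SlidingWindow admits at most `limit` requests per API key in any trailing
// `window`. Against Redis the same steps, per key, would be:
//   ZREMRANGEBYSCORE key 0 (now - window)   drop hits that aged out
//   ZCARD key                                count what remains
//   ZADD key now <unique-id>                 record this hit if under limit
//   PEXPIRE key window                       let idle keys disappear
// wrapped in MULTI/EXEC or a Lua script so two concurrent callers cannot both
// read "limit-1" and both be admitted.
type SlidingWindow struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	hits   map[string][]time.Time // per API key; stands in for the sorted set
}

func NewSlidingWindow(limit int, window time.Duration) *SlidingWindow {
	return &SlidingWindow{limit: limit, window: window, hits: map[string][]time.Time{}}
}

// Allow reports whether a request for apiKey at `now` is within quota and how
// many requests remain in the current window (what an X-RateLimit-Remaining
// header would carry). Denied requests are not recorded, so a client that is
// already over quota does not push its own recovery further out.
func (s *SlidingWindow) Allow(apiKey string, now time.Time) (bool, int) {
	s.mu.Lock()
	defer s.mu.Unlock()

	cutoff := now.Add(-s.window)
	// ZREMRANGEBYSCORE: keep only hits strictly inside the window. A linear
	// filter is used so out-of-order timestamps (clock skew) still behave.
	kept := s.hits[apiKey][:0]
	for _, t := range s.hits[apiKey] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}

	// ZCARD: at or over the limit means deny.
	if len(kept) >= s.limit {
		s.hits[apiKey] = kept
		return false, 0
	}

	// ZADD: record this request.
	kept = append(kept, now)
	s.hits[apiKey] = kept
	return true, s.limit - len(kept)
}

func main() {
	rl := NewSlidingWindow(3, time.Minute) // constructed quota: 3 per minute per key
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	for _, sec := range []int{0, 10, 20, 30, 61} {
		ok, rem := rl.Allow("partner-A", t0.Add(time.Duration(sec)*time.Second))
		fmt.Printf("t=%2ds partner-A allowed=%-5v remaining=%d\n", sec, ok, rem)
	}
	ok, rem := rl.Allow("partner-B", t0.Add(30*time.Second))
	fmt.Printf("t=30s partner-B allowed=%-5v remaining=%d\n", ok, rem) // unaffected by A
}
```

Note that the window slides rather than resets: at t=61s only the hit from t=0 has aged out, so a single slot opens instead of the whole quota, which is what prevents the burst-at-boundary problem of fixed-window counters.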
Observability & Distributed Tracing
Migrating to microservices fragments visibility. Integrated OpenTelemetry across all Go services, propagating span contexts via gRPC metadata. All logs and traces are centralized through the OTEL Collector for fast debugging and reduced MTTR.
Results & Impact
The new architecture was deployed via a strict GitOps pipeline using Kustomize and GitLab CI/CD, guaranteeing zero-downtime rollouts.
- Successfully bridged over 10 financial partners onto the new SNAP-BI compliant gateway.
- Isolated scaling allowed the core Transfer and Inquiry services to dynamically scale during peak transaction windows (e.g., payday, holidays).
- Reduced transaction debugging time significantly by utilizing end-to-end distributed tracing.