Backend Architecture

Building a High-Scale SNAP-BI Open API Gateway

Migrating 114+ legacy monolithic endpoints to a distributed, highly-available Go microservices architecture compliant with Indonesia's National Open API Standards.

Banking & Finance | 2024 | Golang, gRPC, Redis
10+ Microservices
114+ Endpoints Migrated
100% SNAP-BI Compliant
Zero Downtime

The Challenge

Bank Indonesia issued the Standar Nasional Open API Pembayaran (SNAP), requiring financial institutions to adopt standardized, secure, and interoperable API architectures. Our client, a major national enterprise (PT. POS Indonesia), relied on a legacy monolith for their core transaction processing. Scaling this monolith to handle millions of transactions securely while meeting the SNAP-BI security requirements (asymmetric SHA256withRSA signatures for B2B authentication and symmetric HMAC-SHA512 signatures for transactional calls) had become a bottleneck that could not be engineered around.

"We needed to decouple 114+ critical financial endpoints into isolated microservices without disrupting ongoing operations or compromising transaction idempotency."

Architectural Overhaul

I spearheaded the architectural design and development of a new API Gateway ecosystem written entirely in Golang, utilizing gRPC for high-performance internal communication. The architecture was broken down into specialized domains to maximize scalability.

```mermaid
graph TD
    Client[Third-Party Partner] -->|HTTPS / REST| GW(Gateway Service)
    subgraph Microservices [Distributed Golang Microservices]
        GW -->|gRPC| Auth(Security & Auth)
        GW -->|gRPC| RL(Rate Limiter)
        GW -->|gRPC| Idemp(Storage & Idempotency)
        GW -->|gRPC| Trx(Transaction Domains)
    end
    Auth -.->|OIDC| KC[(Keycloak)]
    RL -.->|TCP| RD[(Redis)]
    Idemp -.->|TCP| RD
    Trx -->|Legacy Protocols| Core[(Legacy Core System)]
    style Client fill:#F5F1EA,stroke:#C4B49A,stroke-width:1px
    style GW fill:#FEF3C7,stroke:#B45309,stroke-width:2px,color:#92400E
    style Auth fill:#FAF7F2,stroke:#C4B49A,stroke-width:1px
    style RL fill:#FAF7F2,stroke:#C4B49A,stroke-width:1px
    style Idemp fill:#FAF7F2,stroke:#C4B49A,stroke-width:1px
    style Trx fill:#FAF7F2,stroke:#C4B49A,stroke-width:1px
    style KC fill:#fef3c7,stroke:#d97706,stroke-width:1px
    style RD fill:#fee2e2,stroke:#dc2626,stroke-width:1px
    style Core fill:#EDE8DC,stroke:#A08060,stroke-width:1px
    style Microservices fill:#F5F1EA,stroke:#C4B49A,stroke-dasharray: 5 5
```

Gateway Service

The main entry point handling HTTP requests, performing initial authentication, and routing requests via gRPC to domain-specific microservices.

Security & Auth Service

Integrates with Keycloak for JWT validation, manages client credentials, and verifies the SNAP signatures: the asymmetric SHA256withRSA signature on B2B access-token requests and the symmetric HMAC-SHA512 signature on transactional requests.

Rate Limiter Service

Uses a Redis sliding-window algorithm to enforce per-client API quotas, so that an abusive or misbehaving partner is throttled before its traffic reaches the transaction services.

Storage & Idempotency

A Redis-backed service that enforces transaction idempotency by rejecting any request whose PartnerReferenceNo or ExternalId has already been seen within the retention window.

Transaction Domains

Isolated microservices dedicated to Transfers, Inquiries, and History tracking, mapping new payloads to legacy core systems.

Deep Dive: Core Implementations

1. Strict Signature Validation (SNAP-BI Standard)

Implemented strict validation of the X-SIGNATURE header. For B2B access-token requests (asymmetric), the signature is SHA256withRSA (RSA PKCS#1 v1.5 over a SHA-256 digest) of the client ID and timestamp, verified against the public key registered for that partner. For transactional endpoints (symmetric), the signature is HMAC-SHA512, keyed with the client secret, over the concatenation of HTTP method, relative URL path, access token, lowercase hex SHA-256 of the minified request body, and timestamp.

Tags: crypto/rsa, crypto/hmac, sha512
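The two schemes described above, as an added, self-contained Go example (not the project's code). The string-to-sign layout (':' separators, lowercase hex SHA-256 of the minified body) and the B2B input `clientID|timestamp` follow the SNAP specification as commonly documented; check the exact field order against the SNAP version you implement. The sample body, the throwaway RSA key and the client secret are constructed for the example, and `TimestampFresh` is an addition: the page describes signature validation only, but a gateway also needs to bound X-TIMESTAMP skew or a captured request remains replayable.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// minifyBody strips insignificant whitespace: SNAP hashes the minified JSON, so a
// pretty-printed and a compact body must yield the same digest. An empty body
// (e.g. GET) hashes as the empty string.
func minifyBody(body []byte) ([]byte, error) {
	if len(bytes.TrimSpace(body)) == 0 {
		return []byte{}, nil
	}
	var buf bytes.Buffer
	if err := json.Compact(&buf, body); err != nil {
		return nil, fmt.Errorf("request body is not valid JSON: %w", err)
	}
	return buf.Bytes(), nil
}

// StringToSign builds the symmetric-scheme input (format assumed from the SNAP spec):
// HTTPMethod:RelativeUrl:AccessToken:lowercase(hex(sha256(minify(body)))):Timestamp
func StringToSign(method, relativeURL, accessToken string, body []byte, timestamp string) (string, error) {
	compact, err := minifyBody(body)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(compact)
	bodyHash := strings.ToLower(hex.EncodeToString(sum[:]))
	return strings.Join([]string{method, relativeURL, accessToken, bodyHash, timestamp}, ":"), nil
}

// SymmetricSignature is base64(HMAC-SHA512(clientSecret, stringToSign)).
func SymmetricSignature(clientSecret, stringToSign string) string {
	mac := hmac.New(sha512.New, []byte(clientSecret))
	mac.Write([]byte(stringToSign))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// VerifySymmetric recomputes the MAC and compares in constant time; a plain
// string compare would leak how many leading bytes of a forged value matched.
func VerifySymmetric(clientSecret, stringToSign, xSignature string) bool {
	got, err := base64.StdEncoding.DecodeString(xSignature)
	if err != nil {
		return false
	}
	mac := hmac.New(sha512.New, []byte(clientSecret))
	mac.Write([]byte(stringToSign))
	return hmac.Equal(got, mac.Sum(nil))
}

// SignB2B is the partner side of the access-token request: SHA256withRSA
// (PKCS#1 v1.5) over clientID + "|" + timestamp, base64 encoded.
func SignB2B(priv *rsa.PrivateKey, clientID, timestamp string) (string, error) {
	digest := sha256.Sum256([]byte(clientID + "|" + timestamp))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyB2B checks X-SIGNATURE against the public key registered for the client.
func VerifyB2B(pub *rsa.PublicKey, clientID, timestamp, xSignature string) bool {
	sig, err := base64.StdEncoding.DecodeString(xSignature)
	if err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(clientID + "|" + timestamp))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// TimestampFresh rejects X-TIMESTAMP more than skew from the gateway clock, so a
// captured request cannot be replayed until the partner's key or secret rotates.
func TimestampFresh(xTimestamp string, now time.Time, skew time.Duration) bool {
	ts, err := time.Parse(time.RFC3339, xTimestamp)
	if err != nil {
		return false
	}
	d := now.Sub(ts)
	return d >= -skew && d <= skew
}

// newKey makes a throwaway partner key for the demo; real keys are registered out of band.
func newKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func main() {
	priv, _ := newKey()
	ts := "2024-05-01T10:00:00+07:00"
	sig, _ := SignB2B(priv, "partner-001", ts)
	sts, _ := StringToSign("POST", "/v1.0/transfer-intrabank", "tok", []byte(`{"partnerReferenceNo": "REF-001"}`), ts)
	fmt.Println(VerifyB2B(&priv.PublicKey, "partner-001", ts, sig), VerifySymmetric("secret", sts, SymmetricSignature("secret", sts)))
}
```

Two details matter in production: `hmac.Equal` rather than `==` for the symmetric compare, and the minify step, since a partner whose client library pretty-prints JSON will otherwise fail validation on every call with a body.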
2. Idempotency & Duplicate Prevention

Financial transactions must never occur twice. We introduced a centralized Redis storage service to lock PartnerReferenceNo and ExternalId. If a duplicate reference is detected within a given expiration window, the gateway rejects the request with a 409 Conflict immediately, protecting the downstream core.

Tags: Redis Distributed Locks
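The lock-and-reject behaviour above as an added Go example (not the project's code). The middleware needs only two Redis operations, `SET key 1 NX PX ttl` and `DEL`, which are modelled by the `KeyStore` interface; the in-memory `memStore` stands in for Redis so the example runs offline. The header names, the key layout `idem:<partner>:ext:<id>` / `idem:<partner>:ref:<no>` and the sample request are assumptions for the example. Two choices the page does not spell out are made explicit here: keys are scoped by partner, since two partners may legitimately reuse the same reference number, and a store outage fails closed with 503 rather than letting a possibly duplicate transaction through.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// KeyStore is the Redis behaviour the middleware relies on: SetNX is
// SET key 1 NX PX ttl (true only when the key was newly created), Del releases it.
type KeyStore interface {
	SetNX(key string, ttl time.Duration) (bool, error)
	Del(key string) error
}

// memStore is an offline stand-in for Redis with the same NX + expiry semantics.
type memStore struct {
	mu  sync.Mutex
	exp map[string]time.Time
	now func() time.Time
}

func NewMemStore(now func() time.Time) *memStore {
	return &memStore{exp: map[string]time.Time{}, now: now}
}

func (m *memStore) SetNX(key string, ttl time.Duration) (bool, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	if until, ok := m.exp[key]; ok && m.now().Before(until) {
		return false, nil
	}
	m.exp[key] = m.now().Add(ttl)
	return true, nil
}

func (m *memStore) Del(key string) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	delete(m.exp, key)
	return nil
}

// Idempotency locks X-EXTERNAL-ID and partnerReferenceNo for ttl and answers
// 409 Conflict when either was already seen for this partner.
func Idempotency(store KeyStore, ttl time.Duration, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		partnerID, externalID := r.Header.Get("X-PARTNER-ID"), r.Header.Get("X-EXTERNAL-ID")
		if partnerID == "" || externalID == "" {
			http.Error(w, "missing X-PARTNER-ID or X-EXTERNAL-ID", http.StatusBadRequest)
			return
		}
		// Read the body once to extract partnerReferenceNo, then restore it for the next handler.
		body, err := io.ReadAll(r.Body)
		if err != nil {
			http.Error(w, "unreadable body", http.StatusBadRequest)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body))
		var payload struct {
			PartnerReferenceNo string `json:"partnerReferenceNo"`
		}
		if json.Unmarshal(body, &payload) != nil || payload.PartnerReferenceNo == "" {
			http.Error(w, "missing partnerReferenceNo", http.StatusBadRequest)
			return
		}
		extKey := "idem:" + partnerID + ":ext:" + externalID
		refKey := "idem:" + partnerID + ":ref:" + payload.PartnerReferenceNo
		ok, err := store.SetNX(extKey, ttl)
		if err != nil {
			http.Error(w, "idempotency store unavailable", http.StatusServiceUnavailable) // fail closed
			return
		}
		if !ok {
			http.Error(w, "duplicate X-EXTERNAL-ID", http.StatusConflict)
			return
		}
		if ok, err = store.SetNX(refKey, ttl); err != nil || !ok {
			store.Del(extKey) // release the first lock so a corrected retry is not blocked by it
			if err != nil {
				http.Error(w, "idempotency store unavailable", http.StatusServiceUnavailable)
				return
			}
			http.Error(w, "duplicate partnerReferenceNo", http.StatusConflict)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewGateway wraps a stub transaction handler that always succeeds with 200.
func NewGateway(store KeyStore, ttl time.Duration) http.Handler {
	return Idempotency(store, ttl, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
}

// Send drives the handler in-process with a constructed SNAP-style request and returns the status.
func Send(h http.Handler, partnerID, externalID, refNo string) int {
	body := `{"partnerReferenceNo":"` + refNo + `","amount":{"value":"10000.00","currency":"IDR"}}`
	req := httptest.NewRequest(http.MethodPost, "/v1.0/transfer-intrabank", strings.NewReader(body))
	req.Header.Set("X-PARTNER-ID", partnerID)
	req.Header.Set("X-EXTERNAL-ID", externalID)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	gw := NewGateway(NewMemStore(time.Now), 10*time.Minute)
	fmt.Println(Send(gw, "P1", "EXT-1", "REF-1"), Send(gw, "P1", "EXT-1", "REF-1")) // 200 409
}
```

The TTL is the "expiration window" from the text; it should be at least as long as the partner's retry horizon, since a retry after the key expires is indistinguishable from a new transaction at this layer.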
3. Sliding Window Rate Limiting

To comply with client SLAs, implemented an efficient rate limiter using Redis sorted sets and hashes to maintain a sliding-window count of requests per minute per API key. Because each API key has its own window, one client's burst cannot consume another client's quota.

Tags: Redis Hash Sliding Window
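The sorted-set sliding window as an added Go example (not the project's code). Each request is a ZSET member scored by its millisecond timestamp; a request is served only if, after trimming members older than the window, fewer than `limit` remain. The `SortedSet` interface names the four Redis commands involved (ZREMRANGEBYSCORE, ZCARD, ZADD, PEXPIRE) and `memZSet` is an offline stand-in; the key prefix `rl:` and the partner names are assumptions for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"sync"
	"sync/atomic"
	"time"
)

// SortedSet is the subset of Redis ZSET commands the limiter issues. Against a
// real Redis these four calls go into one MULTI/EXEC or a Lua script, so that two
// concurrent requests for the same key cannot interleave between ZCARD and ZADD.
type SortedSet interface {
	ZRemRangeByScore(key string, min, max int64) error
	ZCard(key string) (int64, error)
	ZAdd(key string, score int64, member string) error
	PExpire(key string, ttl time.Duration) error
}

type zentry struct {
	score  int64
	member string
}

// memZSet is an in-memory stand-in for Redis so the example runs offline.
type memZSet struct {
	mu   sync.Mutex
	sets map[string][]zentry
}

func NewMemZSet() *memZSet { return &memZSet{sets: map[string][]zentry{}} }

func (m *memZSet) ZRemRangeByScore(key string, min, max int64) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	kept := m.sets[key][:0]
	for _, e := range m.sets[key] {
		if e.score < min || e.score > max {
			kept = append(kept, e)
		}
	}
	m.sets[key] = kept
	return nil
}

func (m *memZSet) ZCard(key string) (int64, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	return int64(len(m.sets[key])), nil
}

func (m *memZSet) ZAdd(key string, score int64, member string) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.sets[key] = append(m.sets[key], zentry{score, member})
	return nil
}

// PExpire is a no-op in memory; in Redis it stops keys of idle partners from living forever.
func (m *memZSet) PExpire(string, time.Duration) error { return nil }

type Limiter struct {
	store  SortedSet
	limit  int64
	window time.Duration
	now    func() time.Time
	seq    int64
}

func NewLimiter(store SortedSet, limit int64, window time.Duration, now func() time.Time) *Limiter {
	return &Limiter{store: store, limit: limit, window: window, now: now}
}

// Allow reports whether apiKey may make one more request at this instant.
func (l *Limiter) Allow(apiKey string) (bool, error) {
	key := "rl:" + apiKey
	nowMs := l.now().UnixMilli()
	// 1. Drop timestamps that have slid out of the window.
	if err := l.store.ZRemRangeByScore(key, 0, nowMs-l.window.Milliseconds()); err != nil {
		return false, err
	}
	// 2. Count what is left and refuse before recording, so rejected calls do
	//    not extend the partner's own lock-out.
	n, err := l.store.ZCard(key)
	if err != nil {
		return false, err
	}
	if n >= l.limit {
		return false, nil
	}
	// 3. Record this request. The member must be unique: two hits in the same
	//    millisecond would otherwise collapse into a single ZSET entry.
	member := strconv.FormatInt(nowMs, 10) + "-" + strconv.FormatInt(atomic.AddInt64(&l.seq, 1), 10)
	if err := l.store.ZAdd(key, nowMs, member); err != nil {
		return false, err
	}
	return true, l.store.PExpire(key, l.window)
}

func main() {
	l := NewLimiter(NewMemZSet(), 3, time.Minute, time.Now)
	for i := 0; i < 4; i++ {
		ok, _ := l.Allow("partner-A")
		fmt.Println("request", i+1, "allowed:", ok) // true, true, true, false
	}
}
```

The sorted-set log is exact but costs one member per request; if the quotas are large, a fixed-bucket approximation in a hash (one counter per bucket) bounds memory at the price of some precision at window edges.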
4. Observability & Distributed Tracing

Splitting a monolith into services fragments request visibility. Integrated OpenTelemetry across all Go services, propagating span context via gRPC metadata in client and server interceptors. All logs and traces are centralized through the OTEL Collector so that a failing call can be followed end to end, which reduces MTTR.

Tags: OpenTelemetry gRPC Interceptors

Results & Impact

The new architecture was deployed through a strict GitOps pipeline using Kustomize and GitLab CI/CD, which delivered zero-downtime rollouts.