Backend Architecture
Concurrency and cache architecture for idempotency at scale
Crux Naive SELECT-then-INSERT is not atomic. Postgres ON CONFLICT or advisory locks prevent race conditions. At high throughput, a Redis Cluster hot-path with Postgres cold-path fallback is the production pattern.
Your altitude — climbing toward senior
ZeroJuniorMiddleSenior
You are at senior altitude — in orbitTwo requests with the same idempotency key arrive at the server simultaneously — a real scenario when a mobile client fires two retries before the first acknowledgment. A naive SELECT-then-INSERT lets both through. Both charge the customer.
The race condition in naive implementations
A common first implementation:
-- Not atomic!
SELECT * FROM idempotency_keys WHERE key = $1;
-- Time passes here. A second request slips in.
INSERT INTO idempotency_keys (key, fingerprint, status, expires_at)
VALUES ($1, $2, 'in_progress', NOW() + interval '24 hours');Between the SELECT and the INSERT, a second concurrent request can execute the same SELECT (seeing no row), then also INSERT. Both succeed. Both start processing. Both charge the customer.
Fix 1: Postgres INSERT … ON CONFLICT DO NOTHING RETURNING
INSERT INTO idempotency_keys (key, fingerprint, status, expires_at)
VALUES ($1, $2, 'in_progress', NOW() + interval '24 hours')
ON CONFLICT (key) DO NOTHING
RETURNING *;If the RETURNING set is empty, this request lost the race. It then re-reads the row:
- If
status=in_progress→ return 409 Conflict. - If
status=completed→ return the cached response.
The INSERT is atomic at the database level. No race.
Fix 2: Postgres advisory locks
SELECT pg_advisory_xact_lock(hashtext($1));
-- Now safe to SELECT-then-INSERTpg_advisory_xact_lock holds a session-level exclusive lock for the transaction duration. Only one connection can hold the lock for a given hash at a time.
Tradeoff: hashtext is 64-bit — collisions are possible at ~10⁻¹⁰ probability per 10M keys per day. Acceptable for most workloads; security-critical paths use a full unique index instead. The lock must be held for the entire request including any external API calls (tens to hundreds of milliseconds) — watch pg_locks for pool exhaustion during incidents.
| Approach | Atomic? | Collision risk | Notes |
|---|---|---|---|
| SELECT then INSERT | No | N/A | Unsafe — race window |
| INSERT ON CONFLICT DO NOTHING RETURNING | Yes | None | Recommended for most cases |
| pg_advisory_xact_lock | Yes | 10⁻¹⁰ (hash collision) | Watch pool under slow external calls |
Scaling the cache: Redis Cluster
A single Postgres primary bottlenecks at roughly 5–10k writes/sec on commodity hardware. At 50k req/sec, the idempotency write becomes the bottleneck.
Redis Cluster with SETNX:
SETNX idempotency:{key} {fingerprint}:{status} EX {ttl_seconds}SETNX is atomic set-if-not-exists. Redis Cluster shards by key hash, spreading load across nodes. Each node handles ~50–100k SETNX/sec.
Durability risk: Redis defaults to async fsync. A crash within milliseconds of a write can lose the entry. For a payment API, this means the key is gone and the next retry is treated as new — potential double charge.
Two-tier cache: the production pattern
Payment APIs that hold legal liability for double charges use a hybrid:
- Hot path: Redis —
SETNXon the key. If it succeeds (new key), process and write to Postgres asynchronously via the outbox. If it conflicts (existing key), read Redis for the cached response. - Cold path: Postgres — authoritative record. If Redis misses (rare, on crash), fall through to the Postgres table to recover the authoritative response.
Request → Redis SETNX
├─ New: process + store in Postgres async + cache in Redis
├─ Conflict: return cached response from Redis
└─ Redis miss: read from Postgres → populate Redis → returnStripe and Square use this hybrid in production. Pure Redis is acceptable for non-financial workloads (signups, analytics events) where a rare duplicate is logging noise rather than a compliance event.
Why this works
Why not DynamoDB for the idempotency cache? DynamoDB ConditionExpression handles atomic insert-or-noop natively and scales horizontally without sharding effort. At 50k/sec the cost is roughly $3k/month at standard pricing, and p99 latency is ~5–10ms. Good if you are already on AWS and want zero operational overhead; expensive and adds latency otherwise. The Redis + Postgres hybrid is cheaper and faster at comparable scale.
Quiz
Completed
Two requests with the same idempotency key arrive simultaneously. The naive SELECT-then-INSERT implementation runs. What is the worst-case outcome?
Heads-up 409 is the correct response when a race is detected. The naive implementation may not detect the race at all.
Heads-up The naive implementation has no unique constraint or atomic check — both INSERTs may succeed if the SELECT-INSERT gap is large enough.
Heads-up There is no automatic serialization. The race window is real.
Quiz
Completed
At 50k requests/sec, why does Redis Cluster outperform a single Postgres primary for idempotency key lookups?
Heads-up Durability tradeoff is real, but the primary reason is architecture: sharding vs single-node.
Heads-up Postgres is an excellent store for idempotency keys at moderate throughput. The issue is single-primary write throughput at very high scale.
Heads-up The fingerprint check is application logic — it runs the same way regardless of the storage backend.
Quiz
Completed
A Redis Cluster node crashes milliseconds after a SETNX write. The key is lost. What is the consequence for a payment API using Redis as the sole idempotency store?
Heads-up If the payment was already processed before the crash, the charge exists in the payment processor. The Redis key loss means a retry will be treated as new.
Heads-up If the key was lost in the crash, the server has no record of it. There is nothing to return 409 for.
Heads-up Redis replication is async by default. A crash before the replica receives the write loses the key.
- 01Why is SELECT-then-INSERT not safe for idempotency key creation, and what is the correct Postgres fix?
- 02Describe the two-tier idempotency cache architecture used by production payment APIs.
- 03What is the tradeoff of using pg_advisory_xact_lock instead of ON CONFLICT for idempotency key serialization?
Recap
Concurrent idempotency key creation requires an atomic operation. Postgres INSERT ... ON CONFLICT (key) DO NOTHING RETURNING * is the standard fix — it is a single statement with no race window. A request that finds RETURNING empty lost the race and re-reads the row to return 409 or replay. At throughput above ~10k writes/sec, a Redis Cluster hot-path with SETNX handles the load; a Postgres cold-path fallback provides durability for financial workloads. In-memory-only dedup is never acceptable behind a load balancer.
Connected lessons
appears again in179
- Why GraphQL gets N+1junior
- DataLoader mechanics: tick-boundary batchingmiddle
- Batch function contracts: ordering, shapes, errorsmiddle
- Federation and lookahead: batching beyond DataLoadermiddle
- Query complexity defences: depth, cost, persisted queriesmiddle
- Senior GraphQL API: scheduling contract, tenant isolation, observabilitysenior
- The event loop: one thread, three queuesjunior
- Tasks, microtasks, and scheduler.yield()middle
- Microtask starvation, Long Tasks, and LoAFsenior
- Node.js event loop: phases, nextTick, and loop lagsenior
- React, Vue, and INP observability in productionsenior
- The render pipeline: six stages from bytes to pixelsjunior
- Stage costs and the renderer process modelmiddle
- Invalidation, dirty bits, and containmiddle
- Compositor layers: promotion, overlap, and GPU memorymiddle
- DevTools flame strip and the frame lifecyclemiddle
- Layout thrash: forced synchronous layoutsenior
- BeginMainFrame, compositor-driven animations, and GPU memorysenior
- Production observability: LoAF, INP, and the full attack surfacesenior
- What V8 is and why performance varies 100×junior
- V8''''s four-tier JIT pipeline and profile-guided tieringmiddle
- Hidden classes, transition trees, and memory layoutmiddle
- Inline caches, IC states, and deoptimizationmiddle
- Orinoco GC: parallel scavenger, concurrent marking, and write barriersmiddle
- TurboFan''''s speculative engine and the deopt-loop trapsenior
- V8 in production: isolates, pointer compression, and real failuressenior
- Service worker lifecycle and cache strategiesmiddle
- Service worker edge cases: version skew, durability, and navigation trapssenior
- What the reconciler does: render vs commitjunior
- The fiber object and the double-buffer treemiddle
- Render phase purity and commit phase sub-stepsmiddle
- Reconciliation: diffing heuristics and the key trapmiddle
- Priority lanes, time-slicing, and useTransitionmiddle
- Bailout, memoisation, and tearingsenior
- React Profiler, the Compiler, and production observabilitysenior
- Rendering strategies: SSG, SSR, ISR, streaming, and hydrationjunior
- SSG, SSR, ISR, streaming, and RSC — how each worksmiddle
- Hydration cost: selective, progressive, islands, resumabilitymiddle
- Hydration mismatch: causes, detection, and the determinism rulesenior
- RSC, per-route strategy, and production observabilitysenior
- Core Web Vitals: what LCP, INP, and CLS measurejunior
- CLS: why layout shifts happen and how to stop themmiddle
- Metric tradeoffs, RUM attribution, and the CI+field loopsenior
- The full picture: URL to LCP to INP as a relay racejunior
- Eight layers traced: from the service worker to the second navigationmiddle
- Five canonical breaks: where production reliably diessenior
- The three-track method: reading traces and building a monitored systemsenior
- What is a cache stampede and why it makes things worsejunior
- Lock and single-flight: bounding concurrent rebuildsmiddle
- XFetch: coordination-free probabilistic early expirationmiddle
- Stale-while-revalidate and CDN request coalescingmiddle
- Detecting stampedes and designing TTL for productionmiddle
- Metastable failure, fencing tokens, and production postmortemssenior
- What a relation is: tables, rows, keys, and constraintsjunior
- Constraints, keys, and Postgres data typesmiddle
- Normal forms, denormalization, and why schemas stickmiddle
- JSONB, arrays, and when a side table winsmiddle
- Heap storage, TOAST, and column alignmentsenior
- Schema integrity: deferral, versioning, and production failure modessenior
- Relational vs document, wide-column, graph, and key-valuesenior
- Index-only scans, the Visibility Map, and INCLUDEsenior
- Production failure modes and the index audit playbooksenior
- pg_statistic, ANALYZE, and production observabilitymiddle
- Production failure modes and plan stabilitysenior
- MVCC: why readers and writers never wait for each otherjunior
- Row versions and snapshots: the on-disk mechanicsmiddle
- HOT updates and isolation levels: what you gain and what you paymiddle
- Vacuum and bloat: keeping the storage tax boundedmiddle
- CLOG, XID wraparound, and MultiXact: deep visibility internalssenior
- SSI internals and production autovacuum tuningsenior
- Real-world MVCC failures, deployment patterns, and distributed snapshotssenior
- Connection pools: amortising the cost of a Postgres backendjunior
- PgBouncer session, transaction, and statement modesmiddle
- Pool sizing: the (cores × 2) + spindles formula and the two-layer stackmiddle
- Pool exhaustion and idle-in-transaction: the 3 AM failure modemiddle
- Migrating to transaction mode: rollout playbook and PgBouncer 1.21 prepared statementsmiddle
- The Postgres process model and why raising max_connections degrades throughputsenior
- Pooler landscape 2026, serverless connection storms, and the full failure-mode taxonomysenior
- What a schema migration is and why it replaces ad-hoc DDLjunior
- ADD COLUMN: instant in PG 11+ vs rewrite in older Postgresjunior
- The lock-queue failure mode: why instant DDL can freeze the databasemiddle
- Safe DDL patterns: NOT VALID, CONCURRENTLY, and unsafe-op fixesmiddle
- Expand-contract: zero-downtime for breaking schema changesmiddle
- Advisory locks, migration tools, and deploy coordinationsenior
- Migration failure taxonomy and production disciplinesenior
- Why sharding exists: the single-Postgres ceilingjunior
- Shard-key selection: hash, range, list, and directory strategiesmiddle
- Partitioning vs sharding: same word, two different thingsmiddle
- Co-location and Citus: the invariant that makes sharding usablemiddle
- The hot-shard failure mode: detection, isolation, and durable policymiddle
- Schema-based sharding and multi-tenancy alternativessenior
- Online resharding, 2PC, and the operational cost of shardingsenior
- The seven acts: from CREATE TABLE to Citusjunior
- Acts 1–3 in depth: schema, indexes, and planner statisticsmiddle
- Acts 4–6 in depth: MVCC bloat, connection pooling, and safe migrationsmiddle
- Act 7 in depth: sharding, co-location, and the seven-tier tradeoff cascademiddle
- Observability, anti-patterns, and production triagesenior
- Raft roles, terms, and why majority quorums prevent split brainjunior
- How Raft replicates a log entry and decides it is safe to commitmiddle
- Raft leader election: timeouts, voting rules, and the four safety propertiesmiddle
- Raft in the real world: partitions, slow disks, and client routingmiddle
- Raft extensions: pre-vote, learners, snapshots, and linearizable readssenior
- Raft in production: membership changes, Multi-Raft, and observabilitysenior
- Where data fetching happens — and why it decides LCPjunior
- Fetch waterfalls — diagnosis and the Promise.all curemiddle
- React Server Components and Suspense streamingmiddle
- Client-side cache: TanStack Query, SWR, and stale-while-revalidatemiddle
- LCP, prefetch, and race conditions in interactive fetchingmiddle
- Senior internals: RSC payload, caching layers, and production failure modessenior
- The three-way handshakejunior
- Sequence numbers and connection statemiddle
- DNS: what it does and why it existsjunior
- The resolver walk: referrals, record types, and gluemiddle
- TTL, caching, and DNS propagationmiddle
- The 1-RTT handshake: key shares and ECDHEmiddle
- Session resumption and 0-RTTmiddle
- WebSocket: the HTTP upgrade handshakejunior
- WebSocket frame format: opcodes, masking, fragmentationmiddle
- WebSocket backpressure: when clients can''''t keep upmiddle
- Reconnection: jittered backoff, thundering herd, message resumptionsenior
- WebSocket at scale: HTTP/2 multiplexing, permessage-deflate, C10Msenior
- WebSocket in production: proxies, security, and distributed architecturesenior
- What reverse proxies dojunior
- Health checks, connection draining, and slow startmiddle
- Session affinity, consistent hashing, and the right fixmiddle
- Retry storms, circuit breakers, and load sheddingsenior
- Resilient LB architecture: anycast, zone-aware routing, and observabilitysenior
- Why QUIC and not TCP+TLSjunior
- Connection IDs and network migrationmiddle
- 0-RTT resumption and packet encryptionsenior
- DDoS: what it is and why it worksjunior
- Amplification attacks and state exhaustionmiddle
- Rate limiting: algorithms and architecturemiddle
- WAFs, firewalls, mTLS, and HSTSmiddle
- DNS cache poisoning and BGP hijackingsenior
- Defense-in-depth architecture and attack economicssenior
- DNS, TCP, TLS in sequence: where the milliseconds gomiddle
- Proxy intercepts and security gates: rate limiters, WAF, mTLSmiddle
- Alternate paths: QUIC 0-RTT, WebSocket upgrade, connection migrationmiddle
- Observability: distributed traces, USE/RED, and samplingsenior
- Resilience: cascading retries, circuit breakers, and error budgetssenior
- What the three signals are: logs, metrics, and tracesjunior
- Why structured logs exist: the diary vs the spreadsheetjunior
- The production log schema: fields every line must carrymiddle
- PII redaction and log injectionsenior
- OTel Logs Data Model and audit logs as a subsystemsenior
- SLI, SLO, and the error budget: reliability by the numbersjunior
- Error budget policy, latency SLOs, and composite journeysmiddle
- Production SLO failures, self-observability, security, and the big picturesenior
- The incident loop: from pager to postmortem to preventionmiddle
- Cache lines, struct layout, and false sharingmiddle
- SIMD, SoA vs AoS, and memory bandwidthmiddle
- Cache-oblivious algorithms, PGO, and production failuressenior
- GC in production: observability, security, edge cases, and fleet governancesenior
- Batching: amortize fixed cost per operationjunior
- The batching window: size and wait timemiddle
- Batching in Kafka and Postgresmiddle
- io_uring and observability of batchingmiddle
- From Nagle to io_uring: evolution of batchingmiddle
- Backpressure, failure isolation, and batch security in productionsenior
- CI enforcement and RUM: making budgets stickmiddle
- V8 JIT pipeline, HTTP priorities, and bundle securitysenior
- The performance loop: discipline, not a projectjunior
- Classify and fix: matching bottleneck families to remediesmiddle
- Observability stack and CI gates: catching regressions before they shipmiddle
- Incident to enforcement: SLO burn to verified fix in 35 minutesmiddle
- Culture, economics, and org-scale performancesenior
- At-most-once, at-least-once, exactly-once: the three delivery contractsjunior
- The three failure legs — where duplicates and losses actually happenmiddle
- Consumer-side dedup: the cheapest path to exactly-once processingmiddle
- Kafka exactly-once semantics: idempotent producer and transactionsmiddle
- SQS visibility timeout, DLQ, and the outbox patternmiddle
- Exactly-once in production: impossibility proof, hybrid patterns, and real incidentssenior
- What OAuth is and why passwords are not the answerjunior
- Authorization code flow with PKCEmiddle
- ID token validation and JWKS cache managementmiddle
- Refresh token rotation and scope-based least privilegemiddle
- Sender-constrained tokens: DPoP and mTLSsenior
- OAuth in production: audience attacks, observability, and real failuressenior