Part 4: gRPC Internal + REST Gateway — API Contract Lifecycle

Every public-facing API in the Composable Commerce Platform starts as a .proto file. The code — Go gRPC handlers, TypeScript SDK, HTTP routes, request validation, error codes — is generated from that contract. This article documents the conventions that make that system work. Answer-first: Internal services communicate via gRPC (type-safe, binary, ~7× faster than JSON over REST). External clients (browser, mobile app) use REST via the Gateway Service (port 8000). The proto file is the single source of truth for the API contract — and three proto conventions require special attention for engineers coming from Magento: the Money type (never use float for prices), cursor-based pagination (never use offset), and proto-level field validation (validation declared in the contract, not in business logic). ...

April 29, 2026 · 9 min · Lê Tuấn Anh

Idempotent API Design in Go — Idempotency Key & Redis SetNX

Prerequisite: Part 7 of the System Design Masterclass. Read Part 6: Distributed Locks — concurrent duplicate request blocking relies on the same mutual exclusion primitives. Answer-first: API idempotency ensures that retrying an identical request (same Idempotency-Key) never produces additional side effects beyond the first execution. This is foundational for payment APIs where network timeouts force client retries, and a duplicate execution would mean a double charge. What Is an Idempotency Key? Answer-first: An Idempotency Key is a unique token — typically UUID v4 — generated by the client and attached as an Idempotency-Key HTTP header. The server uses this key to detect duplicate requests: if the key has been seen before, return the cached response from the first execution without re-executing the handler. ...

June 18, 2026 · 8 min · Lê Tuấn Anh

Chapter 7: Designing Idempotency APIs for Payment Systems

← Previous | Series hub | Next → Chapter 7: Fortifying Payment Systems with Idempotent APIs In E-commerce or Fintech, the ultimate nightmare is not a system crash, but charging a customer twice for a single order. This is usually caused by network lag, an impatient user double-clicking “Pay”, or automated app retry logic. The mandatory solution for any transactional API (Payment/Order) is Idempotency. 1. What is Idempotency? Answer-first: An operation is idempotent if executing it once or N times yields the exact same system state and outcome. While GET and PUT are natively idempotent, POST requires explicit engineering. ...

June 9, 2026 · 4 min · Lê Tuấn Anh

OAuth 2.1 & Prompt Versioning for Production AI Agents

Answer-first: Production AI API design requires securing agent identities using OAuth 2.1 client credentials, versioning prompts inside CI/CD gates to prevent quality regression, and tracking runtime costs. Monitoring token usage and accuracy ensures robust operational predictability. What You’ll Learn That AI Won’t Tell You Secure prompt versioning practices using git commits and CI checks. Rate-limiting AI agents at the API Gateway using token-bucket configurations. Running AI APIs in production for the past 18 months has produced three lessons that I did not find in any “getting started with LLMs” tutorial. They emerged from incidents, postmortems, and that specific kind of 2 AM Slack message where a word you never wanted to see — “silent,” as in “silent failure” — appears in a production context. ...

May 18, 2026 · 14 min · Lê Tuấn Anh