Published in Brex Tech Blog

Building the Brex Accounting API

Delighting customers through banking data feeds

  1. Customers demand robust integrations with their existing workforce productivity tools.
  2. Brex’s channel partners, such as accounting apps, can provide a better customer experience by directly accessing customers’ transactions and statement data, with their permission.

The Partners’ Perspective

  • Statements data is immutable: only closed statements will be returned. The current “open” statement is constantly updated.
  • By default, statements are sorted in order of the statement period’s closing date.
  • Only posted transactions (not pending) are returned. That being said, we did consider returning pending entries in a separate endpoint to preserve the consistency between changing versus immutable data.

Behind the Scenes: Service Architecture

  1. The incoming request is handled in a public-facing API service by Phoenix, an Elixir web framework which implements the MVC pattern
  2. Elixir-grpc is used by the controller in Phoenix to perform a gRPC request to the backend service
  3. The server gathers the data requested and builds response objects
  4. When rendering, ExJsonSchema (an Elixir schema validator) validates the data before it is returned

  • Accounts: Retrieves a customer’s account data and limits
  • StatementEntries: Retrieves Card and Cash statement entries
  • Statements: Retrieves Card and Cash statements

AccountsService.Stub.get_accounts(channel, request)
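
The validation in step 4 of the request flow above, as an added example (not Brex's code): a render-time guard that checks an outgoing payload against a JSON Schema with ExJsonSchema and fails closed. The `ResponseGuard` module, the schema and its field names are assumptions, and the `ex_json_schema` package must be a dependency of the project.

```elixir
# Added example, not Brex's code. Module name, schema and fields are assumptions.
defmodule ResponseGuard do
  require Logger

  # Hypothetical schema for one closed statement. "additionalProperties" => false
  # rejects any field the backend adds until the schema is updated to allow it.
  @statement_schema %{
    "type" => "object",
    "required" => ["id", "period_end", "balance_cents"],
    "additionalProperties" => false,
    "properties" => %{
      "id" => %{"type" => "string", "minLength" => 1},
      "period_end" => %{"type" => "string", "pattern" => "^\\d{4}-\\d{2}-\\d{2}$"},
      "balance_cents" => %{"type" => "integer"}
    }
  }

  # Resolved on each call here for brevity; a real service would cache this.
  def statement_schema, do: ExJsonSchema.Schema.resolve(@statement_schema)

  # Returns {:ok, payload} when the payload matches, {:error, :invalid_response}
  # otherwise. The caller maps the error to a generic 500 response.
  def check(payload, schema \\ statement_schema()) do
    case ExJsonSchema.Validator.validate(schema, payload) do
      :ok ->
        {:ok, payload}

      {:error, errors} ->
        # Each error is a {message, path} tuple. Log only the JSON pointer paths
        # so rejected values never reach the logs.
        paths = Enum.map(errors, fn {_message, path} -> path end)
        Logger.error("response failed schema validation at #{inspect(paths)}")
        {:error, :invalid_response}
    end
  end

  # Constructed payloads: one valid, one with an unexpected extra field,
  # one with a wrong type.
  def demo do
    good = %{"id" => "stmt_1", "period_end" => "2020-01-31", "balance_cents" => 1250}
    extra = Map.put(good, "internal_note", "not for partners")
    wrong_type = %{good | "balance_cents" => "12.50"}
    Enum.map([good, extra, wrong_type], &check/1)
  end
end
```

Rejecting unknown fields at render time means a field added in the backend service cannot reach partners until someone deliberately adds it to the public schema.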

Data Validation at Runtime

Monitoring and Scalability

  • High average latency
  • High error rate
  • High QPS (queries per second)

  • How many parallel requests to simulate: e.g. 5 users per second, for 10/120/600 seconds
  • A set of endpoints to hit, and how much time in between each request

  • Database checks: make sure all databases being queried have the appropriate indexes
  • Data scoping: don’t return data the customer didn’t allow, don’t return another customer’s data
  • Script to simulate an initial pull from a client. This pull would retrieve every transaction for a customer in the past year
  • A thorough security audit from Brex’s Trust team, who attempted common attacks like authorization bypass, JWT token manipulation, vulnerability scanning, and more

Rollout & Adoption

The Road Ahead

  • Streamline the onboarding and credential-provisioning process
  • Develop a self-serve partner portal
  • Build more endpoints to support use cases such as card issuing, setting limits, and onboarding

The Team (in alphabetical order)
