How we built our Payment Service API at Bento
Hi 👋 My name is Mahdi, and I’m a Senior Software Engineer working in Bento’s Proofers Squad at Gousto.
Bento, a Gousto Company, is a tech firm on a mission to equip subscription businesses with the tools they need to scale, offering everything from subscription platforms to intuitive AI modules. Here at Bento, we provide the essential elements for businesses to thrive and grow in the most cost-effective way.
Payment Service: The Story
A while ago, we identified the need to transition Gousto’s payment provider to a new one. Given Bento’s primary mission to develop a comprehensive set of subscription services for use by Gousto and other clients, we decided that the migration plan could be executed through a new service built within Bento. Thus, our project was born: the Bento Payment Service API!
Building a service from scratch!
In addition to meeting Gousto’s large-scale requirements, such as the ability to process hundreds of payment transactions per second, we aimed to ensure that the API possessed certain characteristics to meet the enterprise-grade standards we hold ourselves to at Bento:
- Being multi-provider
Our payment service is designed to easily accommodate various payment providers like PayPal Braintree, Stripe, Checkout, etc. The plugin-based design of the API enables us to support any payment provider seamlessly.
- Being multi-tenant
Recognizing that Gousto is not Bento’s sole client, we designed the service to serve multiple tenants (merchants) without exposing their data to each other. The “Tenant Configuration” service is responsible for extracting tenant information from the authorization token, identifying, authenticating, and authorizing the tenant, and then selecting the appropriate payment provider assigned to that tenant.
- Being extendable and expandable
Acknowledging that Bento’s clients may have different and specific requirements, we designed the service to be easily extended when needed. This is an interesting challenge, as different payment providers work subtly differently, meaning we had to think hard about a standard Bento API that would work across all of them.
- Being secure and reliable
Security and reliability are paramount for an API at this level and scale. We tackled the challenge of dealing with different types of auth tokens by implementing the OAuth 2.0 Token Exchange RFC. Additionally, we built an auth-gateway service that validates a client’s token (issued by any third-party auth provider) and exchanges it for a Bento JWT token (encrypted asymmetrically) for use by the Payment Service and other Bento services.
To ensure our service can handle hundreds of concurrent requests per second, we utilised the powerful K6 framework to perform automated load testing as part of our continuous delivery pipeline.
- Industry-standard documentation
A good API is only as valuable as its documentation. Therefore, all our API endpoints generate detailed OpenAPI specs using Zod. We upload the latest Swagger specs to a public S3 bucket with every deployment and generate user-friendly documentation in Archbee.
Mission accomplished 🎯
We initiated work on the service in Q3 2023 and completed the v1 of the API before the end of the quarter. This has been a rewarding experience for all team members, marking an important milestone in a series of services like this that we’ve built and continue to build, helping our clients run their subscription business without the hassle of dealing with tech complexities 💪
Last but not least, credits for this product go to these amazing individuals who directly contributed to the project over the past couple of months: Jiazhen Xie, Sam Broster, Stuart Russell, James Sawle, Alex Kelly, Mitch Beard, and all the fantastic Bentonians who played a role in building this 🙌