← Lessons

quiz vs the machine

Platinum1820

System Design

The Stripe Payments Reliability

Idempotency keys and ledgers ensure a charge happens exactly once.

6 min read · advanced · beat Platinum to climb

Never charge twice

Payments must be exactly once. Networks drop responses and clients retry, so the dangerous case is a retry that charges a customer a second time. Stripe defends with idempotency keys and a durable ledger.

Idempotency keys

Each charge request carries a client supplied idempotency key. The server records the result under that key. A retry with the same key returns the stored result instead of charging again.

  • The client sends a unique idempotency key per intent
  • The server stores the outcome keyed by it
  • Retries are deduplicated, so the charge happens once

The ledger

Money movements are recorded in an append only ledger rather than mutated balances. Every debit and credit is an immutable entry, which makes the system auditable and lets balances be recomputed from history.

Reliability comes from making retries safe and from an immutable record of every cent that moved.

Key idea

Attach an idempotency key to every charge so retries return the stored result, and record money movement in an append only ledger so the system is exactly once and auditable.

Check yourself

Answer to earn rating on the learn ladder.

1. What problem does an idempotency key solve?

2. Why record payments in an append only ledger?

3. Why are dropped network responses especially dangerous for payments?