PayFlow Fintech API
Stateless JWT-authenticated transaction broker
1. Context
Financial wallet APIs face threats including authorization bypass (IDOR) and double-transfer state conflicts. This project focuses on designing a production-style transaction ledger that secures wallet operations and guarantees transaction integrity.
2. Constraints
The API needed stateless authorization checks on every endpoint, strict request-response DTO validation, and transaction safety across multiple ledger entries without introducing deadlocks.
3. Approach
I configured Spring Security to intercept request headers and validate RS256-signed tokens statelessly. I chose DTO patterns for strict API contracts, using validation annotations to reject malformed JSON before the controllers execute any logic. Ledger entries are written inside Spring @Transactional wrappers to enforce isolated ACID guarantees.
4. Craft
Engineered wallet double-entry bookkeeping schemas where every debit has an equal credit. Implemented stateless JWT filters, with BCrypt password hashing for user registration and authentication. Developed a global exception handler that sanitizes error payloads, preventing stack traces or DB schema names from leaking to clients.
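As an added illustration (not PayFlow's code), the plain-Java sketch below shows the transfer-path checks this write-up describes: an ownership check against the token subject to block IDOR, wallet locks taken in a fixed order to avoid deadlock, a balance check, and paired debit and credit entries. The class and field names, the client-supplied transfer id used to reject replays, and the in-memory locks standing in for database row locks inside a @Transactional method are all assumptions.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.locks.ReentrantLock;
// Added illustration, not PayFlow code: an in-memory stand-in for the wallet and ledger tables.
public class TransferSketch {
    record Entry(String transferId, long walletId, long amountCents) {} // debit < 0, credit > 0
    static final class Wallet {
        final String ownerSub; long balanceCents;
        final ReentrantLock lock = new ReentrantLock(); // stands in for a row lock (assumption)
        Wallet(String ownerSub, long balanceCents) { this.ownerSub = ownerSub; this.balanceCents = balanceCents; }
    }
    final Map<Long, Wallet> wallets = new HashMap<>();
    final List<Entry> ledger = Collections.synchronizedList(new ArrayList<>());
    final Set<String> applied = ConcurrentHashMap.newKeySet(); // hypothetical idempotency keys
    // callerSub: subject claim of a JWT whose signature was already verified (assumption).
    boolean transfer(String callerSub, String transferId, long fromId, long toId, long cents) {
        Wallet from = wallets.get(fromId), to = wallets.get(toId);
        if (from == null || to == null || fromId == toId || cents <= 0)
            throw new IllegalArgumentException("invalid transfer");
        // IDOR check: the source wallet must belong to the token's subject.
        if (!from.ownerSub.equals(callerSub)) throw new SecurityException("forbidden");
        // Always lock the lower wallet id first, so A->B and B->A cannot deadlock.
        Wallet first = fromId < toId ? from : to, second = fromId < toId ? to : from;
        first.lock.lock();
        second.lock.lock();
        try {
            if (applied.contains(transferId)) return false; // replayed request, no second debit
            if (from.balanceCents < cents) throw new IllegalStateException("insufficient funds");
            from.balanceCents -= cents;
            to.balanceCents += cents;
            ledger.add(new Entry(transferId, fromId, -cents)); // debit
            ledger.add(new Entry(transferId, toId, cents));    // equal credit
            applied.add(transferId);
            return true;
        } finally {
            second.lock.unlock();
            first.lock.unlock();
        }
    }
    public static void main(String[] args) {
        TransferSketch s = new TransferSketch();
        s.wallets.put(1L, new Wallet("alice", 10_000)); // constructed sample data
        s.wallets.put(2L, new Wallet("bob", 0));
        System.out.println("first request applied: " + s.transfer("alice", "t-1", 1, 2, 2_500));
        System.out.println("replay applied: " + s.transfer("alice", "t-1", 1, 2, 2_500));
        try { s.transfer("bob", "t-2", 1, 2, 100); } catch (SecurityException e) { System.out.println("bob debiting wallet 1: " + e.getMessage()); }
        System.out.println("ledger sum: " + s.ledger.stream().mapToLong(Entry::amountCents).sum());
    }
}
```

In a database-backed service the same ordering rule applies to row locks, and the replay check is better enforced by a unique constraint on the transfer id than by application memory.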
5. Outcome
Fully secure, validation-tested banking REST API. Prevented negative-balance transfers through database constraints and validations. Achieved zero information leaks during automated threat audits of endpoints.