DocuCommit

Changes

Comparing empty160dc49.

@@ -1,0 +1,38 @@
1+---
2+title: How a request flows
3+sort: 1
4+---
5+
6+# How a request flows
7+
8+A `POST /v1/checkouts` from a storefront in Berlin to the `eu-frankfurt` region, with timings
9+representative of what we see at p50.
10+
11+```drawio
12+{"meta":"placeholder — this fenced block is rendered by the drawio escape hatch on the live server. The local app exposes an in-app editor for it."}
13+```
14+
15+The hops:
16+
17+1. **Storefront SDK** issues the HTTPS request. (~1 ms TLS terminate, browser-side.)
18+2. **Edge** (Cloudflare in the user's POP, Frankfurt for Berlin) does WAF + DDoS, holds the
19+ connection. (~3 ms.)
20+3. **Regional load balancer** routes to the API gateway. (~1 ms.)
21+4. **API gateway** authenticates the bearer token, applies rate limits, attaches the tenant
22+ context. (~2 ms.)
23+5. **Checkout service** validates the cart, calls Tax and Inventory in parallel, persists the
24+ session, signs the hosted-checkout URL. (~30 ms — the bulk of the budget.)
25+6. **PostgreSQL** writes the checkout session, commits. (~5 ms within the region.)
26+7. **Response** travels back through the gateway → LB → edge → SDK. (~5 ms aggregate.)
27+
28+End-to-end p50 from Berlin is ~50 ms. p99 is dominated by tax calculation and ranges 80–140 ms.
29+
30+## What can go wrong at each hop
31+
32+| Hop | Failure mode | What we do |
33+|--------------------|---------------------------------------|--------------------------------------------------|
34+| Edge | DDoS | Cloudflare absorbs; legit traffic unaffected |
35+| Gateway | Rate limit exceeded | Return 429 with `Retry-After` |
36+| Checkout service | Tax service down | Fail open with a stub, flag the order for review |
37+| PostgreSQL primary | Failover (rare, ~30 s) | Gateway returns 503 with `Retry-After: 5` |
38+| Response back | Network blip | SDK retries idempotently |