v1.0 — Stack Documentation

QUENZO

QR-Based Encrypted Payment Platform

A fintech-grade system engineered for performance, security, and scale. Every architectural decision made with intent.

7
Core Services
AES
QR Encryption
Go
Backend Power
VPS
Self-Hosted
scroll
01 — Architecture

How it all connects

A modular monolith built for clarity today, microservices-ready for tomorrow. Every layer earns its place.

Flutter App
Android + iOS
Nginx
Reverse Proxy + HTTPS
Go Backend
Gin · REST · WebSocket
PostgreSQL
Primary DB
Redis
Cache + Rate Limit
NATS
Message Queue
FCM
Push Notifications
02 — Stack

Every tool, justified

No cargo-culting. Each technology chosen for a specific, defensible reason.

📱
Frontend
Flutter
Cross-platform mobile client
  • Single codebase for Android & iOS
  • MVVM architecture, strict separation of concerns
  • BLoC for transaction & QR state machines
  • Provider for app-wide state
  • Secure token storage + deep linking
Backend
Go + Gin
High-concurrency API server
  • Stateless REST APIs, built for scale
  • Native goroutine concurrency — handles thousands of simultaneous requests
  • WebSocket server for live transaction status
  • Clean modular monolith — microservices-ready
🐘
Database
PostgreSQL
Primary relational database
  • ACID compliant — non-negotiable for financial data
  • Relational integrity across transactions & ledger
  • Optimized for complex joins and aggregations
  • golang-migrate for schema version control
Cache
Redis
In-memory caching layer
  • OTP & session caching with TTL
  • Redis-based rate limiting on all APIs
  • Frequently accessed ledger data served instantly
  • Optional background job queues
📡
Realtime
WebSocket
Live transaction status
  • In-app real-time updates (pending → success/failed)
  • Runs inside Go backend — zero extra infra cost
  • FCM handles background; WS handles foreground
  • Bi-directional, low-latency connection
📬
Async
NATS
Lightweight message queue
  • Decouples payment confirmation from side effects
  • Async: FCM push, audit logging, email receipts
  • ~15MB RAM — runs comfortably on your VPS
  • Go-native client, built for high-throughput
🔔
Notifications
Firebase FCM
Push notification delivery
  • Payment received & confirmed alerts
  • Credit reminders & system events
  • Background delivery even when app is closed
  • Triggered async via NATS worker
🐳
Infra
Docker
Containerized deployment
  • Go backend, PostgreSQL, Redis, NATS, Nginx in containers
  • Consistent dev/prod environments
  • Docker Compose for single-command startup
  • Service isolation — one crash doesn't kill the stack
⚙️
CI/CD
GitHub Actions
Automated deployment pipeline
  • Push → Build → Test → Deploy to VPS
  • Zero manual SSH deployments
  • Secrets stored in GitHub Actions vault
  • Rollback on failed deployments
🐛
Observability
Sentry
Error tracking & crash reporting
  • Captures Go panics and runtime errors
  • Flutter crash reporting on mobile
  • Free tier is sufficient for early stage
  • Complements Prometheus (metrics ≠ errors)
📊
Monitoring
Prometheus + Grafana
Metrics & dashboards — planned
  • API response time & latency tracking
  • Server resource utilization dashboards
  • Transaction volume & error rate graphs
  • Alert rules for abnormal patterns
🔐
Security
Secret Management
.env now → Vault later
  • All credentials via environment variables — never hardcoded
  • AES keys, JWT secrets, DB creds isolated in .env
  • GitHub Actions Secrets for CI/CD pipeline
  • HashiCorp Vault planned for production hardening
03 — Core Feature

QR System Design

The heart of Quenzo. Dynamic, encrypted, and app-exclusive by design.

QR Payload Structure

qr_token.go
// Dynamic QR URL structure https://quenzo.app/q/ {AES_encrypted_token} // Payload contains merchant_id // who receives amount // optional expiry // TTL enforced nonce // replay protection hmac_signature // integrity

Security Layers

  • 🔒
    AES-256 Encryption
    QR payload is encrypted — unreadable by any other app or scanner
  • HMAC Signature
    Every QR signed and verified on backend — tamper-proof
  • ⏱️
    TTL + Nonce
    Tokens expire, nonce prevents replay attacks
  • 📲
    App-Exclusive Deep Link
    External scanners redirect to install/open Quenzo
01
Generate QR
02
Scan in App
03
Backend Validates
04
Tx Processed
05
Both Notified
04 — Code Structure

Clean by default

Modular monolith — each domain is self-contained, independently extractable into a microservice when the time is right.

backend/ — Go
backend/ cmd/ main.go internal/ auth/ ← JWT, bcrypt users/ ← user mgmt transactions/ ← core logic ledger/ ← audit trail qr/ ← generate/validate notifications/ ← FCM + WS workers/ ← NATS consumers database/ migrations/ ← golang-migrate middleware/ auth.go ratelimit.go utils/ crypto.go ← AES, HMAC
flutter_app/ — Dart
lib/ core/ di/ ← dependency injection network/ ← Dio + interceptors storage/ ← secure storage features/ auth/ viewmodel/ ← MVVM view/ transactions/ bloc/ ← BLoC state machine view/ qr_scan/ bloc/ ← BLoC state machine view/ ledger/ viewmodel/ ← MVVM
05 — Security

Paranoia is a feature

Every layer hardened. Financial data demands nothing less.

HTTPS Everywhere
Let's Encrypt SSL on Nginx. All traffic encrypted in transit, no exceptions.
JWT Authentication
Short-lived access tokens + refresh token rotation. RBAC enforced at middleware level.
bcrypt Password Hashing
Passwords never stored in plaintext. bcrypt with appropriate cost factor.
Redis Rate Limiting
All API endpoints rate-limited. Brute force and DDoS mitigation built-in.
AES-256 + HMAC QR
QR payloads encrypted and signed. Backend validates everything — client input never trusted.
Immutable Audit Log
Every transaction mutation write-only logged. Tamper-evident financial trail.
Input Validation
Strict validation on all incoming payloads. SQL injection and XSS mitigated at handler level.
Secret Management
All credentials via environment variables. Zero secrets in codebase. Vault planned for V2.
06 — Data Model

Core entities

PostgreSQL schema designed for financial integrity — every relationship explicit, every mutation traceable.

schema — PostgreSQL
users id, phone, email password_hash role, status created_at businesses id, owner_id → users name, gstin kyc_status transactions id, sender_id → users receiver_id → businesses amount, currency status, qr_token_id created_at, settled_at
ledger_entries id, transaction_id debit_account credit_account amount, balance_after created_at qr_tokens id, merchant_id encrypted_payload hmac_signature, nonce expires_at, used_at audit_logs ← immutable id, entity_type entity_id, action actor_id, diff_json created_at
07 — Roadmap

Built to grow

Start lean on a single VPS. Scale surgically when actual pain points emerge — not imagined ones.

V1
Now — Single VPS
Modular Monolith
Go Monolith PostgreSQL Redis NATS Docker Compose Hostinger KVM4
Growth — Scaling Up
Infrastructure Hardening
Managed DB (Neon/Supabase) Object Storage (R2/S3) HashiCorp Vault Prometheus + Grafana Multi-region Redis
V3
Scale — Microservices Era
Extract Services by Pain Point
Transaction Service Notification Service QR Service Load Balancer Service Mesh
08 — Summary

The full picture

Category Technology Why
Frontend Flutter + MVVM + BLoC Cross-platform, strict state machines for payment flows
Backend Go + Gin High concurrency, lightweight, perfect for financial APIs
Primary DB PostgreSQL ACID compliance, relational integrity for transactions
Cache Redis OTP caching, rate limiting, fast data access
Realtime WebSocket Live in-app transaction status — no polling
Async NATS Decouple payment confirmation from side effects
Notifications Firebase FCM Reliable background push delivery
Proxy Nginx + Let's Encrypt HTTPS, routing, future load balancing
Container Docker + Compose Consistent environments, service isolation
CI/CD GitHub Actions Automated deploy pipeline to VPS
DB Migrations golang-migrate Version-controlled schema changes
Error Tracking Sentry Runtime crash capture (metrics ≠ errors)
Monitoring Prometheus + Grafana API metrics, resource usage, transaction volume
Secrets .env → Vault Zero credentials in codebase, hardened in V2
Infra Hostinger KVM4 VPS Cost-efficient, full control, 200GB storage