Overview
This architecture defines a secure, scalable, and loosely coupled event-driven microservices platform. It uses an API Gateway for client interactions, Kafka for asynchronous message passing, and separate services for business domains such as budgeting, transactions, and accounts.
Client Side
- Frontend (FE): The web or mobile client interacting with the backend
  - Initiates authentication via Authentik
  - Sends requests to the API Gateway through an ALB
Networking Layer
- Application Load Balancer (ALB): Acts as the entry point for all incoming HTTP requests
  - Routes unauthenticated users to Authentik
  - Forwards authenticated traffic to the API Gateway
- API Gateway: Handles all external client API traffic
  - Authenticates requests using tokens from Authentik
  - Publishes events (requests) to Kafka for downstream consumption
  - Does not directly invoke services to maintain loose coupling
Authentication
- Authentik (AK): Identity provider (IdP) responsible for user authentication
  - Issues tokens (e.g., OIDC/JWT) to the frontend upon successful login
  - API Gateway and services validate these tokens for request authorization