How Airbnb Avoids Double Payments in a Distributed System

Company Context

Airbnb processes millions of financial transactions across a microservices architecture that spans multiple teams and systems. A single booking triggers a cascade of payment operations: charging the guest, holding funds in escrow, paying the host, calculating service fees, and handling taxes. Each operation crosses service boundaries, involves external payment processors, and must be exactly-once in effect — charging a guest twice is unacceptable, and failing to pay a host erodes trust.

The Problem at Scale

In a distributed system, any network call can fail, time out, or succeed without the caller knowing. When a payment service calls Stripe to charge a card and the connection drops after Stripe processes the charge but before the response arrives, the caller does not know if the charge went through. The naive retry — just try again — risks double-charging. Conversely, not retrying risks failing to process a legitimate payment. This problem compounds across a microservice graph where each service may independently retry, creating a combinatorial explosion of potential duplicate operations.

Architecture Solution

Airbnb built a generic idempotency framework that wraps every payment operation. Each API request carries an idempotency key — a client-generated unique identifier (typically a UUID) that represents a specific intended operation. The server stores the idempotency key and the result of the operation in a database. If the same key is received again, the server returns the stored result without re-executing the operation.

The framework models each payment operation as a state machine with well-defined states (CREATED, PROCESSING, SUCCEEDED, FAILED). The idempotency record stores the current state, and the server uses optimistic locking to transition between states. This prevents concurrent requests with the same key from both executing the operation.

For multi-step payment flows (charge guest, then pay host, then record fees), the framework uses a saga pattern: each step has a compensating action (refund guest, reverse host payout). If any step fails after previous steps succeeded, the compensating actions are executed to restore consistency. The idempotency framework ensures that both forward and compensating actions are individually idempotent.

The framework also handles the ambiguous failure case: when the result of an external call is unknown (timeout), the system records the state as UNKNOWN and uses a background reconciliation process to query the external provider and resolve the state.

Key Techniques Used

• Idempotency keys: Client-generated UUIDs attached to every payment request
• Server-side result caching: Store operation outcomes keyed by idempotency key
• State machine model: Each operation transitions through defined states with optimistic locking
• Saga pattern: Multi-step operations with compensating actions for rollback
• Background reconciliation: Resolve ambiguous failures by querying external providers
• Optimistic locking: Prevent concurrent duplicate execution of the same operation

Lessons for System Design Interviews

This case study is essential for any payment system design question. Demonstrate that you understand why "exactly-once" is impossible in distributed systems but "effectively-once" (idempotent retries) is achievable. Show the idempotency key pattern, explain why keys must be client-generated (not server-generated), and discuss the state machine approach. Mention the saga pattern for multi-step transactions as an alternative to distributed transactions.

Lessons for Production

Every API that has side effects (especially financial ones) should be idempotent. Idempotency keys must be stored durably before executing the operation — if the key store is in-memory, a server restart causes the protection to vanish. The "ambiguous failure" case (timeout on external call) is the hardest to handle correctly and requires background reconciliation. Design compensating actions from the start; retrofitting them is extremely difficult.

Practical Implementation for .NET Developers

In a .NET application, you would typically implement this pattern using the following approach:

ASP.NET Core setup: Create a service class that encapsulates the logic, register it with dependency injection, and inject it into your controllers or minimal API endpoints. The built-in DI container handles lifecycle management.

Entity Framework Core: For database interactions, EF Core provides the ORM layer. Use migrations for schema management and raw SQL for performance-critical queries. Consider Dapper for read-heavy paths where EF Core's overhead matters.

Azure integration: If deploying to Azure, leverage managed services — Azure Cache for Redis, Azure SQL, Azure Service Bus, Azure Cosmos DB. These eliminate operational overhead and provide built-in monitoring through Application Insights.

Testing: Use xUnit with Testcontainers for integration tests that spin up real databases in Docker. Mock external dependencies with NSubstitute. The WebApplicationFactory class lets you test your entire HTTP pipeline in-process.

Monitoring: Add Application Insights telemetry to track request latency, dependency calls, and custom metrics. Use structured logging with Serilog to make production debugging possible:

Log.Information("Processing order {OrderId} for {CustomerId}", orderId, customerId);

This gives you searchable, structured logs in Azure Monitor or Seq.

Key Takeaways for Interviews

• Understand the core problem this resource addresses and be able to explain it in 2-3 sentences without jargon
• Know the key trade-offs: what does this approach optimize for, and what does it sacrifice?
• Be ready to compare this with alternative approaches and explain when each is appropriate
• Connect the concepts to real-world systems you have worked with or studied
• Demonstrate depth by discussing failure modes and how they are handled

How This Applies to Modern .NET Systems

The concepts from this resource translate to .NET through several established libraries and patterns:

Azure managed services often abstract away the underlying distributed systems complexity, but understanding the fundamentals helps you configure them correctly, debug issues, and make informed architectural decisions.

NuGet packages in the .NET ecosystem provide production-ready implementations of many patterns described in this resource. Before building custom solutions, check if a well-maintained package already exists.

ASP.NET Core middleware pipeline is where many of these patterns are implemented in practice: caching, rate limiting, health checks, and circuit breaking all fit naturally into the middleware model.

Sources

• Avoiding Double Payments in a Distributed Payments System — Airbnb Engineering