At the heart of SuperDealz is a deceptively simple interaction: a customer walks into a store, shows a QR code, and the deal is redeemed. But behind that 2-second scan lies a system that must be instantaneous, fraud-proof, and reliable — even under heavy load.
The Challenge
QR redemption sounds easy until you consider the edge cases: What if the deal has already been redeemed? What if the user is trying to use a screenshot? What if the merchant's device is offline? What about coordinated abuse — bots generating hundreds of codes simultaneously?
We needed a system that could handle all of these while keeping the redemption experience under 2 seconds end-to-end.
Architecture Overview
Our QR system has three layers:
1. Code Generation — Each QR code encodes a time-limited, cryptographically signed token containing the deal ID, user ID, and a one-time nonce. Codes expire after 60 seconds and cannot be reused.
2. Verification — When scanned, the merchant app sends the token to our verification API. We validate the signature, check the nonce against our Redis-backed deduplication cache, verify the deal is still active, and confirm the user hasn't exceeded their redemption limit.
3. Settlement — Upon successful verification, we atomically update the deal's redemption count, credit loyalty points to the user, and log the transaction for merchant reconciliation.
Fraud Prevention
We employ multiple layers of fraud detection:
Performance at Scale
During our Diwali sale event, we processed over 12,000 redemptions in a single hour with a p99 latency of 180ms. The system auto-scaled from 3 to 12 verification pods and back down within 20 minutes of the traffic spike subsiding.
Lessons Learned
Building this system taught us that the best security is invisible security. Users should never feel the fraud checks — they should just see a green checkmark in under 2 seconds. Every millisecond of friction we add to the redemption flow directly reduces conversion.