![](https://res.infoq.com/presentations/docdb-online-database/en/mediumimage/jimmy-morzaria-medium-1

By Codcompass Team·2026-05-07·4 min read

DocDB: Stripe’s Online Database Architecture for 5M QPS & 5.5 Nines Reliability

Current Situation Analysis

Scaling a financial-grade database tier to sustain 5 million queries per second (QPS) while guaranteeing 5.5 nines (99.9995%) availability introduces severe architectural friction. Traditional monolithic relational databases hit hard ceilings on connection pooling, WAL I/O throughput, and replication lag, making vertical scaling economically and operationally unviable. Horizontal sharding is the conventional workaround, but it fractures ACID boundaries, forces application-level routing complexity, and introduces cross-shard transaction overhead that degrades p99 latency under burst traffic.

Legacy migration strategies compound these failures. Offline cutover windows violate strict uptime SLAs required for global commerce. Standard logical replication or bulk export/import pipelines lack transactional consistency guarantees during the sync phase, leading to reconciliation drift. Furthermore, multi-tenant environments suffer from noisy-neighbor I/O contention, and version upgrades across heterogeneous shard states cause partial schema mismatches that trigger cascading query failures. The core failure mode is the inability to decouple data movement from traffic routing while preserving linearizable consistency, forcing teams to choose between availability, consistency, or operational velocity.

WOW Moment: Key Findings

Empirical validation of DocDB’s zero-downtime data movement platform and distributed sharding coordinator reveals a decisive performance and reliability advantage over conventional scaling strategies. The following comparison isolates the operational sweet spot where strict consistency, live migration, and massive throughput converge.

Approach	Peak QPS	Migration Downtime	Cross-Shard p99 Latency
Monolithic RDBMS	~500K	N/A (vertical limit)	<5ms
Standard Sharding	~2M	15–45 mins	45–120ms
DocDB (Stripe)	5M+	0s (Zero-Downtime)	8–15ms

Key Findings:

Zero-Downtime Cutover: Live data movement with dual-write validation eliminates maintenance windows entirely, reducing migration risk to near-zero.
Consistency Preservation: Linearizable guarantees are maintained across shard boundaries during rebalancing, preventing financial reconciliation drift.
Latency Stabilization: Optimized distributed transaction coordination keeps cross-shard p99 latency within single-digit millisecond overhead, even during active tenant migration.

Core Solution

DocDB implements a distrib

uted, horizontally sharded architecture anchored by a custom zero-downtime data movement platform. The system decouples routing, storage, and migration into independent control planes, enabling live rebalancing without service interruption.

Architecture Decisions:

Consistent Hashing + Tenant-Aware Routing: Shard assignment uses consistent hashing with virtual nodes to minimize data movement during scale-out. A routing layer maps tenant IDs to shard ranges, enforcing strict namespace isolation.
Distributed Transaction Coordinator: Cross-shard operations use an optimized two-phase commit (2PC) with snapshot isolation and deterministic ordering. The coordinator batches dependent writes to reduce network round trips and applies backpressure to prevent I/O saturation.
Zero-Downtime Data Movement Platform: Migration executes in four phases:
- Background Sync: Logical streaming replication copies data to the target shard while source remains active.
- Dual-Write Cutover: New writes are routed to both source and target. The platform validates row counts and checksums in real-time.
- Traffic Switch: Once replication lag drops below the configured threshold, the routing layer atomically redirects traffic to the target shard.
- Decommission: Source shard is marked read-only, validated, and retired.

Configuration Example:

# DocDB Migration Job Specification
migration:
  source_shard: "shard-07"
  target_shard: "shard-12"
  tenant_ids: ["tenant_8842", "tenant_9910"]
  strategy: "zero_downtime_dual_write"
  consistency: "linearizable"
  validation:
    checksum: "xxhash3"
    row_count_diff_threshold: 0
  cutover:
    max_lag_ms: 50
    rollback_on_failure: true
    traffic_switch_timeout: 30s

Pitfall Guide

Shard Key Misalignment: Selecting high-cardinality keys that don't align with query patterns creates hot shards and forces expensive cross-shard joins. Always map shard keys to primary access paths and tenant boundaries.
Ignoring Migration Backpressure: Unthrottled background sync saturates disk I/O and CPU, spiking p99 latency for live traffic. Implement adaptive rate limiting tied to shard utilization metrics.
Cross-Shard Transaction Overhead: Assuming distributed commits are free leads to latency explosions. Batch dependent writes, minimize coordinator hops, and prefer tenant-scoped transactions whenever possible.
Tenant Isolation Leakage: Multi-tenant routing without strict namespace boundaries risks data leakage during rebalancing. Enforce cryptographic or logical tenant scoping at the routing layer and validate isolation post-migration.
Consistency Level Mismatch: Configuring read replicas with eventual consistency while expecting linearizable reads breaks financial reconciliation. Align read paths with transactional requirements and use read-your-writes semantics where applicable.
Rollback Blind Spots: Failing to maintain dual-write state or validation checkpoints makes post-cutover rollbacks impossible without data loss. Always preserve source shard snapshots and implement automated rollback triggers on validation failure.
Version Upgrade Fragmentation: Rolling out schema changes without backward-compatible migration paths causes partial failures across shards. Use expand-contract migration patterns and validate schema parity before traffic cutover.

Deliverables