Back to Resources

Fault-Tolerant Sagas with Temporal: A Production Implementation Guide

15 min read
Goh Ling Yong
Technology enthusiast and software architect specializing in AI-driven development tools and modern software engineering practices. Passionate about the intersection of artificial intelligence and human creativity in building tomorrow's digital solutions.

The Inescapable Challenge of Distributed Transactions

In a monolithic architecture, ACID transactions are the bedrock of data consistency. A BEGIN, a series of SQL statements, and a COMMIT or ROLLBACK—the database handles the all-or-nothing semantics. In a distributed microservices architecture, this safety net vanishes. A single business process, like processing an e-commerce order, might span multiple services: Orders, Payments, Inventory, and Notifications. A simple database transaction is no longer an option.

Two-phase commit (2PC) protocols are often touted as a solution, but they introduce significant operational complexity and performance bottlenecks due to their synchronous, blocking nature. They create tight coupling between services, undermining the very resilience and scalability that microservices promise.

Enter the Saga pattern. A Saga is a sequence of local transactions where each transaction updates data within a single service. When a local transaction completes, the Saga triggers the next one. If a local transaction fails, the Saga executes a series of compensating transactions to semantically undo the preceding successful transactions. While powerful, implementing a Saga from scratch is a significant engineering challenge. You become responsible for:

  • Durable State Management: Where is the state of the Saga stored? A database? A Redis key? What happens if the orchestrator process crashes?
  • Failure Detection and Retries: How do you differentiate between a transient network blip and a permanent business logic failure (e.g., insufficient funds)?
  • Complex Compensation Logic: How do you reliably trigger compensating actions in reverse order, ensuring they are also idempotent and retryable?
  • Visibility and Debugging: How do you trace the execution of a long-running, multi-step process across service boundaries?

    • This is where a durable execution system like Temporal shines. Temporal abstracts away the complexities of state management, retries, and failure handling, allowing you to write Saga orchestration logic as straightforward, stateful code. This post is not an introduction to Sagas or Temporal; it's a deep dive into building a production-ready, fault-tolerant Saga for a complex e-commerce workflow, focusing on the nuanced implementation details that separate a proof-of-concept from a resilient, scalable system.

    We will use Go for our examples, leveraging its strong typing and robust concurrency model, which pair well with Temporal's SDK.

    Scenario: A Multi-Service E-Commerce Order Saga

    Our business process involves four distinct microservices:

  • Order Service: Creates and manages the state of the order (e.g., PENDING, CONFIRMED, FAILED).
  • Payment Service: Processes payments via a third-party gateway.
  • Inventory Service: Reserves and deducts stock for the items in the order.
  • Notification Service: Sends confirmation or failure emails to the customer.

    • The successful path (the "happy path") is a sequence of local transactions:

    CreateOrderProcessPaymentUpdateInventoryConfirmOrderSendConfirmationEmail

    The complexity lies in the failure paths. What if the payment fails? What if inventory reservation succeeds but the final stock deduction fails? We must define compensating actions for each step that makes a durable state change:

    * ProcessPayment is compensated by RefundPayment.

    * UpdateInventory is compensated by RestoreInventory.

    Our goal is to orchestrate this entire flow within a single Temporal Workflow, ensuring that the system's overall state remains consistent, even in the face of service outages, network failures, or process crashes.

    The Core Architecture: Workflows and Activities

    Temporal forces a clean separation between orchestration logic (Workflows) and business logic implementation (Activities).

    * Workflow: Deterministic, stateful code that orchestrates the Saga. It can't perform I/O directly (no HTTP calls, no database queries). Its state is durably persisted by the Temporal cluster, allowing it to survive worker restarts and run for potentially years.

    * Activity: A standard function that executes the actual business logic. This is where you interact with the outside world—calling other services, interacting with databases, etc. Activities are non-deterministic and their execution is managed by the Workflow.

    This separation is the key to Temporal's fault tolerance. The Workflow code is re-executed from its event history upon recovery, so it must be deterministic. The results of non-deterministic Activities are recorded in this history, so they are only executed once per logical step.

    Defining the Workflow Orchestrator

    Let's start by defining the OrderProcessingWorkflow. We'll use a defer block within the workflow to elegantly handle compensation. If the workflow function exits for any reason (completion or error), the deferred functions are executed in last-in, first-out (LIFO) order. This provides a natural stack for our compensation logic.

    go
    // file: workflow/order_workflow.go
package workflow

import (
	"fmt"
	"time"

	"go.temporal.io/sdk/workflow"

	"your_project/activities"
	"your_project/model"
)

// OrderProcessingWorkflow orchestrates the e-commerce order saga.
func OrderProcessingWorkflow(ctx workflow.Context, orderDetails model.OrderDetails) error {
	// Configure Activity options with appropriate timeouts and retry policies.
	// This is CRITICAL for production systems.
	ao := workflow.ActivityOptions{
		StartToCloseTimeout: 10 * time.Second, // Max time for a single attempt.
		HeartbeatTimeout:    5 * time.Second,  // For long-running activities.
		RetryPolicy: &workflow.RetryPolicy{
			InitialInterval:    time.Second,
			BackoffCoefficient: 2.0,
			MaximumInterval:    100 * time.Second,
			// Do not retry on non-retryable application errors.
			NonRetryableErrorTypes: []string{"PaymentDeclinedError", "InsufficientStockError"},
		},
	}
	ctx = workflow.WithActivityOptions(ctx, ao)

	// Use a struct to hold all activity functions for cleaner code.
	var a *activities.OrderActivities

	// 1. Create the order in a PENDING state.
	var orderID string
	if err := workflow.ExecuteActivity(ctx, a.CreateOrder, orderDetails).Get(ctx, &orderID); err != nil {
		return fmt.Errorf("failed to create order: %w", err)
		// No compensation needed if the first step fails.
	}

	// Compensation stack using defer. Functions are added to the stack and will execute
	// in LIFO order if the workflow function returns an error.
	var compensations []func()
	defer func() {
		if workflow.IsCanceled(ctx) || len(compensations) == 0 {
			return
		}
		// If the workflow failed, run all compensations.
		// We use a new, detached context for compensations to ensure they run even if the main workflow context is canceled or timed out.
		compensationCtx, _ := workflow.NewDisconnectedContext(ctx)
		for _, compensation := range compensations {
			// We don't want a failing compensation to stop others from running.
			_ = workflow.ExecuteActivity(compensationCtx, compensation).Get(compensationCtx, nil)
		}
	}()

	// 2. Process the payment.
	var paymentID string
	if err := workflow.ExecuteActivity(ctx, a.ProcessPayment, orderID, orderDetails.ChargeDetails).Get(ctx, &paymentID); err != nil {
		_ = workflow.ExecuteActivity(ctx, a.SetOrderStatusToFailed, orderID, "Payment failed").Get(ctx, nil)
		return fmt.Errorf("payment processing failed: %w", err)
	}
	// Add refund to the compensation stack.
	compensations = append(compensations, func() {
		_ = a.RefundPayment(compensationCtx, paymentID)
	})

	// 3. Update inventory.
	if err := workflow.ExecuteActivity(ctx, a.UpdateInventory, orderDetails.Items).Get(ctx, nil); err != nil {
		_ = workflow.ExecuteActivity(ctx, a.SetOrderStatusToFailed, orderID, "Inventory update failed").Get(ctx, nil)
		return fmt.Errorf("inventory update failed: %w", err)
	}
	// Add inventory restoration to the compensation stack.
	compensations = append(compensations, func() {
		_ = a.RestoreInventory(compensationCtx, orderDetails.Items)
	})

	// 4. Confirm the order status.
	if err := workflow.ExecuteActivity(ctx, a.SetOrderStatusToConfirmed, orderID).Get(ctx, nil); err != nil {
		// This is a critical failure. The payment and inventory have been processed.
		// The compensations *will* run. We might also want to emit a high-priority alert.
		workflow.GetLogger(ctx).Error("CRITICAL: Failed to confirm order after payment and inventory success", "OrderID", orderID)
		return fmt.Errorf("failed to confirm order status: %w", err)
	}

	// Happy path complete. The deferred compensations will not run if the function returns nil.
	// We can now trigger non-critical, post-confirmation actions.
	_ = workflow.ExecuteActivity(ctx, a.SendConfirmationEmail, orderDetails.CustomerEmail, orderID).Get(ctx, nil)

	workflow.GetLogger(ctx).Info("Order workflow completed successfully.", "OrderID", orderID)
	return nil
}

    Several advanced patterns are at play here:

    * Explicit Activity Options: We define a single ActivityOptions block. The RetryPolicy is crucial. We specify NonRetryableErrorTypes to prevent retrying business logic failures like a declined credit card. This is a fundamental concept for building robust Sagas.

    * Compensation Stack: Instead of a complex chain of if-err-compensate blocks, we use a slice of functions (compensations) and a single defer block. This scales cleanly as more steps are added to the Saga.

    * Disconnected Context for Compensations: When running compensations, we use workflow.NewDisconnectedContext. This is vital. If the main workflow context is canceled or hits a timeout, the compensation logic will still execute because it runs in a new context that doesn't inherit the cancellation. This guarantees cleanup.

    * Failure Isolation in Compensation: Notice that within the defer loop, we ignore the error from ExecuteActivity. This is a deliberate choice. If RefundPayment fails, we still want to attempt RestoreInventory. In a production scenario, a failing compensation should trigger a high-priority alert for manual intervention.

    Implementing Idempotent Activities

    The Activities contain the real-world side effects. A core requirement for any fault-tolerant system is idempotency. Temporal may retry an Activity if a worker crashes after completing the work but before reporting the result back to the cluster. The downstream service must be able to handle the same request multiple times and produce the same result.

    Here's how we can structure our ProcessPayment activity and the downstream service it calls.

    go
    // file: activities/order_activities.go
package activities

import (
	"context"
	"fmt"

	"go.temporal.io/sdk/activity"

	"your_project/model"
	"your_project/services"
)

// OrderActivities struct holds dependencies for activities.
type OrderActivities struct {
	PaymentService   services.PaymentClient
	InventoryService services.InventoryClient
	OrderDB          services.OrderDatabaseClient
}

// ProcessPayment makes a call to the payment service.
func (a *OrderActivities) ProcessPayment(ctx context.Context, orderID string, chargeDetails model.ChargeDetails) (string, error) {
	logger := activity.GetLogger(ctx)

	// Extract Temporal's unique Activity attempt ID to use as an idempotency key.
	// This is a robust pattern.
	info := activity.GetInfo(ctx)
	idempotencyKey := fmt.Sprintf("%s-%d", info.WorkflowExecution.ID, info.ActivityID)

	logger.Info("Processing payment", "OrderID", orderID, "IdempotencyKey", idempotencyKey)

	paymentID, err := a.PaymentService.Charge(ctx, idempotencyKey, chargeDetails)
	if err != nil {
		// Check for specific, non-retryable business errors from the service.
		if services.IsPaymentDeclinedError(err) {
			// Wrap in a Temporal non-retryable error type.
			return "", temporal.NewApplicationError("Payment was declined by the provider.", "PaymentDeclinedError", err)
		}
		// For other errors (e.g., network), return them directly to let the retry policy kick in.
		return "", fmt.Errorf("failed to charge payment service: %w", err)
	}

	return paymentID, nil
}

// RefundPayment is the compensating activity.
func (a *OrderActivities) RefundPayment(ctx context.Context, paymentID string) error {
	info := activity.GetInfo(ctx)
	idempotencyKey := fmt.Sprintf("refund-%s-%d", info.WorkflowExecution.ID, info.ActivityID)

	activity.GetLogger(ctx).Info("Refunding payment", "PaymentID", paymentID, "IdempotencyKey", idempotencyKey)

	// The refund service must also be idempotent.
	return a.PaymentService.Refund(ctx, idempotencyKey, paymentID)
}

// ... other activities (UpdateInventory, RestoreInventory, etc.) would follow a similar pattern.

    Key Implementation Details:

  • Idempotency Key Generation: We generate a unique idempotency key using the WorkflowExecution.ID and the ActivityID. This combination is guaranteed to be unique for each logical execution of the activity within that specific workflow run. Sending this key to the downstream service is the contract that enables idempotency.
  • Downstream Service Responsibility: The Payment Service's API must be designed to handle this. A typical implementation involves:

    • * The POST /charge endpoint accepts an Idempotency-Key header.

    * Upon receiving a request, the service first checks a cache (like Redis) or a database table for this key.

    * If the key is found, it returns the stored response from the original request without re-processing the payment.

    * If the key is not found, it processes the payment, stores the result against the key with a TTL, and then returns the result.

  • Propagating Non-Retryable Errors: In ProcessPayment, when the payment service returns a definitive failure (e.g., card declined), we wrap it in temporal.NewApplicationError. The second argument, "PaymentDeclinedError", must match one of the strings in the NonRetryableErrorTypes list in our workflow's RetryPolicy. This tells Temporal to stop retrying immediately and fail the activity, which in turn triggers our compensation logic in the workflow.

    • Edge Cases and Advanced Fault Tolerance

    The real world is messy. Let's explore how this architecture handles more complex failure scenarios.

    Edge Case 1: Worker Crash During an Activity

    Imagine a worker picks up the UpdateInventory task. It makes a successful API call to the Inventory service, which deducts the stock and commits the transaction to its database. Before the worker can report completion back to the Temporal cluster, the pod it's running in is terminated.

    Without Temporal: This is a classic distributed systems nightmare. You'd need an external mechanism (like a database job) to find orphaned tasks and determine their true status, which is incredibly difficult.

    With Temporal: This is handled automatically.

  • The StartToCloseTimeout for the activity will expire.
    • Temporal will see that the activity hasn't been completed and will re-schedule it on another available worker.
  • The new worker will re-execute the UpdateInventory activity with the exact same activity ID and idempotency key.
    • The Inventory service receives the duplicate request, sees the idempotency key, and returns its stored successful response without deducting stock a second time.
    • The new worker reports the successful result to the Temporal cluster, and the workflow proceeds to the next step.

    The durability is provided by the platform, not your application code.

    Edge Case 2: A Long-Running Saga with Human-in-the-Loop

    What if an order over $10,000 requires manual fraud review before payment is processed? This Saga could be paused for hours or days. This is trivial to implement with Temporal's Signal feature.

    We can modify the workflow to wait for an external signal.

    go
    // Inside OrderProcessingWorkflow...

if orderDetails.TotalValue > 10000 {
    workflow.GetLogger(ctx).Info("Order requires manual approval.", "OrderID", orderID)
    
    // This will pause the workflow indefinitely until a signal is received.
    // A timeout can be added using workflow.WithTimeout.
    var approvalSignal struct {
        Approved bool
        Reason   string
    }
    signalChan := workflow.GetSignalChannel(ctx, "manual-approval-signal")
    signalChan.Receive(ctx, &approvalSignal)

    if !approvalSignal.Approved {
        _ = workflow.ExecuteActivity(ctx, a.SetOrderStatusToFailed, orderID, "Manual approval denied: " + approvalSignal.Reason).Get(ctx, nil)
        return fmt.Errorf("order denied by manual review")
    }
    workflow.GetLogger(ctx).Info("Order manually approved.", "OrderID", orderID)
}

// ... continue with payment processing

    A separate process (e.g., a backend admin panel) would use the Temporal client to send the signal:

    go
    // In an external service, like an admin API handler
err := temporalClient.SignalWorkflow(context.Background(), workflowID, "", "manual-approval-signal", struct {
    Approved bool
    Reason   string
}{Approved: true, Reason: "Approved by admin."})

    Temporal handles persisting the workflow state, even if it's paused for days. If the entire worker fleet is restarted, the workflow will resume its waiting state once a worker comes back online.

    Edge Case 3: A Failing Compensation

    This is the most critical failure mode. What if UpdateInventory succeeds, but SetOrderStatusToConfirmed fails, and then the compensating RefundPayment activity also fails continuously?

    This represents a state of data inconsistency. The customer has been charged, but the order is not confirmed, and we cannot refund them automatically.

    Solution: There is no magic bullet here, but our architecture provides the necessary visibility and hooks for recovery.

  • Alerting: The RefundPayment activity should have robust logging and metrics. A persistent failure should trigger a high-priority PagerDuty alert with the workflowID and paymentID.
  • Dead Letter Queues (DLQs): While Temporal retries, for a compensation that is truly broken (e.g., a bug in the code), you can configure the activity to give up after a certain number of attempts and publish a message to a DLQ (like SQS or Kafka) with all the context needed for manual intervention.
  • Temporal Web UI: The UI provides full visibility into every workflow's execution history. An operator can see exactly which step failed, what the error was, and what the inputs were. They can then use this information to perform a manual refund via the payment provider's dashboard.
  • Manual Intervention via Signals: You could even design the compensation logic to signal an operations workflow on failure, creating a formal ticket for an SRE to resolve.

    • Performance and Scalability Patterns

    As you scale, several factors become important.

    * Task Queues: Our activities are all dispatched to a default task queue. In a large system, you would use separate task queues for different activities. For example, payment-activities and inventory-activities. This allows you to scale the worker fleets for each service independently. If payment processing is a bottleneck, you can add more workers to the payment-activities queue without affecting inventory workers.

    go
        // In workflow
    paymentAO := workflow.ActivityOptions{ /*...*/ }
    workflow.GetContext(ctx).SetActivityOptions(paymentAO)
    ctxForPayment := workflow.WithTaskQueue(ctx, "payment-processing-queue")
    err := workflow.ExecuteActivity(ctxForPayment, a.ProcessPayment, ...)

    * Payload Size: The entire workflow event history, including activity inputs and outputs, is stored. Passing huge data structures (e.g., a multi-megabyte JSON object) as arguments can bloat this history and degrade performance. The best practice is to pass references. Instead of passing the order payload, pass the orderID. The activity is then responsible for fetching the full payload from the source of truth (the Order Service's database).

    * Worker Tuning: The number of concurrent activity and workflow pollers on a worker instance should be tuned based on the workload and machine resources. For I/O-bound activities (like most API calls), you can have a high number of concurrent activity pollers. For CPU-bound activities, this number should be closer to the number of available cores.

    Conclusion: Shifting Complexity to the Platform

    Implementing a fault-tolerant Saga pattern is a non-trivial endeavor. A naive implementation quickly becomes a maze of state machines, retry loops, and timeout logic that is brittle and difficult to test and maintain.

    By leveraging a durable execution system like Temporal, we transform the problem. Instead of building the complex distributed systems plumbing ourselves, we describe the desired business logic in straightforward, stateful workflow code. The platform—Temporal—then assumes the immense responsibility of durability, state management, retries, and timeouts.

    This approach allows senior engineers to focus on the core business logic and its failure semantics (i.e., the compensation logic), rather than the mechanics of making it fault-tolerant. The result is a system that is not only more resilient and scalable but also significantly easier to reason about, debug, and evolve over time.

    Found this article helpful?

    Share it with others who might benefit from it.

    More Articles