Back to Resources

Kafka Idempotency: Transactional Outbox & Tombstone Patterns

20 min read
Goh Ling Yong
Technology enthusiast and software architect specializing in AI-driven development tools and modern software engineering practices. Passionate about the intersection of artificial intelligence and human creativity in building tomorrow's digital solutions.

The Inescapable Challenge of At-Least-Once Delivery

In distributed systems, the phrase "exactly-once semantics" (EOS) is both a holy grail and a source of deep misunderstanding. While Kafka itself provides EOS capabilities, they are primarily confined to Kafka-to-Kafka data flows via Kafka Streams. The moment your system interacts with an external component—a database, a third-party API, a cache—the guarantee becomes far more complex. The boundary between your service's transactional database and the Kafka broker is the most common point of failure.

For most production applications, the default delivery guarantee is at-least-once. This is a pragmatic choice, prioritizing data durability over the risk of duplicates. However, it transfers the responsibility of handling those potential duplicates to the consumer. A naive consumer that re-processes the same event will introduce data corruption, incorrect financial calculations, or phantom notifications.

Consider the classic failure modes at the producer-database boundary:

  • DB Commit Succeeds, Kafka Publish Fails: Your service writes to its database, but a network partition or broker unavailability prevents the corresponding event from being published. The state of the system has changed, but the outside world is never notified. This is a silent data loss.
  • Kafka Publish Succeeds, DB Commit Fails: The event is sent to Kafka, but the local database transaction is rolled back due to a constraint violation or deadlock. Downstream services will react to an event that represents a state that never actually existed. This creates phantom data and system inconsistency.

    • On the consumer side, the race condition is just as perilous:

  • Process, Commit Offset, Crash: The consumer processes a message (e.g., updates its local database), the Kafka client auto-commits the offset, but the service crashes before its own database transaction is committed. The message is lost forever from the consumer's perspective.
  • Process, Commit DB, Crash: The consumer processes the message and commits its database transaction, but crashes before the Kafka offset is committed. Upon restart, the same message is redelivered, leading to duplicate processing.

    • This article presents a robust, battle-tested architectural pattern to solve these problems end-to-end: combining the Transactional Outbox pattern for reliable event publishing with a stateful Idempotent Consumer design. We will also tackle the often-overlooked challenge of propagating DELETE operations using Tombstone Records.

    Part 1: The Transactional Outbox for Atomic State & Event Publishing

    The core principle of the Transactional Outbox pattern is to persist the event to be published within the same atomic database transaction as the business state change. This leverages the ACID guarantees of your local database to ensure that either both the state change and the event are saved, or neither is.

    Architecture Overview

  • Service Logic: An application service (e.g., OrderService) performs a business operation.
  • Single Transaction: Within a single database transaction, the service:

    • * Writes/updates the business entity (e.g., the orders table).

    * Inserts a record representing the event into an outbox table.

  • Commit: The transaction is committed. Now, the state change and the intent to publish an event are durably stored together.
  • Event Relay: An asynchronous process monitors the outbox table, reads new event records, publishes them to Kafka, and marks them as published.

    • Polling the outbox table is a viable but inefficient approach. A far more scalable and low-latency solution is to use Change Data Capture (CDC) with a tool like Debezium. Debezium tails the database's transaction log (e.g., PostgreSQL's WAL), capturing committed changes in real-time and streaming them to Kafka.

    Implementation Deep Dive: Spring Boot, JPA, and PostgreSQL

    Let's model a User service. When a new user is created, we want to reliably publish a UserCreated event.

    1. Database Schema

    First, define the users and outbox tables. The outbox table is the critical piece.

    sql
    -- Main business table
CREATE TABLE users (
    id UUID PRIMARY KEY,
    email VARCHAR(255) NOT NULL UNIQUE,
    full_name VARCHAR(255) NOT NULL,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

-- The Outbox table
CREATE TABLE outbox (
    id UUID PRIMARY KEY,
    aggregate_type VARCHAR(255) NOT NULL, -- e.g., 'User'
    aggregate_id VARCHAR(255) NOT NULL, -- e.g., the user's ID
    event_type VARCHAR(255) NOT NULL,   -- e.g., 'UserCreated'
    payload JSONB NOT NULL,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

    * aggregate_type and aggregate_id: These identify the source entity, crucial for consumers and for partitioning in Kafka.

    * event_type: Allows consumers to route events to the correct handler.

    * payload: The actual event data, stored as JSONB for flexibility and queryability.

    2. Service and Repository Logic

    Now, let's implement the service layer in Java with Spring Data JPA. The key is that createUser is annotated with @Transactional, ensuring both repository calls happen within the same transaction.

    java
    // UserService.java
@Service
@RequiredArgsConstructor
public class UserService {

    private final UserRepository userRepository;
    private final OutboxRepository outboxRepository;
    private final ObjectMapper objectMapper; // Jackson ObjectMapper

    @Transactional
    public User createUser(String email, String fullName) {
        // 1. Create and save the business entity
        User user = new User();
        user.setId(UUID.randomUUID());
        user.setEmail(email);
        user.setFullName(fullName);
        User savedUser = userRepository.save(user);

        // 2. Create and save the outbox event within the same transaction
        UserCreatedEvent eventPayload = new UserCreatedEvent(
            savedUser.getId(),
            savedUser.getEmail(),
            savedUser.getFullName()
        );

        OutboxEvent outboxEvent = new OutboxEvent();
        outboxEvent.setId(UUID.randomUUID());
        outboxEvent.setAggregateType("User");
        outboxEvent.setAggregateId(savedUser.getId().toString());
        outboxEvent.setEventType("UserCreated");
        try {
            outboxEvent.setPayload(objectMapper.writeValueAsString(eventPayload));
        } catch (JsonProcessingException e) {
            throw new RuntimeException("Failed to serialize event payload", e);
        }
        outboxRepository.save(outboxEvent);

        return savedUser;
    }
}

// Simplified JPA entities and repositories for brevity
@Entity @Table(name = "users")
// ... User entity fields ...

@Entity @Table(name = "outbox")
// ... OutboxEvent entity fields ...

interface UserRepository extends JpaRepository<User, UUID> {}
interface OutboxRepository extends JpaRepository<OutboxEvent, UUID> {}

    If the userRepository.save() succeeds but outboxRepository.save() fails (e.g., due to a DB constraint), the entire transaction is rolled back. The user is not created, and no event is persisted. If both succeed, they are committed atomically. We have now solved the reliable publishing problem.

    3. Configuring Debezium for CDC

    Now, we set up Debezium to stream changes from our outbox table to a Kafka topic. This involves deploying a Debezium Kafka Connector.

    Here is a sample connector configuration JSON for the Debezium PostgreSQL connector:

    json
    {
  "name": "user-outbox-connector",
  "config": {
    "connector.class": "io.debezium.connector.postgresql.PostgresConnector",
    "database.hostname": "postgres",
    "database.port": "5432",
    "database.user": "postgres",
    "database.password": "postgres",
    "database.dbname": "user_service_db",
    "database.server.name": "user_service_server",
    "table.include.list": "public.outbox",
    "tombstones.on.delete": "false",

    "transforms": "outboxEventRouter",
    "transforms.outboxEventRouter.type": "io.debezium.transforms.outbox.EventRouter",
    "transforms.outboxEventRouter.route.by.field": "aggregate_type",
    "transforms.outboxEventRouter.table.field.event.key": "aggregate_id",
    "transforms.outboxEventRouter.route.topic.replacement": "${routedByValue}.events",

    "key.converter": "org.apache.kafka.connect.storage.StringConverter",
    "value.converter": "org.apache.kafka.connect.json.JsonConverter",
    "value.converter.schemas.enable": "false"
  }
}

    The most powerful part here is Debezium's EventRouter Single Message Transform (SMT). Let's break it down:

    * transforms.outboxEventRouter.type: Specifies the SMT that reshapes the raw CDC event from the outbox table into a clean business event.

    * route.by.field: We tell it to use the aggregate_type column (User) to determine the destination topic.

    * route.topic.replacement: This is a template. ${routedByValue}.events will resolve to User.events. This dynamically routes events to topics based on your domain aggregates.

    * table.field.event.key: We use the aggregate_id column as the Kafka message key. This is critical for partitioning, ensuring all events for the same user go to the same partition, preserving order.

    The SMT will also automatically extract the payload field and make it the value of the Kafka message. What lands in the User.events topic is not the raw outbox row, but a clean event: a key (the user UUID) and a value (the JSON payload).

    Part 2: Engineering the Idempotent Consumer

    With reliable publishing solved, we now face the at-least-once delivery from Kafka. Our consumer must be able to receive the same message multiple times without adverse side effects.

    The strategy is to track the IDs of messages we have already successfully processed.

    Architecture Overview

  • Unique Message ID: Our outbox event already has a unique primary key (id UUID). This will serve as our idempotency key.
  • Processed Message Store: The consumer maintains a database table, processed_messages, to store the IDs of events it has handled.
  • Transactional Processing: When a consumer receives a message:

    • * It starts a new database transaction.

    * It checks if the message's unique ID exists in processed_messages.

    * If it exists: The message is a duplicate. The consumer does nothing further with it. It simply acknowledges the message to Kafka (commits the offset) and moves on.

    * If it does not exist: The consumer executes its business logic (e.g., creating a read model, sending a notification) and inserts the message ID into the processed_messages table. Both actions happen inside the same transaction.

  • Commit DB, then Commit Offset: If the database transaction commits successfully, the consumer then manually commits the offset to Kafka. We must disable auto-commit for this pattern to work.

    • Implementation Deep Dive: Notification Service Consumer

    Let's build a NotificationService that consumes UserCreated events and sends a welcome email.

    1. Database Schema

    This service needs its own table to track processed messages.

    sql
    CREATE TABLE processed_messages (
    event_id UUID PRIMARY KEY,
    processed_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

    * event_id: This will store the id from the outbox table, which Debezium conveniently places in the Kafka message headers or payload metadata.

    2. Kafka Consumer Configuration

    We must configure our Spring Kafka consumer for manual offset commits.

    yaml
    # application.yml
spring:
  kafka:
    consumer:
      group-id: notification-service
      bootstrap-servers: kafka:9092
      auto-offset-reset: earliest
      enable-auto-commit: false # CRITICAL: Disable auto-commit
    listener:
      ack-mode: manual_immediate # CRITICAL: We will acknowledge manually

    3. Consumer and Idempotency Logic

    The NotificationConsumer ties everything together.

    java
    // NotificationConsumer.java
@Component
@RequiredArgsConstructor
@Slf4j
public class NotificationConsumer {

    private final IdempotencyService idempotencyService;
    private final NotificationService notificationService;
    private final ObjectMapper objectMapper;

    // Debezium's EventRouter SMT places the original outbox row's fields in the payload.
    // We need a DTO to deserialize this structure.
    @JsonIgnoreProperties(ignoreUnknown = true)
    private record DebeziumOutboxEvent(UUID id, String payload) {}

    @KafkaListener(topics = "User.events")
    public void handleUserEvent(String message, Acknowledgment ack) {
        try {
            DebeziumOutboxEvent event = objectMapper.readValue(message, DebeziumOutboxEvent.class);
            UUID eventId = event.id();

            // The core idempotency and processing logic
            idempotencyService.process(eventId, () -> {
                try {
                    UserCreatedEvent userPayload = objectMapper.readValue(event.payload(), UserCreatedEvent.class);
                    notificationService.sendWelcomeEmail(userPayload.email(), userPayload.fullName());
                } catch (JsonProcessingException e) {
                    // This is a poison pill - non-recoverable deserialization error
                    log.error("Failed to deserialize user event payload for eventId: {}", eventId, e);
                    // Depending on strategy, could move to DLQ here.
                    // For now, we log and acknowledge to prevent infinite retries.
                }
            });

            // 4. Acknowledge message only after successful DB transaction
            ack.acknowledge();
            log.info("Successfully processed and acknowledged eventId: {}", eventId);

        } catch (JsonProcessingException e) {
            log.error("Failed to deserialize outer Debezium event", e);
            ack.acknowledge(); // Acknowledge poison pill
        } catch (Exception e) {
            // For transient errors (e.g., downstream service unavailable), an exception will be thrown.
            // The ack.acknowledge() is not called, so Kafka will redeliver the message.
            log.error("Transient error processing event. Will be retried.", e);
            // Do NOT acknowledge. Let the container handle the retry.
        }
    }
}

// IdempotencyService.java
@Service
@RequiredArgsConstructor
public class IdempotencyService {

    private final ProcessedMessageRepository processedMessageRepository;
    private final TransactionTemplate transactionTemplate; // Spring's programmatic transaction manager

    public void process(UUID eventId, Runnable businessLogic) {
        transactionTemplate.execute(status -> {
            // 1. Check if event is already processed
            if (processedMessageRepository.existsById(eventId)) {
                log.info("Event with id {} is a duplicate, skipping.", eventId);
                return null; // Exit transaction
            }

            // 2. Execute business logic
            businessLogic.run();

            // 3. Mark event as processed
            ProcessedMessage processedMessage = new ProcessedMessage();
            processedMessage.setEventId(eventId);
            processedMessageRepository.save(processedMessage);
            log.debug("Marked event {} as processed.", eventId);

            return null;
        });
    }
}

// NotificationService.java
@Service
@Slf4j
public class NotificationService {
    public void sendWelcomeEmail(String email, String name) {
        // Dummy implementation of sending an email
        log.info("Sending welcome email to {} ({})", name, email);
        // In a real system, this could involve an API call to an email provider.
        // If this call fails, an exception should be thrown to trigger a retry.
    }
}

    Analysis of the Failure Mode:

    Imagine the IdempotencyService.process method runs. The business logic (sendWelcomeEmail) completes, and the processedMessageRepository.save() call succeeds. The database transaction is committed. At this exact moment, the service crashes before ack.acknowledge() is called.

    Upon restart, Kafka redelivers the same message. The handleUserEvent method is called again with the same eventId. This time, when idempotencyService.process runs, the check processedMessageRepository.existsById(eventId) returns true. The method logs a duplicate and returns immediately. The businessLogic lambda is never executed. The ack.acknowledge() is then called, and processing continues safely. We have achieved idempotent processing.

    Part 3: Propagating Deletes with Tombstone Records

    How do we handle a DELETE in the source system? If a user is deleted, we need downstream consumers like the NotificationService (which might have its own local cache of user data) to be aware of this.

    A DELETE from the users table does not create an entry in our outbox. The solution is to treat deletion as another type of event: a Tombstone.

    In Kafka, a tombstone is a message with a valid key but a null value. For topics with log compaction enabled, tombstones are a signal for Kafka to eventually remove all previous messages with that key.

    Implementation Strategy

  • Modify the Delete Operation: Instead of a hard DELETE FROM users, the UserService will now perform two actions in a single transaction:

    • * DELETE FROM users WHERE id = ?

    * INSERT INTO outbox (..., payload) VALUES (..., NULL)

  • Configure Debezium: We need to ensure Debezium propagates this NULL payload to Kafka.
  • Update the Consumer: The consumer logic must be updated to recognize a message with a null payload as a delete instruction.

    • 1. Updated `UserService`

    java
    // UserService.java
@Transactional
public void deleteUser(UUID userId) {
    User user = userRepository.findById(userId)
            .orElseThrow(() -> new UserNotFoundException("User not found"));

    // 1. Create and save the tombstone event in the outbox
    OutboxEvent outboxEvent = new OutboxEvent();
    outboxEvent.setId(UUID.randomUUID());
    outboxEvent.setAggregateType("User");
    outboxEvent.setAggregateId(user.getId().toString());
    outboxEvent.setEventType("UserDeleted");
    outboxEvent.setPayload(null); // The tombstone!
    outboxRepository.save(outboxEvent);

    // 2. Delete the actual business entity
    userRepository.delete(user);
}

    Both the outbox insert and the user delete happen in one atomic transaction.

    2. Consumer Logic for Tombstones

    The consumer needs to handle the possibility of a null value. Kafka Listeners in Spring can be configured to receive the raw ConsumerRecord.

    java
    // NotificationConsumer.java
@KafkaListener(topics = "User.events")
public void handleUserEvent(ConsumerRecord<String, String> record, Acknowledgment ack) {
    // Note: The value can be null for a tombstone record
    String value = record.value();
    String key = record.key();

    if (value == null) {
        // This is a tombstone record
        log.info("Received tombstone for user key: {}. Handling deletion.", key);
        notificationService.handleUserDeletion(UUID.fromString(key));
        // We still need idempotency for deletes!
        // A header could carry the event ID, or we could derive it.
        // For simplicity, we assume the delete logic itself is idempotent.
        ack.acknowledge();
        return;
    }

    // ... existing logic for non-null messages ...
}

// NotificationService.java
public void handleUserDeletion(UUID userId) {
    // e.g., Invalidate a local cache, delete user projection, etc.
    log.info("Deactivating notifications and clearing data for deleted user {}", userId);
}

    This completes the lifecycle. We can now reliably create, update (by publishing another event), and delete entities, with all changes correctly propagated and processed idempotently by downstream services.

    Advanced Production Considerations & Edge Cases

    * Outbox and Processed Messages Table Growth: These tables will grow indefinitely. A periodic cleanup job is essential. For the outbox table, you can delete records after they have been successfully relayed (Debezium provides mechanisms for this, or a simple time-based cleanup works). For the processed_messages table, you can delete records older than your Kafka topic's message retention period plus a safety margin. If a message can't be redelivered, you don't need to track its ID anymore.

    * Poison Pill Messages: What if a message is malformed and causes the consumer to crash repeatedly? Our current try-catch block for deserialization is a basic form of handling. A robust solution involves a Dead Letter Queue (DLQ) pattern. After a few failed retries, the problematic message is published to a separate DLQ topic for manual inspection, allowing the main consumer to proceed.

    * Idempotency Store Performance: For extremely high-throughput systems, the write contention on the processed_messages table in your relational database could become a bottleneck. In such scenarios, you might consider using an external, high-performance key-value store like Redis for idempotency checks. However, this comes at a cost: you lose the ability to atomically commit the business logic update and the idempotency key insertion in a single transaction. This requires a more complex two-phase commit or sagas-like pattern to manage, increasing system complexity.

    * Debezium Connector Availability: The Debezium connector is a critical piece of infrastructure. If it goes down, events will queue up in the database WAL. When it comes back online, it will resume from where it left off, ensuring no data loss. It's crucial to monitor its health and have operational procedures for managing it.

    Conclusion

    By combining the Transactional Outbox pattern with Change Data Capture and building stateful, idempotent consumers, we can architect highly resilient and consistent event-driven microservices. This approach moves beyond the theoretical promise of "exactly-once" and provides a pragmatic, database-agnostic framework for achieving the same effective outcome in the real world.

    The end-to-end flow—DB Transaction -> Outbox Table -> Debezium CDC -> Kafka -> Idempotent Consumer -> DB Transaction + Offset Commit—creates a durable, auditable, and fault-tolerant chain. It correctly handles process crashes, network partitions, and message redeliveries, ensuring that your system's state remains consistent and your business logic is executed precisely once, every time.

    Found this article helpful?

    Share it with others who might benefit from it.

    More Articles