Back to Resources

Orchestrating Sagas with Temporal for Fault-Tolerant Microservices

15 min read
Goh Ling Yong
Technology enthusiast and software architect specializing in AI-driven development tools and modern software engineering practices. Passionate about the intersection of artificial intelligence and human creativity in building tomorrow's digital solutions.

The Inevitable Complexity of Distributed State

In a microservices architecture, the promise of independent deployment and scalability comes with a steep price: the loss of ACID transactions. The classic two-phase commit (2PC) protocol, a staple of monolithic systems, is a notorious anti-pattern in distributed environments due to its synchronous, blocking nature and susceptibility to single points of failure. It creates tight coupling and fragility, the very things microservices aim to avoid.

Enter the Saga pattern. A saga is a sequence of local transactions where each transaction updates data within a single service. If a local transaction fails, the saga executes a series of compensating transactions to semantically undo the preceding successful transactions. This ensures data consistency across services without distributed locks.

Sagas are typically implemented in two styles:

  • Choreography: Services publish events to a message bus. Other services subscribe to these events and perform their local transactions. This is decentralized but becomes a debugging nightmare for complex sagas. Tracking the state of a business process involves correlating events across multiple services, and error handling logic is scattered, often leading to cyclic dependencies and inconsistent states.
  • Orchestration: A central orchestrator (the workflow) explicitly tells services what to do. It calls services, waits for responses, and triggers compensations upon failure. This centralizes the business logic, making it easier to understand, debug, and modify.

    • While orchestration is conceptually simpler, building a truly fault-tolerant orchestrator is non-trivial. A naive implementation using a database state machine or a stateless orchestrator can suffer from failures of the orchestrator itself. This is precisely the problem Temporal is designed to solve.

    Why Temporal Redefines Saga Orchestration

    Temporal isn't just another workflow engine; it's a durable execution platform. A Temporal Workflow's state, including local variables, call stack, and threads, is persisted and automatically recovered after any process failure. This means your workflow code is written as a single, straightforward function that can run for seconds, days, or even years, impervious to worker crashes or network partitions.

    For Saga orchestration, this provides several critical advantages over traditional approaches:

    * Durable State Management: The entire saga state is managed by the Temporal cluster. You don't need to build custom database tables to track which stage of a saga a particular transaction is in. The workflow's execution history is the single source of truth.

    * Built-in Retries and Timeouts: Temporal Activities (the units of work that interact with external services) have configurable, exponential backoff retries and multiple timeout settings (start-to-close, schedule-to-close, heartbeat). This handles transient failures gracefully without complex application-level logic.

    * Simplified Compensation Logic: You can use standard programming language constructs like try...catch...finally or defer to manage compensations. The logic is co-located with the main business flow, making it incredibly readable and maintainable.

    * Visibility and Debugging: The entire execution history of every saga instance is queryable and replayable, providing unparalleled insight into failures and their root causes.

    Let's move from theory to a production-grade implementation.

    Production-Grade Implementation: A Trip Booking Saga

    Consider a complex trip booking process: a user wants to book a flight, a hotel, and a rental car, and then pay for it all. This involves four distinct microservices: Flight, Hotel, Car, and Payment.

    Our saga will execute these steps sequentially. If any step fails, we must compensate for all previously completed steps.

    * BookFlight -> Compensation: CancelFlight

    * BookHotel -> Compensation: CancelHotel

    * BookCar -> Compensation: CancelCar

    * ProcessPayment -> Compensation: RefundPayment

    We will use the TypeScript SDK for this example.

    Step 1: Defining the Activities

    Activities are the functions that perform the actual work by calling external services. They should be idempotent. Note that we define both the action and its corresponding compensation.

    src/activities.ts

    typescript
    import { Context } from '@temporalio/activity';

// Mock external service clients
const flightService = { book: async (id: string) => ({ reservationId: `flight-${id}` }), cancel: async (id: string) => ({}) };
const hotelService = { book: async (id: string) => ({ reservationId: `hotel-${id}` }), cancel: async (id: string) => ({}) };
const carService = { book: async (id: string) => ({ reservationId: `car-${id}` }), cancel: async (id: string) => ({}) };
const paymentService = { process: async (id: string, amount: number) => ({ transactionId: `payment-${id}` }), refund: async (id: string) => ({}) };

export interface TripBookingActivities {
  bookFlight(bookingId: string): Promise<{ reservationId: string }>;
  cancelFlight(bookingId: string): Promise<void>;
  bookHotel(bookingId: string): Promise<{ reservationId: string }>;
  cancelHotel(bookingId: string): Promise<void>;
  bookCar(bookingId: string): Promise<{ reservationId: string }>;
  cancelCar(bookingId: string): Promise<void>;
  processPayment(bookingId: string, amount: number): Promise<{ transactionId: string }>;
  refundPayment(bookingId: string): Promise<void>;
}

export async function bookFlight(bookingId: string): Promise<{ reservationId: string }> {
  console.log(`Booking flight for ${bookingId}...`);
  // In a real app, this would make an API call
  // Simulating potential failure
  if (Math.random() < 0.1) { // 10% chance of failure
    throw new Error('Flight service unavailable');
  }
  const result = await flightService.book(bookingId);
  Context.current().log.info('Flight booked successfully', { reservationId: result.reservationId });
  return result;
}

export async function cancelFlight(bookingId: string): Promise<void> {
  console.log(`Canceling flight for ${bookingId}...`);
  await flightService.cancel(bookingId);
  Context.current().log.info('Flight canceled successfully');
}

export async function bookHotel(bookingId: string): Promise<{ reservationId: string }> {
  console.log(`Booking hotel for ${bookingId}...`);
  const result = await hotelService.book(bookingId);
  Context.current().log.info('Hotel booked successfully', { reservationId: result.reservationId });
  return result;
}

export async function cancelHotel(bookingId: string): Promise<void> {
  console.log(`Canceling hotel for ${bookingId}...`);
  await hotelService.cancel(bookingId);
  Context.current().log.info('Hotel canceled successfully');
}

export async function bookCar(bookingId: string): Promise<{ reservationId: string }> {
  console.log(`Booking car for ${bookingId}...`);
  const result = await carService.book(bookingId);
  Context.current().log.info('Car booked successfully', { reservationId: result.reservationId });
  return result;
}

export async function cancelCar(bookingId: string): Promise<void> {
  console.log(`Canceling car for ${bookingId}...`);
  await carService.cancel(bookingId);
  Context.current().log.info('Car canceled successfully');
}

export async function processPayment(bookingId: string, amount: number): Promise<{ transactionId: string }> {
  console.log(`Processing payment of ${amount} for ${bookingId}...`);
  // This is a critical step, let's make it more likely to fail to test compensation
  if (Math.random() < 0.5) { // 50% chance of failure
    throw new Error('Payment gateway declined transaction');
  }
  const result = await paymentService.process(bookingId, amount);
  Context.current().log.info('Payment processed successfully', { transactionId: result.transactionId });
  return result;
}

export async function refundPayment(bookingId: string): Promise<void> {
  console.log(`Refunding payment for ${bookingId}...`);
  await paymentService.refund(bookingId);
  Context.current().log.info('Payment refunded successfully');
}

    Step 2: Implementing the Saga Workflow

    This is where the orchestration logic lives. We'll use a Saga helper class to manage the compensation stack, making the workflow code clean and declarative.

    src/workflows.ts

    typescript
    import { proxyActivities, sleep, defineSignal, setHandler, condition } from '@temporalio/workflow';
import type * as activities from './activities';

// Define activity options with retries
const { 
    bookFlight, cancelFlight, 
    bookHotel, cancelHotel,
    bookCar, cancelCar,
    processPayment, refundPayment 
} = proxyActivities<typeof activities>({ 
    startToCloseTimeout: '30s',
    retry: {
        initialInterval: '1s',
        backoffCoefficient: 2,
        maximumInterval: '10s',
        maximumAttempts: 3,
    }
});

// A simple Saga helper for managing compensations
class Saga {
  private compensations: (() => Promise<void>)[] = [];

  addCompensation(fn: () => Promise<void>) {
    this.compensations.push(fn);
  }

  async compensate() {
    for (const compensation of this.compensations.reverse()) {
      try {
        await compensation();
      } catch (e) {
        // In a real-world scenario, you'd want to handle compensation failures.
        // This could involve retries, escalating to a human, or logging for manual intervention.
        console.error('Compensation failed:', e);
      }
    }
  }
}

export interface TripBookingInput {
  bookingId: string;
  userId: string;
  totalAmount: number;
}

export async function tripBookingSaga(input: TripBookingInput): Promise<string> {
  const saga = new Saga();

  try {
    const flightResult = await bookFlight(input.bookingId);
    saga.addCompensation(() => cancelFlight(input.bookingId));

    const hotelResult = await bookHotel(input.bookingId);
    saga.addCompensation(() => cancelHotel(input.bookingId));

    const carResult = await bookCar(input.bookingId);
    saga.addCompensation(() => cancelCar(input.bookingId));

    const paymentResult = await processPayment(input.bookingId, input.totalAmount);
    // No compensation for payment if it's the last step. 
    // If it fails, the saga compensates. If it succeeds, the saga is done.

    return `Trip booked successfully! Confirmation: ${flightResult.reservationId}, ${hotelResult.reservationId}, ${carResult.reservationId}, ${paymentResult.transactionId}`;

  } catch (error) {
    await saga.compensate();
    // Re-throw the error to fail the workflow and signal that the saga was rolled back.
    throw new Error(`Trip booking failed and was compensated: ${error instanceof Error ? error.message : String(error)}`);
  }
}

    This implementation is clean and robust. The try...catch block elegantly separates the main business logic from the failure recovery logic. If any activity throws an error after its retries are exhausted, the catch block triggers saga.compensate(), which executes all registered compensations in reverse order.

    Advanced Patterns and Edge Case Handling

    Senior engineering is about handling the edge cases. A simple saga implementation is good, but production systems require more resilience.

    1. Activity Idempotency

    Problem: Network issues can cause an activity to complete successfully, but the response might not reach the Temporal worker. The worker will then retry the activity, potentially leading to a double booking or double charge.

    Solution: Activities must be designed to be idempotent. The standard pattern is to pass a unique idempotency key from the workflow to the activity. The workflow is deterministic, so the same key will be generated on any replay.

    Let's modify the processPayment activity.

    src/workflows.ts (modified workflow)

    typescript
    // ... imports
import { uuid4 } from '@temporalio/workflow';

// ... inside tripBookingSaga function
// ...
try {
    // ... other bookings

    const idempotencyKey = uuid4(); // Generate a unique key for this specific payment attempt
    const paymentResult = await processPayment(input.bookingId, input.totalAmount, idempotencyKey);
    
    // ...
} catch (error) {
    // ...
}

    src/activities.ts (modified activity)

    typescript
    // Assuming a database client like Prisma
import { PrismaClient } from '@prisma/client';
const prisma = new PrismaClient();

// ...

// The activity signature now accepts the key
export async function processPayment(bookingId: string, amount: number, idempotencyKey: string): Promise<{ transactionId: string }> {
  console.log(`Processing payment for ${bookingId} with idempotency key ${idempotencyKey}...`);

  // 1. Check if this operation has already been completed
  const existingTransaction = await prisma.paymentTransaction.findUnique({
    where: { idempotencyKey },
  });

  if (existingTransaction) {
    Context.current().log.info('Idempotency key already processed, returning existing result.', { transactionId: existingTransaction.transactionId });
    return { transactionId: existingTransaction.transactionId };
  }

  // 2. Perform the actual work
  // This block should be wrapped in a database transaction with the idempotency key check
  // to ensure atomicity.
  let result;
  try {
    result = await paymentService.process(bookingId, amount);

    // 3. Store the result and the idempotency key
    await prisma.paymentTransaction.create({
      data: {
        idempotencyKey,
        bookingId,
        amount,
        transactionId: result.transactionId,
        status: 'COMPLETED',
      },
    });

  } catch (err) {
    // Handle payment gateway errors
    throw err;
  }

  return result;
}

    This pattern guarantees that even if the processPayment activity is executed multiple times, the customer is only charged once.

    2. Non-Compensatable Failures & Human Intervention

    Problem: What happens if a compensation fails? For example, refundPayment repeatedly fails because the payment gateway is down for extended maintenance. The saga is now in an inconsistent state: the trip is canceled, but the customer hasn't been refunded.

    Solution: Implement a human-in-the-loop pattern. If a compensation fails after a set number of retries, the workflow should stop trying and instead signal for human intervention.

    src/workflows.ts (modified Saga class)

    typescript
    import { log, continueAsNew, isCancellation } from '@temporalio/workflow';

// We need to proxy a compensation-specific activity with different retry options
const { refundPayment: refundPaymentWithRetries } = proxyActivities<typeof activities>({ 
    startToCloseTimeout: '5m',
    retry: {
        initialInterval: '10s',
        maximumAttempts: 5, // Fewer, more deliberate retries for compensation
    }
});

class Saga {
  // ...
  async compensate() {
    for (const compensation of this.compensations.reverse()) {
      try {
        await compensation();
      } catch (e) {
        log.error('CRITICAL: Compensation failed after all retries.', { error: e });
        // The workflow is now in a state that requires manual intervention.
        // It will wait indefinitely until a human resolves the issue and signals it.
        // In a real system, you would also emit metrics/alerts here.
        await condition(() => this.manualInterventionSignalReceived);
      }
    }
  }

  // Signal handling for manual intervention
  private manualInterventionSignalReceived = false;
  public readonly manualInterventionSignal = defineSignal('manualIntervention');

  constructor() {
    setHandler(this.manualInterventionSignal, () => {
      this.manualInterventionSignalReceived = true;
    });
  }
}

// ... in the workflow, you would need to instantiate saga and handle the signal

    With this change, if refundPayment fails its 5 retries, the workflow will log a critical error and pause indefinitely at the await condition(...) line. An operations team would see the alert, manually process the refund, and then use the Temporal CLI or API to send the manualIntervention signal to the workflow, allowing it to complete.

    tctl workflow signal --workflow-id --name manualIntervention

    3. Workflow Versioning

    Problem: Your business logic evolves. Six months after launch, you need to add a new step to the saga: sending a confirmation email. If you simply add await sendConfirmationEmail() to your workflow code and deploy it, you will break all in-flight sagas. Temporal's replay-based execution model requires workflow code to be deterministic. The new code path creates a non-determinism for workflows that were started on the old code.

    Solution: Use Temporal's workflow.getVersion() API to safely introduce breaking changes.

    src/workflows.ts (versioned workflow)

    typescript
    import { proxyActivities, getVersion } from '@temporalio/workflow';
//... other imports

const { 
    // ... other activities
    sendConfirmationEmail 
} = proxyActivities<typeof activities>({ startToCloseTimeout: '10s' });

export async function tripBookingSaga(input: TripBookingInput): Promise<string> {
  const saga = new Saga();

  try {
    // ... booking flight, hotel, car, payment
    
    const confirmationMessage = `Trip booked successfully! ...`;

    const version = getVersion('send-confirmation-email-feature', 'initial-version', 1);

    if (version === 1) {
        // New logic: send a confirmation email
        await sendConfirmationEmail(input.userId, confirmationMessage);
    }

    return confirmationMessage;

  } catch (error) {
    // ... compensation logic
    throw new Error(`...`);
  }
}

    When a worker with this new code picks up a workflow that was started before this change, getVersion will return 'initial-version'. The if (version === 1) block will be skipped, maintaining determinism. For any new workflow executions, getVersion will return 1, and the email will be sent. This allows you to evolve complex, long-running business logic without ever having to take the system down or perform complex data migrations on in-flight processes.

    Performance and Scalability Considerations

    * Task Queues and Worker Scaling: Don't run all your activities on a single worker fleet. In our example, processPayment is a high-stakes, high-throughput activity. It should have its own Task Queue and a dedicated pool of workers. The bookFlight activity might call a legacy SOAP API and be very slow; it should be isolated on its own Task Queue so it doesn't block more performant activities. This allows you to scale worker resources independently based on the specific needs of each business function.

    typescript
        // In workflow, when proxying activities:
    const paymentActivities = proxyActivities<typeof activities>({ 
        taskQueue: 'payment-processing-queue',
        // ... other options
    });

    * Payload Size: The entire workflow history, including activity inputs and outputs, is stored in the Temporal cluster. Passing large objects (e.g., a 10MB JSON blob) can degrade performance. The best practice is to pass IDs and have activities fetch the data they need from a database or service. For sensitive data that must be passed, use a custom DataConverter to encrypt it so it's not visible in plaintext in the workflow history.

    * Observability: Use structured logging within your activities and workflows (Context.current().log and workflow.log). These logs are automatically correlated with the specific workflow and activity execution. Integrate Temporal server metrics (e.g., temporal_activity_execution_latency_bucket) with Prometheus and build Grafana dashboards to monitor saga success rates, compensation rates, and activity-level performance.

    Conclusion: Durable Execution is the Future of Complex Workflows

    The Saga pattern is a powerful tool for maintaining data consistency in a distributed system. However, traditional choreography-based implementations often trade one set of problems (distributed locks) for another (lack of visibility, scattered logic, complex error handling).

    By leveraging a durable execution platform like Temporal, you can implement the far more maintainable Orchestration pattern without building a complex, stateful orchestrator yourself. Temporal's primitives—durable state, built-in retries, timeouts, and versioning—provide the foundation needed to build sophisticated, fault-tolerant, and long-running business processes. The code remains remarkably close to the business logic it represents, freeing senior engineers to focus on solving complex domain problems instead of wrestling with the infrastructure of distributed state management.

    Found this article helpful?

    Share it with others who might benefit from it.

    More Articles