Autional logo
Architecture 8 min #Disaster Recovery#High Availability#Backup

When the Identity System Goes Down: Designing a Disaster Recovery Plan

Every “System Operations Manual” has a chapter called “Disaster Recovery (DR).” But teams that take it seriously — conducting regular drills and ensuring the plan can be executed at 3 AM — are rare. The reasons are simple: disasters feel too distant, drills are too much trouble, budgets are too tight. Until one day — a database file is accidentally deleted, a cloud provider’s entire availability zone goes down, or an insufficiently staged rollout corrupts production data — you realize the DR budget you saved for three years will take the next three years of revenue to cover.

The identity system has a special place in disaster recovery: it has the largest blast radius of any infrastructure. If wallet-service goes down, user balances are intact and transactions can wait. But if identity-service goes down, users can’t log in, and every service — wallet, orders, dashboards, notifications — becomes completely unavailable. This isn’t one system’s outage; it’s the entire product ecosystem grinding to a halt.

Starting from Autional’s architecture, this article systematically discusses the disaster scenarios an identity system might face, corresponding recovery strategies, and how architectural design minimizes the blast radius before disaster strikes.

Scenario 1: Database Corruption

Disaster Description

At 2:15 AM, a DBA running a data cleanup script misses a WHERE clause and truncates the users table. Or more commonly: all of PostgreSQL’s WAL (Write-Ahead Log) files are corrupted due to disk failure, and the database won’t start.

Impact

  • All user-related authentication operations fail
  • JWT tokens containing user info may be stale, but since tokens are self-contained, existing tokens remain valid within their expiration (depending on token design)
  • All sessions are invalidated (sessions stored in DB)

Autional Recovery Strategy

Step 1: Point-in-Time Recovery (PITR)

Autional gives each service its own independent PostgreSQL database (authms_identity, authms_session, authms_mfa, etc.), each backed up independently, so recovery doesn’t require rebuilding the entire cluster. Autional backup strategy:

  • Full backup: pg_dump daily at 2:00 AM, retained 30 days
  • Incremental backup: WAL archive every hour, retained 7 days
  • Backup encryption: All backup files encrypted with AES-256
  • Cross-region replication: Backups automatically synced to S3/MinIO in the standby region

Recovering a service: find the most recent full backup → apply WAL logs to the target point-in-time → database is restored. Estimated recovery time: 15-30 minutes (depending on database size).

Step 2: Token Validity Protection

Key design decision: Autional JWT tokens are self-contained — the token encodes user ID, tenant ID, role list, and expiration time. This means:

  • Even if identity-service’s database is corrupted, valid tokens held by users can still be verified by the gateway
  • session-service database corruption won’t force online users to log out
  • Signing keys are stored in independent security modules (env vars or KMS), not lost with database corruption

Step 3: Cache Warming

Going live immediately after database recovery would cause 100% cache misses, and the flood of requests could overwhelm the just-restored database. Autional uses progressive cache warming:

  1. First 5 minutes: traffic gradually released at 20% rate, backend preloads hot data into Redis
  2. 5-15 minutes: traffic ramped to 50%, database load monitored
  3. After 15 minutes: if DB load is normal, ramp to 100%

Scenario 2: Full Regional Outage

Disaster Description

A cloud provider’s availability zone suffers a power system failure, or a fiber optic cable is cut by construction crews. The entire region — including your Kubernetes cluster, databases, and Redis — becomes unreachable.

Impact

  • All services deployed in that region are unavailable
  • If the database is single-region, data is inaccessible
  • DNS may need manual switching to the standby region

Autional Recovery Strategy

Step 1: Database Primary-Standby Switch

Autional Enterprise supports database primary-standby replication:

  • Primary in region A, handling all reads and writes
  • Standby in region B, continuously replicating asynchronously
  • When region A is unavailable, operators perform failover: promote the standby to primary, update the database connection address in service configuration

The problem with asynchronous replication is potentially losing the last few seconds of data. For an identity system, is this acceptable?

  • Newly registered users: worst case, the user needs to re-register. Manageable impact.
  • Password changes: if a user changed their password 3 seconds before the outage and the data wasn’t synced to the standby, the user may need to use the old password. A “forgot password” flow serves as fallback.
  • Audit logs: audit-service stores audit data in MongoDB, written asynchronously via MQ. Unconsumed MQ messages are taken over by new consumers after standby promotion.

Step 2: Fast Stateless Service Rebuild

All Autional business services (identity, profile, session, mfa, etc.) are stateless — they hold no local data, with all state in DB/Redis/MQ. This means restoring services in the standby region requires only:

  1. Start the Kubernetes Deployment (image already exists)
  2. Update DNS to point to the new region’s Gateway
  3. Services read the new region’s DB/Redis/MQ addresses from ConfigMap

Time: 3-5 minutes (excluding DNS propagation time).

Step 3: Asymmetric Cross-Region Design

A full active-active architecture isn’t optimal for identity systems. Reasons:

  • JWT signing keys would need multi-region synchronization, introducing security risk
  • Active-active requires database bidirectional sync (e.g., PostgreSQL logical replication), with exponential complexity
  • Cost doubles, but for a “low-frequency, high-criticality” service like identity, the ROI isn’t there

Autional chooses an active-passive (primary-standby) architecture:

  • Production traffic handled by the primary region
  • Standby region maintains a minimal deployment (single replica + database standby)
  • On failover, the standby region scales to full capacity

This gives an RTO (Recovery Time Objective) of 10-15 minutes and an RPO (Recovery Point Objective) of less than 5 seconds of data loss. For 99.99% of SaaS scenarios, these metrics are sufficient.

Scenario 3: Misconfigured Rollout

Disaster Description

This is a more common disaster than hardware failure. A seemingly harmless config change — like adding an extra space to JWT_SECRET or changing SESSION_TTL from 30m to 30s — is pushed to production. When services reload their configuration, all users are locked out.

Why Misconfigured Rollouts Are Especially Dangerous

  • It bypasses all health checks — JWT_SECRET is wrong, the service still returns 200 OK, but generated tokens are eternally invalid
  • Rollback time is limited by config distribution speed — ConfigMap mounts require all Pods to restart
  • It may not trigger immediately — a wrong SESSION_TTL might go unnoticed for hours, but its impact covers all users
  • No “partial damage” — unlike database failures that may affect only some tables, a wrong JWT_SECRET affects 100% of authentication requests

Autional Recovery Strategy

Step 1: Versioned Config with Fast Rollback

Autional uses YAML files + environment variable override pattern:

  • configs/service/{service}.yaml is Git-managed, every change has a complete diff and commit log
  • Environment variable overrides (e.g., JWT_SECRET) come from .env files or Kubernetes Secrets
  • Rollback = git revert + redeploy

Step 2: Canary Validation

For high-risk config changes (JWT_SECRET, database connection strings, MQ config), Autional recommends canary deployment:

  1. Update 1 Pod first
  2. Wait 5 minutes to observe error rate and health checks
  3. If normal, expand to 25% of Pods
  4. Wait another 10 minutes
  5. Full rollout

But this requires an automated toolchain to execute. Manual kubectl apply makes canary deployment just a wishful thought.

Step 3: Independent Secret Management

JWT_SECRET, database passwords, API Keys and other sensitive information should never be stored alongside regular config. Autional recommends using Kubernetes Secrets or HashiCorp Vault for independent management, injected into Pods via envFrom. Even if regular configuration is accidentally modified, secrets remain unaffected.

How to Minimize Disaster Blast Radius

The ideal disaster recovery strategy reduces the impact before disaster strikes. Autional makes several key architectural decisions:

1. Independent Database Per Service

If profile-service’s database is corrupted, identity-service is unaffected. Users can still log in — they just can’t see avatars and profile data. That’s an acceptable degradation.

2. Graceful Shutdown + DLQ

When a service exits unexpectedly, micro-middleware/app’s graceful shutdown mechanism ensures uncompleted messages are returned to the MQ queue. The Dead Letter Queue (DLQ) mechanism ensures that failed messages aren’t discarded — they’re preserved for manual review or retry.

This is especially critical for audit logs, where compliance requires that “no audit record is ever lost.” Even if audit-service goes down, MQ queue messages are preserved and consumed when the service recovers.

3. Choosing Sync vs Async Correctly

Not all operations need to be synchronous:

  • Synchronous (must wait): password verification, token issuance, permission checks
  • Asynchronous (can be deferred): audit log writes, notification sending, analytics

Autional uses MQ for asynchronous audit log delivery, meaning login flows are unaffected even if audit-service is down. This reduces the blast radius — an audit service failure doesn’t impact login availability.

4. Regular Drills

A disaster recovery plan that isn’t practiced is no plan at all. Autional recommends quarterly DR drills covering:

  • Database recovery from scratch (using the most recent backup)
  • Regional failover (primary → standby)
  • Key rotation (change JWT_SECRET, ensure old tokens still verify)

Problems found during drills are 100x cheaper than problems found in production.

Final Thoughts

Disaster recovery isn’t like buying insurance — where you’re covered once you’ve paid. It’s an engineering practice that requires ongoing investment. Every quarter, ask yourself:

  1. Can the most recent backup be successfully restored? (Not “it should be” — “we verified it in the last drill”)
  2. If the primary database fails right now, how long from backup to recovery?
  3. How many people on the team know the recovery procedure? What if the key person is on vacation?
  4. When was the last DR drill?

If you can’t answer one of these questions, your identity system is unprotected. Disasters won’t happen on your schedule — but you can make the recovery after a disaster happen on yours.

Autional Enterprise includes built-in cross-region deployment support, automated backup policies, and PITR database recovery capabilities. Learn about Enterprise features for more information.

Return to all blog posts