Tech Stack
Tok is a Kotlin-native backend built for reliability and financial-grade security.
Core Stack

| Layer | Technology | Notes |
|---|---|---|
| Language | Kotlin | JVM-based, coroutine-native |
| HTTP Framework | Ktor | Kotlin-idiomatic, coroutines-native routing |
| Dependency Injection | Koin | Lightweight, Kotlin-first DI |
| Database | PostgreSQL | Primary data store |
| ORM | Exposed (Kotlin SQL framework) | Type-safe SQL DSL |
| Connection Pooling | HikariCP | High-performance JDBC pool |
| DB Migrations | Flyway | Version-controlled schema migrations |
| Job Scheduling | Quartz Scheduler + coroutines | Bank sync scheduling |
| Serialization | kotlinx.serialization | Native Kotlin JSON |
| Build | Gradle (Kotlin DSL) | Multi-module project |

Security & Encryption

| Concern | Technology |
|---|---|
| Token encryption | AES-256-GCM |
| Key management | GCP Cloud KMS (HSM-backed) |
| PSD2 mTLS (QWAC) | DigiCert or GlobalSign certificate |
| CSRF protection | Cryptographic random state parameter per consent |
| Secret storage | GCP Secret Manager |

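The "cryptographic random state parameter per consent" row is easy to get subtly wrong: the state has to be unpredictable, tied to exactly one consent, accepted once, and compared in constant time. The following is an added Kotlin example (not Tok's own code) showing those four properties with only the JDK. The in-memory ConsentStateStore and the ten-minute TTL are assumptions; in the real service the state would live on the consent record in PostgreSQL.

```kotlin
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Base64
import java.util.concurrent.ConcurrentHashMap

/**
 * Constructed in-memory store for pending OAuth `state` values, keyed by consent.
 * Assumption: one outstanding authorisation per consent at a time.
 */
class ConsentStateStore(
    private val ttlMillis: Long = 10 * 60 * 1000,              // assumed 10-minute window
    private val clock: () -> Long = System::currentTimeMillis,  // injectable for tests
) {
    private class Entry(val state: String, val issuedAt: Long)

    private val rng = SecureRandom()
    private val pending = ConcurrentHashMap<String, Entry>()

    /** Issue a fresh 256-bit, URL-safe state for this consent; any earlier state is superseded. */
    fun issue(consentId: String): String {
        val bytes = ByteArray(32).also { rng.nextBytes(it) }
        val state = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes)
        pending[consentId] = Entry(state, clock())
        return state
    }

    /**
     * Called on the OAuth redirect back from the bank. The entry is removed before it is
     * checked, so a state is single-use and a wrong guess also burns it: the consent flow
     * must be restarted rather than retried.
     */
    fun verifyAndConsume(consentId: String, presented: String): Boolean {
        val entry = pending.remove(consentId) ?: return false          // unknown or already used
        if (clock() - entry.issuedAt > ttlMillis) return false          // expired
        // Constant-time comparison: no early exit on the first differing byte.
        return MessageDigest.isEqual(entry.state.toByteArray(), presented.toByteArray())
    }
}

fun main() {
    var now = 0L
    val store = ConsentStateStore(clock = { now })

    val state = store.issue("consent-123")
    check(store.verifyAndConsume("consent-123", state))          // first use succeeds
    check(!store.verifyAndConsume("consent-123", state))         // replay fails

    val second = store.issue("consent-123")
    check(!store.verifyAndConsume("consent-123", "not-the-state")) // wrong value fails...
    check(!store.verifyAndConsume("consent-123", second))          // ...and burns the entry

    val third = store.issue("consent-123")
    now += 11 * 60 * 1000                                          // past the assumed TTL
    check(!store.verifyAndConsume("consent-123", third))           // expired fails

    println("state checks passed")
}
```

The state is keyed by consent rather than looked up by value, so the callback handler must know which consent it is completing (for example from the redirect URI or session) before it compares anything; looking entries up by the attacker-supplied value would reintroduce the timing and enumeration problems the constant-time compare is there to avoid.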
Token encryption flow:
1. Receive OAuth token from bank API
2. Call GCP Cloud KMS generateDataKey (DEK + encrypted DEK)
3. Encrypt token with DEK (AES-256-GCM, random IV)
4. Store: encrypted_dek + iv + ciphertext in PostgreSQL
5. DEK discarded from memory after use
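The five steps above, as an added Kotlin example using only javax.crypto; this is not Tok's own code. The DataKeyProvider interface and the LocalKeyProvider class are assumptions standing in for the Cloud KMS generateDataKey and decrypt calls (an in-process RFC 3394 key wrap replaces the HSM so the example runs offline), and binding the consent id into the GCM additional authenticated data is an added design choice the page does not describe.

```kotlin
import java.security.SecureRandom
import javax.crypto.AEADBadTagException
import javax.crypto.Cipher
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec

/** Step 4's stored record: encrypted DEK + IV + ciphertext. */
class EncryptedToken(val encryptedDek: ByteArray, val iv: ByteArray, val ciphertext: ByteArray)

/** Hypothetical abstraction over the KMS generateDataKey / decrypt calls. */
interface DataKeyProvider {
    fun generateDataKey(): Pair<ByteArray, ByteArray>   // (plaintext DEK, encrypted DEK)
    fun decryptDataKey(encryptedDek: ByteArray): ByteArray
}

/**
 * Constructed stand-in for Cloud KMS: wraps each DEK with an in-process AES key
 * (RFC 3394 "AESWrap"). In production the key-encryption key stays in the HSM;
 * this class exists only so the flow can be run locally.
 */
class LocalKeyProvider : DataKeyProvider {
    private val rng = SecureRandom()
    private val kek: SecretKey = SecretKeySpec(ByteArray(32).also { rng.nextBytes(it) }, "AES")

    override fun generateDataKey(): Pair<ByteArray, ByteArray> {
        val dek = ByteArray(32).also { rng.nextBytes(it) }   // fresh 256-bit DEK per token
        val wrap = Cipher.getInstance("AESWrap")
        wrap.init(Cipher.WRAP_MODE, kek)
        return dek to wrap.wrap(SecretKeySpec(dek, "AES"))
    }

    override fun decryptDataKey(encryptedDek: ByteArray): ByteArray {
        val unwrap = Cipher.getInstance("AESWrap")
        unwrap.init(Cipher.UNWRAP_MODE, kek)
        return (unwrap.unwrap(encryptedDek, "AES", Cipher.SECRET_KEY) as SecretKey).encoded
    }
}

object TokenVault {
    private const val IV_BYTES = 12   // 96-bit IV, the size GCM is specified for
    private const val TAG_BITS = 128
    private val rng = SecureRandom()

    /** Steps 2-5: obtain a DEK, encrypt under AES-256-GCM with a random IV, wipe the DEK. */
    fun encrypt(token: String, kms: DataKeyProvider, consentId: String): EncryptedToken {
        val (dek, encryptedDek) = kms.generateDataKey()
        try {
            val iv = ByteArray(IV_BYTES).also { rng.nextBytes(it) }
            val cipher = Cipher.getInstance("AES/GCM/NoPadding")
            cipher.init(Cipher.ENCRYPT_MODE, SecretKeySpec(dek, "AES"), GCMParameterSpec(TAG_BITS, iv))
            // Assumption: bind the record to its consent so a ciphertext cannot be
            // moved between consents without failing the GCM tag check.
            cipher.updateAAD(consentId.toByteArray(Charsets.UTF_8))
            val ciphertext = cipher.doFinal(token.toByteArray(Charsets.UTF_8))
            return EncryptedToken(encryptedDek, iv, ciphertext)
        } finally {
            dek.fill(0)   // step 5: the plaintext DEK does not outlive this call
        }
    }

    fun decrypt(record: EncryptedToken, kms: DataKeyProvider, consentId: String): String {
        val dek = kms.decryptDataKey(record.encryptedDek)
        try {
            val cipher = Cipher.getInstance("AES/GCM/NoPadding")
            cipher.init(Cipher.DECRYPT_MODE, SecretKeySpec(dek, "AES"), GCMParameterSpec(TAG_BITS, record.iv))
            cipher.updateAAD(consentId.toByteArray(Charsets.UTF_8))
            return String(cipher.doFinal(record.ciphertext), Charsets.UTF_8)
        } finally {
            dek.fill(0)
        }
    }
}

fun main() {
    val kms = LocalKeyProvider()
    val token = "constructed-sample-access-token"
    val record = TokenVault.encrypt(token, kms, "consent-123")
    check(TokenVault.decrypt(record, kms, "consent-123") == token)

    // Flip one ciphertext bit: GCM rejects the record instead of returning garbage.
    val damaged = record.ciphertext.clone().also { it[0] = (it[0].toInt() xor 1).toByte() }
    try {
        TokenVault.decrypt(EncryptedToken(record.encryptedDek, record.iv, damaged), kms, "consent-123")
        error("tampered ciphertext was accepted")
    } catch (e: AEADBadTagException) {
        println("tamper detected")
    }
    // Same record presented under another consent fails the AAD check the same way.
    try {
        TokenVault.decrypt(record, kms, "consent-999")
        error("record accepted under the wrong consent")
    } catch (e: AEADBadTagException) {
        println("consent binding enforced")
    }
    println("round trip ok")
}
```

Two details matter for the stored format: the IV must be fresh per encryption under a given DEK (here each token gets its own DEK as well, so IV reuse is doubly avoided), and the encrypted DEK is what makes key rotation in KMS possible without re-encrypting the token column, since only the wrapping changes.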
QWAC private key is stored in GCP Cloud KMS HSM — never extracted to filesystem.
Testing
Cloud Infrastructure — GCP

| Service | Purpose |
|---|---|
| Cloud Run | API server deployment (serverless containers) |
| Cloud SQL | Managed PostgreSQL |
| Cloud KMS | HSM-backed key management for OAuth tokens |
| Secret Manager | QWAC certs, API credentials |

Data residency: europe-north1 (Finland) — covers EU/GDPR requirements for Croatian data, and PDPL-equivalent requirements for Serbian data.
API Design

| Aspect | Choice |
|---|---|
| Style | REST + OpenAPI 3.1 |
| Auth | API keys (server-to-server) + OAuth2 (PSD2 consent flows) |
| Multi-tenant | Organisation-scoped: each client = one organisation |
| Rate limiting | Per-organisation, tiered: Free / Pro / Enterprise |

Core endpoints:
GET /accounts — list bank accounts
GET /transactions — fetch transactions (with date range filters)
POST /consents — initiate PSD2 consent flow
POST /payments — initiate payment (PISP — Phase 2)
Project Structure
Tok/
├── api/ # Ktor API server (Gradle module)
│ └── src/
│ ├── main/kotlin/io/tokapi/
│ │ ├── Application.kt # Ktor entry point
│ │ ├── adapters/ # BerlinGroupAdapter, BilateralAdapter
│ │ ├── consent/ # PSD2 consent management
│ │ ├── routes/ # Ktor routing
│ │ ├── services/ # Business logic
│ │ ├── models/ # Domain models + Exposed tables
│ │ └── plugins/ # Auth, rate-limit, logging, serialization
│ └── test/kotlin/io/tokapi/
├── sdk-kotlin/ # Kotlin client SDK (for Bilko, Drop)
├── sdk-node/ # Node.js client SDK (for third parties)
├── shared/ # Shared domain types
├── docs/ # Documentation
├── infrastructure/
│ ├── docker-compose.yml
│ └── terraform/ # GCP infrastructure as code
├── design/figma/
├── build.gradle.kts # Root Gradle build
├── settings.gradle.kts # Multi-module config
└── Dockerfile
SDKs

| SDK | Language | Package |
|---|---|---|
| sdk-kotlin/ | Kotlin | io.tokapi:sdk-kotlin |
| sdk-node/ | TypeScript | @tokapi/sdk |
| packages/sdk-python/ | Python 3.10+ | tokapi-sdk |