Skip to content

pixels26/mobile-money

Β 
Β 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

1,576 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

Mobile Money ↔ Stellar Bridge

CI codecov License: MIT

A backend service that bridges African mobile money providers (MTN MoMo, Airtel Money, Orange Money) with the Stellar blockchain network β€” enabling low-cost cross-border payments and remittances across Africa and beyond.

🌟 The Problem

Sending money across African borders is expensive and slow. Traditional remittance services charge 7–10% in fees and take hours to days. Meanwhile, 500+ million people across Africa already use mobile money for everyday transactions β€” but mobile money stops at the border.

πŸ’‘ The Solution

This platform connects mobile money wallets to the Stellar blockchain, allowing users to:

  1. Deposit mobile money (XAF) β†’ receive Stellar tokens (XLM, USDC)
  2. Transfer tokens across Stellar's network in ~5 seconds, for fractions of a cent
  3. Withdraw Stellar tokens β†’ receive mobile money in the destination country

The sender and recipient interact with their familiar mobile money apps. Stellar handles the cross-border settlement invisibly.

  πŸ“± MTN MoMo (Cameroon)                           πŸ“± Airtel Money (Kenya)
         β”‚                                                  β–²
         β–Ό                                                  β”‚
  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
  β”‚                    Mobile Money ↔ Stellar Bridge                β”‚
  β”‚                                                                 β”‚
  β”‚   Deposit (XAF β†’ USDC)  ──►  Stellar Network  ──►  Withdraw    β”‚
  β”‚                              (settles in ~5s)                   β”‚
  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Use Cases

  • Remittances β€” Send money home across borders at ~1–2% vs 7–10% with traditional services
  • Cross-border B2B payments β€” Pay suppliers in other African countries without expensive wire transfers
  • Stable savings β€” Convert volatile local currency to USDC via mobile money
  • Merchant payments β€” Accept crypto, settle in local mobile money
  • Developer integrations β€” Build payment apps on top of our REST + GraphQL APIs

πŸš€ Key Features

Core Platform

  • Mobile Money Integration β€” MTN MoMo, Airtel Money, Orange Money with circuit breaker, failover, and batch payouts
  • Stellar Blockchain β€” XLM, USDC, and custom asset support via Stellar SDK + Horizon API
  • Dual API β€” REST (40+ endpoints) and GraphQL (queries, mutations, and real-time subscriptions)
  • Real-time Processing β€” BullMQ job queues with Redis, admin dashboard at /admin/queues
  • WebSocket β€” Live transaction updates with JWT auth, per-user rooms, and Redis pub/sub for horizontal scaling
  • Provider Mock Server β€” Full mock for MTN + Airtel APIs for local development without real credentials

Security & Compliance

  • Multi-tier KYC β€” Tiered identity verification with document upload (S3) and third-party verification (Entrust)
  • AML Monitoring β€” Auto-flagging of suspicious patterns (large transactions, rapid structuring, daily totals)
  • Travel Rule Compliance β€” FATF travel rule data collection for qualifying transactions
  • GDPR / Privacy β€” Data export, deletion, and consent management endpoints
  • Sanctions Screening β€” Automated screening against sanctions lists
  • 2FA (TOTP) β€” Time-based one-time passwords via Speakeasy, required for withdrawals
  • RBAC β€” Role-based access control via Casbin
  • Rate Limiting & Audit Logging β€” Multi-layer rate limiting with full audit trail
  • PII Encryption β€” AES-256-GCM encryption for sensitive data at rest

Financial Engine

  • Dynamic Fee Engine β€” Configurable fee strategies with VIP tiers (25KB+ fee strategy engine)
  • Transaction Limits β€” Provider-specific and KYC-tiered daily limits
  • Vault System β€” Secure fund storage with distributed locking
  • Double-Entry Ledger β€” Internal accounting system with full transaction journal
  • Dispute Management β€” Complete dispute workflow with state machine
  • Monthly Statements β€” Automated PDF statement generation
  • Reconciliation β€” Provider reconciliation workflows

Stellar Protocol (SEP) Support

  • SEP-06 β€” Deposit and Withdrawal API
  • SEP-10 β€” Web Authentication (challenge-response)
  • SEP-12 β€” KYC API (customer CRUD with document upload)
  • SEP-24 β€” Interactive Deposit and Withdrawal (hosted flow)
  • SEP-31 β€” Cross-Border Payments (send-side anchor)

Smart Contracts

  • Escrow Contract β€” Soroban smart contract for escrowed payments (Rust)
  • HTLC Contract β€” Hash Time-Locked Contract for atomic cross-chain swaps (Rust)

Notifications

  • Email β€” SendGrid integration
  • SMS β€” Twilio integration
  • Push Notifications β€” Firebase Cloud Messaging
  • WhatsApp β€” Twilio WhatsApp channel
  • PagerDuty β€” Operational alerting

Developer Tools

  • CLI (momo-cli) β€” Admin tool for auth, status checks, and transaction retries
  • Kotlin SDK β€” Auto-generated from OpenAPI spec
  • Postman Collections β€” Pre-built API collections for testing
  • VS Code Extension β€” Transaction monitor with live WebSocket logs
  • Swagger UI β€” Auto-generated from Zod schemas at /docs (dev mode)

πŸ“‹ Prerequisites

  • Node.js 20+ (LTS)
  • PostgreSQL 16+
  • Redis 7+
  • Docker (optional, recommended for local dev)

πŸ› οΈ Quick Start

1. Clone & Install

git clone https://github.com/sublime247/mobile-money.git
cd mobile-money
npm install

2. Configure Environment

cp .env.example .env

Edit .env with your configuration (see .env.example for all ~470 configuration options):

# Database
DATABASE_URL=postgresql://user:password@localhost:5432/mobilemoney

# Redis
REDIS_URL=redis://localhost:6379

# Stellar
STELLAR_NETWORK=testnet  # or 'mainnet'
STELLAR_HORIZON_URL=https://horizon-testnet.stellar.org
STELLAR_ISSUER_SECRET=S...

# Mobile Money Providers
MTN_API_KEY=your_mtn_api_key
AIRTEL_API_KEY=your_airtel_key
ORANGE_API_KEY=your_orange_key

# Security
JWT_SECRET=your_jwt_secret_min_32_chars
SESSION_SECRET=your_session_secret

# Optional: Notifications
SENDGRID_API_KEY=your_sendgrid_key
TWILIO_ACCOUNT_SID=your_twilio_sid

3. Setup Database

npm run migrate:up
npm run seed  # Optional: development data

4. Run

Development (with provider mocks):

npm run docker:dev   # Starts app + Postgres + Redis + provider mock server

Development (standalone):

npm run dev

Production:

npm run build
npm start

Server starts at http://localhost:3000

πŸ§ͺ Testing

npm test                    # Unit tests (Jest)
npm run test:coverage       # With coverage report
npm run test:watch          # Watch mode
npm run test:e2e            # End-to-end (Playwright)
npm run test:load           # Load testing (k6 / autocannon)
npm run test:mutation       # Mutation testing (Stryker)

Test infrastructure includes:

  • Unit & integration tests across controllers, services, middleware, routes
  • Pact consumer-driven contract tests for provider APIs
  • Playwright end-to-end tests
  • k6 load/stress tests with benchmarking against Go vs Node ingest services
  • Stryker mutation testing
  • Fuzz testing

Coverage reports upload to Codecov on every push to main.

πŸ“š API Documentation

Interactive Docs (Development Only)

Start the dev server and visit:

  • Swagger UI: http://localhost:3000/docs
  • OpenAPI JSON: http://localhost:3000/docs/openapi.json

The API spec is auto-generated from Zod validation schemas at runtime β€” no manual YAML to maintain.

Core Endpoints

# Health
GET  /health                          # Liveness probe
GET  /ready                           # Readiness (DB + Redis)
GET  /health/lb                       # Load balancer health

# Transactions
POST /api/transactions/deposit        # Mobile money β†’ Stellar
POST /api/transactions/withdraw       # Stellar β†’ Mobile money
GET  /api/transactions                # List (paginated, filterable)
GET  /api/transactions/:id            # Transaction details
GET  /api/transactions/:id/invoice    # Download completed transaction invoice
POST /api/transactions/:id/cancel     # Cancel pending transaction
POST /api/transactions/:id/dispute    # Open dispute
POST /api/transactions/bulk           # Bulk operations

# Auth
POST /api/auth/register               # Register
POST /api/auth/login                  # Login (returns JWT)
POST /api/auth/2fa/enable             # Enable TOTP 2FA
POST /oauth/token                     # OAuth2 client credentials

# KYC
POST /api/kyc/submit                  # Submit documents
GET  /api/kyc/status                  # Check verification status

# Vaults
POST /api/vaults                      # Create vault
GET  /api/vaults                      # List vaults
POST /api/vaults/:id/transfer         # Deposit/withdraw funds

# Disputes
GET  /api/disputes                    # List disputes
PUT  /api/disputes/:id                # Update dispute status

# Compliance
GET  /api/v1/compliance/travel-rule   # Travel rule data
GET  /api/gdpr/export                 # GDPR data export
DELETE /api/gdpr/delete               # Right to be forgotten

# Stellar SEP Endpoints
POST /sep10/auth                      # SEP-10 authentication
GET  /sep12/customer                  # SEP-12 KYC
POST /sep24/transactions/deposit/interactive  # SEP-24 deposit
POST /sep31/transactions              # SEP-31 cross-border

# Admin
GET  /api/admin/*                     # Admin dashboard endpoints
GET  /api/stats                       # Transaction statistics
GET  /api/reconciliation              # Provider reconciliation
GET  /metrics                         # Prometheus metrics

GraphQL

POST /graphql

Playground: http://localhost:3000/graphql (dev only)

# Query transactions
query {
  transactions(limit: 10) {
    id
    amount
    status
    provider
  }
}

# Create a deposit
mutation {
  createDeposit(input: {
    amount: "10000"
    phoneNumber: "+237670000000"
    provider: MTN
  }) {
    id
    status
  }
}

# Real-time subscription
subscription {
  transactionUpdated(userId: "user-123") {
    id
    status
    updatedAt
  }
}

Authentication

Most endpoints require JWT:

Authorization: Bearer <token>

Admin operations use API key:

X-API-Key: <key>

πŸ” Security

Transaction Limits

Type Limit Purpose
Minimum 100 XAF Prevent spam
Maximum 1,000,000 XAF Fraud prevention

KYC-Based Daily Limits

Level Daily Limit Requirements
Unverified 10,000 XAF Email only
Basic 100,000 XAF ID + selfie
Full 1,000,000 XAF Proof of address + video

Provider Limits

Provider Min Max
MTN 100 XAF 500,000 XAF
Airtel 100 XAF 1,000,000 XAF
Orange 500 XAF 750,000 XAF

AML Monitoring

Auto-flagging of suspicious transactions:

  • Single transaction > 1,000,000 XAF
  • 24h total > 5,000,000 XAF
  • Rapid structuring (3+ mixed in 15 min)
  • Sanctions list screening on every transaction

πŸ—οΈ Architecture

Tech Stack

Layer Technology
API Server Node.js, TypeScript, Express, Apollo Server (GraphQL)
Database PostgreSQL 16 (primary + read replicas), Redis 7 (cache, sessions, pub/sub)
Blockchain Stellar SDK, Horizon API, Soroban smart contracts (Rust)
Job Processing BullMQ workers, node-cron scheduled jobs
Ingest (High-throughput) Go service (fasthttp) + Node.js service (Fastify), Redis Streams, NATS JetStream
Security Helmet, bcrypt, JWT, Speakeasy (TOTP), Casbin (RBAC), AES-256-GCM (PII)
Monitoring Prometheus, Datadog (dd-trace), Sentry, PagerDuty
Logging Structured JSON β†’ Loki/Grafana (primary), ELK stack (secondary)
Edge Cloudflare Workers (.well-known caching)
Infrastructure Docker, Kubernetes (+ Helm, KEDA), Terraform (AWS)
CI/CD GitHub Actions (lint, test, build, deploy, rollback)

Project Structure

mobile-money/
β”œβ”€β”€ src/
β”‚   β”œβ”€β”€ auth/              # Authentication & authorization
β”‚   β”œβ”€β”€ compliance/        # Travel rule, sanctions
β”‚   β”œβ”€β”€ config/            # Centralized configuration
β”‚   β”œβ”€β”€ constants/         # Error codes, enums
β”‚   β”œβ”€β”€ controllers/       # Request handlers
β”‚   β”œβ”€β”€ crypto/            # Encryption utilities
β”‚   β”œβ”€β”€ graphql/           # Schema, resolvers, subscriptions, APQ cache
β”‚   β”œβ”€β”€ jobs/              # Scheduled & background jobs
β”‚   β”œβ”€β”€ locales/           # i18n translations
β”‚   β”œβ”€β”€ middleware/        # Auth, RBAC, rate limiting, audit, error handling
β”‚   β”œβ”€β”€ models/            # Database models (15 models)
β”‚   β”œβ”€β”€ openapi/           # Auto-generated API docs (Zod β†’ OpenAPI)
β”‚   β”œβ”€β”€ queue/             # BullMQ job queue management
β”‚   β”œβ”€β”€ reports/           # Statement & report generation
β”‚   β”œβ”€β”€ routes/            # API routes (40+ route files, versioned)
β”‚   β”œβ”€β”€ services/          # Business logic (58 service files)
β”‚   β”‚   β”œβ”€β”€ mobilemoney/   # MTN, Airtel, Orange providers + orchestration
β”‚   β”‚   └── stellar/       # Stellar operations, asset management, HSM
β”‚   β”œβ”€β”€ stellar/           # SEP protocol implementations (6, 10, 12, 24, 31)
β”‚   β”œβ”€β”€ types/             # TypeScript type definitions
β”‚   β”œβ”€β”€ utils/             # Helpers & utilities
β”‚   └── websocket/         # WebSocket server (JWT auth, Redis scaling)
β”œβ”€β”€ contracts/             # Soroban smart contracts (Escrow, HTLC)
β”œβ”€β”€ ingest-go/             # High-performance Go callback ingestion
β”œβ”€β”€ ingest-node/           # Node.js baseline for benchmarking
β”œβ”€β”€ workers/               # Cloudflare Workers (edge caching)
β”œβ”€β”€ cli/                   # CLI admin tool (momo-cli)
β”œβ”€β”€ sdk/                   # Auto-generated Kotlin SDK
β”œβ”€β”€ benchmarks/            # k6 load testing suite
β”œβ”€β”€ bridge-starter-node/   # Webhook bridge starter template
β”œβ”€β”€ docs/                  # Extensive documentation (59 docs)
β”œβ”€β”€ docs-portal/           # Docusaurus documentation site
β”œβ”€β”€ extensions/            # VS Code transaction monitor extension
β”œβ”€β”€ postman/               # API testing collections
β”œβ”€β”€ migrations/            # Database migrations (47 migrations)
β”œβ”€β”€ k8s/                   # Kubernetes manifests + Helm chart
β”œβ”€β”€ terraform/             # AWS infrastructure (VPC, ECS, RDS, ElastiCache)
β”œβ”€β”€ elk/                   # ELK stack config (Filebeat, Logstash, Kibana)
β”œβ”€β”€ logging/               # Loki + Grafana + Promtail config
β”œβ”€β”€ scripts/               # Operational scripts (mock server, DB scrub, etc.)
└── tests/                 # Test suites (unit, integration, e2e, pact, fuzz)

πŸ”„ Database

Migrations

47 migration files covering the full schema β€” transactions (partitioned), users, disputes, vaults, ledger (double-entry), webhooks, KYC, AML alerts, compliance documents, fee strategies, and more.

npm run migrate:create -- migration_name  # Create
npm run migrate:up                        # Run all pending
npm run migrate:down                      # Rollback last
npm run migrate:status                    # Check status

Read Replica Routing

HTTP method-based routing: GET/HEAD/OPTIONS β†’ read replicas (round-robin), write operations β†’ primary. Automatic fallback to primary if replicas are unavailable.

πŸ“Š Monitoring & Observability

Metrics

Prometheus metrics at /metrics:

  • Transaction counts by status and provider
  • API response times (histograms)
  • Queue depths and job latencies
  • Error rates by category
  • Provider availability and circuit breaker state

Health Checks

curl http://localhost:3000/health     # Liveness
curl http://localhost:3000/ready      # Readiness (DB + Redis)
curl http://localhost:3000/health/lb  # Load balancer

Logging

Dual logging stack:

  • Primary: Structured JSON β†’ Loki β†’ Grafana (included in docker-compose)
  • Secondary: Filebeat β†’ Logstash β†’ Elasticsearch β†’ Kibana (ELK stack configs in elk/)

Alerting

  • Sentry β€” Error tracking and exception monitoring
  • Datadog β€” APM tracing (dd-trace)
  • PagerDuty β€” Operational alerts (low liquidity, provider outages)

🚒 Deployment

Docker

# Development (with mocks, hot reload, Grafana)
docker compose up

# Production build
docker build -t mobile-money:latest .
docker run -p 3000:3000 --env-file .env mobile-money:latest

The production Dockerfile uses a multi-stage build targeting < 200MB image size with a non-root user.

Kubernetes

Pre-built manifests in k8s/ include:

  • Deployment β€” 3 replicas, rolling updates, startup/liveness/readiness probes, resource limits
  • Worker Deployment β€” Separate BullMQ worker pods
  • KEDA Autoscaling β€” Scale workers based on queue depth (threshold: 20 jobs, 1–20 replicas)
  • HPA β€” CPU-based horizontal pod autoscaling for the API
  • PodDisruptionBudget β€” Minimum 2 available pods during disruptions
  • Helm Chart β€” Parameterized deployment in k8s/helm/
kubectl apply -f k8s/

Terraform (AWS)

Full AWS infrastructure in terraform/:

  • VPC with public/private subnets across multiple AZs
  • ECS Fargate for containerized deployment
  • RDS PostgreSQL with Multi-AZ (production)
  • ElastiCache Redis with failover
  • Application Load Balancer
cd terraform
cp terraform.tfvars.example terraform.tfvars
terraform init
terraform plan -var-file=environments/production.tfvars
terraform apply

CI/CD

GitHub Actions pipeline (.github/workflows/ci.yml):

  1. Security β€” npm audit, Snyk vulnerability scanning
  2. Test β€” Lint, Jest (with Postgres + Redis services), Playwright E2E, Codecov upload
  3. Build β€” TypeScript compilation
  4. Docker β€” Build and push image on main branch
  5. Deploy β€” kubectl apply β†’ rollout status β†’ health check β†’ auto-rollback on failure

πŸ› Troubleshooting

See TROUBLESHOOTING.md for detailed error codes and solutions.

Common Issues

Database connection fails:

pg_isready -h localhost -p 5432
# Verify DATABASE_URL format

Redis connection fails:

redis-cli ping  # Should return PONG

Stellar transactions fail:

echo $STELLAR_NETWORK  # Should be 'testnet' or 'mainnet'
curl https://horizon-testnet.stellar.org

Provider mock not working:

# Use docker-compose.dev.yml which includes the mock server
docker compose -f docker-compose.dev.yml up

🚨 Error Handling

Standardized error codes organized by category:

  • 4000-4099: Validation (HTTP 400)
  • 4010-4019: Authentication (HTTP 401)
  • 4030-4039: Authorization (HTTP 403)
  • 4040-4049: Not Found (HTTP 404)
  • 4090-4099: Conflict (HTTP 409)
  • 4290-4299: Rate Limit (HTTP 429)
  • 5000+: Server Errors (HTTP 500+)

See src/constants/errorCodes.ts for complete reference.

πŸ“– Documentation

Extensive documentation is available in the docs/ directory (59 documents), covering:

  • Architecture β€” System design, Stellar-EVM bridge architecture, ZK balance proofs research
  • Features β€” KYC, RBAC, GraphQL, SSO, transaction filtering, monthly statements, vaults
  • Stellar/SEP β€” SEP-10/12/31 implementation guides, fee bumping, fee strategy engine
  • Infrastructure β€” CI/CD pipeline, Docker dev setup, ELK stack, database backups, distributed locks
  • Integrations β€” Bridge provider guides, Orange integration, Zapier/Make.com webhooks
  • Observability β€” Metrics, slow query logging, PagerDuty, low liquidity alerts

A Docusaurus documentation portal is available in docs-portal/.

🀝 Contributing

We welcome contributions! See CONTRIBUTING.md.

Workflow

  1. Fork the repository
  2. Create feature branch (git checkout -b feature/amazing-feature)
  3. Make changes and run tests (npm test)
  4. Commit (git commit -m 'Add amazing feature')
  5. Push (git push origin feature/amazing-feature)
  6. Open Pull Request

Pre-commit hooks run ESLint, Prettier, TypeScript checks, and tests automatically.

Good First Issues

Check good first issue label.

πŸ—ΊοΈ Roadmap

  • SEP-38 implementation (Quotes and Price Streams)
  • Additional providers (Vodacom, Tigo, M-Pesa)
  • Mobile SDKs (iOS, Android)
  • Merchant dashboard UI
  • Advanced analytics and reporting dashboard
  • Multi-currency settlement support
  • Additional stablecoin support (USDT, EURC)
  • DeFi protocol integrations
  • External accounting integrations (QuickBooks, Xero)

πŸ“ License

MIT License β€” see LICENSE file.

πŸ™ Acknowledgments

πŸ“ž Support


Built with ❀️ for financial inclusion in Africa

About

A production-ready backend bridging African mobile money (MTN, Airtel, Orange) with Stellar blockchain for instant cross-border payments and remittances.

Resources

Contributing

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages

  • TypeScript 87.5%
  • JavaScript 3.8%
  • HTML 3.1%
  • PLpgSQL 2.8%
  • HCL 1.2%
  • Rust 0.7%
  • Other 0.9%