WhatsApp / Messaging — system design by GentleBear93

Latency and availability are not measurable

The NFRs mention 'low latency' and prioritize availability, but they do not define concrete targets such as p95/p99 send-to-deliver latency or an uptime/SLA objective. Without measurable numbers, it is hard to evaluate whether the design meets the requirements. Add explicit targets, for example p95 message delivery latency and a service availability goal.

Guaranteed delivery is underspecified

Saying 'guaranteed delivery' is too absolute for a distributed chat system unless the exact semantics are defined. It is unclear whether this means at-least-once delivery, exactly-once user-visible delivery, durable acceptance by the server, or delivery within the 30-day offline window. Define the guarantee precisely and describe how duplicates, retries, and acknowledgments are handled.

Causal ordering scope is unclear

Causal ordering is a reasonable target, but the design does not specify where it applies: per conversation, per sender, across devices, or across all participants in a group chat. For correctness, the scope should be explicit because global causal ordering is much harder than per-chat ordering. Clarify the ordering contract expected by clients.

Entity boundaries between Chat and Group are unclear

It is not clear how Chat and Group relate to each other. For these requirements, the design should make the relationship explicit—for example, Chat as the conversation container with types like 1:1 or group, or Group as a specialized kind of chat. Without that, the model is ambiguous for representing both direct and group conversations consistently.

Missing media as a first-class domain concept

Media sending/receiving is a stated requirement, but there is no entity representing media/attachment content. Add a Media or Attachment entity, or explicitly state that Message can contain media as a distinct content type, so the domain model clearly covers this requirement.

RPS estimate is too low for the stated message volume

40B messages/day converts to about 463K messages/second on average, not 462K RPS. If each message implies both a send write and one or more delivery/read operations, the effective system load would be higher than the stated number. Recompute from first principles and clearly distinguish average QPS from peak QPS, ideally applying a peak factor (for example 3x-5x) so capacity is sized for realistic bursts.

Media storage math is inconsistent by several orders of magnitude

The estimate says 4B attached messages/day with 5 MB average media, which would be about 20 PB/day of media, not 20 TB/day. This is a major arithmetic error and materially changes storage planning. Fix by multiplying 4B × 5 MB carefully, then include the 30-day offline retention requirement to estimate total hot/warm storage needed.

30-day retention is not reflected in total storage sizing

The requirements explicitly say offline users can receive messages sent while offline for up to 30 days, but the calculation only gives per-day storage. Capacity planning should extend daily text and media volumes into retained storage over the retention window, including replication overhead if applicable. Add 30-day retained text/media totals so the design can be evaluated against the requirement.

Protocol shape is inconsistent and underspecified

The design mixes request/response arrows and push messages, but does not clearly define whether this is REST, WebSocket, or a hybrid. For a chat system, that ambiguity matters because connection lifecycle, delivery acknowledgements, and retry behavior depend on the protocol. Clarify the transport and structure: for REST use explicit HTTP methods and resource paths; for WebSocket define message types, payload schemas, and ack semantics consistently.

Primary entity read/list operations are incomplete

There are create and modify operations for chats and send for messages, but no way to fetch chat details, list a user's chats, or read message history. CRUD does not need to be exhaustive for every possible object, but the primary entities here are chats and messages, and clients need read operations to function correctly. Add endpoints/messages for listing chats and reading messages for a chat.

modifyChat request is missing target chat identifier

The modifyChat payload includes participants and name but does not specify which chat should be modified. Without a chatId in the request path or body, the operation is ambiguous. Include chatId explicitly, for example modifyChat(chatId, participants, name) or PATCH /chats/{chatId}.

Message delivery state is too vague

The sendMessage response only returns SUCCESS or FAILURE, and inbound messages are acknowledged with RECEIVED, but there is no messageId, timestamp, or delivery token. This makes deduplication, retries, ordering, and offline sync much harder. Return a server-assigned messageId and timestamp on send, and include messageId in newMessage and ack flows.

Group chat fanout architecture is underspecified for 100-member groups at large scale

The design has chat metadata and messaging servers, but it does not show how participant membership is resolved and how fanout is performed for group messages. At 1B DAU, group delivery needs an explicit pattern such as reading participant lists from chat metadata, writing per-user inbox entries, and routing online recipients via connection lookup. Make the fanout path explicit so the design clearly supports both 1:1 and group chat.

Redis Pub/Sub is a weak backbone for durable cross-service delivery

Redis Pub/Sub is transient and does not provide durable replay, which makes it risky if it is being used for important message or media state propagation between services. For a system at this scale, use Kafka or another durable log for critical inter-service events, and reserve Redis for ephemeral signaling or caching.

Several components are weakly connected or appear orphaned

The management server, service registry, Redis cache, and ETCD-based WebSocket manager are present, but their operational role in the main request path is not clearly connected. For example, the management server is only linked to the load balancer and database, and Redis cache has only one inbound edge. Tighten the diagram by showing exactly what each component does in routing, presence, discovery, or metadata lookup, or remove components that are not part of the end-to-end flow.