
Design Amazon Locker (IoT pickup network)

IoT device fleet, offline resilience, locker assignment, scanning, security/audit. Tests edge architecture + correctness under intermittent connectivity.


Theory

Explanation

Intuition first, formal definition second. Skim the bullets if you already know this; read the prose if you don't.

Each locker unit is a sealed IoT device with a barcode scanner, a touchscreen, and N physical compartments. The cloud assigns packages to compartments and issues pickup codes; the device authenticates each pickup. The network must keep working when the local internet link drops: courier deliveries and customer pickups cannot block on connectivity.

Locker firmware embeds a TPM-backed device identity and a local SQLite database of assigned packages, each with a TTL and a pickup code. The cloud-to-device control plane uses MQTT (AWS IoT Core) for assignment messages; the device-to-cloud path carries scan and open events. On connectivity loss, the device authorizes pickups from the local DB; events queue locally and are flushed on reconnect with idempotency keys so retries cannot double-count. Compartment state is single-writer (the device owns it); the cloud reconciles after sync. Each audit event is signed with the device key so tampering can be detected.

When to use

Any geographically-distributed device fleet performing physical actions: smart lockers, parcel kiosks, charging stations, vending.

When not to

Always-online use cases without physical actuation; a pure cloud service serves them better.

flowchart LR
  Cloud[Locker Cloud Control Plane] -->|MQTT assignment| Device[Locker Device]
  Device -->|MQTT events| Cloud
  Device --> Local[(Local SQLite + Pickup Codes)]
  Device --> HW[Compartment Actuators]
  Customer([Customer]) -->|enters code| Device
  Courier([Courier]) -->|scans barcode| Device
  Cloud --> Assign{{Assignment Service}}
  Cloud --> Audit[(Signed Audit Log)]

Key insights

  • Offline-first design: device must serve pickups without cloud. Local state is authoritative for compartment occupancy.
  • Event ordering relative to other devices does not matter; ordering within a device matters absolutely.
  • Pickup codes are short (6 digits), so they must be unique within a locker and TTL-scoped to limit brute-force guessing.
  • Audit events are signed with device key; cloud verifies signatures to detect tampered firmware.
  • Assignment chooses compartment size based on package dimensions and locker fill level.
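The offline pickup path, the per-device event signing and the idempotent flush described in the Explanation and the Key insights, as an added example that is not part of the original card. It is a simplified in-memory model: the device key is a plain HMAC secret (in real firmware it would be held by the TPM), the "local DB" is a dict standing in for SQLite, and `cloud_ingest` stands in for the cloud-side verifier; all names and sample values are constructed.

```python
import hmac, hashlib, json, time

class LockerDevice:
    def __init__(self, device_id, device_key, now=time.time):
        self.device_id = device_id
        self.key = device_key      # HMAC secret; TPM-held in real firmware (assumption)
        self.now = now             # injectable clock so TTL behaviour is testable
        self.assignments = {}      # compartment -> {"package", "code", "expires"}; stands in for SQLite
        self.outbox = []           # signed events awaiting flush to the cloud
        self.seq = 0               # per-device monotonic sequence: ordering within a device matters

    def assign(self, compartment, package_id, code, ttl_s):
        # Cloud-to-device assignment (MQTT). Codes must be unique within this locker.
        if compartment in self.assignments:
            raise ValueError("compartment occupied")
        if any(a["code"] == code for a in self.assignments.values()):
            raise ValueError("pickup code already in use on this locker")
        self.assignments[compartment] = {"package": package_id, "code": code, "expires": self.now() + ttl_s}
        self._log("assign", compartment=compartment, package=package_id)

    def pickup(self, code):
        # Works with no connectivity: the local store is authoritative for occupancy.
        for comp, a in list(self.assignments.items()):
            if hmac.compare_digest(a["code"], code):
                if self.now() > a["expires"]:
                    self._log("pickup_denied", compartment=comp, reason="expired")
                    return None
                del self.assignments[comp]              # single writer: device frees the slot
                self._log("open", compartment=comp, package=a["package"])
                return comp
        self._log("pickup_denied", reason="unknown_code")  # denials are audited too
        return None

    def _log(self, kind, **fields):
        # Every audit event is signed with the device key over a canonical JSON body.
        self.seq += 1
        ev = {"device": self.device_id, "seq": self.seq, "ts": int(self.now()), "kind": kind, **fields}
        body = json.dumps(ev, sort_keys=True).encode()
        self.outbox.append({"event": ev, "sig": hmac.new(self.key, body, hashlib.sha256).hexdigest()})

def cloud_ingest(device_keys, seen, batch):
    """Cloud side: drop forged/tampered events, dedupe on (device, seq) so re-flushed batches are idempotent."""
    accepted = []
    for item in batch:
        ev = item["event"]
        body = json.dumps(ev, sort_keys=True).encode()
        expected = hmac.new(device_keys[ev["device"]], body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, item["sig"]):
            continue                                    # signature mismatch: possible tampering
        if (ev["device"], ev["seq"]) in seen:
            continue                                    # already ingested from an earlier flush
        seen.add((ev["device"], ev["seq"]))
        accepted.append(ev)
    return accepted
```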