Long-running tasks

The simplest and most reliable status channel. After receiving the 202, the client sets up a polling loop: call GET /jobs/:id every N seconds, check the status field, and stop when it is SUCCEEDED, FAILED, or CANCELLED.

Polling interval strategy. Use exponential backoff with a cap: start at 1s, double each poll, cap at 10s. For jobs with predictable durations (e.g., "reports take 30-90s"), start polling after an initial delay equal to the median duration and then poll every 2s. This avoids wasting 30 requests polling a job that will not be done for a minute.

Response shape. The poll response should include: status (the FSM state), progress (percentage, 0-100), current_stage (human-readable), estimated_eta (ISO timestamp or null), result_url (presigned S3 URL, populated only when status=SUCCEEDED), and error (populated only when status=FAILED). Clients render the progress bar from the percentage and stage fields.

Retry-After header. The server should return a Retry-After header with the recommended poll interval. Well-behaved clients respect it. This gives the server control over poll frequency — during high load, increase Retry-After to 30s to reduce poll traffic.

Idempotency of the status endpoint. GET /jobs/:id is naturally idempotent and cacheable. Set Cache-Control: no-store to prevent intermediate proxies from serving stale status. For high-traffic dashboards, add a short TTL (1s) via CDN to absorb thundering-herd polls when many users watch the same job.

Limitations. Polling wastes bandwidth when jobs are slow — 10,000 users polling every 2s generates 5,000 req/s of pure overhead. For dashboard-heavy use cases with many concurrent viewers, push-based channels (SSE, WebSocket) are more efficient. But polling is universally compatible, needs no special infrastructure, and works through every proxy and firewall.

Server-Sent Events (SSE) flip the polling model: instead of the client asking "are you done yet?" every few seconds, the server pushes progress events as they happen. The client opens an EventSource connection to GET /jobs/:id/stream and receives a series of text/event-stream frames.

How it works. The worker writes progress updates to a Redis Pub/Sub channel keyed by job_id. The API server subscribes to that channel when the client opens the SSE connection. Each Redis message becomes an SSE frame: data: {"pct":45,"stage":"Rendering page 450/1000","eta":"2026-04-27T14:05:00Z"}. When the job completes, the server sends a final frame with status=SUCCEEDED and the result_url, then closes the connection.

Connection management. SSE uses a standard HTTP connection, so it works through most proxies and load balancers. However, you must configure: (a) disable response buffering in Nginx (proxy_buffering off; X-Accel-Buffering: no) so frames are not batched; (b) set a long read timeout (proxy_read_timeout 3600s) so the proxy does not kill the connection during idle periods; (c) handle reconnection — EventSource auto-reconnects with the Last-Event-ID header, and your server must resume from that point.

Scaling SSE. Each SSE connection holds a server thread (or async task). At 10,000 concurrent viewers, that is 10,000 open connections. Use an async framework (Node.js, Go, or Python asyncio) to handle this without thread-per-connection overhead. The Redis Pub/Sub subscription is per-server, not per-client — one subscription fans out to all local SSE clients watching that job.

Fallback to polling. Not all environments support SSE (some corporate proxies kill long-lived connections). Implement the polling endpoint as a fallback. The client tries SSE first; if the connection drops three times within 30 seconds, it falls back to polling.

When to use WebSocket instead. SSE is unidirectional (server → client). If the client needs to send cancellation or pause commands on the same channel, use a WebSocket. For most "watch my job" use cases, SSE is sufficient and simpler to implement.

Webhooks invert the relationship entirely: instead of the client checking on the job, the server pushes the result to a URL the client provides at submission time. This is the standard pattern for B2B APIs where the "client" is another server, not a browser.

Flow. The client includes a callback_url in the POST /jobs request. The server stores it with the job record. When the worker completes the job, it POSTs the result payload to the callback_url with an HMAC signature in the X-Signature-256 header. The client verifies the signature against a shared secret to authenticate the webhook.

Reliability. Webhooks fail when the client's server is down. You need a retry policy: 3-5 attempts with exponential backoff (1 min, 10 min, 1 hour). After exhausting retries, mark the webhook as failed and log it. The client must also be able to manually retrieve the result via GET /jobs/:id as a fallback — webhooks augment polling, they do not replace it.

Idempotency. Network retries and server-side retries can deliver the same webhook twice. Include an idempotency key (the job_id or a delivery_id) in the payload so the client can deduplicate. The client should respond with 200 quickly (within 5 seconds) and process the payload asynchronously — do not let webhook delivery block on the client's own processing.

Security. Always use HTTPS for the callback URL. Sign the payload with HMAC-SHA256 using a per-client secret. Reject callback URLs that point to internal IPs (SSRF protection). Rate-limit outbound webhook requests per client to prevent abuse. Validate the URL scheme and host at submission time, not at delivery time.

Comparison to SSE. Webhooks are server-to-server; SSE is server-to-browser. Webhooks do not require long-lived connections but need retry infrastructure. SSE gives real-time progress but only works for interactive clients. Most production systems support both: SSE for the dashboard, webhooks for API integrations.

When a job has distinct processing phases — extract, transform, load; or download, transcode, upload — treat each phase as a pipeline stage with its own checkpoint. An orchestrator (AWS Step Functions, Temporal, or a custom DAG runner) coordinates the stages and handles retries at the stage level, not the job level.

Checkpoint design. After each stage, the worker writes the intermediate output to durable storage (S3, GCS) along with a checkpoint record in the jobs DB: {job_id, stage: "transform", checkpoint_uri: "s3://...", items_processed: 45000, timestamp}. If the worker crashes during stage 3, the orchestrator reads the latest checkpoint, sees that stage 2 completed, and dispatches a new worker starting at stage 3 with the stage-2 output as input.

Checkpoint granularity. For stages that process data in batches (e.g., "transform 1M rows"), checkpoint every N batches (e.g., every 10,000 rows). The checkpoint stores the offset: "processed rows 0-40,000, intermediate file at s3://…/chunk-4.parquet". On resume, the new worker starts at row 40,001. This limits wasted work on crash to at most N items.

Orchestrator patterns. (a) Sequential pipeline — stages run one after another; the simplest model. (b) DAG pipeline — stages have dependencies; a DAG runner (Airflow, Step Functions) resolves the execution order. (c) Map-reduce pipeline — a single stage fans out to N parallel workers (e.g., transcode N video segments), then a reduce stage stitches the results. Each fan-out worker checkpoints independently.

Timeout per stage. Set a timeout on each stage, not just the overall job. If stage 2 normally takes 5 minutes, set a 15-minute stage timeout. This catches stuck workers faster than a single 2-hour job timeout. The orchestrator marks the stage as FAILED and retries it (up to stage_max_retries) before failing the overall job.

Cost of checkpointing. S3 PUT costs $0.005 per 1,000 requests. At one checkpoint per stage per job, 1M jobs/day with 4 stages = 4M PUTs = $20/day. The cost of NOT checkpointing — restarting a 2-hour job from zero — is far higher in compute. Checkpointing is almost always worth it for jobs > 5 minutes.

The API receives a request (e.g., POST /reports), generates the report inline, and returns 200 with the PDF payload. At low traffic with fast jobs (< 5s), this works fine — you need only a handful of server threads.

Why it breaks. ALB default idle timeout is 60s. Nginx default proxy_read_timeout is 60s. CloudFront default origin response timeout is 30s. Any job that takes longer hits a gateway timeout. Even below the timeout, holding threads for 30s means 100 concurrent jobs need 100 threads — and each thread holds memory, a DB connection, and CPU. At 500 concurrent jobs, you are running 500 threads on a single server, and response times spike from thread contention.

Replace the synchronous call with the 202 contract. The API validates input, mints a job_id, persists a PENDING job record, enqueues the job_id, and returns 202 with { job_id, status_url: "/jobs/{job_id}" }. A worker fleet processes jobs from the queue. The client polls the status URL until the job reaches a terminal state.

Key decisions. (a) Queue choice: SQS for simplicity, Kafka for ordering or replay. (b) Job DB: Postgres with a jobs table (id, status, created_at, updated_at, result_url, error). (c) Worker concurrency: start with 5 workers, autoscale on queue depth. (d) Poll interval: recommend 2-5s via Retry-After header.

Result. API latency drops from minutes to < 50ms. Jobs can run for hours without hitting any timeout. Users get a job_id they can bookmark and check later. The system handles 10x more submissions because the API is no longer blocked by processing.

Add SSE (or WebSocket) for real-time progress delivery. Workers write progress structs to Redis; the API subscribes and pushes frames to the client. The polling endpoint remains as a fallback.

Progress design. The worker updates a Redis key (job:{id}:progress) with a JSON struct every 2 seconds: { pct: 65, stage: "Rendering page 650/1000", items_done: 650, items_total: 1000, eta: "2026-04-27T14:05:00Z" }. The key has a 300s TTL so stale progress auto-expires. The worker also publishes to a Redis Pub/Sub channel (job:{id}) so the SSE endpoint receives updates without polling Redis.

Result. Users see a live progress bar with ETA. API poll traffic drops 95% because active users use SSE. The remaining poll traffic is from CLI tools and mobile apps that fall back to polling.

For jobs that naturally decompose into stages (extract → transform → render → upload), use an orchestrator (Step Functions, Temporal) to run each stage as an independent task. Each stage checkpoints its output to S3. On failure, the orchestrator retries the failed stage from its checkpoint.

Stage isolation. Each stage runs in its own container with tailored resource limits. The extract stage needs high network I/O; the transform stage needs CPU; the render stage needs GPU. Dedicated containers prevent a CPU-heavy transform from starving an I/O-bound extract.

Parallel fan-out. For large datasets, the orchestrator fans out the transform stage to N parallel workers, each processing a shard. A final reduce stage merges the results. Checkpointing at the shard level means a single shard failure only replays that shard, not the entire dataset.

Result. Jobs that crashed at 90% now resume from 90% instead of 0%. Stage-level retries catch transient failures without restarting the whole pipeline. Resource utilization improves because each stage uses right-sized containers.

A job state machine is the backbone of any long-running task system. Without it, you end up with ad-hoc status fields that admit impossible transitions (e.g., a job that is simultaneously "running" and "cancelled") and make debugging a nightmare.

States. PENDING: job record created, not yet enqueued. QUEUED: message is in the work queue. RUNNING: a worker has dequeued and is actively processing. SUCCEEDED: work completed, result available. FAILED: work failed after exhausting retries. CANCELLED: user or system requested cancellation. Each state has exactly one entry condition and well-defined exit transitions.

Transition rules. (1) PENDING → QUEUED is triggered by successful enqueue. (2) QUEUED → RUNNING is triggered by the worker setting status=RUNNING with an atomic compare-and-swap (UPDATE jobs SET status='RUNNING' WHERE id=? AND status='QUEUED'). This CAS prevents two workers from running the same job. (3) RUNNING → SUCCEEDED requires the worker to write the result URL first, then update status. (4) RUNNING → FAILED sets an error message and increments a retry counter. If retry_count < max_retries, the transition is RUNNING → QUEUED (re-enqueue). (5) Any non-terminal state → CANCELLED is triggered by the user or a timeout.

Transition log. Store an append-only array of transitions: [{state: 'PENDING', at: '...', reason: 'created'}, {state: 'QUEUED', at: '...', reason: 'enqueued'}, ...]. This log is invaluable for debugging: "Why did this job take 3 hours? Because it transitioned RUNNING → FAILED → QUEUED → RUNNING three times with 30-minute gaps between each."

Terminal state immutability. Once a job reaches SUCCEEDED, FAILED, or CANCELLED, it must never transition again. Enforce this in your state machine code and in the database (a CHECK constraint or application-level guard). A job that flip-flops between SUCCEEDED and FAILED will corrupt downstream systems that rely on the final status.

Choosing the right status channel depends on who the client is, how latency-sensitive the feedback must be, and how much infrastructure you are willing to add.

Polling. The client calls GET /jobs/:id on an interval. Pros: universally compatible, stateless server, easy to cache. Cons: wasted requests, notification delay equals poll interval. Best for: APIs consumed by scripts, CLIs, or mobile apps behind unreliable networks. Recommended interval: exponential backoff from 1s to 10s, capped.

SSE (Server-Sent Events). The client opens an EventSource to a streaming endpoint. The server pushes text/event-stream frames as progress updates arrive. Pros: sub-second latency, efficient (no wasted requests), auto-reconnect built into the browser API. Cons: unidirectional (server → client only), requires async server, proxy configuration (disable buffering, extend timeouts). Best for: web dashboards showing live progress.

WebSocket. Full-duplex channel over a single TCP connection. Pros: bidirectional (client can send cancel/pause commands on the same connection), lowest latency. Cons: more complex than SSE, requires WebSocket-aware load balancers, connection management overhead. Best for: interactive applications that need both progress push AND client-to-server commands.

Webhook. The server POSTs the result to a URL the client provides at submission time. Pros: no client polling, works for server-to-server integrations. Cons: client must expose a public HTTPS endpoint, retry/DLQ infrastructure needed, SSRF risk. Best for: B2B APIs (Stripe, Shopify, GitHub).

Hybrid approach. Most production systems implement polling as the baseline (it is the fallback everyone can use) and SSE for the dashboard. Webhooks are added for B2B integrations. WebSocket is rarely needed unless the client needs to send real-time commands during processing.

Checkpointing is the difference between "a 2-hour job that crashed at 1h50m restarts from zero" and "it resumes from 1h50m." For any job longer than 5 minutes, checkpointing is not optional — it is a structural requirement.

What to checkpoint. The checkpoint must capture everything the worker needs to resume: the current offset (row number, page number, byte offset), intermediate state (partial aggregation, in-progress file), and metadata (job_id, stage, timestamp). Store this as a JSON file in S3 with a deterministic key: s3://checkpoints/{job_id}/stage-{n}/checkpoint.json.

When to checkpoint. Two strategies: (a) Time-based — every 60 seconds. Simple, but may lose up to 60 seconds of work. (b) Count-based — every N items (e.g., every 10,000 rows). More predictable replay cost. (c) Hybrid — whichever comes first. This is the recommended approach. The cost of checkpointing (one S3 PUT per interval) is negligible compared to the cost of replaying hours of work.

Atomic checkpoint + progress update. The worker should update the checkpoint and the progress record atomically (or at least in the same code path). If the checkpoint is ahead of the progress, users see inaccurate percentages. If the progress is ahead of the checkpoint, a crash resumes from behind where the user saw — which feels like regression.

Checkpoint versioning. Include a schema_version field in the checkpoint JSON. When you deploy new code that changes the checkpoint format, the new worker checks the schema_version. If it matches, resume. If it is an older version, either migrate the checkpoint in-place or restart from scratch (with a log warning). Never silently consume a checkpoint in an incompatible format — data corruption is worse than a restart.

Cleanup. After a job reaches SUCCEEDED, delete its checkpoints (or archive them to Glacier for audit). Stale checkpoints from abandoned jobs should be cleaned up by a TTL policy on the S3 prefix (lifecycle rule: delete objects older than 7 days under the checkpoints/ prefix).

Without timeouts, a stuck worker holds a job in RUNNING state forever — consuming resources, blocking the slot, and making the user wait indefinitely. Without cancellation, users have no way to abort jobs that are no longer needed. Both are required for a production-grade system.

Job-level timeout. Set a maximum wall-clock time for the entire job (e.g., 30 minutes for a report, 4 hours for a video transcode). When the job transitions to RUNNING, start a timer. If the timer fires before the job reaches a terminal state, transition to CANCELLED with reason=TIMEOUT. Implementation: the orchestrator (or a cron job) queries for jobs WHERE status='RUNNING' AND updated_at < NOW() - INTERVAL '30 minutes' and cancels them.

Heartbeat-based liveness. The timeout alone does not distinguish between "still working" and "hung." Workers send heartbeats — an update to last_heartbeat_at every 30 seconds. The orchestrator's liveness check is: if last_heartbeat_at < NOW() - 90s AND status = 'RUNNING', the worker is presumed dead. Transition to QUEUED for retry (if retries remain) or FAILED.

User-initiated cancellation. The client calls DELETE /jobs/:id or POST /jobs/:id/cancel. The API sets a cancel flag in the job record (or publishes to a Redis channel). The worker checks the cancel flag on every checkpoint or iteration. If set, the worker stops processing, cleans up intermediate files, and transitions to CANCELLED. The cancellation is cooperative — you cannot kill a running worker mid-computation without risking data corruption, so the worker must poll for the cancel signal.

Drain timeout. After receiving a cancel signal, give the worker a drain period (30 seconds) to finish its current batch and write a checkpoint. If it does not exit within the drain period, force-kill the container. The checkpoint ensures the job can be resumed later if the user changes their mind.

Preventing zombie jobs. A zombie job is one stuck in RUNNING with no live worker. Causes: worker OOM, network partition, or a bug that skips the heartbeat. A zombie reaper cron runs every 5 minutes, finds zombies (RUNNING + stale heartbeat), and transitions them to QUEUED or FAILED. Alert on zombie count > 0 — it indicates a systemic worker health issue.

Progress reporting transforms a black-box job into a transparent process. Without it, users see "pending" for 10 minutes and assume the system is broken. With it, they see "45% — rendering page 450 of 1,000, ETA 2 minutes" and wait patiently.

Progress data model. The worker writes a struct to a fast store (Redis, not the main DB — you do not want progress writes competing with business queries): { pct: 45, stage: "Rendering", items_done: 450, items_total: 1000, eta: "2026-04-27T14:05:00Z", started_at: "2026-04-27T14:00:00Z" }. The key is job:{id}:progress with a TTL of 300 seconds. If the worker dies, the progress key expires and the status endpoint returns null progress — a signal that the job may be hung.

Calculating ETA. Naive ETA = (items_total - items_done) / (items_done / elapsed_time). This is noisy at the start (0/0) and inaccurate if processing speed varies across items. Better: use a rolling average of the last 30 seconds of throughput. Even better: do not show ETA until items_done > 10% — before that, the estimate is unreliable. Display "Calculating..." instead.

Progress update frequency. Update every 2-5 seconds or every 1% of progress, whichever is less frequent. More frequent updates waste Redis writes and SSE bandwidth. Less frequent updates make the progress bar jerky. For SSE, batch updates into 2-second windows — if three updates arrive within 2 seconds, send only the latest.

Multi-stage progress. For pipeline jobs, report both stage-level and overall progress: { overall_pct: 60, stage: "Transform", stage_pct: 80, stages_done: 2, stages_total: 3 }. The frontend can show a multi-segment progress bar with each stage as a labeled section.

Graceful completion. When the job finishes, set pct=100 and send a final progress update before transitioning to SUCCEEDED. If you transition the status first and the SSE client reads the status before the final progress frame, the UI jumps from 95% to "Done" — a minor but noticeable UX glitch. Sequence: write progress 100% → write result_url → transition to SUCCEEDED → close SSE.

The output of a long-running job — a PDF, a CSV export, a transcoded video — must be stored durably, served efficiently, and garbage-collected eventually. This sounds trivial but has several sharp edges in production.

Where to store results. Blob storage (S3, GCS, Azure Blob) is the canonical choice. Store the output with a deterministic key: s3://results/{job_id}/{filename}. Do not store results in the database — a 50 MB PDF in a Postgres row degrades backup times, replication lag, and query performance.

Presigned URLs. When the job completes, generate a presigned GET URL with a short expiry (1 hour). Store this URL in the job record. When the client polls, return the presigned URL. This avoids routing result downloads through your API server — the client downloads directly from S3, which scales infinitely and is cheaper.

Result TTL. Set a lifecycle rule on the S3 prefix: delete objects older than 7 days. After 7 days, the job record transitions to EXPIRED and the result_url becomes null. Clients that poll after expiry get a 410 Gone response with a message: "Result expired. Re-submit the job." This prevents unbounded storage growth.

Re-download protection. Users sometimes close the tab before downloading. Store a download_count in the job record. If download_count > 0, the user has already downloaded. If download_count = 0 and the result is about to expire, send a reminder email (if the user opted in). This reduces re-submission rates for users who simply forgot to download.

Large result handling. For results > 5 GB (video transcodes, large exports), use S3 multipart upload from the worker. Serve via CloudFront to avoid S3 transfer costs and to provide edge caching for popular results. For results that are accessed by multiple users (a shared team report), cache at the CDN layer with a 1-hour TTL.

Compliance. In regulated industries (healthcare, finance), results may contain PII. Enable S3 server-side encryption (SSE-S3 or SSE-KMS). Log all presigned URL generations to an audit trail. Ensure the lifecycle rule does not delete results before the legal retention period (which may be longer than 7 days — override the TTL per job type if needed).