SwiftSend — Serverless Email Platform
With AWS Pinpoint reaching end-of-support, I directed the from-scratch replacement for an 11-site newspaper network sending roughly 1.5 million emails a year — designed, built, and proven as a drop-in Pinpoint replacement, with the cutover scheduled for next month. I owned the requirements and drove the architecture; an AI coding agent implemented under my direction. The decisions were mine:
- Fire-time assembly over patched timing hacks. I traced chronic stale-newsletter sends to a recurring campaign racing a cron job to overwrite content — a race condition three layers of legacy timing code had been built to paper over. I re-architected around content assembled at fire time with immutable dated sends instead, which makes stale sends structurally impossible and let me delete the workarounds.
- Per-tenant isolation by construction, not by convention. A per-item multi-tenant authorization model was one forgotten condition away from a cross-paper subscriber leak. I chose resource-level IAM isolation — one DynamoDB store per publication — so that bug class can't happen, and each tenant's data stays cleanly portable.
- A two-token paywall with no shared secrets. Swift Auth's access model pairs a send-time HMAC click token with a short-lived Ed25519 grant, verified in-process by the WordPress plugin against a public key. Because it's asymmetric, there's no shared secret sitting on any of the 11 sites for an attacker to steal in the first place — and no network call on the reader's hot path either.
- Cut my own plan when the numbers didn't back it up. I'd planned to cache the suppression store for latency. Once I ran the numbers — seconds and about a cent per send directly, versus forcing every send worker into a VPC — the cache didn't pay for itself, so I dropped it. Owning the tradeoff means reversing it when the data says so.
AWS · SES · Lambda · EventBridge Scheduler · SQS · DynamoDB · Firehose · Athena · TypeScript · AWS CDK


