← imkumawatmanoj.com Download PDF

Manoj Kumawat

Senior Backend Engineer · Node.js / TypeScript · GraphQL · AWS
1.6M+ users 400K+ active subscriptions 500K+ req/day $150K+/mo payouts −50% cloud cost
Summary

Senior Backend Engineer, 5+ years across product and security engineering — including 4+ years building e-commerce and subscription systems serving 1.6M+ users and 400K+ active subscriptions. Expertise in Node.js/TypeScript, GraphQL (Apollo), REST API design, event-driven architecture, and AWS — led a full Shopify platform migration, cut cloud spend ~50%, and run a payout pipeline processing $150K+/month. Cybersecurity background (OWASP Top 10, VAPT) — architect systems, code, and business logic secure-by-design: hardened authentication, scoped authorization, rate limiting, and query-complexity/abuse limits.

Experience
SpringworksSenior Backend Engineer
Burst Oral Care — e-commerce & subscription platform
  • Led a full custom-platform to Shopify migration for a 400K+ subscription, 1.6M+ user store — implemented complex ambassador discount logic (40K+ codes) as Shopify Functions and cut over with no disruption to recurring billing.
  • Sole DevOps owner for the platform — cut AWS spend ~50% (Aurora/RDS tuning, ECS right-sizing, CloudWatch retention/log-ingestion tuning, S3/Glacier lifecycle) and replaced a $2K/month hosted BI tool (Periscope/Sisense) with self-hosted Redash on EC2, eliminating ~$24K/year in licensing.
  • Designed and built the ambassador payout system from scratch with idempotent Stripe transfers and automated reconciliation — a robust design that prevents duplicate transfers under retries and failures, across $150K+/month.
  • Built and operated REST APIs across subscriptions, payments, and orders (500K+ requests/day), holding p95 latency under production peaks via connection pooling, indexing, and query tuning on high-concurrency MySQL.
  • Architected event-driven sync on Shopify's GraphQL Admin API and webhooks, mirroring customers, orders, products, and discounts into internal systems for near-real-time analytics and automation.
  • Implemented Shopify Functions (cart validation, purchase restrictions, delivery customization, custom discounts), retiring paid third-party apps; built custom B2B/wholesale recurring billing Shopify could not natively support.
Truminds Software SystemsPenetration Tester
Web Application Security
  • Ran manual and automated security testing with Burp Suite, OWASP ZAP, and sqlmap against web applications and APIs, uncovering OWASP Top 10 vulnerabilities (injection, broken access control, XSS) and driving them to remediation with engineering teams.
  • Integrated SonarCloud static analysis (SAST) into CI pipelines across repositories, shifting vulnerability detection left and catching insecure code before merge.
  • Partnered with developers on secure-coding reviews and threat-aware design, reducing recurring vulnerability classes across the codebase.
Projects
blue-node — backend reference implementation   github.com/imkumawat/blue-node
Node.js · TypeScript · Express 5 · Apollo GraphQL · Postgres · MongoDB · Redis · AWS
  • Modular monolith in TypeScript (ESM) on Express 5 — per-module REST + GraphQL (Apollo) adapters over Postgres (Drizzle), MongoDB, and Redis, plus an MQTT broker client as a resilient shared transport; BullMQ + standalone SQS worker for background jobs.
  • Per-request DataLoader batching to eliminate resolver N+1 (order-preserving batch queries behind a request-scoped context), with query-complexity limits.
  • Directive-driven GraphQL security at the schema level — @authenticated, @requireScope, @rateLimit, and alias-abuse protection.
  • Unified JWT auth core for REST + Apollo — access/refresh-token rotation & reuse detection, scoped permissions, and per-IP/account lockout.
  • Multi-instance real-time layer — WebSocket transport with a connection manager and Redis Pub/Sub fan-out (rooms) across horizontally-scaled instances; graceful shutdown drains in-flight requests and jobs on SIGTERM; pino logging; CI (GitHub Actions + Azure DevOps) with typecheck, lint, Vitest.
Skills
Languages
TypeScript, JavaScript (Node.js, ES6+), Python
Backend & API
GraphQL (Apollo), DataLoader, REST, WebSockets, Express 5, JWT
Data
PostgreSQL, MySQL, MongoDB, Redis
Messaging & Events
AWS SQS/SNS/EventBridge, BullMQ, MQTT, event-driven architecture
Cloud & DevOps
AWS (ECS/Fargate, Lambda, Aurora/RDS, ElastiCache, S3/Glacier, API Gateway, CloudWatch, Secrets Manager, IAM), Docker, CI/CD (GitHub Actions, Azure DevOps), Cloudflare
Observability
Sentry, CloudWatch, OpenSearch, structured logging (pino)
Security
OWASP Top 10, VAPT (Burp Suite, OWASP ZAP, Nessus, sqlmap, Metasploit), SonarCloud (SAST), secure coding, refresh-token reuse detection, rate limiting
Frontend
Next.js, React
Education
Lovely Professional University
B.Tech, Computer Science & Engineering
Jul 2016 – Jun 2020 · Punjab, India
200 OK — resume served over HTTPS imkumawatmanoj.com