Building TheSkinProof — 4-portal verified marketplace in 6 weeks

TheSkinProof.com is a multi-vendor skincare marketplace we built and shipped in 6 weeks. It went live in Q2 2025 and now serves real buyers, sellers, and a warehouse team across South Asia. This post walks through the engineering decisions behind it — from the verification pipeline that gates every product, to the COD fraud detection that protects margins, to the 750+ tests that gate every PR.

The brief

The skincare e-commerce space in South Asia has a real harm problem: an estimated 30–40% of products sold online are counterfeit or expired. There's no verification standard on existing platforms. The founder's brief to us was direct:

Every product must be provenance-checked before it lists. No exceptions.
Cash-on-delivery fraud must be priced into the system from day one. Fraud bleeds runway.
Buyers should get personalised recommendations, not a generic catalogue.
Sellers, admins, and the warehouse team need different views, but on the same data.
Ship something real in 6 weeks. With tests. So when something breaks, we know where.

The shape of the system

What we shipped:

4 portals — Buyer, Seller, Admin, Warehouse — each with isolated layouts, auth flows, and permission boundaries.
124 API endpoints — every one rate-limited, every one Zod-validated, every one tested.
26 PostgreSQL tables — relational integrity, GIN indexes for search, RLS where it earned its keep.
3 payment gateways — bKash, Nagad, SSLCommerz — covering 95%+ of regional digital payments.
1 courier integration — Pathao, with real-time tracking and COD settlement webhooks.
2 languages — Bangla and English, fully bilingual UI with phone normalisation.
750+ automated tests — Jest, with enforced coverage thresholds on the modules that touch money.

1. The verification pipeline

The single most important system in the platform. Every product passes through a four-stage gate before it ever appears to a buyer:

Submit Draft — seller submits product details, images, ingredient list, pricing.
Upload Documents — purchase invoices, Certificate of Analysis (COA), brand authorisation letter. Stored encrypted on AWS S3 with presigned access.
Admin Review — internal team reviews documents, validates batch numbers and expiry, flags anomalies. The admin queue is the highest-traffic internal page on the platform.
Go Live or Reject — approved products get a verified badge in the buyer UI. Rejected items return to the seller with structured feedback they can act on.

The pipeline is implemented as a Postgres state machine with an immutable audit trail. Every state transition writes a row. We can reconstruct exactly who approved what, when, and why — months after the fact. That's not a nice-to-have when you're operating in regulated personal-care.

2. COD fraud detection

Cash-on-delivery is the dominant payment method in the region, which means COD fraud is the dominant operational drag. Velocity abuse, fake names, rapid-fire orders from the same address — these aren't edge cases. They're the default failure mode without active defence.

What we built: a multi-signal scorer that runs at checkout and weighs:

Order velocity from the same phone, address, IP, or device fingerprint
Recipient-info anomalies (mismatched names, throwaway emails, recently-rotated phones)
Historical patterns — has this phone been flagged before? Has this address received and refused?
Cart composition — high-value first orders trigger extra friction

The scorer outputs a tiered risk classification. Clean buyers see no friction. Medium-risk see a partial-advance requirement (10% of order value, paid via bKash before dispatch). High-risk are blocked outright with a manual-review path. The whole thing is a single composable function, ~200 lines, with 90%+ test coverage on the scoring core.

3. The skin quiz engine

The biggest non-marketplace surface on the platform. A multi-step questionnaire that classifies skin type, builds an allergy exclusion list, and recommends products with explainable match scores. It's the most-tested module in the codebase — 120+ tests, 90% line coverage on the scoring engine.

The quiz hits six question areas: top concerns, skin feel/texture, sensitivity, known allergies, lifestyle factors, and health conditions. Each answer feeds a weighted scoring vector. The output isn't just "your skin type is dry" — it's a ranked list of products with the specific reasons each one matches: "Recommended because: addresses your top concern (hyperpigmentation), excludes your declared allergens (fragrance, alcohol), suitable for sensitive skin." Buyers convert on explanations, not on opaque recommendations.

4. The four portals

The "multi-portal" architecture isn't four pretty dashboards. It's four parallel auth flows, four sets of layouts, four permission boundaries — built so a compromised seller account can never see warehouse internals, and a warehouse picker can never see admin verification documents.

Portal	Auth	Core surfaces
Buyer	OTP via SMS	Catalog, quiz, cart, checkout, orders, reviews
Seller	Email + password	Drafts, orders, payouts, sales analytics
Admin	Email + password + RBAC	Verification queue, fraud monitoring, user mgmt, audit logs
Warehouse	Email + password + RBAC	FIFO picking, batch tracking, pack & ship, expiry alerts

Each portal lives behind its own Next.js layout, so cross-contamination of UI components is impossible by construction. Sessions are tamper-proof HMAC-signed cookies with rotating nonces.

5. Tests are the contract

750+ tests in CI on day one wasn't a vanity metric — it was the only way to ship in 6 weeks without burning the second 6 weeks on regressions. Coverage thresholds on the modules that touch money:

Quiz / scoring engine: 120+ tests, 90% line coverage
Cart store: 80+ tests, 80% coverage
API routes: 200+ contract tests
UI components: 89+ tests with React Testing Library

Every PR runs the full suite. Coverage thresholds are enforced — drop below 80% on the cart and the merge is blocked, full stop. This is the bar we hold every project to. It's why "zero-regression releases" isn't aspirational — it's just what falls out of doing the boring parts well.

6. Why these tech choices

Layer	Tech	Reason
App framework	Next.js (App Router)	SSR for SEO + fast TTI, API routes co-located
Language	TypeScript (strict)	End-to-end type safety. No `any`. Types are the contract.
Database	PostgreSQL	Relational integrity + GIN indexes for full-text product search
Cache	Redis	Sliding-window rate limiting, session cache, in-memory fallback in dev
State	Zustand	Lightweight persistent stores for cart, wishlist, auth — no Redux ceremony
Payments	bKash + Nagad + SSLCommerz	Covers 95%+ of digital payments in the region
Courier	Pathao API	Real-time tracking + webhook updates + COD settlement
Storage	AWS S3 (docs) + Cloudinary (images)	S3 for sensitive verification docs; Cloudinary for image CDN
Testing	Jest + React Testing Library	750+ tests gated in CI, enforced coverage on revenue paths

Notice what's not here: no exotic stack-of-the-week, no GraphQL, no microservices. Boring tech in the right hands is the highest-leverage approach there is.

The outcome

TheSkinProof went live in Q2 2025 and is still running. 99.97% uptime since launch. Zero counterfeit-product incidents. Zero PII leaks. The verification pipeline has gated thousands of products to date — and a non-trivial percentage of submissions get bounced for failed COA or expired batches. That's the system working as designed.

Most importantly: the founder's team can operate the platform without us. We handed over runbooks, an on-call playbook, the test pyramid, and the deploy pipeline. We're available if they need us — but they don't need us to ship.

That's the bar.

Want a system like this?

If you're building a marketplace, a SaaS, or any system where the integrity of the data is the product — we'd like to hear about it. Book a 15-minute technical audit. We'll walk through your stack, flag the risks we'd flag, and tell you whether we're the right team. No pitch. No fluff.

Or read the full case study: TheSkinProof — multi-vendor verified-skincare marketplace.

The brief

Every product must be provenance-checked before it lists. No exceptions.
Cash-on-delivery fraud must be priced into the system from day one. Fraud bleeds runway.
Buyers should get personalised recommendations, not a generic catalogue.
Sellers, admins, and the warehouse team need different views, but on the same data.
Ship something real in 6 weeks. With tests. So when something breaks, we know where.

The shape of the system

What we shipped:

4 portals — Buyer, Seller, Admin, Warehouse — each with isolated layouts, auth flows, and permission boundaries.
124 API endpoints — every one rate-limited, every one Zod-validated, every one tested.
26 PostgreSQL tables — relational integrity, GIN indexes for search, RLS where it earned its keep.
3 payment gateways — bKash, Nagad, SSLCommerz — covering 95%+ of regional digital payments.
1 courier integration — Pathao, with real-time tracking and COD settlement webhooks.
2 languages — Bangla and English, fully bilingual UI with phone normalisation.
750+ automated tests — Jest, with enforced coverage thresholds on the modules that touch money.

1. The verification pipeline

The single most important system in the platform. Every product passes through a four-stage gate before it ever appears to a buyer:

Submit Draft — seller submits product details, images, ingredient list, pricing.
Upload Documents — purchase invoices, Certificate of Analysis (COA), brand authorisation letter. Stored encrypted on AWS S3 with presigned access.
Admin Review — internal team reviews documents, validates batch numbers and expiry, flags anomalies. The admin queue is the highest-traffic internal page on the platform.
Go Live or Reject — approved products get a verified badge in the buyer UI. Rejected items return to the seller with structured feedback they can act on.

2. COD fraud detection

What we built: a multi-signal scorer that runs at checkout and weighs:

Order velocity from the same phone, address, IP, or device fingerprint
Recipient-info anomalies (mismatched names, throwaway emails, recently-rotated phones)
Historical patterns — has this phone been flagged before? Has this address received and refused?
Cart composition — high-value first orders trigger extra friction

3. The skin quiz engine

4. The four portals

Portal	Auth	Core surfaces
Buyer	OTP via SMS	Catalog, quiz, cart, checkout, orders, reviews
Seller	Email + password	Drafts, orders, payouts, sales analytics
Admin	Email + password + RBAC	Verification queue, fraud monitoring, user mgmt, audit logs
Warehouse	Email + password + RBAC	FIFO picking, batch tracking, pack & ship, expiry alerts

Each portal lives behind its own Next.js layout, so cross-contamination of UI components is impossible by construction. Sessions are tamper-proof HMAC-signed cookies with rotating nonces.

5. Tests are the contract

750+ tests in CI on day one wasn't a vanity metric — it was the only way to ship in 6 weeks without burning the second 6 weeks on regressions. Coverage thresholds on the modules that touch money:

Quiz / scoring engine: 120+ tests, 90% line coverage
Cart store: 80+ tests, 80% coverage
API routes: 200+ contract tests
UI components: 89+ tests with React Testing Library

6. Why these tech choices

Layer	Tech	Reason
App framework	Next.js (App Router)	SSR for SEO + fast TTI, API routes co-located
Language	TypeScript (strict)	End-to-end type safety. No `any`. Types are the contract.
Database	PostgreSQL	Relational integrity + GIN indexes for full-text product search
Cache	Redis	Sliding-window rate limiting, session cache, in-memory fallback in dev
State	Zustand	Lightweight persistent stores for cart, wishlist, auth — no Redux ceremony
Payments	bKash + Nagad + SSLCommerz	Covers 95%+ of digital payments in the region
Courier	Pathao API	Real-time tracking + webhook updates + COD settlement
Storage	AWS S3 (docs) + Cloudinary (images)	S3 for sensitive verification docs; Cloudinary for image CDN
Testing	Jest + React Testing Library	750+ tests gated in CI, enforced coverage on revenue paths

Notice what's not here: no exotic stack-of-the-week, no GraphQL, no microservices. Boring tech in the right hands is the highest-leverage approach there is.

The outcome

That's the bar.

Want a system like this?

Or read the full case study: TheSkinProof — multi-vendor verified-skincare marketplace.

Building TheSkinProof: how we shipped a 4-portal verified-skincare marketplace in 6 weeks

The brief

The shape of the system

1. The verification pipeline

2. COD fraud detection

3. The skin quiz engine

4. The four portals

5. Tests are the contract

6. Why these tech choices

The outcome

Want a system like this?

Ready to discuss your project?

Building TheSkinProof: how we shipped a 4-portal verified-skincare marketplace in 6 weeks

The brief

The shape of the system

1. The verification pipeline

2. COD fraud detection

3. The skin quiz engine

4. The four portals

5. Tests are the contract

6. Why these tech choices

The outcome

Want a system like this?

Ready to discuss your project?