User journeys (story format)
End-to-end scenarios for Payment Reconciler in plain language—for UX and product. Uses domain vocabulary (expected/incoming transactions, merchant, matches).
Stories are user-facing: goals, what people see, and what “done” feels like. See UX overview — domain vocabulary for standard terms.
1. First time the organisation uses the product
Who: Org admin (sometimes with IT).
Story: The team wants to reconcile in a live environment, not only in test.
- They create or select a tenant, add or confirm an environment (test vs live), and land in the right context so all lists and jobs use the same scope.
- They complete tenant settings: locale and formats, matching behaviour (auto vs manual, thresholds), job schedules, and any LedgerMatch-related preferences exposed in the UI.
- Done: The tenant feels ready; people know where to add expected rows, incoming data, and colleagues.
Design notes: Onboarding wizard, persistent environment indicator, settings grouped (matching, scheduling, regional, integrations).
2. Signing in and switching context
Who: Anyone.
Story: A user opens the app and must act in the correct tenant and environment.
- They authenticate (your IdP), then pick or confirm tenant + environment (or the app derives them with a clear way to switch).
- Done: Every screen and action is scoped correctly; switching context refreshes data and prevents wrong-environment mistakes.
Design notes: Obvious scope in the header; warn before destructive actions across environments.
3. Bringing people in
Who: Org admin.
Story: Add colleagues with different access levels.
- They invite or register users and assign tenant membership per environment with a role (e.g. can configure vs read-only).
- Done: Each person sees only permitted tenants/environments and the right actions.
Design notes: Short role descriptions; read-only users never hit dead-end primary buttons.
4. Connecting data sources (incoming feed)
Who: Org admin (with credentials from finance or IT).
Story: Incoming transactions must flow in from real systems.
Paths (one or several):
- Stripe (card): Create a data source, store credentials, optional webhook secret, define field mappings, run or schedule sync, read sync logs (counts, errors, partial runs).
- EBICS (bank): Start init, bank letter step (offline), complete when the bank activates keys, run import/sync, map EBICS fields.
- CSV: Upload file (size limits clear); field mappings for
csvsource; see rows become incoming with pending status.
Done: New incoming rows appear in queues with correct merchant, amount, currency, transaction date, reference, description (and direction when relevant).
Design notes: Connection health, last sync time, plain-language errors, resume for long bank onboarding.
5. Maintaining field mappings
Who: Org admin.
Story: Raw Stripe/CSV/EBICS shapes must map cleanly to the standard incoming shape.
- They open field mappings per source, add or edit rules (merchant, amount, currency, date, reference, description, direction where supported).
- They validate with a sample row or a small test import when the UI allows.
- Done: New syncs and uploads produce trustworthy incoming rows without silent wrong fields.
Design notes: Show target field names (merchant, not “counterparty”); version or “last changed” if multiple admins edit.
6. Defining and maintaining expected transactions
Who: Reconciliation user (often with admin rights).
Story: The expected side must stay accurate for matching.
- Create rows (merchant, amount, currency, expected date, reference, description) or import in bulk if you support it.
- List / filter / search (by reference, date range, merchant).
- Edit when invoices change; delete or void when expectations are withdrawn (align with backend rules).
- Done: The candidate pool for LedgerMatch reflects reality; duplicates and stale rows are visible.
Design notes: Duplicate warnings; empty state: “Add expected transactions before matching.”
7. Entering or correcting incoming manually
Who: Reconciliation user.
Story: A payment arrived but did not come through a feed.
- They create an incoming transaction with manual source and full fields, or edit an existing incoming when policy allows (e.g. fix reference or merchant before re-matching).
- Done: Row is pending and eligible for matching.
Design notes: Clear source badge; show when edits affect existing matches.
8. Daily reconciliation: review matches
Who: Reconciliation user.
Story: Work through incoming that need a decision.
- Open a queue (e.g. pending / unmatched / “needs review”).
- Open incoming detail; see ranked matches to expected rows with confidence and explanations (amount, date, text, reference).
- Accept the correct match or reject with an optional reason; optionally trigger matching if it did not run automatically.
- Done: Incoming moves to matched when accepted; stays pending/unmatched when nothing fits or all candidates rejected.
Design notes: Side-by-side incoming vs expected; “top suggestion” vs alternatives; link to create expected or fix mapping from empty states.
9. Working from the expected side
Who: Reconciliation user.
Story: Finance starts from an invoice they know is unpaid.
- They open an expected transaction and see related matches or incoming candidates (if the UI exposes reverse navigation).
- Done: They can complete reconciliation without only scanning the incoming queue.
Design notes: If the API is incoming-centric only, surface “linked incoming” on expected detail from match data.
10. Browsing all matches
Who: Reconciliation user, read-only user.
Story: Audit or support needs to see decisions already taken or still open.
- List matches with filters (pending / accepted / rejected, by incoming or expected id).
- Open a match record for scores, timestamps, auto vs manual flags.
- Done: Questions like “who accepted this?” or “why was this rejected?” are answerable from the UI.
Design notes: Stable URLs for sharing; export optional.
11. Tuning automation (matching and jobs)
Who: Org admin.
Story: Balance automation vs risk.
- Adjust tenant settings: when matching runs (realtime / batch / hybrid), auto-match, auto-accept thresholds, “only when single candidate”, etc.
- Configure job schedules (matching batch, Stripe sync, webhook retry, cleanup retention) as your product exposes them.
- Done: Behaviour matches policy; ops can predict when work appears in queues.
Design notes: Plain-language presets (strict / balanced / manual-first); show impact preview where possible.
12. Operating jobs
Who: Org admin, sometimes reconciliation user.
Story: Background work fails or must be run ad hoc.
- List jobs by type (matching, Stripe sync, webhook retry, cleanup, …) and status.
- Open a job for error message, duration, last run.
- Trigger, cancel, or retry where supported.
- Done: Failed runs are actionable; stuck runs can be stopped.
Design notes: Link errors to data source, file, or settings.
13. Webhooks to downstream systems
Who: Org admin (with engineering).
Story: Other systems need events when matches or statuses change.
- Create / update / delete webhook definitions; set URL and secrets as required.
- Send test delivery; open delivery history (success/failure, response snippets if safe).
- Done: Integrations stay reliable; failures are visible.
Design notes: Test button prominent; last success / last failure at a glance.
14. API keys for automation
Who: Org admin, engineering.
Story: Scripts upload CSV, trigger sync, or query lists without human login.
- Create an API key (JWT required) scoped to tenant + environment; the response includes a single string
pr_<public>.<secret>— store it once; only a hash is kept server-side. - List keys (metadata, publicId only) and revoke (
DELETE) with a JWT when access must end. - Call business APIs with
X-Api-Key(or opaque Bearer) plus matchingX-Tenant-Id/X-Environment; useread/writepermissions for least privilege. - Done: Automation is auditable and least-privilege.
Design notes: Copy-once pattern; never show the full secret again after creation.
15. Managing data sources over time
Who: Org admin.
Story: Credentials rotate, connections break, or an integration is retired.
- Edit connection settings, rotate keys, disable sync without deleting history if supported.
- Delete or archive a data source when offboarding.
- Review sync logs for trends (errors creeping up).
- Done: No silent stop of feeds; admins see degradation early.
16. Exception handling and investigation
Who: Reconciliation user, read-only user.
Story: Something looks wrong—duplicate amount, wrong merchant string, missing reference.
- Filter incoming and expected lists; search by reference or amount band.
- Compare suggested match scores; reject and leave notes; add missing expected row or fix field mapping and re-run matching.
- Done: Root cause is visible (data vs rules vs mapping), not “black box.”
Design notes: Tie reject reasons to reporting or future model feedback if product supports it.
17. Read-only access
Who: Read-only user.
Story: Audit views the same truth without mutating it.
- Same lists, detail, logs, match history; create / accept / sync / settings hidden or disabled with explanation.
- Done: No accidental changes; no confusing empty permissions states.
18. Super-admin: cross-tenant operations
Who: Platform or internal support staff with the super-admin role (not tied to a single customer tenant the way org admin is).
Story: Diagnose or fix issues for any tenant without confusing one customer’s data with another’s.
- They sign in with super-admin; the UI makes them choose the active tenant and environment before opening lists or settings (their token is not “stuck” on one tenant).
- They can perform user management across tenants (e.g. assign people to a tenant/environment) where product policy allows—broader than a tenant-scoped org admin, who only manages their own organisation.
- Other screens (incoming, expected, matches, data sources, jobs, etc.) follow the same pattern: always scoped to the selected tenant + environment, with a clear indicator of which customer context is active.
- Done: Support and platform ops can act in the right tenant every time; audit and permissions still enforce who may change what.
Design notes: Persistent “acting as: [tenant] · [environment]” banner; warn before switching context with unsaved work; optional read-only support mode is a product policy choice, not an absence of super-admin.
Next step for design
Use Interaction flows for screen-level flows and Figma handoff for workshop layout.