InterviewStack.io LogoInterviewStack.io

Authentication and Authorization Questions

Cover core concepts and implementation trade offs for securing backend services. Candidates should demonstrate understanding of token based authentication and server side session strategies, how to securely issue and rotate credentials, techniques for revocation and refresh, secure storage of secrets, use of third party identity providers, common threat mitigations such as cross site request forgery protection and secure transmission practices, and design patterns for role based and attribute based access control. Interviewers will evaluate the candidate ability to reason about scalability and revocation trade offs and to design secure application programming interface permission checks.

EasyTechnical
63 practiced
Describe the differences between access tokens and refresh tokens: intended lifetimes, storage recommendations, attack surface, and typical use patterns in web and mobile clients. Explain why refresh tokens generally require stronger protections and how rotation reduces risk.
HardSystem Design
70 practiced
Design a token revocation system that supports immediate global revocation for compromised access and refresh tokens in a geo-distributed environment serving millions of tokens. Describe your choices for data stores, invalidation propagation (pub/sub, edge caches, bloom filters), trade-offs between immediacy and scalability, and how to handle partitions and operational complexity.
EasyTechnical
84 practiced
Explain the structure of a JSON Web Token (JWT): header, payload, signature. Describe common claims (iss, sub, aud, exp, iat, nbf, jti, scope) and what each should be used for. Discuss how to design claims to avoid over-privileging and to minimize token size for mobile and network-sensitive environments.
MediumSystem Design
84 practiced
You must choose between an OAuth2 token introspection endpoint (centralized validation) and self-contained short-lived tokens validated locally by microservices for a system processing 10k requests/sec. Discuss performance, key rotation lifecycle, revocation timeliness, caching strategies, and propose a hybrid setup that balances scalability and security.
EasyBehavioral
127 practiced
Explain the principle of least privilege and provide a concrete example applying it to API permission design for an enterprise application. Identify entities involved, the minimal permissions you would grant, how you would enforce validation, and how you'd monitor and detect over-provisioned permissions.

Unlock Full Question Bank

Get access to hundreds of Authentication and Authorization interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.