Backend Engineering
Authentication & Authorization
6 practice questions. Free questions open a full answer guide; the rest unlock with Pro.
- Your API authenticates requests with stateless JWT access tokens that resource servers validate locally. Security asks you to support immediate logout and the ability to revoke a compromised token before it expires. Explain the tension here and how you'd design for it.
- For authenticating requests to a backend API, when would you reach for a self-contained token like a JWT versus a server-side session, and what's the main trade-off you're accepting?Go Pro
- In your microservices system, service A calls service B on behalf of an end user. How do you decide between propagating the user's token to B, issuing a separate service-to-service credential, or using mutual TLS — and what's the security risk if you get this wrong?Go Pro
- What is the difference between authentication and authorization, and where does each happen in a typical web request?Go Pro
- Why should an application never store user passwords in plain text, and what should it do instead?Go Pro
- Walk me through the difference between authentication and authorization, and where OAuth 2.0 and OpenID Connect each fit when you add 'sign in with Google' plus API access to your app.Go Pro
Want questions matched to your role? Paste a job title, job description, or CV for a personalized set, or go Pro to unlock the full bank.