Backend Engineer Interview Kit

Question 1: Explain the differences between RESTful APIs and GraphQL. When would you use one over the other?

What to Look For

• • Clear explanation of REST vs GraphQL
• • Awareness of over-fetching/under-fetching
• • Consideration of performance and complexity
• • Knowledge of real-world use cases
• • Experience implementing both

Red Flags

• • Thinks GraphQL is "always better"
• • No mention of trade-offs
• • Superficial answer
• • No implementation experience

Follow-up Questions

• • How would you cache GraphQL queries?
• • What tools would you use for documentation?
• • When might REST be the simpler option?

Question 2: How do you design a scalable authentication system for a SaaS app?

What to Look For

• • Knowledge of OAuth2, JWT
• • Awareness of session vs token-based auth
• • Handling refresh tokens
• • Security considerations (password hashing, 2FA)
• • Scalability and statelessness

Red Flags

• • Suggests storing passwords in plain text
• • No understanding of token management
• • Confuses auth with role-based access
• • No security considerations

Follow-up Questions

• • How would you handle token revocation?
• • What about single sign-on (SSO)?
• • How do you scale across microservices?

Question 3: What's the difference between SQL and NoSQL databases? Provide examples of when you would use each.

What to Look For

• • Understanding relational vs document storage
• • Knowledge of scalability trade-offs
• • Examples: PostgreSQL vs MongoDB
• • Awareness of ACID vs eventual consistency
• • Use-case driven explanation

Red Flags

• • Thinks NoSQL is "always better"
• • No understanding of consistency models
• • No real-world examples
• • Overly generic explanation

Follow-up Questions

• • When would you choose a graph database?
• • How do you design schemas for scalability?
• • Have you migrated between SQL and NoSQL?

Question 4: How do you implement rate limiting for an API?

What to Look For

• • Knowledge of token bucket, leaky bucket algorithms
• • Awareness of API gateway tools
• • Consideration of fairness and DoS prevention
• • Experience implementing with Redis or Nginx
• • Scalability considerations

Red Flags

• • Suggests only "returning errors"
• • No algorithmic awareness
• • Ignores distributed systems
• • No real implementation

Follow-up Questions

• • What tools would you use?
• • How do you handle rate limits per user vs per IP?
• • How do you communicate limits to clients?

Question 5: How do you monitor and troubleshoot a microservices architecture in production?

What to Look For

• • Knowledge of distributed tracing (Jaeger, OpenTelemetry)
• • Use of centralized logging (ELK, Datadog)
• • Metrics collection (Prometheus, Grafana)
• • Awareness of circuit breakers, retries
• • Experience with production incidents

Red Flags

• • No mention of monitoring tools
• • Focuses only on logs
• • No awareness of tracing or metrics
• • Vague experience

Follow-up Questions

• • How do you debug slow API calls?
• • What's your alerting setup?
• • How do you prioritize incidents?

Question 6: What is eventual consistency? Where would you use it in system design?

What to Look For

• • Definition of eventual consistency
• • Examples in distributed databases
• • Trade-offs vs strong consistency
• • Practical use cases (caching, messaging)
• • Understanding of CAP theorem

Red Flags

• • Thinks eventual consistency = "inconsistent"
• • No mention of CAP theorem
• • No use cases
• • Confuses with weak consistency

Follow-up Questions

• • What databases use eventual consistency?
• • When would you never accept it?
• • How do you design for user experience?

Question 7: How would you secure sensitive data in a backend service?

What to Look For

• • Encryption at rest and in transit
• • Proper use of TLS/HTTPS
• • Hashing passwords with bcrypt/argon2
• • Key management practices
• • Awareness of compliance standards

Red Flags

• • Suggests storing plain text passwords
• • No mention of encryption
• • No knowledge of key rotation
• • Vague answer

Follow-up Questions

• • How do you handle secrets in production?
• • What libraries do you use for encryption?
• • What standards do you follow?

Question 8: Explain database indexing. How do you decide which columns to index?

What to Look For

• • Understanding of B-tree/hash indexes
• • Query optimization awareness
• • Trade-offs between read/write performance
• • Compound indexes knowledge
• • Monitoring query performance

Red Flags

• • Thinks "index everything"
• • No understanding of write penalties
• • No query analysis experience
• • Confuses index types

Follow-up Questions

• • What's a covering index?
• • How do you analyze slow queries?
• • When would you remove an index?

Question 9: How do you handle database migrations in production without downtime?

What to Look For

• • Blue-green deployments understanding
• • Backwards compatible changes
• • Staged migration approach
• • Rollback strategies
• • Testing migration scripts

Red Flags

• • Suggests "just run migrations"
• • No rollback plan
• • Ignores backwards compatibility
• • No testing strategy

Follow-up Questions

• • How do you handle large data migrations?
• • What tools do you use?
• • How do you test migrations?

Question 10: What is your approach to API versioning?

What to Look For

• • URL vs header versioning
• • Deprecation strategies
• • Backwards compatibility
• • Documentation practices
• • Client communication

Red Flags

• • No versioning strategy
• • Breaks existing clients
• • No deprecation plan
• • Poor documentation approach

Follow-up Questions

• • How long do you support old versions?
• • How do you communicate changes?
• • What about internal APIs?