Prev Next

API / Microservices Design Patterns Interview Questions

What is the Access Token pattern (JWT/OAuth2) for service-to-client authentication?

The Access Token pattern uses short-lived cryptographically signed tokens — most commonly JWTs issued via OAuth 2.0 / OpenID Connect — to authenticate client requests to microservices. The client authenticates once with an Authorization Server (Keycloak, Okta, Cognito) and receives a JWT. Subsequent requests carry this token; any service that holds the corresponding public key can validate it locally without calling the Auth Server on every request.

JWT structure — three Base64URL-encoded segments separated by dots (header.payload.signature):

// Header (algorithm and token type)
{ "alg": "RS256", "typ": "JWT" }

// Payload (claims)
{
  "sub": "user-42",
  "iss": "https://auth.example.com",
  "aud": "order-service",
  "exp": 1714003200,   // expiry Unix timestamp
  "scope": "orders:read orders:write"
}

// Signature: RS256(base64(header) + "." + base64(payload), privateKey)

// HTTP request
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

Validation at the receiving service (API Gateway or service itself):

  1. Decode the header to get the signing algorithm and key ID (kid).
  2. Fetch (or cache) the public key from the Auth Server's JWKS endpoint.
  3. Verify the signature using the public key.
  4. Check exp (not expired), iss (trusted issuer), and aud (this service is the intended audience).
  5. Extract sub and scope claims to enforce authorisation.

Short token lifetimes (5–15 minutes) limit the blast radius if a token is stolen. Refresh tokens (longer-lived, stored securely by the client) are exchanged for new access tokens when the old one expires, without requiring re-authentication.

Why can a JWT access token be validated locally at the receiving service without calling the Authorization Server for every request?
What are the three Base64URL-encoded parts of a JWT, in correct order?

Invest now in Acorns!!! 🚀 Join Acorns and get your $5 bonus!

Invest now in Acorns!!! 🚀
Join Acorns and get your $5 bonus!

Earn passively and while sleeping

Acorns is a micro-investing app that automatically invests your "spare change" from daily purchases into diversified, expert-built portfolios of ETFs. It is designed for beginners, allowing you to start investing with as little as $5. The service automates saving and investing. Disclosure: I may receive a referral bonus.

Invest now!!! Get Free equity stock (US, UK only)!

Use Robinhood app to invest in stocks. It is safe and secure. Use the Referral link to claim your free stock when you sign up!.

The Robinhood app makes it easy to trade stocks, crypto and more.

Webull! Receive free stock by signing up using the link: Webull signup.

More Related questions...

What is the Decompose by Business Capability pattern and how do you identify business capabilities? What is the Decompose by Subdomain pattern and how does it relate to DDD Bounded Contexts? What is the Strangler Fig pattern and when should you use it to migrate a monolith? What is the Anti-Corruption Layer (ACL) pattern in microservices? What is the Branch by Abstraction pattern for incremental migration? What is the Parallel Run pattern and how does it reduce migration risk? What is the Bulkhead decomposition pattern and how does it isolate failure domains? What is the Database per Service pattern and what problem does it solve? What is the Shared Database anti-pattern and why should it be avoided in microservices? What is the Saga pattern and how does it manage distributed transactions across microservices? What is the difference between Choreography-based and Orchestration-based Sagas? What is CQRS (Command Query Responsibility Segregation) and when should you use it? What is Event Sourcing and how does it complement CQRS? What is the API Composition pattern for querying data across services? What is the Outbox Pattern and how does it solve the dual-write problem? What is the Saga rollback / compensating transaction pattern? What is the API Gateway pattern and what responsibilities should it have versus a BFF? What is the Backend for Frontend (BFF) pattern and when does it replace a general API Gateway? What is the Service Mesh pattern and how do data-plane proxies such as Envoy implement it? What is the Message Broker pattern and how does it enable asynchronous microservice communication? What is the Request-Reply (Correlation ID) pattern for async messaging? What is the Idempotent Consumer pattern and why is it essential in event-driven systems? What is the Event-Driven Architecture pattern and how does it differ from synchronous request/response? What is Gateway Aggregation versus Gateway Routing versus Gateway Offloading? How does the Circuit Breaker pattern work and what are its three states? What is the Retry pattern with exponential backoff and jitter, and when should you NOT retry? What is the Timeout pattern and how does it prevent cascading failures? What is the Bulkhead pattern for resource isolation (thread pools, connection pools)? What is the Health Check API pattern and what should a /health endpoint return? What is the Rate Limiting pattern and what algorithms are commonly used? What is the Fallback pattern and how does it relate to the Circuit Breaker? What is the Throttling pattern and how does it differ from Rate Limiting? What is the Log Aggregation pattern and how does a centralised logging pipeline work? What is the Application Metrics pattern and what is the difference between push and pull metric collection? What is the Audit Logging pattern and what events should always be captured? What is the Distributed Tracing pattern and how do trace context headers propagate across services? What is the Access Token pattern (JWT/OAuth2) for service-to-client authentication? What is the Mutual TLS (mTLS) pattern for service-to-service authentication? What is the Secrets Management pattern and how do tools like Vault or AWS Secrets Manager implement it? What is the Sidecar pattern and what responsibilities does a sidecar container take on? What is the Ambassador pattern and how does it proxy outbound traffic for a service? What is the Adapter pattern in the context of microservice containers? What is the Canary Deployment pattern and how does it differ from Blue-Green deployment? What is the Service Registry and Discovery pattern — client-side versus server-side discovery? What is the Self Registration versus Third-Party Registration pattern for service discovery?
Show more question and Answers...

BigData

Comments & Discussions

Interviews Questions

About Javapedia.net

Javapedia.net is for Java and J2EE developers, technologist and college students who prepare of interview. Also this site includes many practical examples.

This site is developed using J2EE technologies by Steve Antony, a senior Developer/lead at one of the logistics based company.

contact: javatutorials2016[at]gmail[dot]com

Kindly consider donating for maintaining this website. Thanks.

Copyright © 2026, javapedia.net, all rights reserved. privacy policy.

DMCA.com Protection Status