Code Room
On-call
Hard
oc-g364
Subject: Secret rotation
Level: Senior–Staff
~40 min
Common in Security interviews
Industries: Software development, IT services, Technology

Question

Audit logs reveal that 3 weeks ago a bug in your OAuth consent flow let a partner app whose tokens you issue request and receive **broader scopes than approved** (it asked for `read:tickets` but was granted `read:tickets admin:org` because of a scope-merge bug). ~2,000 access/refresh tokens with the over-broad scope are now live across many customer orgs; some were minted to a partner that has since had a security incident. You must claw back the excess scope without breaking the partner's legitimate `read:tickets` use, and without forcing every customer to re-consent if you can avoid it. How do you triage and remediate?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
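As an added illustration (not part of the original page or its coach material), here is the triage logic such an answer describes, in Python: a hypothetical reconstruction of the scope-merge bug beside its fix, and a partition of the live tokens into revoke, downscope and leave-alone buckets. The token and consent records are constructed sample data; `partner-a`, `partner-b`, `org-1`, `org-2` and the token ids are assumed names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    token_id: str
    client_id: str
    org: str
    kind: str           # "access" or "refresh"
    granted: frozenset  # scopes the token currently carries

# Hypothetical reconstruction of the scope-merge bug: the issued scope set was
# the union of what the app requested and everything the app is registered for.
def merge_scopes_buggy(requested, registered, consented):
    return frozenset(requested) | frozenset(registered)

# Corrected merge: never wider than requested, registered AND org-consented.
def merge_scopes_fixed(requested, registered, consented):
    return frozenset(requested) & frozenset(registered) & frozenset(consented)

def triage(tokens, consented, compromised_clients):
    """Partition live tokens: revoke (compromised client, or an access token
    carrying excess scope), downscope (refresh token narrowed to the scopes the
    org already consented to, so no re-consent is needed), or ok."""
    plan = {"revoke": [], "downscope": {}, "ok": []}
    for t in tokens:
        allowed = consented.get((t.client_id, t.org), frozenset())
        if not t.granted - allowed:
            plan["ok"].append(t.token_id)
        elif t.client_id in compromised_clients or t.kind == "access":
            plan["revoke"].append(t.token_id)
        else:
            plan["downscope"][t.token_id] = t.granted & allowed
    return plan

# Constructed sample data mirroring the scenario: two partner apps, one of
# which ("partner-b") has since had a security incident.
CONSENTED = {("partner-a", "org-1"): frozenset({"read:tickets"}),
             ("partner-b", "org-2"): frozenset({"read:tickets"})}
OVER_BROAD = frozenset({"read:tickets", "admin:org"})
TOKENS = [
    Token("rt-1", "partner-a", "org-1", "refresh", OVER_BROAD),
    Token("at-1", "partner-a", "org-1", "access", OVER_BROAD),
    Token("rt-2", "partner-b", "org-2", "refresh", OVER_BROAD),
    Token("rt-3", "partner-b", "org-2", "refresh", frozenset({"read:tickets"})),
]

def run_sample():
    return triage(TOKENS, CONSENTED, compromised_clients={"partner-b"})
```

Downscoping a refresh token only works when the token store is the source of truth for scope at refresh time; already-issued bearer access tokens cannot be narrowed in place, which is why they are revoked (or, if short-lived, allowed to expire).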
