Code Room
System designMedium
Question
Design API-key management and revocation for a developer platform where customers create long-lived API keys (some live for years in CI, scripts, and servers) that authenticate millions of requests/sec. Requirements: validate keys with minimal latency, let customers rotate and revoke keys instantly, scope a key to specific permissions/resources, and detect and auto-revoke a key that's been leaked publicly (e.g., committed to GitHub). Walk through how you store and validate keys, how revocation propagates fast, and the secret-storage trade-off.
What a strong answer looks like
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
Learn the concepts
Loading whiteboard…
Run or narrate your approach, then ask the coach.