Code Room
Category: System design | Difficulty: Medium | ID: sd-g232
Subject: Token revocation | Level: Mid–Senior | Duration: ~35 min | Common in: Distributed systems interviews | Industries: Technology, Software development

Question

Design API-key management and revocation for a developer platform where customers create long-lived API keys (some live for years in CI, scripts, and servers) that authenticate millions of requests/sec. Requirements: validate keys with minimal latency, let customers rotate and revoke keys instantly, scope a key to specific permissions/resources, and detect and auto-revoke a key that's been leaked publicly (e.g., committed to GitHub). Walk through how you store and validate keys, how revocation propagates fast, and the secret-storage trade-off.

What a strong answer looks like

Clarify scale and constraints first (request rate, number of live keys, how stale a validation decision may be after a revoke). Propose a clean component breakdown, then go deep on the hard parts: the data model (what is stored for a key, and whether the secret is kept in plaintext or only as a hash), the validation hot path and its caching, how a revoke reaches every cache without waiting for a TTL to expire, and the failure modes when the key store is unreachable. Name the trade-offs you are making; for this question the central one is that storing only a hash protects customers if the key database leaks, at the cost of being able to show the key exactly once.
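The sketch below is an added worked example, not part of the original prompt or of any particular platform's code; it shows one concrete answer to the four mechanics the question asks about. The key format (a fixed `dp_` prefix, a 12-character public id, a 43-character secret), the class names and the in-memory store standing in for the database are all assumptions made for the example. The store keeps only a SHA-256 of the secret (a fast hash is appropriate because the secret is 256 bits of CSPRNG output, unlike a password), looks records up by the public id so the secret is never used as a database key, compares digests in constant time and checks scope. Revocation is an append-only log that regional validators tail, so a revoke wins after one sync rather than after a cache TTL. The leak detector greps text for the key shape and revokes only what the store confirms is a live key.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass

# Assumed key format for this example: dp_<12-char public id>_<43-char secret>.
# A fixed prefix makes leaked keys greppable; the public id lets the server find
# the record by index, so the secret itself is never a lookup key or a log field.
KEY_PREFIX = "dp"
KEY_RE = re.compile(
    r"(?<![A-Za-z0-9_-])" + KEY_PREFIX +
    r"_([A-Za-z0-9_-]{12})_([A-Za-z0-9_-]{43})(?![A-Za-z0-9_-])"
)


def _digest(secret: str) -> bytes:
    # The secret is CSPRNG output, so plain SHA-256 is the right storage hash:
    # bcrypt/argon2 only add brute-force resistance for low-entropy input and
    # would not fit a per-request latency budget at millions of checks/sec.
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class KeyRecord:
    key_id: str
    digest: bytes          # hash only: plaintext is shown once, at issue time
    scopes: frozenset
    revoked: bool = False


class KeyStore:
    """Authoritative store (stands in for the database plus its revocation log)."""

    def __init__(self):
        self._by_id = {}       # key_id -> KeyRecord
        self._events = []      # append-only log of revoked key ids

    def issue(self, scopes) -> str:
        key_id = secrets.token_urlsafe(9)    # 9 bytes -> 12 url-safe chars, public
        secret = secrets.token_urlsafe(32)   # 32 bytes -> 43 chars, never stored
        self._by_id[key_id] = KeyRecord(key_id, _digest(secret), frozenset(scopes))
        return f"{KEY_PREFIX}_{key_id}_{secret}"

    def rotate(self, key_id: str) -> str:
        # Successor with the same scopes; the old key keeps working until the
        # customer revokes it, so CI jobs can cut over without a hard cutoff.
        return self.issue(self._by_id[key_id].scopes)

    def revoke(self, key_id: str) -> None:
        rec = self._by_id.get(key_id)
        if rec is not None and not rec.revoked:
            rec.revoked = True
            self._events.append(key_id)

    def events_since(self, seq: int) -> list:
        return self._events[seq:]

    def validate(self, api_key: str, scope=None):
        m = KEY_RE.fullmatch(api_key)
        if m is None:
            return None
        rec = self._by_id.get(m.group(1))
        if rec is None or rec.revoked:
            return None
        if not hmac.compare_digest(rec.digest, _digest(m.group(2))):
            return None                          # constant-time compare
        if scope is not None and scope not in rec.scopes:
            return None
        return rec


class EdgeValidator:
    """Regional validator in front of the store. Caches positive decisions for a
    short TTL and tails the revocation log, so a revoke takes effect after one
    sync instead of after the TTL. Worst-case staleness = sync interval."""

    def __init__(self, store: KeyStore, ttl: float = 30.0):
        self.store, self.ttl, self.seq = store, ttl, 0
        self._cache = {}   # sha256(api_key) -> (key_id, scopes, expires_at)

    def sync(self) -> None:
        events = self.store.events_since(self.seq)
        for key_id in events:
            self._cache = {k: v for k, v in self._cache.items() if v[0] != key_id}
        self.seq += len(events)

    def check(self, api_key: str, scope: str, now=None) -> bool:
        now = time.monotonic() if now is None else now
        ck = _digest(api_key)                    # no plaintext keys in edge memory
        hit = self._cache.get(ck)
        if hit is not None and hit[2] > now:
            return scope in hit[1]
        rec = self.store.validate(api_key)       # the only round-trip to the store
        if rec is None:
            return False                         # negatives are not cached
        self._cache[ck] = (rec.key_id, rec.scopes, now + self.ttl)
        return scope in rec.scopes


def scan_and_revoke(store: KeyStore, text: str) -> list:
    """Leak detector: find anything shaped like one of our keys in public text
    (a commit diff, a paste), confirm it is live by validating it, and revoke.
    Shape alone is not enough; the hash check separates a real leak from a decoy."""
    revoked = []
    for m in KEY_RE.finditer(text):
        if store.validate(m.group(0)) is not None:
            store.revoke(m.group(1))
            revoked.append(m.group(1))
    return revoked
```

Two caveats a practitioner would raise in the interview: the edge cache bounds revocation latency by its sync interval, so the validator must fail closed (or fall back to the store) if it loses the revocation feed for longer than the TTL; and because the secret is never stored, rotation has to issue a successor first and revoke the old key only after the customer confirms the switch.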
