Question
Design a session-management service for a platform with 100M users and 300 microservices. It must validate a session on every request (2M validations/s) with under 5ms p99, support immediate revocation on logout / password change / detected compromise, allow multiple concurrent sessions per user with per-device visibility, and survive a regional outage. Threat model: stolen session tokens, token replay across regions, and an attacker trying to keep a session alive after the user revokes it. Cover the token format, the stateful-vs-stateless trade-off, revocation propagation, and multi-region behavior.
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.