Rate limiting: algorithm choice matters — token bucket (burst friendly) vs sliding window (exact over the trailing interval, no boundary burst) vs leaky bucket (strict constant output)
Auth at gateway: validate tokens at the edge, not in every service — but do not move business logic to the gateway
Request transformation: header injection, path rewriting, body transformation — each has a performance cost
Gateway selection: Kong (plugin ecosystem, open source) vs Apigee (analytics, GCP-native) vs AWS API GW (Lambda integration)
1 / 5
The interviewer asks: "Explain the differences between token bucket, leaky bucket, and sliding window rate limiting algorithms. When do you use each?" Which answer is most precise?
Option B is the strongest. It explains the mechanics of each algorithm, names the traffic-shaping characteristic of each (burst-friendly, strict constant output, precise fairness), gives a concrete use case for each, and names a specific failure mode of an alternative (a fixed window admits up to twice the limit in a burst that straddles the window boundary). Option A claims the choice does not matter — wrong; the algorithm determines the traffic shape. Option C moves rate limiting into the application layer — valid, but it defeats the purpose of centralised enforcement at the gateway. Option D delegates the algorithm choice to the vendor without understanding what is being chosen.
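The four algorithms the answer contrasts, side by side on one burst that straddles a window boundary. This is an added example, not code from the page; the 10 req/s limit, the 20-request burst profile and the millisecond clock are constructed for the demonstration.

```python
"""Four rate-limiting algorithms against the same boundary burst, 10 req/s each.
Added example, not from the page. Time is integer milliseconds injected by the
caller so the run is deterministic; a gateway would use time.monotonic_ns()."""
from collections import deque

MS = 1000  # milliseconds per second


class FixedWindow:
    """Counter reset every whole window. Cheap, but a burst straddling the
    boundary admits up to 2x the limit inside a fraction of one window."""

    def __init__(self, limit, window_ms=MS):
        self.limit, self.window_ms = limit, window_ms
        self.window, self.count = None, 0

    def allow(self, now_ms):
        window = now_ms // self.window_ms
        if window != self.window:
            self.window, self.count = window, 0
        if self.count >= self.limit:
            return False
        self.count += 1
        return True


class SlidingWindowLog:
    """Exact count over the trailing window; memory is O(limit) per key."""

    def __init__(self, limit, window_ms=MS):
        self.limit, self.window_ms, self.log = limit, window_ms, deque()

    def allow(self, now_ms):
        while self.log and self.log[0] <= now_ms - self.window_ms:
            self.log.popleft()
        if len(self.log) >= self.limit:
            return False
        self.log.append(now_ms)
        return True


class TokenBucket:
    """Refills rate_per_s tokens per second up to capacity; a full bucket admits
    a burst of `capacity` at once. Kept in millitokens so the integer arithmetic
    is exact: elapsed_ms * rate_per_s millitokens per refill."""

    def __init__(self, rate_per_s, capacity, now_ms=0):
        self.rate, self.capacity_m = rate_per_s, capacity * MS
        self.tokens_m, self.last = self.capacity_m, now_ms

    def allow(self, now_ms, cost=1):
        self.tokens_m = min(self.capacity_m, self.tokens_m + (now_ms - self.last) * self.rate)
        self.last = now_ms
        if self.tokens_m < cost * MS:
            return False
        self.tokens_m -= cost * MS
        return True


class LeakyBucket:
    """Queue drained one request per interval: output never exceeds the rate no
    matter how the input arrives. Rejects when the wait would reach `capacity`
    intervals; `releases` records when each admitted request leaves the queue."""

    def __init__(self, rate_per_s, capacity):
        self.interval, self.capacity = MS // rate_per_s, capacity
        self.next_free, self.releases = 0, []

    def allow(self, now_ms):
        release = max(now_ms, self.next_free)
        if release - now_ms >= self.capacity * self.interval:
            return False
        self.next_free = release + self.interval
        self.releases.append(release)
        return True


def boundary_burst():
    """Constructed traffic: 10 requests in the last 100 ms of second 0 and 10 in
    the first 100 ms of second 1, i.e. 20 requests inside 190 ms."""
    return [900 + 10 * i for i in range(10)] + [1000 + 10 * i for i in range(10)]


def admitted(limiter, times):
    return sum(1 for t in times if limiter.allow(t))


def compare():
    times, leaky = boundary_burst(), LeakyBucket(rate_per_s=10, capacity=5)
    return {
        "fixed_window": admitted(FixedWindow(10), times),          # 20: boundary burst
        "sliding_window": admitted(SlidingWindowLog(10), times),   # 10: exact
        "token_bucket": admitted(TokenBucket(10, 10), times),      # 11: burst + one refill
        "leaky_bucket": admitted(leaky, times),                    # 7: queue fills up
        "leaky_release_gap_ms": sorted({b - a for a, b in zip(leaky.releases, leaky.releases[1:])}),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:22} {value}")
```

The fixed window admits all 20 requests (twice the limit inside 190 ms), the sliding-window log admits exactly 10, the token bucket admits 11 (the burst plus one refilled token), and the leaky bucket admits 7 but releases them exactly 100 ms apart, which is the "strict constant output" the answer refers to. In a real gateway each limiter is keyed per consumer or per route, and the sliding-window log is usually replaced by a sliding-window counter to bound memory.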
2 / 5
The interviewer asks: "How do you implement authentication at an API gateway without creating a tight coupling between the gateway and your identity provider?" Which answer shows the most resilient design?
Option C is the strongest. It describes JWT with local JWKS verification (decouples per-request validation from IdP availability), explains key-rotation handling (cache both the outgoing and the incoming key during the transition), addresses the revocation problem (lightweight introspection with a short-lived cache), and quantifies the downtime tolerance (the JWT lifetime). Option A creates a hard synchronous dependency on the IdP — a single point of failure. Option B uses database-backed sessions — the database becomes the dependency, and the lookup is slower per request than JWT verification. Option D uses API keys — simple, but they carry no claims, expiry or user identity; appropriate for machine-to-machine traffic, not user auth.
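The design the answer describes, reduced to a runnable model: local verification against a cached key set looked up by kid, a rotation where the IdP publishes the new key while the old one stays valid, and a cached introspection call for revocation that tolerates an IdP outage. This is an added example and not the page's or any vendor's code; FakeIdP, GatewayVerifier, the issuer and audience strings, the cache TTLs and the use of HS256 are assumptions made so the block runs on the standard library alone.

```python
"""Gateway-side JWT validation with a JWKS cache, key rotation and a cached revocation check.
Added example, not the page's code. HS256 keeps it stdlib-only; a real gateway pins RS256/ES256
and fetches the IdP's public keys, so FakeIdP only stands in for that. Time (s) is injected."""
import base64
import hmac
import json

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims, kid, key):  # IdP side; used only to build the sample tokens
    head = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode()) + "." + b64url(json.dumps(claims).encode())
    return head + "." + b64url(hmac.new(key, head.encode(), "sha256").digest())

class FakeIdP:  # stand-in identity provider: key-set endpoint plus token introspection
    def __init__(self, keys):
        self.keys, self.revoked, self.down = dict(keys), set(), False
        self.jwks_fetches = self.introspections = 0

    def jwks(self):
        self.jwks_fetches += 1
        return dict(self.keys)

    def introspect(self, jti):
        if self.down:
            raise ConnectionError("idp unreachable")
        self.introspections += 1
        return jti not in self.revoked

class GatewayVerifier:
    JWKS_TTL, MIN_REFRESH, REVOCATION_TTL = 300, 5, 30  # seconds; assumed values
    def __init__(self, idp, issuer, audience):
        self.idp, self.issuer, self.audience = idp, issuer, audience
        self.keys, self.fetched_at, self.verdicts = {}, None, {}  # verdicts: jti -> (active, checked_at)

    def _key(self, kid, now):
        stale = self.fetched_at is None or now - self.fetched_at >= self.JWKS_TTL
        # An unknown kid usually means rotation: refetch, but rate-limited so junk kids cannot hammer the IdP.
        if stale or (kid not in self.keys and now - self.fetched_at >= self.MIN_REFRESH):
            self.keys, self.fetched_at = self.idp.jwks(), now
        return self.keys.get(kid)

    def _active(self, jti, now):
        cached = self.verdicts.get(jti)
        if cached and now - cached[1] < self.REVOCATION_TTL:
            return cached[0]
        try:
            active = self.idp.introspect(jti)
        except ConnectionError:  # policy assumption: reuse a stale verdict, else accept; exp bounds the exposure
            return cached[0] if cached else True
        self.verdicts[jti] = (active, now)
        return active

    def verify(self, token, now):  # -> (accepted, reason); order: shape, alg, kid, signature, claims, revocation
        try:
            h64, p64, s64 = token.split(".")
            header, claims, sig = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64)), b64url_decode(s64)
            alg, kid, aud = header["alg"], header.get("kid"), claims.get("aud", [])
        except (ValueError, TypeError, KeyError, AttributeError):  # wrong shape, bad base64/JSON, non-object parts
            return False, "malformed"
        if alg != "HS256":  # pin the algorithm; the token does not get to choose it
            return False, "alg not allowed"
        key = self._key(kid, now)
        if key is None:
            return False, "unknown kid"
        if not hmac.compare_digest(hmac.new(key, f"{h64}.{p64}".encode(), "sha256").digest(), sig):
            return False, "bad signature"
        if claims.get("iss") != self.issuer or self.audience not in ([aud] if isinstance(aud, str) else aud):
            return False, "wrong issuer/audience"
        if claims.get("exp", 0) <= now:
            return False, "expired"
        if not self._active(claims.get("jti"), now):
            return False, "revoked"
        return True, "ok"

def scenario():  # constructed walk-through -> ([(label, accepted, reason)], jwks fetches, introspections)
    k1, k2, evil = b"k1-" + b"a" * 29, b"k2-" + b"b" * 29, b"attacker"
    idp = FakeIdP({"k1": k1})
    gw = GatewayVerifier(idp, "https://idp.example", "orders-api")
    tok = lambda kid, key, jti, exp=300: sign_jwt({"iss": gw.issuer, "aud": "orders-api", "jti": jti, "exp": exp}, kid, key)
    out = [("k1 token", *gw.verify(tok("k1", k1, "a1"), 0))]
    idp.keys["k2"] = k2  # rotation: IdP publishes k2 and keeps k1 for the overlap
    out += [("k2 after rotation", *gw.verify(tok("k2", k2, "b1"), 10)),
            ("k1 still valid", *gw.verify(tok("k1", k1, "a1"), 12)),
            ("unknown kid, refresh rate-limited", *gw.verify(tok("k9", evil, "x1"), 13)),
            ("forged signature", *gw.verify(tok("k1", evil, "x2"), 14)),
            ("alg none", *gw.verify(b64url(b'{"alg":"none"}') + "." + tok("k1", k1, "x").split(".")[1] + ".", 15)),
            ("c1 active", *gw.verify(tok("k2", k2, "c1"), 20))]
    idp.revoked.add("c1")
    out += [("c1 stale cached verdict", *gw.verify(tok("k2", k2, "c1"), 40)),
            ("c1 rechecked", *gw.verify(tok("k2", k2, "c1"), 55))]
    idp.down = True
    out += [("c1 during outage", *gw.verify(tok("k2", k2, "c1"), 56)),
            ("d1 during outage", *gw.verify(tok("k2", k2, "d1"), 57)),
            ("expired", *gw.verify(tok("k1", k1, "a1"), 300))]
    return out, idp.jwks_fetches, idp.introspections
```

Across the whole walk-through the gateway fetches the key set twice (start-up and the rotation) and calls introspection four times; every other decision is local. The one point the answer leaves implicit is what to do when introspection is unreachable: the block reuses a cached verdict if it has one and otherwise accepts, so a revoked token can survive for at most its remaining lifetime. Whether that is acceptable is a policy decision to make explicitly, not a default to inherit.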
3 / 5
The interviewer asks: "Describe a complex request transformation you have implemented at the gateway layer. What were the trade-offs?" Which answer is most technically detailed?
Option B is the strongest. It describes a complex real-world transformation scenario (three backend types unified), names the four transformation types (protocol, header enrichment, schema normalisation, error translation), quantifies the latency cost (2-5ms, SOAP being most expensive), and names all three trade-offs (complexity, latency, coupling) with their mitigations (test harness, decision record). Option A describes path rewriting — a simple transformation, not a complex one. Option C avoids the question. Option D is the minimum viable transformation, not a complex case.
4 / 5
The interviewer asks: "How do you manage traffic between multiple backend versions during an API migration?" Which answer is most operationally complete?
Option B is the strongest. It describes five traffic-management techniques for a migration: header-based opt-in routing, weighted splitting with automatic rollback when the error rate crosses a threshold, consumer-based routing for SLA customers, deprecation tracking per consumer, and graceful cutover with a 410 Gone response for the retired version. That is the complete migration playbook. Option A is a big-bang cutover with manual rollback — high risk. Option C uses DNS-based separation — it works, but allows neither gradual migration nor per-consumer routing. Option D uses query parameters for versioning — generally discouraged (parameters should not change resource identity); header versioning is preferred.
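The five techniques from the answer as one routing model, added here as an example (not the page's code): header opt-in, a weighted split that is sticky per consumer, pinning for SLA customers, automatic rollback on the v2 error rate, per-consumer deprecation tracking and a 410 after the sunset date. The header name, the 5% threshold, the 20-sample minimum, the consumer identifiers and the sunset timestamp are assumptions.

```python
"""Traffic management for a v1 -> v2 API migration, modelled at the gateway.
Added example, not code from the page. The opt-in header name, the 5% 5xx
rollback threshold and the post-sunset behaviour are assumptions for the demo."""
import hashlib
from collections import Counter

VERSION_HEADER = "x-api-version"  # assumed opt-in header; header names taken as lower-cased


class MigrationRouter:
    def __init__(self, v2_percent, pinned, sunset_ms, error_threshold=0.05, min_samples=20):
        self.v2_percent = v2_percent          # weighted split for unpinned consumers
        self.pinned = dict(pinned)            # consumer -> version for SLA customers
        self.sunset_ms = sunset_ms            # after this, explicit v1 requests get 410 Gone
        self.error_threshold, self.min_samples = error_threshold, min_samples
        self.v2_total = self.v2_errors = 0
        self.rolled_back = False
        self.v1_usage = Counter()             # deprecation tracking per consumer

    @staticmethod
    def bucket(consumer):
        """Stable 0..99 bucket so a consumer does not flip versions between requests."""
        return int(hashlib.sha256(consumer.encode()).hexdigest(), 16) % 100

    def route(self, consumer, headers, now_ms):
        """Return "v1", "v2" or "410" (the status to answer with) for one request."""
        requested = headers.get(VERSION_HEADER)
        if now_ms >= self.sunset_ms:
            return "410" if requested == "v1" else "v2"
        if requested in ("v1", "v2"):
            version = requested  # explicit opt-in/opt-out is honoured even during a rollback
        elif consumer in self.pinned:
            version = self.pinned[consumer]
        elif not self.rolled_back and self.bucket(consumer) < self.v2_percent:
            version = "v2"
        else:
            version = "v1"
        if version == "v1":
            self.v1_usage[consumer] += 1
        return version

    def record_v2(self, status):
        """Feed v2 response codes back; trips automatic rollback once the 5xx rate exceeds the threshold."""
        self.v2_total += 1
        if status >= 500:
            self.v2_errors += 1
        if self.v2_total >= self.min_samples and self.v2_errors / self.v2_total > self.error_threshold:
            self.rolled_back = True
        return self.rolled_back

    def deprecation_report(self, n=3):
        """Who is still calling v1, most active first: the list to chase before sunset."""
        return self.v1_usage.most_common(n)


def demo():
    """Constructed walk-through of one migration; returns the routing decisions as a dict."""
    router = MigrationRouter(v2_percent=20, pinned={"acme-sla": "v1"}, sunset_ms=1_000_000)
    ids = [f"consumer-{i}" for i in range(1000)]
    split = Counter(router.route(c, {}, 0) for c in ids)
    out = {"v2_share": split["v2"],  # roughly 200 of 1000 with a 20% weight
           "sticky": all(router.route(c, {}, 0) == router.route(c, {}, 1) for c in ids[:50])}
    for _ in range(5):
        out["pinned"] = router.route("acme-sla", {}, 0)
    out["opt_in"] = router.route("acme-sla", {VERSION_HEADER: "v2"}, 0)
    canary = next(c for c in ids if router.bucket(c) < 20)
    out["before_rollback"] = router.route(canary, {}, 0)
    for status in [200] * 20 + [500, 503]:  # 2 errors in 22 = 9%, above the 5% threshold
        router.record_v2(status)
    out["rolled_back"] = router.rolled_back
    out["after_rollback"] = router.route(canary, {}, 0)
    out["opt_in_during_rollback"] = router.route(canary, {VERSION_HEADER: "v2"}, 0)
    out["after_sunset_v1"] = router.route(canary, {VERSION_HEADER: "v1"}, 2_000_000)
    out["after_sunset_default"] = router.route("anyone", {}, 2_000_000)
    out["top_v1_consumer"] = router.deprecation_report(1)[0][0]
    return out
```

Two design points worth noticing: the weighted split hashes the consumer id rather than drawing a random number, so a consumer does not bounce between versions on consecutive calls, and the automatic rollback only disables the weighted split while an explicit opt-in header still reaches v2, so the team can keep debugging the new version while everyone else is safely back on v1.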
5 / 5
The interviewer asks: "Compare Kong and Apigee for enterprise API gateway selection. When would you choose each?" Which answer demonstrates the most balanced judgement?
Option C is the strongest. It characterises each gateway along consistent dimensions (architecture, deployment model, cost, ideal team profile), names specific differentiating capabilities (Kong: plugins, multi-cloud; Apigee: analytics, monetisation, developer portal), provides three concrete decision criteria with conditions, and names anti-patterns for each (Apigee for internal-only APIs, self-managed Kong without a platform team). Option A uses only open source vs proprietary as the axis — oversimplified. Option B expresses a preference without criteria. Option D avoids making a recommendation — unhelpful in an interview.