Your API authenticates requests with stateless JWT access tokens that resource servers validate locally. Security asks you to support immediate logout and the ability to revoke a compromised token before it expires. Explain the tension here and how you'd design for it.

technical-conceptual · Senior level · software-engineering

What the interviewer is really asking

Assesses understanding of the fundamental trade-off between stateless JWT validation and revocation — whether the candidate sees that 'stateless' and 'instantly revocable' are in tension and can design a balanced solution (short TTLs, refresh-token rotation, a denylist) rather than ignoring one side.

What to say

What to avoid

Example answers

Strong: The tension is that JWTs are validated locally precisely so we don't hit the issuer per request, which is the same reason there's no built-in 'revoke now.' My default is short access TTLs — say 5–15 minutes — with rotating refresh tokens, so a stolen access token dies fast and a stolen refresh token is single-use and detectable on reuse. When security genuinely needs instant kill, I add a jti denylist in Redis checked on each request, and I'm explicit that this trades pure statelessness for immediacy, so I'd apply it broadly only if the threat model justifies the lookup.

Weak: JWTs already support revocation — we just delete the token on the client when the user logs out, and we can set a long expiry so users don't have to log in often. If one is stolen we change the signing key.

Want questions matched to your role? Paste a job title, job description, or CV and get a personalized set, or go Pro to unlock the full bank.