Backend Developer
This Backend Developer interview question bank covers 15 questions across API design, Database, System design, Scalability, Debugging, Security. Each one mirrors a entry to mid level screen, so you can rehearse the exact areas a hiring panel digs into and walk in ready.
What this interview tests
- API design
- Database
- System design
- Scalability
- Debugging
- Security
Backend Developer interview questions
- Question 1Focus area: API design
Walk me through how you would design a REST API for a multi-tenant SaaS application. What key decisions would you make early on?
What a strong answer covers
A strong answer covers tenant isolation strategies (schema-per-tenant vs row-level), URL or header-based versioning, pagination design, consistent error envelope, authentication/authorization separation. Be ready to discuss: How would you isolate tenant data at the API layer? What versioning strategy would you choose, and why? How would you handle breaking changes for existing consumers?
- Question 2Focus area: Database
Tell me about a time you had to optimize a slow database query in production. What was the situation, and how did you diagnose it?
What a strong answer covers
A strong answer covers use of EXPLAIN/ANALYZE, understanding of index types (B-tree, GIN, partial), awareness of N+1 queries, mention of query plan caching, load testing after the fix. Be ready to discuss: What tools did you use to identify the bottleneck? How did you verify that your fix didn't introduce regressions?
- Question 3Focus area: System design
How would you design the backend for a real-time notification system that needs to support millions of users? Walk me through the architecture.
What a strong answer covers
A strong answer covers message queue choice (Kafka, RabbitMQ, Redis Streams), fan-out strategies, persistence of undelivered messages, connection management, horizontal scaling of stateful WebSocket servers via sticky sessions or pub/sub. Be ready to discuss: How would you handle users who are offline when a notification fires? What would your retry and dead-letter strategy look like? How would you scale the WebSocket layer horizontally?
- Question 4Focus area: Scalability
Explain how you would implement rate limiting for a public API. What approaches have you used or considered?
What a strong answer covers
A strong answer covers token bucket vs sliding window algorithms, Redis-backed distributed counters, proper HTTP 429 responses with Retry-After header, differentiation between authenticated and anonymous limits. Be ready to discuss: How would you handle rate limiting in a distributed environment with multiple server instances? What would you communicate to the client when they hit the limit?
- Question 5Focus area: Debugging
Describe a production incident you helped debug where the root cause turned out to be different from the initial symptoms. How did you work through it?
What a strong answer covers
A strong answer covers structured incident response, use of logs/metrics/traces, hypothesis-driven debugging, blameless post-mortem culture, concrete preventive measures (alerts, circuit breakers, better tests). Be ready to discuss: What observability tools did you rely on? How did you prevent the same class of issue from recurring?
- Question 6Focus area: Security
How do you approach securing an API that handles sensitive user data? What are the layers of defense you'd put in place?
What a strong answer covers
A strong answer covers input validation (allowlists over denylists), parameterized queries/ORM usage, authentication vs authorization, OWASP Top 10 awareness, secrets management (vault, env-based), encryption at rest and in transit. Be ready to discuss: How would you protect against SQL injection and mass-assignment vulnerabilities? What is your strategy for managing secrets and credentials in a deployed service?
- Question 7Focus area: System design
You need to migrate a monolithic backend to microservices. How would you decide what to extract first, and how would you manage the transition?
What a strong answer covers
A strong answer covers domain-driven bounded contexts, strangler fig pattern, API gateway, event-driven communication for data sync, incremental migration with feature flags, avoiding distributed monolith. Be ready to discuss: How would you handle data that's shared between the monolith and the new service? What patterns would you use to keep the system working during the migration?
- Question 8Focus area: Database
How would you design a database schema for a content platform where users can create posts, comment on them, and follow other users? Walk me through your table design.
What a strong answer covers
A strong answer covers normalized schema with clear foreign keys, junction table for follows, composite indexes on (user_id, created_at), fan-out-on-write vs fan-out-on-read for feeds, pagination strategy (keyset vs offset). Be ready to discuss: How would you generate a personalized feed efficiently? What indexing strategy would you use for the follows and comments tables?
- Question 9Focus area: API design
Tell me about a time you had to choose between building a feature quickly and building it 'the right way.' What trade-offs did you make?
What a strong answer covers
A strong answer covers pragmatism, ability to articulate trade-offs clearly, evidence of tracking tech debt, awareness of when shortcuts become costly, stakeholder communication skills. Be ready to discuss: How did you communicate the trade-offs to stakeholders? Did you ever go back and address the technical debt?
- Question 10Focus area: API design
How would you implement an idempotent payment processing endpoint? What failure scenarios do you need to handle?
What a strong answer covers
A strong answer covers idempotency keys stored server-side, exactly-once semantics via unique constraints, state machine for payment status, handling gateway timeouts with reconciliation jobs, transactional outbox pattern. Be ready to discuss: How would you handle a case where the payment gateway times out? What role does an idempotency key play in your design?
- Question 11Focus area: Debugging
Describe your approach to writing integration tests for a backend service that depends on a database, a cache, and an external API.
What a strong answer covers
A strong answer covers test containers or in-memory databases, clear test isolation, fixture management, mocking external APIs at the HTTP boundary (not deep mocks), CI stability practices, test pyramid awareness. Be ready to discuss: When would you use mocks versus real dependencies in tests? How do you handle flaky tests in CI?
- Question 12Focus area: Scalability
What strategies do you use to handle background jobs and async processing in a backend system? Give me a concrete example.
What a strong answer covers
A strong answer covers task queue selection (Celery, Sidekiq, Bull), exactly-once vs at-least-once semantics, dead-letter queues, job idempotency, monitoring dashboards, exponential backoff for retries. Be ready to discuss: How do you ensure a job isn't processed twice? How do you monitor and alert on failed jobs?
- Question 13Focus area: Scalability
How would you implement a caching layer for an API that serves data which changes infrequently but is read thousands of times per second?
What a strong answer covers
A strong answer covers cache-aside vs write-through patterns, TTL strategies, cache stampede prevention (locking, early recompute), graceful degradation, multi-layer caching (CDN, application, database query cache). Be ready to discuss: How would you handle cache invalidation when the underlying data changes? What happens if your cache goes down entirely?
- Question 14Focus area: Security
Explain how you would implement role-based access control (RBAC) in a backend service. How does it differ from attribute-based access control?
What a strong answer covers
A strong answer covers roles vs permissions separation, middleware/decorator-based enforcement, resource-level ownership checks, ABAC for dynamic policies, principle of least privilege, audit logging of access decisions. Be ready to discuss: How would you handle permissions that depend on the resource owner? Where would you enforce authorization checks in your codebase?
- Question 15Focus area: Debugging
You receive a report that your API's P99 latency has spiked from 200ms to 2 seconds. Walk me through your investigation process.
What a strong answer covers
A strong answer covers systematic approach (check metrics, correlate with deploys, isolate components), distributed tracing, database slow query log analysis, connection pool saturation checks, short-term mitigations (circuit breakers, shedding load, rollback). Be ready to discuss: How would you determine whether the issue is in your code, the database, or a downstream service? What short-term mitigation would you apply while investigating?
Questions asked in almost every interview
Ready to practice for real?
Rehearse these Backend Developer questions out loud with an AI interviewer that speaks Arabic and English, then get instant feedback on your answers.
Practice with AI, start free