The JWT Interview Question Bank
jwt security interviews backend
A tiered framework of 20 questions that reveal how deeply a candidate truly understands JSON Web Tokens - from first principles to distributed systems design.
Level 1

1. What is a JWT and what problem does it solve?
2. What are the 3 parts of a JWT? What does each contain?
3. Is the JWT payload encrypted? Can anyone read it?
4. What is the difference between authentication and authorization - where does JWT fit?

Red flag: Can't explain the 3 parts of a JWT

Level 2

1. How do you validate a JWT on the server side?
2. What claims do you always check after verifying a JWT? (looking for: exp, iss, aud)
3. Where do you store JWTs on the client side - and what are the tradeoffs? (localStorage vs httpOnly cookie)
4. What happens if a JWT is stolen? How do you handle token revocation?

Red flag: Never checks exp or aud after verification

Level 3

1. What is the alg: none vulnerability? How do you prevent it?
2. What is the difference between HS256 and RS256? When would you choose one over the other?
3. What is a refresh token and why is it needed alongside a short-lived access token?
4. How would you implement token rotation with refresh tokens?

Red flag: Doesn't know the alg: none attack vector

Level 4

1. How does JWKS work and why is it useful in distributed systems?
2. What is kid and why does it matter during key rotation?
3. How would you do zero-downtime key rotation in a microservices architecture?
4. What is JWE vs JWT - when would you encrypt the payload?

Red flag: Has never heard of JWKS

Level 5

1. Design a JWT-based auth system for 10 microservices. Walk me through every component.
2. How would you handle a scenario where a private key is compromised mid-rotation?
3. What are the tradeoffs between JWT-based auth vs opaque tokens + token introspection?
4. If a high-traffic service is verifying thousands of JWTs per second, what bottlenecks would you anticipate and how would you address them?

Red flag: Can't reason about tradeoffs or design decisions

How to use this guide
Start at Level 1 regardless of their experience - how they explain basics reveals clarity of thought.
Go deeper only if they answer confidently. Never skip ahead.
A strong candidate will naturally connect answers across levels - e.g., when asked about RS256, they’ll mention JWKS without prompting.
Red flags by level:

Level 1: Can't name the 3 parts
Level 2: Never checks exp or aud
Level 3: Unaware of alg: none
Level 4: Never heard of JWKS
Level 5: Can't weigh tradeoffs
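As an added worked example (not part of the question bank), the stdlib-only Python verifier below shows the server-side checks behind the Level 2, 3 and 4 red flags in one place: the server pins the accepted algorithm so a token claiming alg: none is rejected before anything else is trusted, the key is selected by the kid header so old and new keys can overlap during rotation, the signature is compared in constant time, and exp, iss and aud are validated only after the signature holds. The key set, issuer, audience and tokens are constructed for the example, and only HS256 is implemented because the standard library has no RSA; a production service would use a maintained JWT library and load its keys from the issuer's JWKS endpoint, but the order and content of the checks are the same.

```python
"""Minimal JWS-compact (HS256) verifier illustrating the checks interviewers
probe for: alg pinning, kid-based key lookup, signature check, then claims.
Constructed example with made-up keys; not production code."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key set (kid -> secret), standing in for a JWKS.  Two keys are
# present so a rotation window (old key still valid) can be exercised.
KEYS = {
    "key-2024": b"constructed-secret-do-not-use",
    "key-2025": b"another-constructed-secret",
}
EXPECTED_ISS = "https://issuer.example"   # constructed issuer
EXPECTED_AUD = "orders-service"           # constructed audience (this service)
ALLOWED_ALGS = {"HS256"}                  # the server decides, never the token


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWTs strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, kid: str, alg: str = "HS256") -> str:
    """Mint a token. `alg` is a parameter only so tests can build tokens whose
    header lies about the algorithm (e.g. "none")."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."          # unsecured JWS: empty signature
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class InvalidToken(Exception):
    pass


def verify(token: str, now: Optional[float] = None) -> dict:
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:   # covers unpacking, base64 and JSON errors
        raise InvalidToken("malformed token") from exc

    # 1. Algorithm pinning.  The header is attacker-controlled, so the alg it
    #    names is only honoured if it is in the server's allow list.  This is
    #    the fix for alg: none and for algorithm-confusion bugs in general.
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise InvalidToken(f"algorithm {alg!r} not allowed")

    # 2. Key selection by kid, which is what makes zero-downtime rotation
    #    possible: publish the new key, start signing with it, retire the old.
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise InvalidToken("unknown kid")

    # 3. Signature over the exact base64url segments received, compared in
    #    constant time.  Nothing in the payload is trusted before this point.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")

    # 4. Claims.  A valid signature proves who minted the token, not that it
    #    is still current or was meant for this service.
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise InvalidToken("token expired or missing exp")
    if payload.get("iss") != EXPECTED_ISS:
        raise InvalidToken("unexpected issuer")
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in auds:
        raise InvalidToken("token not intended for this audience")
    return payload


def check(token: str, now: float) -> str:
    """Return 'ok' or the rejection reason; convenient for demos and tests."""
    try:
        verify(token, now)
        return "ok"
    except InvalidToken as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    claims = {"sub": "user-42", "iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "exp": now + 300}
    print(check(sign_hs256(claims, "key-2025"), now))                        # ok
    print(check(sign_hs256(claims, "key-2025", alg="none"), now))            # algorithm 'none' not allowed
    print(check(sign_hs256({**claims, "exp": now - 1}, "key-2025"), now))    # token expired or missing exp
    print(check(sign_hs256({**claims, "aud": "billing"}, "key-2025"), now))  # token not intended for this audience
```

The ordering is the point a strong candidate should articulate: nothing in the header or payload is believed until the algorithm has been pinned and the signature verified, and even then exp, iss and aud are checked explicitly, because a correctly signed token minted for another audience or long since expired is still a token to reject.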
Built for engineering interviewers. Use as a calibration tool, not a checklist - the depth of explanation matters far more than the answer itself.
📐 Want to go deeper? Check out the full system design breakdown: Build JWT Auth System at Production Scale