Backend Developer Interview Questions & Answers (2026)

Authentication verifies who you are (login, JWT validation). Authorization verifies what you're allowed to do (role-based access, permissions). A common mistake is confusing them: a valid JWT proves identity but doesn't grant access — you still need to check if that identity has permission for the requested resource.

ACID: Atomicity (a transaction completes fully or not at all), Consistency (transaction brings database from one valid state to another), Isolation (concurrent transactions don't interfere with each other), Durability (committed transactions survive system failures). These properties prevent data corruption in multi-user systems.

N+1 occurs when you fetch N records then make 1 additional query per record — e.g., fetching 100 users then 100 separate queries for their posts. Fix with: SQL JOINs, eager loading (Eloquent's `with()`, Rails' `.includes()`), GraphQL DataLoader for batching, or denormalization. Always inspect your ORM's generated SQL in development.

Key principles: use nouns for resources (not verbs), use HTTP methods semantically (GET=read, POST=create, PUT/PATCH=update, DELETE=delete), return appropriate status codes (200, 201, 400, 401, 403, 404, 500), use versioning (/v1/), implement pagination, use consistent error response format, and document with OpenAPI/Swagger.

An index is a data structure that speeds up lookups at the cost of write performance and storage. Add indexes on: columns in WHERE clauses, JOIN conditions, ORDER BY/GROUP BY, foreign keys, and high-cardinality columns used in filters. Don't index low-cardinality columns (boolean), columns rarely queried, or tables with very high write rates relative to reads.

Caching stores computed results to avoid repeating expensive work. Strategies: Cache-Aside (app checks cache before DB, writes to cache on miss — most common), Write-Through (write to cache and DB simultaneously), Write-Behind (write to cache immediately, DB asynchronously), Read-Through (cache handles DB reads). Use Redis or Memcached. Key decisions: TTL, eviction policy (LRU/LFU), cache invalidation.

Best practices: never deploy code and schema changes simultaneously (backward-compatible migrations first, then code, then cleanup); use expand-contract pattern for column renames; add NOT NULL columns with a default or in multiple steps; test migrations on a production-size snapshot; keep migrations idempotent; use tools like Flyway, Liquibase, or Rails migrations with version control.

A message queue (Kafka, RabbitMQ, SQS) decouples producers from consumers, enabling asynchronous processing. Use when: work is too slow for synchronous response (email sending, image processing), you need to absorb traffic spikes, multiple services need to react to the same event, or you need guaranteed delivery with retry logic. Trade-off: eventual consistency and increased system complexity.

Vertical scaling adds more resources to an existing server (more CPU, RAM). Simple but has an upper limit and single point of failure. Horizontal scaling adds more servers. Requires load balancing, session management (stateless design or distributed sessions), and data consistency strategy. Most modern architectures scale horizontally using containerization (Docker/Kubernetes).

Rate limiting restricts how often a client can call an API to prevent abuse and ensure fair use. Common algorithms: Token Bucket (smooth bursts), Leaky Bucket (constant rate), Fixed Window (simple but boundary bursting), Sliding Window (most accurate). Implementation: use Redis with atomic INCR/EXPIRE, or middleware like nginx's limit_req_module. Track by IP, API key, or user ID depending on context.