Backend Developer Interview Questions

Prepare for your backend developer interview with 10 expert-curated questions and sample answers covering APIs, databases, system design, and behavioral topics.

behavioral Questions

Tell me about the most serious production incident you've owned.

behavioralintermediate

Sample Answer

A deploy introduced a connection leak that exhausted our PostgreSQL pool over four hours, taking checkout down at peak. I led the response: rolled back within minutes of paging, confirmed recovery, then traced the leak to an early-return path that skipped releasing connections. The postmortem produced three fixes — linting for unreleased resources, pool saturation alerts at 70%, and load tests in CI. We turned a bad night into systemic resilience.

Tip: Structure as detect → mitigate → root-cause → prevent. Blameless framing matters.

Describe a time you disagreed with a teammate on an architectural decision.

behavioralbeginner

Sample Answer

A teammate wanted microservices for a new product; I believed our two-person team should start with a modular monolith. Instead of debating abstractly, we wrote a one-page decision doc with criteria — team size, deploy independence needs, operational budget. The criteria made the answer obvious: monolith now with clean module boundaries that could split later. Two years on, we extracted one service exactly where the boundaries predicted.

Tip: Decision docs and explicit criteria show engineering judgment beyond the specific disagreement.

technical Questions

Design a REST API for a ride-sharing service. What endpoints and considerations matter most?

technicalintermediate

Sample Answer

Core resources: riders, drivers, rides, payments. Key endpoints follow REST semantics — POST /rides to request, GET /rides/{id} for status, PATCH for state transitions. The interesting decisions are state machine enforcement (a ride can't go completed→accepted), idempotency keys on ride creation so retries don't double-book, pagination on list endpoints, and versioning strategy from day one. Real-time location updates would go over WebSockets, not polling.

Tip: Mention idempotency and state transitions — they separate API designers from CRUD generators.

How do you diagnose and fix a slow database query?

technicalintermediate

Sample Answer

Run EXPLAIN ANALYZE and read the plan: look for sequential scans on large tables, misestimated row counts, and expensive sorts or nested loops. Fixes in order of frequency: add or fix an index matching the filter and sort, rewrite the query to avoid wrapping indexed columns in functions, update statistics, or restructure with materialized views for heavy aggregations. Then verify under production-like data volume — a query that's fast on staging's 10K rows can crawl on 100M.

Tip: Walking through an actual EXPLAIN plan reading proves hands-on depth instantly.

Explain database transactions and isolation levels. When have they mattered in your work?

technicaladvanced

Sample Answer

Transactions group operations atomically; isolation levels trade consistency for concurrency — read uncommitted through serializable. In practice the defaults bite you: at read committed, two concurrent balance updates can race. I hit this in a payments flow where double-submitted refunds occasionally both succeeded; we fixed it with SELECT FOR UPDATE row locking plus an idempotency constraint. Knowing when the default isn't enough is the real skill.

Tip: A war story involving money and race conditions is the strongest possible answer here.

When would you choose a message queue over a synchronous API call?

technicalintermediate

Sample Answer

When the caller doesn't need the result to proceed, when the downstream is slower or less reliable than my SLA allows, or when I need to absorb bursts. Order confirmation emails, analytics events, and image processing are classic queue work. The trade-offs I accept: eventual consistency, duplicate delivery requiring idempotent consumers, and harder debugging — so I keep synchronous paths for anything the user waits on.

Tip: Listing the costs of queues, not just the benefits, demonstrates production maturity.

How do you secure a public-facing API?

technicalintermediate

Sample Answer

Layers: TLS everywhere, short-lived tokens (JWT or opaque) with proper authorization checks on every resource — not just authentication, input validation and parameterized queries against injection, rate limiting per client, and security headers. The bug class I actively hunt is broken object-level authorization: checking the user is logged in but not that they own resource 123. It's the most common real-world API vulnerability.

Tip: Naming IDOR/BOLA as the top practical risk aligns with OWASP API Top 10 — interviewers notice.

How do you approach API versioning and breaking changes?

technicalbeginner

Sample Answer

Avoid breaking changes first: additive evolution — new optional fields, new endpoints — covers most needs. When a break is unavoidable, version explicitly (URL or header), run both versions with deprecation headers and dates, monitor old-version usage to know when retirement is safe, and communicate with consumers early. The version number is the easy part; the migration choreography is the actual work.

Tip: Emphasize the deprecation lifecycle — most candidates stop at 'put v1 in the URL'.

What do you monitor on a backend service, and what alerts wake you up?

technicalintermediate

Sample Answer

The four golden signals: latency (p95/p99, not averages), traffic, error rate, and saturation — CPU, memory, connection pools, queue depth. Pages fire only on user-impacting symptoms tied to SLOs: error budget burn, p99 over threshold sustained. Cause-based alerts like high CPU go to a dashboard, not a pager. Alert fatigue is a reliability risk in itself, so every page must be actionable.

Tip: 'Symptom-based pages, cause-based dashboards' is the SRE-aligned answer that lands well.

situational Questions

How would you handle a sudden 10x traffic spike on your API?

situationaladvanced

Sample Answer

Immediate: confirm autoscaling is keeping up, enable aggressive caching on hot read endpoints, and shed load gracefully — rate limit by client, return 429s with Retry-After, and degrade non-critical features behind flags. The database is usually the real bottleneck since it doesn't scale horizontally as easily, so read replicas and connection pooling matter most. Afterward: load test to find the next ceiling before traffic does.

Tip: Showing you protect the database — the hardest layer to scale — marks the experienced answer.

Preparation Tips

1

Practice system design at the scale the role implies — a startup's loop differs from FAANG's; calibrate.

2

Be ready to write SQL with joins, aggregations, and indexing reasoning — it appears in most backend loops.

3

Prepare your incident story with the detect→mitigate→prevent arc before you walk in.

4

Review the company's API docs if public; commenting on their actual design choices impresses.

5

Know concurrency fundamentals in your primary language — race conditions and locking come up constantly.

Practice Backend Developer Interview Questions

Get AI-powered feedback on your answers and ace your next interview.

Start Interview Prep

Related Interview Questions

Software Engineer

Prepare for your software engineer interview with 10 expert-curated questions and sample answers covering coding, system design, and behavioral topics.

DevOps Engineer

Ace your DevOps engineer interview with 10 targeted questions and sample answers on CI/CD, infrastructure as code, containerization, and incident response.

Full Stack Developer

Prepare for your full stack developer interview with 10 expert-curated questions and sample answers covering frontend, backend, databases, and delivery.