If you’re preparing for an Apigee API Management interview, this blog will give you a clear idea of the questions that are commonly asked. Recently, I attended an Apigee interview where the discussion focused on API security, caching, OAuth, JWT, traffic management, JavaScript policies, and real-world implementation scenarios.
In this blog, I’ll share the questions that were asked along with the answers that helped explain each concept.
Whether you’re an Apigee Developer, API Engineer, or preparing for an Apigee X interview, these questions will strengthen your fundamentals.
Caching improves API performance by reducing backend calls.
The interviewer specifically asked about Response Cache, but it’s important to understand all cache-related policies in Apigee.
Response Cache
- Stores the entire backend response.
- Returns cached responses for identical requests.
- Reduces backend load.
- Improves API response time.
Example use cases:
- Product catalog
- Country list
- Currency list
- Public APIs with infrequent updates
Populate Cache
Stores custom data into the cache.
Lookup Cache
Retrieves cached data.
Invalidate Cache
Removes cached entries when data changes.
Key Benefits
- Faster APIs
- Reduced latency
- Lower backend traffic
- Better scalability
SSL secures communication between the client and the server.
One-Way SSL (Server Authentication)
In one-way SSL:
- Client verifies the server certificate.
- Server identity is authenticated.
- Client certificate is not required.
Flow:
Client ---> Server
Certificate
Client validates server certificate
Secure connection established
Common usage:
- Public REST APIs
- Websites
- Mobile applications
Two-Way SSL (Mutual TLS)
In two-way SSL:
- Client validates server certificate.
- Server validates client certificate.
- Both parties authenticate each other.
Flow:
Client <----> Server
Certificates exchanged
Both validate each other
Common usage:
- Banking APIs
- Healthcare APIs
- Government applications
- Enterprise integrations
Interview Tip
Apigee supports Mutual TLS by configuring truststores and keystores.
This is one of the most frequently asked interview questions.
Authentication
Authentication verifies who you are.
Examples:
- Username & Password
- OAuth
- JWT
- Certificate Authentication
Example:
Login to Gmail
Google checks your identity.
Authorization
Authorization determines what you can access after authentication.
Example:
An Admin can:
- Create users
- Delete users
- Modify users
A Viewer can:
- Read only
Authentication happens first.
Authorization happens after authentication.
Easy way to remember:
Authentication = Identity
Authorization = Permissions
Both are traffic management policies in Apigee, but they solve different problems.
Quota
Controls the total number of API requests allowed during a specific time period.
Example:
1000 requests per day
Once the limit is reached, additional requests are rejected.
Use cases:
- API subscription plans
- Rate limiting per customer
- Billing
Spike Arrest
Controls sudden bursts of traffic.
Example:
100 requests per second
If 1000 requests arrive instantly, Spike Arrest smooths the traffic.
Use cases:
- Backend protection
- Traffic smoothing
- Prevent traffic spikes
Quick Comparison
| Quota | Spike Arrest |
|---|---|
| Total requests | Request rate |
| Time-based | Burst-based |
| Daily/hourly/monthly | Per second/minute |
| Subscription control | Backend protection |
split()
Converts a string into an array.
Example:
let str = "Apigee,OAuth,JWT";
str.split(",");
Output:
["Apigee","OAuth","JWT"]
slice()
Extracts part of a string or array.
Example:
let str = "Apigee";
str.slice(0,3);
Output:
Api
Difference:
split() → String → Array
slice() → Returns selected portion
This was a scenario-based question.
Answer:
In Apigee, Quota policies can use identifiers such as:
- API Key
- Client ID
- Developer App
- Access Token
- Custom Header
Example:
Free Plan
1000 requests/day
Premium Plan
10000 requests/day
Enterprise
Unlimited
Implementation approaches:
- Different API Products with different quota limits.
- Conditional Quota policies.
- Quota based on the verified OAuth client or API key.
- Dynamic quota values using flow variables or Key-Value Maps (KVMs) when limits need to change without redeploying proxies.
This is a common real-world implementation in Apigee.
Many candidates confuse these.
OAuth is an authorization framework.
JWT is a token format.
OAuth decides:
Can this user access the API?
JWT carries user information securely.
OAuth can use:
- JWT tokens
- Opaque tokens
JWT can also be used independently.
Comparison
| OAuth | JWT |
|---|---|
| Authorization framework | Token format |
| Grants API access | Stores claims |
| Supports multiple grant types | Self-contained token |
| Can use JWT tokens | Can work without OAuth |
Generate JWT
Use the GenerateJWT policy.
Steps:
- Configure issuer (
iss). - Configure subject (
sub). - Add claims such as roles or user ID.
- Set expiration (
exp). - Sign the token using a shared secret (HS256) or a private key (RS256).
Example claims:
isssubaudexp- Custom claims like
roleordepartment
Validate JWT
Use the VerifyJWT policy.
Validation checks include:
- Signature verification.
- Expiration time.
- Issuer (
iss). - Audience (
aud). - Algorithm.
- Optional custom claims.
If validation succeeds, the request continues. Otherwise, Apigee returns an authorization error.
The interviewer wanted practical experience rather than just definitions.
The most common grant types are:
Client Credentials
Best for:
- Machine-to-machine communication
- Backend services
Example:
Microservice A calling Microservice B.
Authorization Code
Best for:
- Web applications
- Applications where users log in
Most secure grant type for server-side applications.
Authorization Code with PKCE
Best for:
- Mobile apps
- Single Page Applications (SPAs)
PKCE protects against authorization code interception and is the recommended flow for public clients.
Refresh Token
Used to obtain a new access token without requiring the user to log in again.
Password Grant (Legacy)
Previously used when applications directly collected user credentials. It is now discouraged and should only be used for legacy systems.
Yes.
Apigee supports large payloads, but limits depend on several factors:
- Apigee platform configuration.
- Runtime limits.
- Backend server limits.
- Load balancer or ingress configuration.
- Timeouts and memory usage.
Large payloads can increase latency and memory consumption, so they should be avoided whenever possible.
Best practices:
- Compress payloads using GZIP.
- Use pagination for large datasets.
- Stream data when supported.
- Avoid unnecessarily large request and response bodies.
This is another common interview question.
Use OAuth when:
- You need secure API authorization.
- Multiple applications consume APIs.
- Access control is required.
- Token lifecycle management (issue, revoke, refresh) is needed.
Examples:
- Banking APIs
- Enterprise APIs
- Partner APIs
Use JWT when:
- You need a compact, self-contained token.
- Stateless authentication is preferred.
- User claims need to travel with the token.
- Fast token validation without a database lookup is desired.
Examples:
- Microservices
- Single Sign-On (SSO)
- Internal APIs
In many enterprise deployments, both are used together:
- OAuth 2.0 handles authorization and access control.
- JWT is used as the format of the OAuth access token.
These were the major questions asked during my Apigee interview. While the questions focused on theory, the interviewer was equally interested in real-world implementation and scenario-based answers.
If you’re preparing for an Apigee interview, focus on these core areas:
- API Security (OAuth, JWT, SSL)
- Traffic Management (Quota, Spike Arrest)
- Caching
- JavaScript Policies
- API Proxy Development
- Authentication vs Authorization
- OAuth Grant Types
- JWT Generation and Validation
- Real-world Apigee implementation scenarios
Mastering these concepts will prepare you for most Apigee Developer and API Management interviews and help you explain not just what a feature does, but why and when to use it.