My Apigee Interview Experience: Top 11 Questions Asked (With Detailed Answers)

If you're preparing for an Apigee API Management interview, this blog will give you a clear idea of the questions that are commonly asked. Recently, I attended an Apigee interview where the discussion focused on API security, caching, OAuth, JWT, traffic management, JavaScript policies, and real-world implementation scenarios.

In this blog, I'll share the questions that were asked along with the answers that helped explain each concept.

Whether you're an Apigee Developer, API Engineer, or preparing for an Apigee X interview, these questions will strengthen your fundamentals.

1. What are the types of Cache in Apigee? (Response Cache)

Caching improves API performance by reducing backend calls.

The interviewer specifically asked about Response Cache, but it's important to understand all cache-related policies in Apigee.

Response Cache

• Stores the entire backend response.
• Returns cached responses for identical requests.
• Reduces backend load.
• Improves API response time.

Example use cases:

• Product catalog
• Country list
• Currency list
• Public APIs with infrequent updates

Populate Cache

Stores custom data into the cache.

Lookup Cache

Retrieves cached data.

Invalidate Cache

Removes cached entries when data changes.

Key Benefits

• Faster APIs
• Reduced latency
• Lower backend traffic
• Better scalability

2. What is the difference between One-Way SSL and Two-Way SSL?

SSL secures communication between the client and the server.

One-Way SSL (Server Authentication)

In one-way SSL:

• Client verifies the server certificate.
• Server identity is authenticated.
• Client certificate is not required.

Flow:

Client  ---> Server
          Certificate
Client validates server certificate
Secure connection established

Common usage:

• Public REST APIs
• Websites
• Mobile applications

Two-Way SSL (Mutual TLS)

In two-way SSL:

• Client validates server certificate.
• Server validates client certificate.
• Both parties authenticate each other.

Flow:

Client <----> Server
Certificates exchanged
Both validate each other

Common usage:

• Banking APIs
• Healthcare APIs
• Government applications
• Enterprise integrations

Interview Tip

Apigee supports Mutual TLS by configuring truststores and keystores.

3. What is the difference between Authentication and Authorization?

This is one of the most frequently asked interview questions.

Authentication

Authentication verifies who you are.

Examples:

• Username & Password
• OAuth
• JWT
• Certificate Authentication

Example:

Login to Gmail

Google checks your identity.

Authorization

Authorization determines what you can access after authentication.

Example:

An Admin can:

• Create users
• Delete users
• Modify users

A Viewer can:

• Read only

Authentication happens first.

Authorization happens after authentication.

Easy way to remember:

Authentication = Identity

Authorization = Permissions

4. Difference Between Quota and Spike Arrest

Both are traffic management policies in Apigee, but they solve different problems.

Quota

Controls the total number of API requests allowed during a specific time period.

Example:

1000 requests per day

Once the limit is reached, additional requests are rejected.

Use cases:

• API subscription plans
• Rate limiting per customer
• Billing

Spike Arrest

Controls sudden bursts of traffic.

Example:

100 requests per second

If 1000 requests arrive instantly, Spike Arrest smooths the traffic.

Use cases:

• Backend protection
• Traffic smoothing
• Prevent traffic spikes

Quick Comparison

Quota	Spike Arrest
Total requests	Request rate
Time-based	Burst-based
Daily/hourly/monthly	Per second/minute
Subscription control	Backend protection

5. Difference Between JavaScript slice() and split()

split()

Converts a string into an array.

Example:

let str = "Apigee,OAuth,JWT";
str.split(",");

Output:

["Apigee","OAuth","JWT"]

slice()

Extracts part of a string or array.

Example:

let str = "Apigee";
str.slice(0,3);

Output:

Api

Difference:

split() → String → Array

slice() → Returns selected portion

6. How do you handle different Quotas for different users?

This was a scenario-based question.

Answer:

In Apigee, Quota policies can use identifiers such as:

• API Key
• Client ID
• Developer App
• Access Token
• Custom Header

Example:

Free Plan

1000 requests/day

Premium Plan

10000 requests/day

Enterprise

Unlimited

Implementation approaches:

• Different API Products with different quota limits.
• Conditional Quota policies.
• Quota based on the verified OAuth client or API key.
• Dynamic quota values using flow variables or Key-Value Maps (KVMs) when limits need to change without redeploying proxies.

This is a common real-world implementation in Apigee.

7. Difference Between OAuth and JWT

Many candidates confuse these.

OAuth is an authorization framework.

JWT is a token format.

OAuth decides:

Can this user access the API?

JWT carries user information securely.

OAuth can use:

• JWT tokens
• Opaque tokens

JWT can also be used independently.

Comparison

OAuth	JWT
Authorization framework	Token format
Grants API access	Stores claims
Supports multiple grant types	Self-contained token
Can use JWT tokens	Can work without OAuth

8. How do you Generate and Validate JWT in Apigee?

Generate JWT

Use the GenerateJWT policy.

Steps:

1. Configure issuer (iss).
2. Configure subject (sub).
3. Add claims such as roles or user ID.
4. Set expiration (exp).
5. Sign the token using a shared secret (HS256) or a private key (RS256).

Example claims:

• iss
• sub
• aud
• exp
• Custom claims like role or department

Validate JWT

Use the VerifyJWT policy.

Validation checks include:

• Signature verification.
• Expiration time.
• Issuer (iss).
• Audience (aud).
• Algorithm.
• Optional custom claims.

If validation succeeds, the request continues. Otherwise, Apigee returns an authorization error.

9. Which OAuth 2.0 Grant Types Have You Worked With?

The interviewer wanted practical experience rather than just definitions.

The most common grant types are:

Client Credentials

Best for:

• Machine-to-machine communication
• Backend services

Example:
Microservice A calling Microservice B.

Authorization Code

Best for:

• Web applications
• Applications where users log in

Most secure grant type for server-side applications.

Authorization Code with PKCE

Best for:

• Mobile apps
• Single Page Applications (SPAs)

PKCE protects against authorization code interception and is the recommended flow for public clients.

Refresh Token

Used to obtain a new access token without requiring the user to log in again.

Password Grant (Legacy)

Previously used when applications directly collected user credentials. It is now discouraged and should only be used for legacy systems.

10. Is There Any Limit on Payload Size in Apigee?

Yes.

Apigee supports large payloads, but limits depend on several factors:

• Apigee platform configuration.
• Runtime limits.
• Backend server limits.
• Load balancer or ingress configuration.
• Timeouts and memory usage.

Large payloads can increase latency and memory consumption, so they should be avoided whenever possible.

Best practices:

• Compress payloads using GZIP.
• Use pagination for large datasets.
• Stream data when supported.
• Avoid unnecessarily large request and response bodies.

11. When Would You Use OAuth and When Would You Use JWT?

This is another common interview question.

Use OAuth when:

• You need secure API authorization.
• Multiple applications consume APIs.
• Access control is required.
• Token lifecycle management (issue, revoke, refresh) is needed.

Examples:

• Banking APIs
• Enterprise APIs
• Partner APIs

Use JWT when:

• You need a compact, self-contained token.
• Stateless authentication is preferred.
• User claims need to travel with the token.
• Fast token validation without a database lookup is desired.

Examples:

• Microservices
• Single Sign-On (SSO)
• Internal APIs

In many enterprise deployments, both are used together:

• OAuth 2.0 handles authorization and access control.
• JWT is used as the format of the OAuth access token.

Final Thoughts

These were the major questions asked during my Apigee interview. While the questions focused on theory, the interviewer was equally interested in real-world implementation and scenario-based answers.

If you're preparing for an Apigee interview, focus on these core areas:

• API Security (OAuth, JWT, SSL)
• Traffic Management (Quota, Spike Arrest)
• Caching
• JavaScript Policies
• API Proxy Development
• Authentication vs Authorization
• OAuth Grant Types
• JWT Generation and Validation
• Real-world Apigee implementation scenarios

Mastering these concepts will prepare you for most Apigee Developer and API Management interviews and help you explain not just what a feature does, but why and when to use it.