Learning path: apis, security, system-design
Backend API Path
Build robust API instincts: pagination, idempotency, rate limits, webhooks, OpenAPI evolution, and security checks.
Path reward: Backend Sentinel
Backend and full-stack engineers preparing for production API ownership.
Contract keeper
Design stable request and response behavior. Required clears: 2.
Abuse defender
Handle retries, signatures, limits, and spoofing. Required clears: 5.
Platform thinker
Tie API contracts to scale and operations. Required clears: 8.
Mission chain
Step 1
Warm up with cursor pagination contract
Easy APIs arena: cursor design, stable ordering, and backward compatibility
Step 2
Warm up with idempotency key design
Easy APIs arena: safe retries, request hashes, and conflict responses
Step 3
Stabilize webhook replay window defense
Medium Security Basics arena: HMAC signatures, timestamp tolerance, idempotency, and delivery dedupe
Step 4
Stabilize rate limit error envelope
Medium APIs arena: 429 responses, Retry-After, quotas, and client backoff
Step 5
Harden webhook signature verifier
Hard APIs arena: HMAC verification, replay windows, and raw body handling
Step 6
Harden RBAC admin leak closure
Hard Security Basics arena: server-side authorization, role checks, object ownership, and audit logging
Step 7
Rescue OpenAPI evolution review
Extreme APIs arena: schema compatibility, required fields, and versioning
Step 8
Master distributed rate limiter
Insane System Design arena: token buckets, sliding windows, clock drift, and tenant isolation