
API authentication (OAuth, JWT, API keys) in HLD - Architecture Diagram

System Overview - API authentication (OAuth, JWT, API keys)

This system secures API access using three common methods: OAuth for delegated access, JWT for stateless token validation, and API keys for simple client identification. It ensures only authorized users or applications can use the API, protecting resources and data.

Architecture Diagram
User
  |
  v
Load Balancer
  |
  v
API Gateway
  |
  +-------------------------+
  |                         |
  v                         v
Auth Service             Resource Service
  |                         |
  v                         v
Token Store (DB)         Data Store (DB)
  |
  v
Cache (for tokens)

Components

User (client): Initiates API requests with authentication credentials
Load Balancer (load_balancer): Distributes incoming API requests evenly to API Gateway instances
API Gateway (api_gateway): Central entry point that validates authentication and routes requests
Auth Service (service): Handles OAuth flows, issues JWT tokens, and validates API keys
Token Store (DB) (database): Stores OAuth tokens and API key metadata securely
Cache (for tokens) (cache): Caches token validation results for faster authentication checks
Resource Service (service): Processes authorized API requests and accesses protected data
Data Store (DB) (database): Stores the actual protected resources and application data

Request Flow - 14 Hops

1. User -> Load Balancer
2. Load Balancer -> API Gateway
3. API Gateway -> Cache (for tokens)
4. Cache (for tokens) -> API Gateway
5. API Gateway -> Auth Service
6. Auth Service -> Token Store (DB)
7. Token Store (DB) -> Auth Service
8. Auth Service -> Cache (for tokens)
9. Auth Service -> API Gateway
10. API Gateway -> Resource Service
11. Resource Service -> Data Store (DB)
12. Resource Service -> API Gateway
13. API Gateway -> Load Balancer
14. Load Balancer -> User

Failure Scenario

Component Fails: Token Store (DB)
Impact: Auth Service cannot validate tokens or API keys, causing authentication failures and blocking API access.
Mitigation: Use replicated databases for high availability and fallback to cache for recent token validations to allow read-only access temporarily.
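
The following is an added example, not code from the page, showing hops 3 to 12 of the request flow and the Token Store mitigation above as a small Python simulation. It assumes HS256-signed JWTs, an "ApiKey" authorization scheme, a 60-second cache TTL for API key results, and a 300-second grace window during a Token Store outage; the secret, the demo API key and the client names are constructed values.

```python
import base64, hashlib, hmac, json

# Constructed demo values (not from the page); real deployments load these from a secrets manager.
JWT_SECRET = b"demo-signing-key-change-me"
DEMO_API_KEY = "demo-api-key-12345"
READ_ONLY_METHODS = {"GET", "HEAD"}
STALE_GRACE = 300  # seconds a cached validation may still be reused while the Token Store is down


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(sub: str, now: int, ttl: int = 300) -> str:
    """Auth Service side: mint an HS256 JWT carrying sub/iat/exp claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": sub, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


class TokenStoreDown(Exception):
    """Token Store (DB) unreachable: the failure scenario on the page."""


class TokenStore:
    """Token Store (DB): API key metadata (keyed by key hash) plus a JWT revocation list."""
    def __init__(self):
        self.available = True
        self.api_keys = {hashlib.sha256(DEMO_API_KEY.encode()).hexdigest():
                         {"client": "partner-app", "scopes": {"read"}}}
        self.revoked_subjects = set()

    def _check(self):
        if not self.available:
            raise TokenStoreDown()

    def lookup_api_key(self, key):
        self._check()
        return self.api_keys.get(hashlib.sha256(key.encode()).hexdigest())

    def is_revoked(self, sub):
        self._check()
        return sub in self.revoked_subjects


class TokenCache:
    """Cache (for tokens): validation results keyed by a hash of the credential, with expiry."""
    def __init__(self):
        self._entries = {}

    def get(self, credential, now, grace=0):
        entry = self._entries.get(hashlib.sha256(credential.encode()).hexdigest())
        if entry and entry["expires"] + grace > now:
            return entry["principal"]
        return None

    def put(self, credential, principal, expires):
        key = hashlib.sha256(credential.encode()).hexdigest()
        self._entries[key] = {"principal": principal, "expires": expires}


class AuthService:
    """Validates JWTs locally (signature + exp, then revocation) and API keys via the Token Store."""
    def __init__(self, store):
        self.store = store

    def validate(self, credential, now):
        scheme, _, value = credential.partition(" ")
        if scheme == "Bearer":
            return self._validate_jwt(value, now)
        if scheme == "ApiKey":
            return self._validate_api_key(value, now)
        raise ValueError("unsupported credential type")

    def _validate_jwt(self, token, now):
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed JWT")
        h, p, s = parts
        if json.loads(b64url_decode(h)).get("alg") != "HS256":  # reject alg=none / algorithm confusion
            raise ValueError("unexpected alg")
        expected = hmac.new(JWT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(p))
        if claims.get("exp", 0) <= now:
            raise ValueError("expired")
        sub = claims.get("sub")
        if not sub:
            raise ValueError("missing sub")
        if self.store.is_revoked(sub):  # the single Token Store hop for a JWT
            raise ValueError("revoked")
        return {"sub": sub, "scopes": {"read", "write"}}, claims["exp"]

    def _validate_api_key(self, key, now):
        meta = self.store.lookup_api_key(key)
        if meta is None:
            raise ValueError("unknown API key")
        return {"sub": meta["client"], "scopes": meta["scopes"]}, now + 60  # short cache TTL for keys


class ApiGateway:
    """Hops 3-9: cache first, Auth Service on a miss, then scope check before the Resource Service."""
    def __init__(self, auth, cache):
        self.auth, self.cache = auth, cache

    def handle(self, method, credential, now):
        principal = self.cache.get(credential, now)                    # hops 3-4
        if principal is None:
            try:
                principal, exp = self.auth.validate(credential, now)   # hops 5-9
                self.cache.put(credential, principal, exp)
            except TokenStoreDown:
                # Mitigation from the page: a recent cached validation permits read-only access only.
                principal = self.cache.get(credential, now, grace=STALE_GRACE)
                if principal is None or method not in READ_ONLY_METHODS:
                    return 503, "authentication temporarily unavailable"
            except ValueError as err:
                return 401, f"unauthorized: {err}"
        needed = "read" if method in READ_ONLY_METHODS else "write"
        if needed not in principal["scopes"]:
            return 403, f"forbidden: missing scope {needed}"
        return 200, f"resource served to {principal['sub']}"           # hops 10-12
```

Two design points are visible in the code: the cache is keyed by a hash of the credential rather than the credential itself, so a cache dump does not leak bearer tokens; and a cache hit skips the revocation lookup, so the cache TTL is the upper bound on how long a revoked token keeps working, which is the trade-off behind hops 3 and 4.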

Architecture Quiz - 3 Questions

Test your understanding

Which component first checks if a token validation result is already available to speed up authentication?
A. Auth Service
B. API Gateway
C. Cache (for tokens)
D. Token Store (DB)

Design Principle
This architecture uses a layered approach to authentication, combining caching for speed, a dedicated Auth Service for security logic, and a central API Gateway for request control. It balances performance and security by validating tokens efficiently and isolating responsibilities.