Building production-ready services

  • Security
  • Configurability
  • Observability


  • Authentication: Verify the identity of human or application
  • Authorization: Verify if the user/app is allowed to perform the requested operation. Implemented via Role-based security or ACLs.
  • Auditing: Track the operation performed by the user/app (principal).
  • Secure IPC: Services communicate over TLS
  • In individual services
  • In API gateway
  • Unauthenticated service will enter the internal system
  • Each service has to manage the security component


  • Role-based
  • ACLs
  • JWT is a standard way of representing the claims, such as identity and roles.
  • It is signed with a secret that’s only known to the creator of the JWT, such as API gateway and the token receiver services.
  • JWT token is self-contained. Hence, no way to revoke an individual token in case it falls into the hands of a malicious third party.
  • Keep short-lived JWT token
  • The application keeps on generating the JWT token after a short time, increasing the load on the auth server.
  • Authorization server: Provides API for authentication user, obtaining access token, refreshing access token.
  • Access token: Token to grant access to a resource server.
  • Refresh token: Long-lived yet revocable token that clients use to obtain the access token.
  • Resource server: A service that uses the access token to authorize access. In microservice, architecture services are resource servers.
  • Client: That wants to access the resource server.


  • Push model: Deployment infra passes configuration to the service using env variables or configuration files.
  • Pull model: Service instance reads the configuration file from the configuration server


  • Requests per second
  • Resource utilization
  • Errors
  • Health Check APIs: Expose endpoint to check the health of the service
  • Log aggregation: Log service activity and write the log to a centralized place.
  • Distributed tracing: Add a request Id to each external request and trace requests as they flow in the system.
  • Exception tracking: Send exceptions to the exception tracing service, which deduplicate the exception, alert the developers and track the resolution of each exception
  • Application metrics: The service maintains the metrics and exposes them to the metrics server.
  • Audit logging: Log user actions.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store