Stories by Kavisha Mathur on Medium

The Backend Concepts Every Engineer Revisits (And Should Actually Understand)

Kavisha Mathur — Fri, 19 Jun 2026 15:48:14 GMT

There’s a specific kind of embarrassment that hits mid-interview or mid-PR review when someone asks “why did you pick JWT here?” and you go blank for half a second. You’ve used JWT in five projects. You know it works. But explaining why the actual tradeoffs is harder than it should be.

This is that refresher. Not a beginner tutorial. More like: you’ve built things, you’ve copy-pasted some boilerplate, and now you want the mental model to actually stick.

While going through these:
1. https://www.youtube.com/watch?v=SubuU1iOC2s&list=PLCuXwbTYPNWf8_a0YjVQ6xTjhhmAMe2-h&index=6
2. https://www.youtube.com/watch?v=vzg90tY3uM0&list=PLCuXwbTYPNWf8_a0YjVQ6xTjhhmAMe2-h&index=7 3. https://www.youtube.com/watch?v=A95rliroC8Q&list=PPSV
4. https://www.youtube.com/watch?v=qedj_JjjL-U&list=PPSV
5. https://www.youtube.com/watch?v=hyc-7w3pee8&list=PPSV

The playlist for “Backend Engineering from First Principles” I made a list of notes on Obsidian. These notes have been converted to a structured format for this article :)

Routes First -> Static, Dynamic, and Query Params

Before auth even enters the picture, let’s talk about how APIs express intent through their URLs.

Static routes return the same structure every time. /api/status, /api/config — nothing dynamic, nothing context-dependent. Easy.

Dynamic routes are where it gets semantic. /api/users/123 — that 123 isn't just a number, it's the identifier that scopes the entire request. The route means something: "give me the resource for this specific entity." REST treats this as a resource representation, not a function call.

Query params sit outside the resource path and carry filters, sorts, or search intent. /search?q=some+value&page=2 — notice the ? separating the resource from the parameters. Query params don't define the resource; they refine how you access it.

A common pattern that trips people up: one endpoint returns a collection (/api/books) and the individual items have IDs that need to be threaded into subsequent calls (/api/books/42/chapters). The resource hierarchy in the URL is doing real design work -it's telling the consumer how the data is structured.

REST Isn’t Just “use HTTP correctly”

Roy Fielding designed the constraints for REST because the early web couldn’t handle scale. He wasn’t building an API spec — he was describing an architectural style. The constraints:

Client-server — separation of concerns between UI and data
Uniform interface — consistent, predictable URL and method conventions
Layered system — clients don’t know if they’re talking to the origin server or a CDN
Cache — responses declare their cacheability
Stateless — every request carries all the context needed; the server holds nothing between calls
Code on demand (optional) — servers can send executable code to clients

The acronym REST itself tells you:

Representational — resources exist in a format. JSON for server-to-server, HTML for server-to-client, XML when it’s 2009.
State — you’re transferring the state of a resource. On Amazon, the cart object has a state: items, quantities, prices. That’s what gets transferred.
Transfer — you’re moving that state over the wire.

One thing worth locking in: POST is the only non-idempotent HTTP method. Every other method — GET, PUT, PATCH, DELETE — can be called multiple times with the same result. POST creates something new each time. This is why custom actions (anything that doesn't fit neatly into CRUD) default to POST.

Authentication: The Four Models We Actually Encounter

Authentication isn’t one thing. There are four patterns, and which one you reach for depends entirely on what’s talking to what.

1. Stateful Authentication (Sessions)

This is the classic web pattern. User submits credentials → server verifies → server generates a session ID → that session ID lives in the server’s persistent storage → gets sent back to the client inside a cookie.

Every subsequent request, the browser sends that cookie automatically. The server looks up the session ID in storage, finds the associated user data, and continues.

The session ID itself can be any cryptographically random string — doesn’t need to be JWT, can be completely opaque. Its only job is to be a key that maps to server-side state.

Why this works for browsers: Browsers handle cookies natively. It’s stateful on the server, which means you have complete control — revoke a session ID and the user is immediately logged out. No questions.

The downside: You need that persistent storage. Every server in your cluster needs access to the same session store, or sticky sessions, or some other headache.

2. Stateless Authentication (JWT)

This is where it gets interesting. Instead of the server storing state, the state travels with the request.

After verifying credentials, the server creates a JWT — a token with three parts:

Header — algorithm and token type
Payload — claims: who the user is, what their role is, when it expires
Signature — created with a secret key; verifies the token hasn’t been tampered with

The server sends this token to the client. For subsequent API calls, the client sends it in the Authorization header. The server verifies the signature, reads the payload, and trusts what's in it — no database lookup needed.

This is what “stateless” means in practice: the server doesn’t remember you between requests. The token is self-contained proof of identity.

Why this scales: Horizontal scaling becomes trivial. Ten servers, a hundred — none of them need shared session storage. Each one can independently verify any JWT with the same secret key. That’s a genuine architectural advantage when you’re dealing with distributed systems.

The real disadvantage (don’t skim this part): You cannot invalidate a JWT before it expires. None. If a token is stolen, it’s valid until expiry — and the server has no mechanism to say “ignore this specific token.” To invalidate one token, you’d have to rotate the secret key, which invalidates every token for every user on every machine simultaneously.

This is not a hypothetical concern. It’s a real operational tradeoff.

The Hybrid Approach

Here’s how teams actually solve the revocation problem: they combine stateless tokens with a server-side blacklist.

The JWT still carries the user identity. But the server also does a quick lookup against a blacklist stored somewhere (Redis, usually). If the token’s ID appears on that list, deny access — regardless of what the signature says.

You get most of the scalability benefits of JWT while keeping the ability to revoke specific tokens. The payload still offloads most of the state. The blacklist is small and fast to query.

The natural follow-up question: if we’re doing a server-side lookup anyway, why not just use sessions? Fair question. The answer usually comes down to what the token carries — with JWT, you’re avoiding a full user record lookup for every request. You’re only doing the blacklist check, which is lighter.

3. API Keys

API keys are for machine-to-machine communication. When you use the OpenAI API, you’re not “logging in” — you’re presenting a key that identifies your application and gates access based on permissions.

Keys are long-lived (compared to session tokens), permission-scoped, and designed for automated systems rather than human users. The server generates them, associates them with an account, and checks them on every request.

Simple. Effective. Not ideal for user-facing auth where you’d want finer control over sessions.

4. OAuth 2.0 (and OIDC)

OAuth 2.0 is the industry-standard authorization protocol that solves a specific problem: how does App A access your data on Service B, without you giving App A your Service B password?

The answer: time-limited access tokens, issued by Service B, that grant App A scoped access. Your credentials never touch App A.

OAuth 2.0 handles authorization (what can this app do). It does not handle authentication (who is this user). That’s what OpenID Connect (OIDC) adds — an identity layer on top of OAuth 2.0 that issues an ID token (a JWT, specifically) containing user identity claims like user ID and when the token was issued.

OAuth 2.0 also has the concept of flows — different grant types for different contexts. A web app uses the Authorization Code flow. A CLI tool or device with no browser might use the Device Authorization flow. A server-to-server integration uses Client Credentials. Picking the wrong flow for your context is a real security issue, not just a code smell.

Cookies vs. Tokens: A Quick Clarification

These get conflated constantly. A cookie is a storage mechanism — a way of persisting something on the client side. A token is a credential format. A JWT can live in a cookie. A session ID can live in a cookie. These are orthogonal concepts.

What matters is what’s stored and how it’s protected (HttpOnly, Secure, SameSite flags if you’re using cookies), not which container it travels in.

Middleware-

Middleware sits between the routing layer and your controllers. It receives the same req and res objects as a route handler, plus one additional argument: next.

Calling next() hands control to the next middleware in the chain (or the final route handler). Not calling it — or calling res.send() instead — short-circuits the chain. That short-circuit behavior is exactly what makes middleware useful for auth: if the token is invalid, return a 401 right there. Never reach the controller.

Request → [Middleware 1] → [Middleware 2] → [Controller] → Response
               ↓ (can return early)

The order matters. A lot. If your auth middleware runs after your logging middleware, the logger has already captured a request that might not be authorized. Think through the sequence deliberately.

Common middleware responsibilities:

CORS — the server checks the request origin, decides whether it’s in the allowed list, and sets the appropriate headers. v1/v2 versioning affects which origins and paths are allowed.
Rate limiting — prevents abuse by capping requests per IP or per token over a time window
Authentication — validates tokens, sessions, or API keys before the request proceeds
Compression — gzip/brotli before sending responses
Data parsing — turning raw request bodies into usable objects (JSON, form data, etc.)
Logging and monitoring — capture timing, status codes, errors
Global error handling — catch uncaught exceptions in a single place rather than every controller

Request context is the underrated concept here. Once your auth middleware extracts the user ID from a token, how does the controller downstream know who the user is? Not by re-reading the token — by reading from a shared request context. It’s a key-value store scoped to the lifetime of one request, modifiable by all layers. Each middleware can write to it; each subsequent handler can read from it. It’s loosely coupled — the controller doesn’t know or care how the user ID got there, just that it’s available.

Putting It Together: What This Looks Like in a Real Architecture

A production request lifecycle looks roughly like this:

Request hits your load balancer
Goes through a CDN layer (caching, DDoS protection)
Reaches your API server
Logging middleware captures the incoming request
CORS middleware validates the origin
Rate limiting middleware checks the quota
Auth middleware validates the JWT (and maybe checks a blacklist)
Auth middleware writes userId to request context
Request context flows through to the service layer
Controller calls service, service calls repository, data comes back
Response goes out, logging middleware captures status and timing

Each layer has a single job. None of them need to know what the others are doing internally.

The Mental Model Worth Keeping

Auth is fundamentally a spectrum between convenience and control:

Sessions give you maximum control (instant revocation) at the cost of state management overhead
JWT gives you maximum scalability at the cost of revocation ability
Hybrid gives you a workable middle ground at the cost of some complexity
OAuth delegates the problem to someone better equipped to handle it

There’s no universally correct answer. The right one depends on what you’re building, who’s using it, and what your threat model looks like.

Middleware is just functions in a pipeline — but the order you put them in, and what you let them share via request context, determines how decoupled and maintainable your codebase stays.

REST isn’t a set of rules. It’s a set of constraints that push your API design toward something predictable and scalable. Violating them isn’t always wrong — but you should know you’re doing it and why.

If any of this clicked differently than it did the first time you learned it — that’s the point. The concepts don’t change, but understanding them deeply enough to explain the tradeoffs is a different skill than knowing which library to import.

LinkedIn Profile: https://www.linkedin.com/in/kavisha-mathur/
Github: https://github.com/Kavisha4
Portfolio: https://animated-gumption-c26500.netlify.app/
Medium: https://medium.com/@KavishaMathur
Instagram: https://www.instagram.com/chao.tech_/

The Backend Concepts Every Engineer Revisits (And Should Actually Understand) was originally published in Javarevisited on Medium, where people are continuing the conversation by highlighting and responding to this story.

Inside Claude Architect Certification: A Practical Guide to Claude Projects, Skills, and AI…

Kavisha Mathur — Sun, 17 May 2026 08:07:35 GMT

Inside Claude Architect Certification: A Practical Guide to Claude Projects, Skills, and AI Workflows

Introduction

Artificial Intelligence is rapidly transforming the way we work, build, and collaborate. Among the most powerful AI systems available today, Anthropic’s Claude ecosystem introduces a new approach to productivity through intelligent collaboration, automation, coding assistance, and context-aware workflows.

The Claude Architect Certification explores how humans and AI can work together effectively through concepts such as delegation, prompt design, discernment, and responsible AI usage. It also introduces the broader Claude ecosystem — including Chat, CoWork, Claude Code, Projects, Skills, Subagents, Hooks, MCP servers, and Retrieval Augmented Generation (RAG).

In this article, we’ll break down the core concepts covered in the certification, understand when to use different Claude environments, explore how Projects and Skills improve workflows, and learn how developers can build scalable AI-assisted systems using Claude APIs and integrations.

Whether you’re a developer, AI enthusiast, technical writer, product manager, or someone exploring AI-powered productivity, this guide will help you understand how to work smarter with Claude and build more efficient human-AI collaboration systems.

What Claude helps in and how you can refine your prompt?

Delegation: Deciding on what work should be done by humans, what work should be done by AI, and how to distribute tasks between them. Includes understanding your goals, AI capabilities, and making strategic choices about collaboration.
Description: Effectively communicating with AI systems. Includes clearly defining outputs, guiding AI processes, and specifying desired AI behaviors and interactions.
Discernment: Thoughtfully and critically evaluating AI outputs, processes, behaviors and interactions. Includes assessing quality, accuracy, appropriateness, and determining areas for improvement.
Diligence: Using AI responsibly and ethically. Includes making thoughtful choices about AI systems and interactions, maintaining transparency, and taking accountability for AI-assisted work.

Chat vs CoWork vs Code

Chat excels when you need to ask questions, brainstorm, draft, or work through problems back and forth.

Its for quick entry, screenshots, window sharing, desktop connectors.

Claude Cowork is built for work that takes real effort: pulling information from many sources, making sense of it, and producing something finished.
Its used with folder access, subagents, scheduled tasks, plugins

The Code tab gives you access to the power of Claude Code, running directly inside the desktop app. This gives you a full development environment for building software.

Projects

Projects are ideal for storing knowledge Claude should reference, organizing related chats around a specific topic or work area, and collaborating with team members who need access to the same shared context.
Reference materials are needed continuously, within teams, consistent requirements.

Projects automatically scale to handle large amounts through a process called Retrieval Augmented Generation (RAG). At a high level, this means that Claude can automatically find and use the most relevant parts of your uploaded documents when answering, without you needing to tell it which file to look at.

When your project knowledge approaches the context window limit, Claude seamlessly enables RAG mode. Instead of loading all project content into memory at once, Claude intelligently searches and retrieves only the most relevant information needed to answer your questions. This expands your project’s capacity by up to 10x while maintaining response quality.

Q4 product launch
Research support
Client account hub
Event planning workspace
Job description generator

Claude also has

Connectors
Enterprise Search
Research Mode

Claude Partner Network Learning Path

We will be covering the below topics further as part of this article

Introduction to Agent Skills
Building with Claude API
Introduction to MCP
Claude Code in Action

Introduction to Agent Skills

Skills are folders of instructions that Claude Code can discover and use to handle tasks more accurately. Each skill lives in a SKILL.md file with a name and description in its frontmatter
Claude uses the description to match skills to requests. When you ask Claude to do something, it compares your request against available skill descriptions and activates the ones that match
Personal skills go in ~/.claude/skills and follow you across all projects. Project skills go in .claude/skills inside a repository and are shared with anyone who clones it
Skills load on demand — unlike CLAUDE.md (which loads into every conversation) or slash commands (which require explicit invocation), skills activate automatically when Claude recognizes the situation
If you find yourself explaining the same thing to Claude repeatedly, that’s a skill waiting to be written

Personal vs Project skills

Personal skills go in ~/.claude/skills (your home directory). These follow you across all your projects — your commit message style, your documentation format, how you like code explained.
Project skills go in .claude/skills inside the root directory of your repository. Anyone who clones the repo gets these skills automatically. This is where team standards live, like your company's brand guidelines, preferred fonts, and colors for web design.

First, create a directory for your skill inside the skills folder. The directory name should match your skill name:

mkdir -p ~/.claude/skills/pr-description

Then create a SKILL.md file inside that directory. The file has two parts separated by frontmatter dashes:

---
name: pr-description
description: Writes pull request descriptions. Use when creating a PR, writing a PR, or when the user asks to summarize changes for a pull request.
---

When writing a PR description:

1. Run `git diff main...HEAD` to see all changes on this branch
2. Write a description following this format:

## What
One sentence explaining what this PR does.

## Why
Brief context on why this change is needed

## Changes
- Bullet points of specific changes made
- Group related changes together
- Mention any files deleted or renamed

The name identifies your skill. The description tells Claude when to use it — this is the matching criteria. Everything after the second set of dashes is the instructions Claude follows when the skill is activated.

CLAUDE.md vs Skills

CLAUDE.md loads into every conversation, always. If you want Claude to use TypeScript strict mode in your project, put it in your CLAUDE.md file.

Skills load on demand.

Use CLAUDE.md for:

Project-wide standards that always apply
Constraints like “never modify the database schema”
Framework preferences and coding style

Use Skills for:

Task-specific expertise
Knowledge that’s only relevant sometimes
Detailed procedures that would clutter every conversation

Subagents vs Skills

Use Subagents when:

You want to delegate a task to a separate execution context
You need different tool access than the main conversation
You want isolation between delegated work and your main context

Use Skills when:

You want to enhance Claude’s knowledge for the current task
The expertise applies throughout a conversation

Hooks vs Skills

Use Hooks for:

Operations that should run on every file save
Validation before specific tool calls
Automated side effects of Claude’s actions

Use Skills for:

Knowledge that informs how Claude handles requests
Guidelines that affect Claude’s reasoning

Summary

A typical setup might include:

CLAUDE.md — always-on project standards
Skills — task-specific expertise that loads on demand
Hooks — automated operations triggered by events
Subagents — isolated execution contexts for delegated work
MCP servers — external tools and integrations

Troubleshooting skills

Use the skills validator to catch structural issues before debugging
Diagnose and fix common skill triggering and loading problems

Quick Troubleshooting Checklist

Not triggering? Improve your description and add trigger phrases.
Not loading? Check your path, file name, and YAML syntax.
Wrong skill used? Make descriptions more distinct from each other.
Being shadowed? Check the priority hierarchy and rename if needed.
Plugin skills missing? Clear cache and reinstall.
Runtime failure? Check dependencies, permissions, and paths.

In the next article we will be

Building with Claude API
Introduction to MCP
Claude Code in Action

As AI tools continue to evolve, the ability to effectively collaborate with systems like Claude will become an increasingly valuable skill across industries. Learning how to organize context, automate expertise, and guide AI behavior thoughtfully is no longer optional — it’s becoming a core part of modern digital work.

In the upcoming sections and future articles, we’ll continue exploring advanced topics such as building with the Claude API, understanding MCP architecture, and using Claude Code in real-world development environments.

I Hit 150,000 Impressions on One More LinkedIn Post. Here’s the Exact System I Used!

Kavisha Mathur — Sat, 25 Apr 2026 16:17:22 GMT

I Hit 150,000 Impressions on One More LinkedIn Post. Here’s the Exact System I Used — and How You Can Replicate It.

No hacks. No paid promotions. Just a repeatable framework that actually works.

Here is my LinkedIn as your POC to better understand this breakdown: https://www.linkedin.com/in/kavisha-mathur/

Its important we get the right inbounds, one of the most lucrative inbounds I have gotten were recruiters from Google, which resulted in me giving all the rounds (more on that later). But I want YOU to be BOMBARDED with recruiters, the right people and opportunities on your LINKEDIN!

LinkedIn is no longer a digital resume. It’s a publishing platform, a personal brand engine, and the most underrated place on the internet to attract career-defining opportunities — if you know how to use it.

I recently had a post cross 150,000 impressions. Not from a massive following. Not from going viral by accident. From a system — one I’ve refined over months of testing, failing, and doubling down on what works.

This article breaks down everything: the psychology behind what makes a LinkedIn post explode, how to stay consistent without burning out, and the full funnel that turns impressions into inbound opportunities from recruiters, collaborators, and people inside your niche.

Part 1: Why Most LinkedIn Posts Die in the First Hour

Before we talk about going viral, you need to understand how LinkedIn’s algorithm actually decides what to amplify.

LinkedIn doesn’t show your post to all your followers at once. It starts small — showing your content to a seed audience of roughly 10–15% of your network. It then watches for one thing above everything else:

Dwell time + early engagement.

If people stop scrolling to read your post, and then comment within the first 30–60 minutes, LinkedIn interprets that as a signal of quality and pushes the post further. If people scroll past it, the post dies. It’s that ruthless.

This means every decision — your opening line, your format, your posting time — is in service of earning those first few engagements fast.

Part 2: The Anatomy of a Viral LinkedIn Post

Every post that breaks through shares the same structural DNA. Here it is, dissected.

The Hook (Lines 1–2): Your Entire Job Is to Stop the Scroll

LinkedIn shows only the first two lines of your post before the “see more” button. Those two lines are the only thing standing between you and irrelevance.

Great hooks do one of three things:

1. Make a bold, counterintuitive claim

“Most people optimize for getting hired. The smartest people I know optimize for being found.”

2. Open with a number and a specific result

“I sent 0 cold applications this year. Here’s how 3 inbound offers came to me instead.”

3. Start mid-story, in the tension

“My manager told me I wasn’t ready for a promotion. Six months later, I was leading his team.”

The worst hooks start with “I’m excited to share…” or “Thrilled to announce…” — these are signals to the reader that what follows is self-promotional content and they should move on. Avoid them entirely.

The Body: Format for F-Pattern Readers

People on LinkedIn do not read. They scan. Write accordingly.

One idea per line. White space is your friend.
Short sentences. Under 15 words where possible.
No walls of text. Break every 3–4 lines with a gap.
Use tension and release. Build toward a payoff the reader wants.

The best-performing post formats on LinkedIn right now are:

The Story Arc — Personal experience → the lesson → the broader truth. This is the format most likely to generate emotional resonance and shares.

The Listicle with a Twist — “5 things I wish I knew before joining a startup” works not because of the format, but because of the specificity and the implied promise of insider knowledge.

The Counterintuitive Take — Challenging a commonly held belief in your niche positions you as a thinker, not just a professional. It generates debate, which generates comments, which feeds the algorithm.

The Vulnerable Confession — Posts that share failure, rejection, or self-doubt consistently outperform polish. LinkedIn users are exhausted by performative success. Authenticity cuts through.

The Ending: Always Plant a Seed for Comments

The algorithm rewards comments above almost everything else. Engineer for them.

End your post with one of these:

A direct question: “Have you ever had a manager who changed how you think? Drop their name below.”
A challenge to disagree: “Controversial opinion — tell me why I’m wrong.”
A call to relate: “If this resonates, I’d love to know what your experience has been.”

Never end on a passive full stop. End with an open door.

Part 3: The Consistency System That Doesn’t Burn You Out

Going viral once is luck. Going viral repeatedly is a system.

Most people fail at LinkedIn consistency for one reason: they treat content creation as a creative act that requires inspiration. The fix is to treat it like a production pipeline.

Step 1: Build Your Content Bank

Every week, set a 20-minute timer and do a brain dump into a running doc. Pull from:

Things that frustrated you this week at work
Advice you gave someone in a DM or meeting
Something you read that you agreed or disagreed with strongly
A milestone — even a small one — you hit or missed
An observation about your industry that others might not have noticed

You’re not writing posts. You’re collecting raw material. You should have 15–20 entries per month. That’s your content bank.

Step 2: The 3-Post-a-Week Rule

Consistency on LinkedIn doesn’t mean daily posting. The research consistently shows that 3–4 posts per week is the sweet spot for audience growth without algorithmic penalty for low-quality output.

Here’s a simple weekly cadence that works:

Day Post Type Purpose Monday Personal story or lesson Emotional connection, shares Wednesday Niche insight or take Authority building, niche reach Friday Engagement bait (question, list, poll) Comment volume, algorithmic boost

This gives you reach, depth, and engagement — all three things the algorithm rewards.

Step 3: Batch Write, Schedule, and Forget

Set aside 90 minutes on Sunday. Write all three posts for the week. Schedule them using LinkedIn’s native scheduler (or a tool like Buffer). Then don’t think about LinkedIn content again until the following Sunday.

This is how you post consistently for months without it feeling like a second job.

Part 4: The Niche Positioning Framework

Here’s what separates people with 500 followers who get 0 opportunities from people with 5,000 followers who get interviewed by top companies every quarter:

Positioning.

LinkedIn is not the place to be a generalist. It rewards people who are known for one specific thing in one specific context.

Complete these sentences to find your niche position:

“I help [specific type of person] achieve [specific outcome] through [specific method or lens].”

Examples:

“I help early-career engineers navigate their first promotion using systems thinking.”
“I write about the intersection of product design and behavioral psychology.”
“I document what it’s actually like to build a startup in Southeast Asia.”

Every post you write should connect back to this positioning. If a post has nothing to do with what you’re known for, don’t post it — or reframe it until it does.

This is how you build a content moat: over time, LinkedIn and its search algorithm associate your name with specific keywords, and people inside your niche start finding you organically.

Part 5: The Full Funnel — From Impressions to Opportunities

Going viral is the top of the funnel. Here’s the complete system for converting attention into career momentum.

IMPRESSIONS (Reach)
       ↓
PROFILE VISITS (Interest)
       ↓
FOLLOWERS / CONNECTION REQUESTS (Trust)
       ↓
DMs / COMMENTS (Engagement)
       ↓
OPPORTUNITIES (Conversion)

Layer 1: Impressions → Profile Visits

When your post performs, people will click on your name. Your profile needs to do three things in 5 seconds:

Your headline should say what you do and for whom — not just your job title. “Product Manager @ XYZ” is invisible. “Product Manager | Building AI tools for healthcare | Writing about PM craft for 40K readers” is magnetic.
Your banner image should reinforce your niche with a visual or a tagline.
Your featured section should show your best post, a newsletter, or a portfolio piece — not a job announcement from 3 years ago.

Layer 2: Profile Visits → Followers

If your profile passes the 5-second test, people follow you. This is where a pinned post becomes crucial. Your pinned post should:

Introduce who you are
State clearly what you write about
Tell people exactly what they’ll get from following you
Have a call to action (follow, connect, or subscribe)

Think of it as your LinkedIn landing page.

Layer 3: Followers → DMs

This is where most people stall. They get followers but never convert them into real conversations.

The fix: reply to every comment on every post, especially in the first hour. Not with a thumbs up. With a genuine response that extends the conversation. This does two things — it feeds the algorithm more comment signals, and it builds micro-relationships with the people who will eventually DM you.

Additionally, send a welcome message to every new connection that mentions a specific post or topic. Not a sales pitch. Just a human acknowledgment.

Layer 4: DMs → Opportunities

When recruiters, founders, or collaborators reach out, they’re already warm. They’ve seen your content, they know your perspective, they have a reason to trust you.

To accelerate this layer:

Make your email or booking link visible on your profile.
Post explicitly about what you’re open to — whether that’s consulting, speaking, collaborating, or a new role. LinkedIn allows this. Most people are too shy to do it.
When you hit a content milestone (like 150K impressions on a post), post about it — it signals social proof and invites curiosity from people who want to understand how you did it.

Part 6: What Makes Recruiters Notice You Specifically

Recruiters on LinkedIn are not passively scrolling. They are actively searching for keywords. Here’s how to show up in those searches:

1. Keyword-load your headline and About section — Use the exact titles and skills that job descriptions in your target role use. If you want to be found for “machine learning engineer” roles, that phrase needs to appear in your headline, About section, and experience descriptions.

2. Post content that demonstrates skills, not just opinions — A post that walks through how you solved a technical problem or led a project is worth ten times more to a recruiter than a motivational quote. Show don’t tell.

3. Engage in niche communities before you need them — Comment thoughtfully on posts from leaders in your target industry for 30 days. When you eventually put out a post about your job search or expertise, you’ll have built up enough ambient recognition that it lands differently.

4. Use the “Open to Work” feature strategically — The green banner is visible but often stigmatized. Instead, use the private “Open to Work” signal that only recruiters can see, while publicly posting content that positions you as someone worth recruiting regardless.

The 30-Day LinkedIn Sprint

If you’re starting from zero or want to reset your presence, here’s a 30-day sprint:

Week 1 — Foundation

Rewrite your headline, About section, and banner
Set your pinned post
Write your first 3 posts from your content bank
Comment 10× per day on posts in your niche

Week 2 — Volume

Post 3× this week. Experiment with a story, a list, and a question
Track which format gets the most comments
Identify 5–10 accounts in your niche to engage with consistently

Week 3 — Double Down

Repost your best-performing post from Week 2 with a new hook
Write one long-form newsletter article or document post
Reach out to 3 people who engaged with your content and start a real conversation

Week 4 — Amplify

Write a post about what you learned in 30 days
Ask your most engaged follower or connection to collaborate on a post or share something
Review your analytics: what format, topic, and posting time drove the most reach?

By Day 30, you’ll have a content rhythm, a clearer niche, and a profile that converts visitors into followers and followers into opportunities.

Final Thought

The biggest misconception about LinkedIn is that it’s about followers. It’s not. It’s about positioning — making sure that the right 500 people know exactly who you are and what you stand for.

My 150K impression post didn’t happen because I got lucky. It happened because I posted consistently for long enough that my audience knew what to expect from me, trusted my perspective, and hit share when something resonated.

The algorithm is just math. Build the habits, and the math starts working for you.

Connect with me on:

Backend from First End Principles: Deepdive into HTTP

Kavisha Mathur — Tue, 14 Apr 2026 18:51:38 GMT

backend

Backend engineering is deceptively broad. Ask ten developers what it means and you’ll get ten different answers — usually shaped by whichever framework they learned first. Express, Spring Boot, Ruby on Rails. The lens changes, but the underlying system stays the same.

That’s the problem this guide is trying to solve.

Most developers start with a limited scope — a bootcamp, a university course, a single language — and then spend years filling in the gaps through trial and error, reading other people’s code, and asking seniors questions they probably should have been taught upfront. The goal here is to compress that journey. Not to replace the years of practice, but to give you the map before you start walking.

This is a first-principles walkthrough of backend engineering — the concepts that matter in 90% of codebases, regardless of the stack.

1. How a Request Actually Works

Before writing a single line of backend code, you should be able to close your eyes and visualise what happens when a user types a URL and hits Enter.

The request leaves the browser, travels through the user’s local network, crosses the internet via routers and DNS, passes through firewalls and load balancers, and eventually lands on a server sitting in an AWS data centre somewhere. That server processes it and sends a response back through the same chain. The round trip often takes under 100 milliseconds.

Understanding this flow — at least at a conceptual level — anchors everything else. It tells you where your code lives in the broader system, and why decisions like connection pooling, caching, or graceful shutdown actually matter.

2. HTTP: The Language of the Web

HTTP is the protocol through which browsers talk to servers. Two ideas sit at its core.

The first is statelessness. Each HTTP request carries all the information the server needs to process it — headers, URL, method, body. After responding, the server forgets. There’s no memory of the previous request. This simplifies server architecture dramatically and makes it easy to scale horizontally: any server can handle any request because no single server needs to track session state. When you need continuity — for logins, shopping carts — developers layer state management on top using cookies, sessions, or tokens.

The second is the client-server model. Communication is always initiated by the client. The server waits, receives, processes, responds. That’s the fundamental contract.

HTTP Messages

A raw HTTP request looks something like this:

GET /users/123 HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJhbGci...
Accept: application/json

And a response:

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: max-age=10

{ "id": 123, "name": "Priya" }

Every part of this — method, URL, version, headers, status code, body — is intentional. Understanding why each piece exists is more valuable than memorising the syntax.

HTTP Headers

Think of headers like the label on a parcel. The courier doesn’t need to open the box to know where it’s going, who sent it, or how fragile it is. That metadata lives on the outside. HTTP headers serve the same purpose — they carry metadata about the request or response so that servers, proxies, and browsers can make decisions without reading the full body.

Headers fall into a few categories:

Request headers tell the server about the client — the user agent, what content formats it accepts, and authentication credentials.

General headers apply to both requests and responses — cache control directives, connection settings, the date of the message.

Representation headers describe the body — content type (JSON, HTML, XML), content length, content encoding.

Security headers instruct the browser on how to behave — Content-Security-Policy prevents XSS by restricting which scripts can run, HSTS forces HTTPS connections, X-Frame-Options prevents clickjacking.

Headers also make HTTP extensible. Adding a new header changes behaviour without touching the underlying protocol. This is why HTTP has survived for decades and adapted to new use cases.

HTTP Methods and Idempotency

Methods define the intent of a request:

GET — retrieve data, never modify it
POST — create a new resource
PUT — completely replace a resource
PATCH — partially update a resource
DELETE — remove a resource

A concept that trips many developers up is idempotency. An idempotent operation produces the same result no matter how many times you repeat it. GET, PUT, and DELETE are idempotent — fetching the same resource twice gives you the same result, deleting something twice still leaves it deleted. POST is not — submitting a form twice creates two records.

This matters in practice when handling network failures and retries.

CORS: Why Your Browser Blocks Cross-Origin Requests

Browsers enforce the Same-Origin Policy: a page on example.com cannot by default make requests to api.another.com. CORS (Cross-Origin Resource Sharing) is the mechanism that allows servers to explicitly permit cross-origin requests.

When a browser detects a cross-origin request, it behaves differently depending on complexity. For simple requests (GET/POST with basic content types), the browser sends the request and checks the response for an Access-Control-Allow-Origin header. If the header is absent or doesn't match the origin, the browser blocks the response.

For more complex requests — anything with PUT, DELETE, a JSON body, or an Authorization header — the browser first sends a preflight request using the OPTIONS method. This is the browser asking: "Hey server, do you support this method, these headers, from this origin?" Only if the server responds affirmatively does the browser send the actual request.

Understanding preflight requests saves hours of debugging network tabs.

HTTP Status Codes

Status codes are the server’s standardised way of communicating outcome. They fall into five families:

2xx — Success: 200 OK, 201 Created, 204 No Content

3xx — Redirection: 301 Moved Permanently, 302 Temporary Redirect, 304 Not Modified (the resource hasn't changed, use your cached version)

4xx — Client errors: 400 Bad Request, 401 Unauthorized (not authenticated), 403 Forbidden (authenticated but not permitted), 404 Not Found, 409 Conflict, 429 Too Many Requests

5xx — Server errors: 500 Internal Server Error, 503 Service Unavailable, 504 Gateway Timeout

The distinction between 401 and 403 trips up many developers. 401 means the server doesn’t know who you are. 403 means it knows exactly who you are — you just don’t have permission.

HTTP Caching

Caching reduces server load and improves response times by reusing previously fetched resources. The key headers are:

Cache-Control: max-age=10 — cache this resource for 10 seconds
ETag — a hash of the resource (often a short string like "abc123")
Last-Modified — the timestamp of the last change

On subsequent requests, the client sends If-None-Match with the ETag it has cached. If the resource hasn't changed, the server responds with 304 Not Modified and no body — saving bandwidth. If the resource has changed, it sends a fresh 200 with the new content and a new ETag.

3. Routing

Routing maps incoming URLs to the code that handles them. It sounds simple but involves more design decisions than most developers realise:

Path parameters (/users/:id) vs query parameters (/users?role=admin)
Static routes vs dynamic routes vs wildcard routes
Route grouping for shared middleware (all /admin/* routes require admin auth)
API versioning — URI-based (/v1/users), header-based, or query-string-based
Deprecation strategy — you need a plan for retiring old versions without breaking existing clients

Route ordering matters. More specific routes should be matched before wildcards. Getting this wrong produces silent bugs that only surface in edge cases.

4. Serialisation and Deserialisation

Before data travels over the network, it needs to be encoded into a transmittable format. That’s serialisation. Decoding it on the other end is deserialisation.

The two dominant formats are:

Text-based (JSON, XML) — human-readable, easy to inspect in a network tab, universally supported. The trade-off is size and parsing speed.

Binary (Protocol Buffers) — compact, fast, typed. The trade-off is that you can’t read the payload without a schema definition. Used heavily in internal microservices where performance matters more than debuggability.

JSON is the lingua franca of web APIs. Key things to handle carefully: null values, date serialisation (timezones are a common source of bugs), missing vs extra fields, and nested objects. Always validate JSON schemas before processing — never trust the client.

5. Authentication and Authorisation

Authentication answers: who are you? Authorisation answers: what are you allowed to do?

They’re distinct problems that get conflated constantly.

Authentication approaches

Session-based (stateful): The server stores session data. The client carries a session ID in a cookie. Easy to implement, but doesn’t scale well horizontally without a shared session store.

Token-based (stateless): The server issues a JWT (JSON Web Token) signed with a secret. The client sends it with every request. The server verifies the signature — no lookup required. Scales cleanly across multiple servers.

API keys: Long-lived credentials for server-to-server communication.

OAuth 2.0 / OpenID Connect: Delegated authorisation — allowing a third party to act on a user’s behalf without exposing their credentials. Used by every “Login with Google” button.

Authorisation models

RBAC (Role-Based Access Control): Access determined by role (admin, editor, viewer)
ABAC (Attribute-Based Access Control): Access determined by attributes of the user, resource, and environment

Security practices that matter

Hash passwords with bcrypt or Argon2 — never store plaintext, never use MD5 or SHA1 alone
Use HTTPS-only, HttpOnly, SameSite cookies
Rate limit login attempts — lock accounts after repeated failures
Make error messages consistent — “invalid credentials” rather than “user not found” or “wrong password” (the latter leaks information attackers can exploit)
Protect against timing attacks: operations that take different amounts of time based on input can leak information about valid usernames

6. Validation and Transformation

Every piece of data entering your system from the outside world is untrusted. Validation is the gate.

Types of validation:

Syntactic: Is this string a valid email format? Is this a valid date?
Semantic: Is this birth date in the past? Is the age between 0 and 120?
Type: Is this field actually a number, not a string?
Relational: Does the confirmPassword field match password?
Conditional: Is partnerName only required when married is true?

Client-side validation improves UX by giving users instant feedback. Server-side validation is the actual security layer — it must always exist, regardless of what the client does. A malicious actor can bypass client-side validation in seconds.

Transformation happens alongside validation: converting query string parameters from strings to numbers, normalising emails to lowercase, trimming whitespace, adding country codes to phone numbers.

Sanitisation strips or escapes dangerous content — preventing SQL injection and XSS attacks.

Fail fast: return all validation errors in a single response so the user can fix everything at once.

7. Middleware

Middleware is code that runs between receiving a request and returning a response. The best way to think about it: middleware is reusable logic that applies across multiple routes.

Common middleware in any production backend:

Authentication middleware — validates tokens, populates request context with user info
Logging middleware — structured request/response logging for observability
Rate limiting middleware — throttles requests per client
CORS middleware — adds the appropriate access-control headers
Compression middleware — gzip/br compresses responses before sending
Error handling middleware — catches unhandled errors and returns consistent error shapes
Body parsing middleware — deserialises JSON, form data, file uploads

Middleware order matters. You can’t check authentication before parsing the body if the token is in the body. You can’t log the response before generating it. Think of middleware as a pipeline — request flows through each layer in sequence.

8. Request Context

When a request arrives, it’s not just the data in the URL and body that matters — there’s metadata that needs to travel through the entire lifecycle: the authenticated user, a unique trace ID, request timestamps, permission sets.

Request context is the mechanism for carrying this data without passing it explicitly to every function. In most frameworks, it’s attached to the request object and lives only for the duration of that request.

Key components of request context:

HTTP method, URL, headers, query parameters, body
Authenticated user information (populated by auth middleware)
Unique request ID / trace ID (for distributed tracing)
Request-scoped cache data

Best practice: keep context lightweight. Don’t overload it with data. Clean it up after the request completes to prevent memory leaks.

9. The Three Layers: Presentation, Business Logic, Data Access

A well-structured backend separates concerns into three layers:

Presentation layer — routes, middleware, handlers, controllers. This layer speaks HTTP. It accepts data from clients, calls the business logic, and returns responses. It doesn’t make business decisions.

Business logic layer (BLL) — services, domain models, business rules. This is the heart of your application. It doesn’t know about HTTP. It knows about your domain: users, orders, payments. It calls the data access layer to read and write data.

Data access layer (DAL) — database queries, ORM models. This layer speaks SQL (or your database’s query language). It doesn’t make business decisions. It executes queries and returns results.

This separation makes code easier to test, easier to reason about, and easier to modify. You can swap your database without touching business logic. You can add a new API endpoint without duplicating database code.

10. Databases

Databases are where most backend performance problems live.

Relational (PostgreSQL, MySQL) — structured data with relationships, ACID guarantees, strong consistency. Use when data integrity and complex queries matter.

Non-relational (MongoDB, Redis, DynamoDB) — flexible schemas, horizontal scaling, eventual consistency. Use when you need speed, scale, or document-oriented data.

Key theoretical concepts:

ACID (Atomicity, Consistency, Isolation, Durability) — the properties that make relational database transactions reliable
CAP theorem — in a distributed system, you can only guarantee two of: Consistency, Availability, Partition Tolerance

Practical concepts that affect performance daily:

Indexing — the single most impactful optimisation for read-heavy workloads. Index foreign keys and frequently queried fields.
N+1 query problem — fetching a list of records and then making a separate query for each one. Use joins or eager loading.
Connection pooling — don’t open a new database connection for every request. Pool and reuse connections.
Transactions — wrap multi-step operations in transactions to maintain consistency on failure.

11. Caching

Caching is the art of trading memory for speed.

Cache-aside (lazy loading): Check the cache first. If the data isn’t there (cache miss), fetch from the database, store in cache, return to client. Simple and effective for most use cases.

Write-through: On every write, update both the database and the cache simultaneously. Higher write latency, but cache is always fresh.

Write-behind (write-back): Write to cache immediately, persist to database asynchronously. High performance, higher risk of data loss.

Eviction strategies: LRU (Least Recently Used), LFU (Least Frequently Used), TTL (Time To Live). Choose based on your access patterns.

Levels of caching:

L1 — in-memory within the application process (fastest, smallest)
L2 — distributed cache like Redis (fast, shared across servers)
L3 — CDN for static assets

Cache invalidation is notoriously hard. The two main strategies: TTL-based (the cache expires after N seconds) and event-based (explicitly invalidate the cache when the underlying data changes).

12. Task Queuing and Background Jobs

Some operations are too slow or too unreliable to run synchronously in a request. Sending emails, processing images, making third-party API calls, batch operations — these belong in background jobs.

The pattern: the request handler pushes a job onto a queue (like Redis or RabbitMQ) and returns immediately. A separate worker process picks up the job and executes it asynchronously. The user gets an instant response, and the work happens in the background.

A task queue has four components:

Producer — the code that creates and enqueues tasks
Queue — the data structure (and backing system) that holds tasks
Consumer/Worker — the code that picks up and executes tasks
Broker — the message broker that manages delivery (Redis, RabbitMQ, SQS)

Design for failure: tasks should be idempotent (safe to retry), have retry logic with exponential backoff, and have dead-letter queues for tasks that repeatedly fail. Prioritise critical tasks (payments) over non-critical ones (notifications).

13. Error Handling

Errors fall into three categories:

Syntax errors — caught at compile time or startup
Runtime errors — unexpected failures during execution (null pointer, network timeout)
Logic errors — the code runs but produces wrong results

Good error handling strategy:

Fail fast: don’t swallow errors silently. Let them bubble up to a handler.
Use structured error types with codes, messages, and context.
Have a global error handler that catches unhandled exceptions and returns a consistent error shape.
Log errors with stack traces, request context, and user information.
Return appropriate HTTP status codes — don’t return 200 with an error body.
Never expose internal error details to clients — log them server-side, return a generic message.

Use tools like Sentry for error tracking in production. Set up alerts for error rate spikes.

14. Logging, Monitoring, and Observability

These three are related but distinct:

Logging is recording discrete events. Use structured logging (JSON format) rather than plain text — it’s parseable by machines. Log levels matter: DEBUG for development verbosity, INFO for normal operations, WARN for unexpected but handled situations, ERROR for failures, FATAL for application-ending events. Never log passwords, tokens, or PII.

Monitoring tracks system health over time — CPU, memory, request rates, error rates, response times. Tools: Prometheus for metrics collection, Grafana for dashboards. Set alert thresholds on what matters, not everything — alert fatigue is real.

Observability is the ability to understand what’s happening inside your system from the outside. The three pillars are logs, metrics, and traces. Distributed tracing (using trace IDs that follow a request across services) is essential in microservices architectures.

15. Security

A backend engineer is responsible for security at the application layer. Common vulnerabilities to understand:

SQL injection: User input is interpolated into SQL queries. Use parameterised queries always.
XSS (Cross-Site Scripting): User-supplied content is rendered as HTML. Sanitise and escape output.
CSRF (Cross-Site Request Forgery): Malicious sites trick browsers into making authenticated requests. Use CSRF tokens or SameSite cookies.
Broken authentication: Weak session management, missing token expiry, no rate limiting on login.

Security principles to live by:

Least privilege: services and users should have the minimum permissions needed.
Defence in depth: multiple layers of security — don’t rely on any single control.
Fail secure: when something goes wrong, default to denying access, not granting it.
Security by design: consider security at architecture time, not as an afterthought.

16. Scaling and Performance

Performance work follows a clear sequence: measure, identify the bottleneck, fix, measure again.

Key metrics: response time (p50, p95, p99), throughput (requests per second), error rate, CPU and memory utilisation.

Common optimisations:

Database indexes on frequently queried fields
Caching at appropriate layers
Connection pooling for databases and HTTP clients
Pagination on large result sets — never return unbounded lists
Batch processing for bulk operations
Compression on large responses
Async processing for non-critical work

Horizontal scaling (more servers) is generally preferable to vertical scaling (bigger servers) for resilience. Design for it from the start: stateless services, externalised session storage, shared caches.

Concurrency vs Parallelism: Concurrency handles multiple tasks by interleaving them (good for I/O-bound work). Parallelism runs tasks simultaneously on multiple CPU cores (good for CPU-bound work). Most web backends are I/O-bound — async/await and event loops excel here.

17. Testing

Testing isn’t optional. It’s the only way to make changes without fear.

Unit tests test individual functions in isolation. Fast to run, easy to debug.

Integration tests test how multiple components work together — your service layer hitting a real database, your API handler going through middleware.

End-to-end tests simulate real user behaviour through the full stack. Slow, brittle, but essential for critical paths.

Load and stress tests verify your system holds up under traffic. Run before every major release.

Test-driven development (TDD) — writing tests before code — is worth learning. It forces you to design APIs before implementing them.

Automate everything in CI/CD. Tests that don’t run automatically get skipped.

18. DevOps Concepts Every Backend Engineer Needs

You don’t need to be a DevOps engineer, but you need to understand:

CI/CD pipelines: Automated testing and deployment on every code change
Docker: Containerising your application for consistent, reproducible environments
Kubernetes: Orchestrating containers at scale
Infrastructure as Code: Defining infrastructure in version-controlled config files (Terraform, Pulumi)
Blue-green deployment: Running two identical environments, switching traffic to the new one with no downtime
Rolling deployment: Gradually replacing old instances with new ones
Graceful shutdown: When a server is shutting down, stop accepting new requests, finish in-flight requests, close database connections, then terminate. Not doing this drops requests and corrupts data.

The Big Picture

Backend engineering is not about knowing every API and framework. It’s about understanding systems — how data moves, how failures propagate, how to build something that holds up under real conditions.

The concepts in this guide don’t expire. HTTP, caching, databases, authentication, queuing — these are the foundations. Frameworks come and go. If you switch from Django to Go or from Express to Rust, the code looks different. The problems don’t.

That’s what first-principles thinking buys you: the ability to reason about any system, in any language, at any scale.

Thanks to https://www.linkedin.com/in/k-srinivas53168/
And his playlist
https://www.youtube.com/watch?v=a3C1DMswClQ&list=PLui3EUkuMTPgZcV0QhQrOcwMPcBCcd_Q1&index=5

Connect with me on:

The Backend Concepts Nobody Teaches You But Everyone Expects You to Know

Kavisha Mathur — Sun, 15 Mar 2026 10:05:25 GMT

If you are aiming for senior engineering positions, technical interviews will probe you on system-level thinking — not just whether you can write code, but whether you understand what happens at scale. This article covers the five backend domains that come up most in design rounds, code reviews, and on-calls. Read it, internalise it, and use it as a reference when you build.

🔥 Top Tech Jobs Are Hiring NOW — Don’t Miss Out.

🚀 Multiple Roles Available
👉 Apply & Secure Your Job

1. Caching Strategies

Caching is one of the highest-leverage tools in a backend engineer’s kit. Done well, it cuts latency by orders of magnitude and takes pressure off your database. Done poorly, it serves stale data and hides bugs. At SDE 2, you are expected to know not just how to add a cache, but which strategy fits the situation.

Cache-aside (Lazy Loading)

The most common pattern. The application is responsible for all cache interaction.

– On read: check cache first. On miss, fetch from DB, write to cache, return data.

– On write: update the DB, then invalidate or update the cache entry.

– Pros: only caches what is actually requested; cache failures are survivable.

– Cons: first request always misses; risk of stale data if invalidation is missed.

Use cache-aside as your default pattern for read-heavy workloads. It is predictable and debuggable.

Write-through

The application writes to cache and DB simultaneously on every write.

– Cache is always in sync with the DB.

– Cons: slower writes; cache fills with data that may never be read again.

– Best suited for systems where read consistency is critical, such as financial dashboards.

Write-behind (Write-back)

Write to cache immediately; persist to DB asynchronously in the background.

– Pros: extremely fast writes; great for high-throughput ingestion pipelines.

– Cons: risk of data loss if the cache node dies before the async write completes.

– Only use this when you can tolerate some data loss, or you have durable queues in front of the DB write.

Eviction Policies

– LRU (Least Recently Used): evicts the entry that has not been accessed for the longest time. Default in Redis. Correct for most use cases.

– LFU (Least Frequently Used): evicts entries with the lowest access count. Better for workloads with stable hot keys.

– TTL (Time to Live): entries expire after a set duration regardless of access. Essential for data with known staleness windows, such as session tokens or rate limit counters.

Where to Cache

– Client-side: browser cache, HTTP cache headers (Cache-Control, ETag). Free latency savings for public assets.

– CDN layer: Cloudflare, CloudFront. Ideal for static files, images, and read-heavy API responses.

– Reverse proxy: Nginx or Varnish can cache responses before they hit your app server.

– Application layer: in-process (local HashMap) for tiny, ultra-hot data; distributed (Redis, Memcached) for shared state across instances.

– DB query cache: most databases have one. Do not rely on it; use Redis explicitly.

The classic mistake: caching at the wrong layer. A CDN cache on user-specific data leaks data across users. Always think about who shares the cache.

2. API Design & Rate Limiting

APIs are contracts. As an SDE 2, you own the API surface for at least one service. You need to design APIs that are intuitive for consumers, stable over time, and resilient to abuse.

REST vs GraphQL vs gRPC

– REST: resource-oriented, uses HTTP verbs and status codes. Simple, widely understood, cacheable. The right default for most external APIs.

– GraphQL: clients request exactly the fields they need. Eliminates over-fetching and under-fetching. Adds complexity on the server (resolvers, N+1 query problems, no HTTP-level caching). Use for frontend-driven products with many consumer types.

– gRPC: uses Protocol Buffers over HTTP/2. Strongly typed, fast, great for streaming. Ideal for internal service-to-service communication. Poor browser support without a proxy layer.

Versioning

Never ship a public API without a version. Changing an unversioned API breaks consumers silently.

– URL versioning: /v1/users — explicit, easy to route, industry standard.

– Header versioning: Accept: application/vnd.api+json;version=2 — clean URLs but harder to test.

– Always maintain at least one previous major version while clients migrate. Deprecation windows should be communicated via response headers (Sunset: Sat, 31 Dec 2025 00:00:00 GMT).

Pagination

– Offset pagination: ?page=2&limit=20. Simple. Breaks when items are inserted or deleted during pagination — the same record appears twice or is skipped.

– Cursor-based pagination: ?cursor=eyJpZCI6MTAwfQ==. Stable on live data. Use a cursor that encodes a stable sort key (e.g., id or created_at). This is the correct default for any paginated list.

– Always cap limit server-side. Never allow unlimited fetches.

Cursor-based pagination is required knowledge for any SDE 2 interview. Know how to generate and decode the cursor, and why offset breaks on live data.

Rate Limiting Strategies

– Fixed window: count requests per minute in a fixed time bucket. Simple but allows a burst at the window boundary (100 requests at 00:59 + 100 at 01:00 = 200 in 2 seconds).

– Sliding window: count requests in a rolling window. Smooth distribution. More expensive to implement with Redis (use a sorted set with timestamps as scores).

– Token bucket: a bucket fills at a constant rate; each request consumes a token. Allows short bursts up to bucket size. Most commonly used in practice.

– Leaky bucket: requests enter a queue and are processed at a fixed rate. Zero burstiness. Good for protecting downstream services from spikes.

– Rate limit by user ID, API key, and IP simultaneously. Return 429 Too Many Requests with Retry-After header.

Response Design & Idempotency

– Use HTTP status codes correctly: 200 success, 201 created, 400 bad client input, 401 unauthenticated, 403 unauthorised, 404 not found, 409 conflict, 422 unprocessable entity, 429 rate limited, 500 server error.

– Consistent error envelope: { error: { code: ‘VALIDATION_FAILED’, message: ‘…’, details: […] } }. Never return different error shapes from different endpoints.

– Idempotency keys: for non-idempotent operations (payments, order creation), clients should send a unique Idempotency-Key header. Server stores the result; duplicate requests return the cached result instead of executing again. This is critical for safe retries.

3. Load Balancing & Horizontal Scaling

You are expected to reason about how your service handles 10x or 100x traffic growth. Horizontal scaling is the standard answer — but it only works if your application is designed to support it.

Load Balancing Algorithms

– Round robin: requests go to each server in rotation. Works when all servers are equivalent.

– Least connections: routes to the server with the fewest active connections. Better when request processing time varies significantly.

– IP hash / sticky routing: same client IP always routes to the same server. Used when you have server-side session state that cannot be externalised. Breaks true statelessness.

– Weighted round robin: assign weights to servers based on capacity. Useful during rolling deploys or when mixing instance types.

Horizontal vs Vertical Scaling

– Vertical scaling (scale up): bigger CPU, more RAM. Fast to implement, no code changes. Hard ceiling, single point of failure, expensive at the top end.

– Horizontal scaling (scale out): more instances behind a load balancer. No ceiling, fault tolerant, cost-efficient with auto-scaling. Requires stateless services.

The reason scaling is hard is not the load balancer — it is state. Any in-memory state (sessions, caches, counters) must move to a shared store before you can scale out.

Stateless Services

A stateless service stores no user-specific state in memory between requests. Any instance can serve any request.

– Sessions go in Redis or a DB, not in-process memory.

– Uploaded files go in object storage (S3), not the local filesystem.

– Distributed caches, not local hashmaps, for shared counters or flags.

– Stateless services can be killed and replaced without affecting users.

Health Checks & Auto-scaling

– Health checks: load balancers poll /health or /ping. Unhealthy instances are removed from rotation automatically. Your health endpoint must check real dependencies — DB connection, Redis connectivity — not just return 200 OK unconditionally.

– Liveness vs readiness: Kubernetes distinguishes these. Liveness = is the process alive? Readiness = is the service ready to accept traffic? Fail readiness during startup and graceful shutdown.

– Auto-scaling: scale out when CPU > 70% for 3 minutes; scale in when CPU < 30%. Always set a minimum of 2 instances for redundancy. Use target tracking policies over step scaling.

4. Environment & Secret Management

Leaked credentials are the cause of a significant proportion of production security incidents. Secret management is not optional — it is table stakes for any production system. SDE 2 engineers are expected to implement it correctly without being asked.

Never Hardcode Secrets

This is not a guideline. It is a rule with no exceptions.

– No API keys, DB passwords, JWT secrets, or private keys in source code.

– No secrets in .env files committed to version control. .env goes in .gitignore.

– No secrets in Docker images, build logs, or CI/CD output.

– If a secret is ever committed to git, rotate it immediately — even if the repo is private. Git history is permanent and git repos get leaked.

Environment Variables

– Use .env files locally (via dotenv). Never commit them.

– In production, inject environment variables through your platform: ECS task definitions, Kubernetes secrets (base64-encoded, mounted as env vars), Heroku config vars.

– Separate config (non-sensitive: PORT, LOG_LEVEL, FEATURE_FLAG_X) from secrets (sensitive: DB_PASSWORD, JWT_SECRET). Config can go in version control. Secrets cannot.

Secret Managers

– AWS Secrets Manager: store, rotate, and access secrets via SDK or IAM role. Automatic rotation for RDS credentials. The right choice if you are on AWS.

– HashiCorp Vault: open-source, cloud-agnostic, powerful. Dynamic secrets (generates a new DB credential per request, revokes on expiry). Higher operational overhead.

– GCP Secret Manager / Azure Key Vault: first-party equivalents for those clouds.

– Application retrieves secrets at runtime via SDK, not at build time. This means secrets are never baked into artefacts.

The gold standard: your application has an IAM role that allows it to read specific secrets from Secrets Manager. No secret is ever stored in an environment variable in production.

Secret Rotation

– Secrets should expire and rotate. Systems must handle rotation without downtime.

– Pattern: support two versions of a secret simultaneously (old and new). Rotate the secret, wait for all instances to pick up the new version, then invalidate the old one.

– Automate rotation. Manual rotation is always delayed and often forgotten.

5. Authentication & Authorisation

Auth is the most consequential part of a backend system to get wrong. Vulnerabilities here are high-severity by default. SDE 2 engineers are expected to own this end-to-end, including the subtle parts.

Login Methods

– Password + hash: never store passwords in plaintext or with MD5/SHA1. Use bcrypt or argon2. Both are deliberately slow to resist brute-force. Set work factor to make hashing take ~100–300ms on your hardware.

– Magic links / OTP: generate a short-lived signed token, email it to the user, they click it to authenticate. Passwordless and phishing-resistant. Use for low-friction consumer apps.

– OAuth / Social login: delegate authentication to Google, GitHub, Apple etc. You never see the user’s password. Use PKCE flow for web and native apps. Handle email collision (user signs in with two providers that share an email) explicitly.

– Passkeys (WebAuthn): the modern standard. Public-key cryptography; the private key never leaves the device. Phishing-resistant by design. Increasingly expected in new systems.

Sessions vs JWTs

– Sessions: server stores session state in Redis or DB. Session ID in an httpOnly cookie. Easy to revoke (delete from store). Requires a session store; adds a lookup per request.

– JWT (JSON Web Token): self-contained signed token. Server is stateless — no DB lookup per request. Signed with a secret (HMAC) or key pair (RS256). The fundamental problem: JWTs cannot be revoked before expiry without a denylist, which reintroduces state.

– Best practice: short-lived access tokens (15 minutes) + long-lived refresh tokens (7–30 days) stored in httpOnly cookies. On expiry, use the refresh token to issue a new access token silently. Rotate refresh tokens on each use.

– Never store JWTs in localStorage — they are accessible to XSS. Use httpOnly; Secure; SameSite=Strict cookies.

OAuth 2.0 vs OpenID Connect

– OAuth 2.0 is an authorisation framework. It grants an application access to resources on behalf of a user (via scopes). It does not tell you who the user is.

– OpenID Connect (OIDC) is an identity layer on top of OAuth 2.0. It adds an ID token (a JWT) that contains claims about the user (sub, email, name). When you implement “Login with Google”, you are using OIDC.

– Know the OAuth flows: Authorization Code + PKCE for user-facing apps (the secure default); Client Credentials for machine-to-machine; Device Code for CLIs and TVs. The Implicit flow is deprecated.

Roles & Permissions (RBAC, ABAC, PBAC)

– RBAC (Role-Based Access Control): assign roles to users (admin, editor, viewer). Each role has a set of permitted actions. Simple to implement and reason about. Correct for most applications.

– ABAC (Attribute-Based Access Control): access decisions based on attributes of the user, the resource, and the environment (e.g., user.department == resource.owner_department AND time.hour < 18). Flexible but complex.

– PBAC (Policy-Based Access Control): centralised policy engine (e.g., Open Policy Agent). Policies are code, version-controlled, testable. Ideal for microservices where authorisation logic must be consistent across many services.

Start with RBAC. Add ABAC only when RBAC produces an explosion of roles. Add a policy engine only when you need consistent authorisation across many services.

MFA & Hardening

– Enforce MFA on admin panels, billing operations, data export, and any action with irreversible consequences. Do not make it opt-in; make it the default.

– TOTP (Google Authenticator, Authy) is the minimum acceptable MFA. Hardware keys (YubiKey, WebAuthn) for privileged accounts.

– Hardening checklist: HTTPS only with HSTS. httpOnly; Secure; SameSite cookies. CSRF tokens on state-changing requests. Rate limiting on all auth endpoints. Account lockout after N failed attempts. Audit log every authentication event. Rotate secrets and revoke sessions on password change.

Common Mistakes That Reach Production

– Broken Object Level Authorisation (BOLA/IDOR): user A fetches /api/orders/9999 and gets user B’s order because the backend only checks authentication, not authorisation. This is OWASP API Security #1. Always verify ownership at the row level.

– No rate limiting on /login: allows unlimited brute-force attempts.

– Long-lived, non-rotating tokens: a leaked token means permanent access.

– Auth logic scattered across handlers: one handler forgets the check. Centralise authorisation in middleware.

– Returning 403 vs 404: when a resource exists but the user cannot access it, return 404 rather than 403 to avoid leaking information about resource existence.

You should not need a senior engineer to tell you to version your API, use cursor pagination, or store secrets in a vault. These should be defaults you bring to every project.

The concepts in this article are not advanced — they are standard. If any section felt unfamiliar, build something with it. Read the documentation for Redis, the OAuth 2.0 RFC, the OWASP API Security Top 10. The engineers who are genuinely strong at SDE 2 have not just read about these things — they have felt the pain of getting them wrong.

Build deliberately.

Happy Building! :)

Connect with me on:

The Backend Concepts Nobody Teaches You But Everyone Expects You to Know was originally published in CodeToDeploy on Medium, where people are continuing the conversation by highlighting and responding to this story.

How to Write a CFP That Gets You on Stage at Major Tech Conferences + Template that works

Kavisha Mathur — Sat, 14 Mar 2026 14:08:20 GMT

How to Write a CFP That Gets You on Stage at Major Tech Conferences (With a Template That Actually Works)

Most proposals get rejected in the first 30 seconds. Here’s how to make sure yours doesn’t.

Every year, thousands of brilliant engineers, designers, and technologists submit proposals to speak at conferences like Google I/O, Grace Hopper, KubeCon, and Atlassian Summit. Most of them get rejected — not because the ideas are bad, but because the proposals are written wrong.

I know because I was one of them.

My first three CFPs were polished, detailed, and completely focused on the wrong thing: me. My experience. My background. My credentials. I thought I was making a case for why I deserved to be on stage. What I didn’t understand is that conference committees aren’t looking for deserving speakers. They’re looking for the right talk for their audience.

The moment I understood that distinction, everything changed.

This is everything I’ve learned about writing proposals that get accepted — distilled into a framework you can use starting today.

First, Understand What a CFP Committee Actually Wants

Before you write a single word, you need to get inside the head of the person reviewing your proposal.

They are not your hiring manager. They are not evaluating your résumé. They are a volunteer (usually) who has read sixty proposals today and has a headache. They’re asking one question, over and over, for every submission they read:

“Will this talk make our attendees’ experience better?”

That’s it. Everything else — your title, your bio, your abstract — is only valuable insofar as it answers that question convincingly and quickly.

Most proposals fail because they answer a different question: “Why is this speaker credible?” Credibility matters, but it’s secondary. Value to the audience comes first, always.

The Anatomy of a Winning CFP

A strong proposal has five components. Miss any one of them and you’re leaving the decision to chance.

1. The Title — Your First (and Sometimes Only) Impression

Conference committees often sort proposals by title before reading the abstract. Your title needs to do two things simultaneously: promise a clear outcome and create just enough curiosity to make them want to read further.

Weak titles describe what you’ll cover:

“Introduction to Kubernetes”
“My Journey with GraphQL”
“Lessons from Building at Scale”

Strong titles make a specific promise or create a tension:

“Why Your Kubernetes Setup Will Fail at 10x Traffic (And How to Fix It Before It Does)”
“GraphQL Broke Our API — Here’s What We Built Instead”
“We Scaled to 10 Million Users Without a Dedicated Platform Team. Here’s the Playbook.”

Notice the pattern. Strong titles are specific, they imply stakes, and they suggest the audience will gain something concrete. A/B test your title with colleagues before submitting. If they say “oh that’s interesting, what do you mean by that?” — you have a winner.

2. The Abstract — Sell the Outcome, Not the Journey

Your abstract is where most proposals die. The average abstract reads like this:

“In this talk, I will share my experience with distributed systems. We will explore various approaches to handling failures and discuss the lessons our team learned over three years of building our infrastructure.”

This abstract says almost nothing. It’s vague. It’s passive. And it gives the reviewer no reason to choose it over the forty other distributed systems talks they’re reading.

A strong abstract follows this structure:

Open with the problem the audience has (not the problem you solved) Establish the stakes (what happens if they don’t solve it) Preview your solution (not the full answer — just enough) State the takeaway explicitly (what they will leave knowing or able to do)

Here’s the same talk, rewritten:

“Distributed systems fail in predictable ways — but most engineering teams only discover those patterns after something breaks in production at 2am. In this talk, I’ll share the five failure modes we hit while scaling our platform to 50 million requests per day, and the specific architectural decisions that would have prevented each one. You’ll leave with a failure-mode checklist you can run against your own system this week.”

Same speaker. Same experience. Completely different result.

3. The Takeaways — Make the Value Scannable

Most CFP forms ask for three to five key takeaways. Treat these seriously — reviewers often skip to this section first.

Bad takeaways are vague:

“A better understanding of distributed systems”
“Inspiration to improve their codebase”

Good takeaways are specific and actionable:

“How to identify the three most common distributed system failure modes before they hit production”
“A framework for deciding between synchronous and asynchronous communication at the service boundary”
“A concrete checklist to run a failure-mode audit on any existing architecture”

The test: could your attendee tell a colleague exactly what they learned from your talk? If your takeaway is specific enough to pass that test, it’s strong enough to include.

4. The Bio — Brief, Relevant, and Third-Person

Your bio should be three to four sentences. No more. It needs to establish exactly one thing: that you are credible to speak on this specific topic. Not your entire career. Not every technology you’ve ever touched.

If your talk is about scaling infrastructure, your bio should mention scaling infrastructure. If your talk is about accessibility in design systems, your bio should mention accessibility or design systems. The relevance signal matters more than the prestige signal.

Also: write in third person. It feels unnatural but it reads better in the conference program.

Example: “Priya has spent six years building developer tooling at companies ranging from early-stage startups to large-scale platforms. She’s a Google Developer Expert in Web Technologies and has spoken at Google DevFest, Atlassian Summit, and Grace Hopper. She writes about engineering culture and developer experience on her blog.”

Clean. Relevant. Done.

5. The Supporting Evidence — Proof You Can Deliver

Many conferences ask for a link to a previous talk, a blog post, or any public-facing content. If you have it, include it. If you don’t, create it before you submit.

A five-minute lightning talk recording from a local meetup is worth more than ten years of experience with no evidence. It tells the committee: this person can communicate, they’re comfortable in front of an audience, and they won’t freeze on our stage.

If you have nothing yet: record yourself giving a ten-minute version of your talk on your phone, upload it to YouTube as unlisted, and link it. That is enough to clear the credibility bar for most mid-tier conferences.

The CFP Template (Copy and Adapt)

Here is the exact structure I use. Fill in the brackets for your own talk.

Title: [Specific outcome or tension] — [The Stakes or the Surprise]

Example: “Why Most API Rate Limiters Break Under Load — And a Pattern That Doesn’t”

Abstract:

[One sentence that names the exact problem your audience is dealing with.]

[One to two sentences on why this problem is harder than it looks, or why conventional wisdom gets it wrong.]

[One to two sentences previewing your approach — not the full answer, just enough to create curiosity.]

[One clear sentence stating what the audience will walk away with.]

Example:

Rate limiting sounds simple until you’re doing it at scale. Most teams reach for a token bucket or a sliding window algorithm, deploy it, and discover three months later that it works beautifully in testing and catastrophically in production under distributed load. In this talk, I’ll walk through the specific failure scenarios we hit at 100K requests per second and the cell-based architecture we built to solve them — without adding a dedicated infrastructure layer. You’ll leave with a decision framework for choosing the right rate-limiting pattern for your scale, and a set of load-testing benchmarks to validate it before you ship.

Key Takeaways:

[Specific thing they will know]
[Specific thing they will be able to do]
[Specific thing they will be able to avoid or decide differently]

Speaker Bio:

[Name] is a [role] with [X years] of experience in [specific domain relevant to the talk]. [One sentence about a specific relevant achievement or project.] [One sentence about past speaking or writing, if applicable.]

Session Format: [Talk / Workshop / Lightning Talk / Panel] Duration: [20 / 30 / 45 / 60 minutes] Audience Level: [Beginner / Intermediate / Advanced] Supporting Material: [Link to previous talk, article, or unlisted YouTube recording]

The Submission Strategy Nobody Talks About

Writing a great CFP is only half the equation. Here’s how to maximize your chances across the board.

Submit to more conferences than feels comfortable. A 20% acceptance rate is considered good in tech speaking. If you’ve submitted to three conferences and gotten rejected, you haven’t been rejected — you’ve taken three shots. Submit to fifteen.

Tailor, don’t copy-paste. Read each conference’s theme and past talks. Use their language in your abstract. If they care about sustainability, frame your talk through that lens. If they care about emerging markets, find the angle. One talk can be submitted in many forms.

Follow up after rejection. Some conferences share reviewer feedback. Ask for it. The ones who provide it are giving you a free coaching session. Use it.

Build your speaking history deliberately. GDG meetups, internal company talks, online webinars, podcast appearances — all of it counts as evidence that you can deliver. The conference circuit rewards momentum. Once you have two or three credits, the next door opens faster.

Start before you’re ready. The speakers who get on the biggest stages are almost never the ones who waited until they felt qualified. They’re the ones who showed up early, gave the imperfect talk, learned from it, and did it again.

One Last Thing

The talk you want to give — the one that’s been sitting in your head as “maybe someday” — someone in your audience needs to hear it. Not a version of it from a more senior person, not a polished TED-style production. Your version. With your specific context and your specific hard-won lessons.

The CFP is just the door. Write something honest, specific, and audience-first.

Then knock.

Happy Building! :)

If you found this useful, I share practical advice on tech speaking, developer community, and engineering career growth. Follow along, and feel free to share this with someone who’s been thinking about submitting their first CFP.

Connect with me on:

The Ultimate Hackathon Resource Vault: Everything You Need to Win Consistently

Kavisha Mathur — Sat, 28 Feb 2026 10:57:03 GMT

If you haven’t read these yet, start here:

Finding the right events:
https://medium.com/@KavishaMathur/the-ultimate-guide-to-finding-tech-events-that-actually-matter-5c501503567c

Winning execution strategy:
https://medium.com/codetodeploy/the-hackathon-insider-playbook-from-a-8x-winner-de83d138bab5

This article is different.

This is your curated resource vault — everything you need to master hackathons.

Where to Find Hackathons

Global Platforms

Devfolio — https://devfolio.co
Devpost — https://devpost.com
MLH (Major League Hacking) — https://mlh.io
Unstop — https://unstop.com
HackerEarth — https://hackerearth.com
Hack2Skill — https://hack2skill.com
Hackathon.com — https://hackathon.com

Community & Ecosystem Events

Google Developer Groups — https://gdg.community.dev
Microsoft Reactor — https://developer.microsoft.com/reactor
AWS Events — https://aws.amazon.com/events
GitHub Events — https://github.com/events
T-Hub — https://t-hub.co
NASSCOM — https://nasscom.in

Elevator Pitch & Presentation Resources

Study Real Pitch Decks

Y Combinator Library — https://www.ycombinator.com/library
Sequoia Pitch Guide — https://www.sequoiacap.com/article/writing-a-business-plan/
Airbnb Pitch Deck — https://www.slideshare.net/PitchDeckCoach/airbnb-first-pitch-deck-editable

Practice & Delivery

Loom (record yourself) — https://www.loom.com
TED Talks (delivery style) — https://www.ted.com/talks
Slidebean Tutorials — https://slidebean.com/blog
Toastmasters — https://www.toastmasters.org

Free Slide Templates

Canva Pitch Decks — https://www.canva.com/templates/startup-pitch-deck/
Slidesgo — https://slidesgo.com
Google Slides — https://docs.google.com/presentation

Team Building & Collaboration Tools

Notion — https://notion.so
Trello — https://trello.com
Miro — https://miro.com
FigJam — https://figma.com/figjam
Slack — https://slack.com
Discord — https://discord.com
GitHub — https://github.com

MVP Building Stack

You don’t need more motivation.

You need:
• A resource stack
• A reusable system
• A pre-built template ecosystem

Most teams Google randomly during a hackathon.

Winners already have these bookmarked.

Build your stack once.
Reuse forever.
Refine after every event.

That’s how hackathons compound into career leverage.

Happy Building! :)

Connect with me on:

The Ultimate Guide to Finding Tech Events That Actually Matter

Kavisha Mathur — Wed, 25 Feb 2026 17:33:14 GMT

https://www.instagram.com/p/DVME5aNj8MV/?igsh=MTFjdzg2M29qdHI1MA==

First — What Do You Actually Get From Tech Events?

Before we talk about how to find them, let me show you what “showing up” has quietly given me.

Everyday Swag (That Adds Up Fast)

From multiple tech events and programs, I’ve received:

Notebooks
Signed books from authors
Stickers, pens, pop sockets
Multiple coffee flasks and bottles (including one from Amazon ML Summer School)

If you attend enough events, you genuinely stop buying stationery.

Estimated value: ~₹6,000+

Lifestyle Upgrades (The Unexpected Part)

This is where it gets interesting.

Wells Fargo fanny bag
A leather travel bag
Bliss Club vouchers + cap
Two full-sized perfumes
Lip gloss
Concealer
Sunscreens
Sirona products

Tech events are often backed by lifestyle sponsors.

You don’t realize it at first, but your wardrobe and travel gear quietly upgrade.

Estimated value: ₹20,000+

Productivity & Tech Accessories

These are things I would have otherwise bought myself:

HP wireless mouse
Multi-port hub
Modular cable kit (USB-C, Apple, B-type connectors in one compact case)
Magnetic wallet card holder
Humidifier

I haven’t purchased basic tech accessories in years.

Estimated value: ₹10,000–₹12,000

Comfort & Work Setup

If you code long hours, these are elite:

Frido neck pillow
Frido seat cushion

Estimated value: ~₹5,000

Smart Tech & Premium Devices

Then came the serious upgrades:

Google Home / Assistant
UltraHuman Ring (₹30,000)

The UltraHuman ring tracks sleep, stress, activity, recovery, and menstrual cycle insights.

I didn’t buy it.

I earned it by participating.

Total Estimated Value?

Conservatively: ₹80,000+

And that’s just tangible items.

Now let’s talk about the real value.

When I was in college, I thought opportunities were “luck.”

There’s a system to finding them — and once you understand it, opportunities stop feeling rare.

This is the exact framework I use to discover high-quality tech events consistently.

Step 1: Stop Searching “Hackathons Near Me”

Most people do this:

Google → “Hackathons 2026 India”

That’s noise.

Instead, search by organizer, not event.

Big tech companies and ecosystems run recurring programs. If you follow them once, you never miss future editions.

For example:

Google (Build programs, Cloud events, DevFests, Agentic AI challenges)
Microsoft (Student cohorts, Chhalaang-style hackathons, Reactor sessions)
Amazon (ML Summer School, AWS community days)
Major League Hacking (Global hackathons & fellowships)
Linux Foundation (Scholarships, LFX mentorships)

Follow their:

LinkedIn pages
Twitter/X accounts
Developer newsletters
Community chapters

Events repeat. Ecosystems compound.

Step 2: Track Developer Communities (Not Just Companies)

The highest ROI events often come from communities, not corporations.

Look for:

Google Developer Groups (GDG)
AWS User Groups
Kubernetes / Cloud Native communities
Women in Tech collectives
University tech clubs (even after you graduate)

Communities give you:

Early access
Insider recommendations
Smaller, high-quality events
Speaking opportunities

Most people only discover these after 2–3 years in industry.

You don’t have to.

Step 3: Use Platforms That Aggregate Events

Here are reliable discovery platforms:

Dev & Hackathon Platforms

Devpost
Unstop
Major League Hacking
HackerEarth

These host:

Online hackathons
Corporate challenges
Startup competitions
Fellowship applications

Newsletters Worth Subscribing To

Company-specific developer newsletters (Google Cloud, AWS, Microsoft)
Product Hunt newsletters
Indie Hackers
Tech Twitter curated lists

Your inbox should bring you opportunities.

Not distractions.

Step 4: Build a Personal Opportunity System

This changed everything for me.

Instead of reacting to events, I built a tracker.

Simple Notion sheet:

Columns:

Event Name
Organizer
Type (Hackathon / Scholarship / Speaker / Fellowship)
Deadline
Eligibility
Prize / Perks
Link
Status

I check it weekly.

Opportunities feel abundant when they’re visible.

Step 5: Don’t Ignore Offline Events

Some of my best upgrades came from offline conferences:

Swag
Gadgets
Smart devices

But more importantly:

Conversations
Mentors
Future referrals

Search on:

Meetup
Eventbrite
LinkedIn Events
Google “City + Developer Meetup”

If you’re in a metro city, there’s something happening almost every month.

Step 6: Understand Which Events Are Worth It

Not all events are equal.

Here’s my filter:

High ROI Events:

Backed by major tech companies
Provide mentorship
Offer structured learning
Have clear deliverables
Offer networking access
Recognized brand value

Low ROI Events:

Vague themes
No clarity on judging
No known organizers
Overpromise, underdeliver

Time is currency.

Choose wisely.

Step 7: Turn Events Into Compounding Assets

Attending is step one.

The real leverage comes from:

Writing about your experience
Posting insights on LinkedIn
Sharing frameworks on Instagram
Publishing long-form on Medium
Staying connected with organizers

One event should give you:

A project
A story
A network
A content piece
A future opportunity

That’s how it compounds.

Final Thought

When I started, I thought opportunities were rare.

They’re not.

They’re just unevenly distributed among people who look for them strategically.

You don’t need to attend everything.

You need to:

Follow the right ecosystems
Track deadlines
Show up consistently
And extract value beyond the event itself

That’s how:

Skills improve
Network expands
And yes — sometimes your lifestyle upgrades too

But more than the goodies?

You upgrade yourself.

Happy Building! :)

Connect with me on:

From 100 Views to 500K: How I Engineered a Viral Trial Reel (Without “Viral” Editing)

Kavisha Mathur — Sat, 14 Feb 2026 17:09:57 GMT

I run a instagram page ChaoTech ( spin off on the word Chaotic- Instagram: https://www.instagram.com/chao.tech_/) where I cover tech content, like going to hackathons, tech events, networking events and recently I posted 4 trial reels, where 2 reels cross 100k views, and the others cross 75k views ( and its still growing)

I love editing. Clean transitions. Tight cuts. Aesthetic frames.
So when my most viral reel was literally two basic pictures and text… it hurt a little.

But it worked.

In one week:

My professional dashboard crossed half a million views
My Instagram followers 4x’d
I redirected traffic to Medium and boosted distribution there

This wasn’t luck. It was understanding how trial reels are evaluated and distributed.

Here’s the real breakdown.

1. First Principle: Trial Reels Are Not About Your Followers

Trial reels are shown primarily to non-followers.

That changes everything.

The algorithm doesn’t care about:

Your brand aesthetic
Your editing complexity
Your attachment to your content style

It cares about:

Initial engagement velocity
Watch time
Saves
Shares
Comments

Especially from users who share similar interest clusters.

If people who engage with hackathon, tech, Google, Microsoft, startup, or AI content engage with your reel — the system pushes it into those interest buckets.

That’s the lever.

2. The Content Structure That Worked

Instead of focusing on visuals, I focused on value density.

My positioning:
“I’ve won 8 hackathons — including Google Agentic AI, Google Build & Blog, and Microsoft Chhalaang.”

I didn’t flex.
I translated credibility into actionable insight.

The reel format:

2 simple images
Bold hook text
Direct value
Strong CTA

No cinematic edit.
No overproduction.

Just clarity.

3. The CTA That Made the Difference

This was the real multiplier.

Instead of:
“Follow for more”

I used:

“Save this before your next hackathon.”
“Comment HACK and I’ll DM you my structure.”
“If you’re building for Google or Microsoft — read this.”

Why this works:

Saves signal long-term value.
Comments signal conversation.
Shares signal relevance.

Engagement depth > surface-level likes.

When people saved it, the reel kept resurfacing.

4. The Description Was Not an Afterthought

Most creators treat captions like filler.

I used mine as a secondary content channel.

My description:

Expanded the reel
Added structured bullet points
Included keywords like hackathon strategy, Google AI, Microsoft competition, agentic systems
Redirected to Medium with contextual framing

Not “link in bio.”

But:
“If you want the full framework, I’ve broken it down step-by-step on Medium.”

That made the transition natural.

5. The Algorithm Insight Most People Miss

The reel doesn’t go viral because your followers love it.

It goes viral because:
People who don’t follow you interact with it.

And when similar-interest clusters engage early, the system identifies a pattern:

“Users who engage with hackathon content also engage with this reel.”

So it keeps testing.

Your job is to:
Make it easy for the right audience to self-identify.

That’s why specificity beats aesthetics.

6. Imposter Syndrome vs. Market Feedback

I’ll be honest.

It didn’t feel like “me.”

I’m big on editing.
I like high-quality transitions.
Structured storytelling.

This reel felt low-effort.

But here’s the uncomfortable truth:

You are not making content for yourself.

You’re making it for:

The 3rd-year BTech student
The builder preparing for Google
The developer entering their first hackathon

Customer is king.

Once you build audience gravity, you can layer your style back in.

But first, you earn distribution.

7. The Growth Flywheel I Built

Here’s how everything connected:

Reel → Saves & Shares → Non-follower Reach
Non-follower Reach → Follower Growth (4x in a week)
Follower Growth → Higher baseline engagement
Caption → Medium redirection
Medium reads → Authority positioning
Authority positioning → Stronger future reels

Distribution compounds.

Most people stop at views.

Views are vanity.
Redirection is strategy.

8. Tactical Playbook You Can Use

If you want to replicate this, here’s the structure:

Lead with authority proof (specific, not vague).
Deliver 3–5 actionable points.
Use a save-driven CTA.
Make the caption richer than the reel.
Target a narrow interest cluster.
Don’t over-edit trial reels.
Redirect intentionally (not aggressively).

And most importantly:

Make content that solves a real micro-problem.

9. Why This Worked for My Niche

I wasn’t selling motivation.

I was giving:
“How to win hackathons.”

Concrete.
Specific.
Repeatable.

And I backed it with:

Google Agentic AI participation
Google Build & Blog
Microsoft Chhalaang etc

When credibility meets clarity, distribution follows.

10. Final Takeaway

Virality is not aesthetic.

It is engineered alignment between:
Value × Audience Cluster × Engagement Signals × Retention

The reel that felt “too simple” outperformed my most edited ones.

Sometimes growth requires you to detach from your ego and listen to the data.

And once you understand the system, you don’t chase virality.

You design for it.

Happy Building! :)

Connect with me on:

The hackathon insider playbook — from a 8x winner

Kavisha Mathur — Wed, 11 Feb 2026 18:25:30 GMT

How to Win Hackathons Consistently — The Insider Playbook

Most people attend hackathons to participate.
A few attend to win.

After multiple hackathons, wins, losses, late-night debugging sessions, and pitch-stage realizations, I understood something:

Hackathons are not about coding the most.
They’re about thinking the clearest.

This is the Hackathon Mastery Blueprint — the exact framework that separates finalists from the rest.

If you’re tired of “almost winning,” read this carefully.

1. How to Make a Strong Elevator Pitch (30–45 seconds)

A winning pitch answers four things quickly and clearly:

Problem

State the real pain point in one crisp line.
Example:
“Student teams struggle with Git, and most projects fail because they can’t collaborate properly.”

Solution

What exactly are you building?
Example:
“We built an AI-guided Git workspace that helps beginners learn version control while actually collaborating.”

Why You

What is unique about your approach?
Example:
“We added conflict-resolution assistance and a visual branching map — something no beginner tool offers.”

Impact

Quantifiable outcomes matter more than adjectives.
Example:
“In two hours, 40 students completed their first pull request with zero merge conflicts.”

Judge insight:
If you don’t capture interest in the first 15 seconds, you blend in. Start with a hook, statistic, or surprising line.

The Four-Part Pitch Formula That Actually Works:

Problem (10 seconds): State the pain so specifically that people feel it.

NO -“Students struggle with collaboration tools.”
YES- “Three students just spent four hours on a group project. At midnight, one person force-pushed to main and deleted everyone’s work. This happens at every hackathon.”

See the difference? The second one makes you feel the problem.

Solution (15 seconds): What are you building? Make it visceral, not vague.

NO- “We built a Git learning platform.”
YES -“We built an AI workspace that guides beginners through Git like a patient mentor sitting next to them, catching mistakes before they happen.”

Why You (10 seconds): What’s your unfair advantage? What do you have that no one else thought of?

Real example from my Smart Campus Automation win: “Every ‘smart campus’ solution needs new hardware. We’re the only team that works with the motion sensors already installed in every building — hardware that’s currently doing nothing but turning lights on.”

That line got us into the finals.

Impact (10 seconds): Numbers. Always numbers.

NO — “Our solution will help many students.”
YES — “In our two-hour pilot, 40 students who’d never used Git successfully completed their first pull request with zero merge conflicts.”

Judges live for quantifiable impact.

The Hook Strategy:

Start with one of these, always:

A shocking statistic: “Eighty percent of hackathon projects fail because of something that has nothing to do with code.”
A relatable disaster: “Raise your hand if you’ve ever had a team member say ‘just push to main’ at 2 AM.” (Hands go up, you’ve got them)
A provocative question: “What if I told you the best hackathon projects aren’t the most technically complex?”

2. How to Build a Good Team

Winning teams almost always have three types of people:

The Thinker

Understands product flows, problem statements, user research.

The Builder

Backend, frontend, or ML: someone who can ship quickly.

The Storyteller

Handles pitch deck, demo flow, and final presentation.

You need all three functions. A team with only coders and no presenter often loses to a simpler project that’s explained better.

Finding teammates even if you don’t know anyone:

Hackathon WhatsApp groups
Devfolio Discord
LinkedIn posts
Event ice-breakers
MLH servers

Good teammate indicators:

People who say “Let’s scope this down”
People who push code early
People who communicate clearly
People who don’t fight for tech-stack ego

Red flags:

“We will build a full app in three hours”
“I will learn React right now and build later”
“Just trust me” with no deliverables

The Team Agreement I Make Every Time Now:

Hour 1, after idea selection, we have this conversation:

Communication check-ins: Every 3 hours, quick sync. Not optional.
Merge strategy: Main branch is locked. Everyone works on feature branches. No exceptions.
The “cut scope” signal: Anyone can say “this is too much” and we listen. No ego.
Sleep strategy (for 48hr hacks): Rotate. Two people sleep while two build. Never let everyone crash at once.

This 10-minute conversation has saved me from so many late-night disasters.

3. How to Build an MVP in 24 Hours

This is the exact approach used in most winning teams:

First 2 Hours

Finalize the idea
Freeze scope
Select tech stack
Write user flow
Decide on ONE core feature only

Next 6 Hours

Build only what is essential:

Core functionality
Basic UI
Minimal backend

Avoid login pages, animations, and unnecessary screens.

Next 4 Hours

Add one “wow factor”:

AI-driven component
Smart automation
Visual dashboard
Recommender system
Interesting visualization

The “wow factor” often decides top 3 placements.

Next 4 Hours

Integration, testing, bug fixing.

Final 3–4 Hours

Prepare:

Demo script
Slide deck
Pitch
Video (if required)

More hackathons are won at the pitch stage than during coding.

4. How to Ask Mentors and Judges for Help Strategically

Avoid vague questions. Judges appreciate clarity.

Do not ask:

“Is our idea good?”
“What should we build?”
“We are stuck; can you help?”

Ask instead:

“We shortlisted two ideas; which one aligns best with the problem statement?”
“We built X and are stuck at Y. Here are two approaches. Which one seems more practical?”
“What do judges typically expect in the implementation section?”
“Is our scope realistic for the remaining time?”

This shows that you have thought through the problem, which earns more respect and more detailed guidance.

5. How to Network with Judges and Mentors

Judges remember teams that demonstrate clarity, improvement, and humility.

After the hackathon, message them concisely:

“Thank you for your feedback today. We implemented your suggestions on ___ and it improved the project significantly. Would love to stay connected.”

This professional follow-up opens doors to:

Internships
Mentorship
Future hackathon invitations
Community leadership roles
Startup opportunities

Networking is one of the most undervalued outcomes of hackathons.
The Best Question I Ever Asked a Judge:

At hour 18 of a 48-hour hack, I was exhausted. Our project was working but felt… meh. A judge was walking by.

Our team: “Can I get your honest feedback? We have 30 hours left. Here’s what we’ve built [quick 30-second demo]. What would make this go from ‘interesting’ to ‘oh, that’s actually clever?’”

Judge: “You’re solving the problem, but you’re not showing me WHY it matters. Who is this helping? Show me a real person benefiting.”

That one piece of feedback changed everything. We spent the next 6 hours adding a “success stories” dashboard showing real testimonials from our user testing. We placed second.

The lesson: Judges remember teams that take feedback and act on it.

Questions That Get You 20 Minutes of Mentorship:

“We’re deciding between two approaches: [A] and [B]. Here’s what we’ve considered for each. Which would you pick given our timeline?”
“We built X but we’re stuck at Y. We’ve tried [approach 1] and [approach 2]. Here’s the error we’re getting. Any ideas?”
“We’re about to make a technical decision between these two database options. Given that we have [constraint], which would you recommend?”
“Does our project scope seem realistic for the next 12 hours? Here’s what we have left.”

The pattern: Show your work. Ask specific questions. Respect their time.

6. Demo & Pitch Prep

This is where hackathons are won.

More teams lose because of bad presentations than bad code.

“Hi, I’m [Name]. Meet Sarah — she’s a college student trying to collaborate on a group project.

[DEMO: Show Sarah opening the app]

Right now, Sarah’s team uses Git. But look what happens when she tries to merge her code.

[DEMO: Show the typical merge conflict error]

Forty-seven conflicts. Her teammates’ code. Four hours of work gone.

[DEMO: Show your solution]

With our tool, Sarah gets AI-guided help. It shows her exactly what conflicted, why it happened, and how to fix it.

[DEMO: Show the resolution]

One click. Conflict resolved. Code merged.

[DEMO: Show the result]

Sarah’s team just saved four hours and a lot of frustration.”

Record your demo video

2 minutes max
Show, don’t tell
No code on screen unless it’s impressively visual
Use screen recording with your voice + basic text overlays

7. How to Find Hackathons

Platforms

Devfolio
Unstop
MLH
HackerEarth
Hack2Skill
Hackathon.com

Developer Communities

GDG
Microsoft Reactor
AWS Community Day
GitHub Community Events

Startup Ecosystem

T-Hub
Nasscom
Accelerators and incubators

Social Media

Follow keywords on LinkedIn: “hackathon”, “innovation challenge”, “tech competition”, “Devfest”, “Build for Bharat”.

You will get constant opportunities.

8. How Judges Actually Score Projects

Scoring generally follows these categories:

Problem Understanding — 20%

Did you pick a real, high-quality problem?

Solution Fit — 20%

Does your solution address the pain point logically?

Implementation — 20%

Quality over quantity.

Innovation / Wow Factor — 20%

One standout element often decides the top three.

Presentation — 20%

A clear, confident narrative wins even if the product is slightly simpler.

9. Slide Deck Structure for Winning Presentations

Hook (one shocking stat or story)
Problem (make them feel it)
Current solutions (and why they fail)
Your solution (high-level)
Demo (this can be video or “let me show you live”)
How it works (architecture, but make it visual)
Impact (numbers, testimonials, potential)
Technical highlights (the wow factor explained)
What’s next (roadmap)
Team

Clean slides with fewer words perform better.

Slide 1: The Hook

Bad:

“Welcome to our presentation”
Team names and photos
Hackathon logo

Good:

A provocative stat: “67% of first-year CS students have failed a group project because of Git”
A relatable scenario: “It’s 2 AM. You just pushed your code. You broke the entire codebase. Your teammates are asleep. What do you do?”
A single powerful image that makes people curious

My go-to structure: One sentence. One statistic. One visual. That’s it.

Slides 2–3: Problem

Bad:

Wall of text explaining everything wrong with the world
Generic problems everyone knows
No evidence the problem exists

Good:

One slide showing WHO has the problem
One slide showing WHAT the problem costs them
Specificity is everything

Example from one of winning decks: Slide 2:
Visual: Photo of frustrated student at 3 AM
Text: “Meet Sarah. She’s been working on her group project for 6 hours.”

Slide 3:
Visual: Git merge conflict screenshot
Text: “One git push. 43 conflicts. 6 hours of work potentially lost.”

Slides 4–5: Solution

Bad:

Architecture diagram with too many boxes
List of every feature you built
Technical jargon judges don’t understand

Good:

ONE slide showing what you built (high level)
ONE slide showing how it works (visually)

The rule: If you can’t explain your solution to your non-technical friend, your slide is too complex.

Slide 6: Demo

Option 1: Embedded video (safer)
Option 2: Live demo (riskier but more impressive)
Option 3: GIF showing key interaction

Never: Just screenshots. They’re boring.

Slide 7: Impact

This is where you win or lose.

Bad:

“This will help many students”
“This could revolutionize education”
Hypothetical future impact

Good:

“40 students tested our tool. 38 completed their first merge with zero errors.”
“Reduced collaboration setup time from 2 hours to 5 minutes.”
“Already implemented in 3 classes at our university.”

Numbers. Testimonials. Real results.

Slide 8: Technical Highlights

This is your “wow factor” slide.

Show, don’t tell:

NO — “We used machine learning”
Yes — Visual showing how your ML model makes predictions with 94% accuracy

Make it visual:

System architecture that actually looks good
Data flow diagram with color coding
Before/after comparison

Slide 9: What’s Next

Bad:

Vague roadmap with no dates
“We plan to add many features”

Good:

Clear next steps: “Pilot with 3 university CS departments (Fall 2026)”
Specific asks: “Looking for beta testers from [specific group]”
Realistic timeline

Slide 10: Team

Bad:

Just names and photos
Generic roles

Good:

Name + ONE impressive credential each
Relevant experience: “Kavisha — Won 8 hackathons, SDE at Tesco”

Keep it brief. This slide gets 5 seconds of attention max.

Design Rules I Never Break:

One idea per slide — If you need to explain two things, use two slides
Big text — If you can’t read it from 10 feet away, it’s too small
High contrast — Dark background + light text, or vice versa
Maximum 20 words per slide — Ideally closer to 10
No bullet points — Images, numbers, and short sentences only

Font: Something clean. I use Inter, Poppins, or Montserrat. Never Comic Sans. Please.

Colors: Your brand palette. Stick to 3 colors max, brownie point if it aligns with the brand colours

10. 24-Hour Hackathon Checklist

Idea locked
Problem validated
MVP defined
Wow factor added
Demo flow practiced
Slides ready
Video recorded (if needed)
Submission uploaded early

This puts you ahead of at least 70 percent of teams.

At the end of the day, hackathons are compressed simulations of the real tech world.

You are evaluated on:

How clearly you think
How quickly you execute
How well you communicate

Not just how much you code.

Master these three — and you won’t just win hackathons.
You’ll build like a real engineer.

And that compounds far beyond a trophy.

Happy Building! :)

Connect with me on:

Thank you for being a part of the community

Before you go:

👉 Be sure to clap and follow the writer ️👏️️

👉 Follow us: Linkedin| Medium

👉 CodeToDeploy Tech Community is live on Discord — Join now!

Note: This Post may contain affiliate links.

The hackathon insider playbook — from a 8x winner was originally published in CodeToDeploy on Medium, where people are continuing the conversation by highlighting and responding to this story.