🎸 Django Intermediate

What is Django DRF authentication and permissions?

Why Interviewers Ask This

Candidates at the intermediate level are expected to not only know this concept but explain the trade-offs involved. Interviewers use this question to see if you can reason about design decisions, not just recall facts.

Answer

DRF separates two questions. Authentication classes answer "who is the user?" and populate request.user and request.auth; permission classes answer "can this user do this?". Both can be configured globally in settings.REST_FRAMEWORK or per view.

Global authentication:

    REST_FRAMEWORK = {
        "DEFAULT_AUTHENTICATION_CLASSES": [
            "rest_framework.authentication.SessionAuthentication",
            "rest_framework_simplejwt.authentication.JWTAuthentication",
            "rest_framework.authentication.BasicAuthentication",
        ],
    }

Order matters: DRF tries the classes in order and the first one that authenticates the request wins, and the first class in the list decides whether a rejected request gets a 401 (with a WWW-Authenticate header) or a 403. SessionAuthentication also enforces CSRF for session-authenticated requests, so browser clients must still send the CSRF token. BasicAuthentication transmits the password on every request and belongs only behind TLS, realistically only in development.

JWT with simplejwt: pip install djangorestframework-simplejwt, then wire TokenObtainPairView and TokenRefreshView from rest_framework_simplejwt.views into your URLconf (the package does not register routes for you). With them mounted at /token/ and /token/refresh/: POST /token/ with username and password returns an access and a refresh token; POST /token/refresh/ with the refresh token returns a new access token.

Custom JWT payload:

    from rest_framework_simplejwt.serializers import TokenObtainPairSerializer

    class MyTokenObtainPairSerializer(TokenObtainPairSerializer):
        @classmethod
        def get_token(cls, user):
            token = super().get_token(user)
            token["name"] = user.get_full_name()
            token["role"] = user.role  # assumes a custom user model with a role field
            return token

Point TokenObtainPairView at it with serializer_class = MyTokenObtainPairSerializer on a subclass. Two caveats: claims are signed, not encrypted, so anything in the payload is readable by whoever holds the token; and a claim such as role is frozen at issue time, so a revoked role stays valid until the access token expires. Make authorization decisions against the database, not the claim.

Permission classes:

    from rest_framework.permissions import BasePermission, SAFE_METHODS

    class IsOwnerOrReadOnly(BasePermission):
        def has_object_permission(self, request, view, obj):
            if request.method in SAFE_METHODS:
                return True
            return obj.author == request.user

Per-view: permission_classes = [IsAuthenticated, IsOwnerOrReadOnly]. Every listed class must pass. has_permission runs on every request; has_object_permission runs only when the view calls get_object(), i.e. on retrieve, update and destroy, never on list or create, and not in custom code that fetches the row with Model.objects.get() directly. Pair IsOwnerOrReadOnly with IsAuthenticated as above, otherwise it lets anonymous users read everything. Built-in permissions: AllowAny, IsAuthenticated, IsAdminUser, IsAuthenticatedOrReadOnly, DjangoModelPermissions, DjangoObjectPermissions.

Throttling: rate limiting. DEFAULT_THROTTLE_RATES = {"anon": "100/day", "user": "1000/day"} only defines the rates; nothing is throttled until DEFAULT_THROTTLE_CLASSES (for example AnonRateThrottle and UserRateThrottle) or a per-view throttle_classes is set too. The counters live in the Django cache, so multi-process deployments need a shared cache backend or each worker counts separately.

Filtering: pip install django-filter, add django_filters.rest_framework.DjangoFilterBackend to DEFAULT_FILTER_BACKENDS (or filter_backends on the view) and declare filterset_fields.
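The two-stage permission check is where ownership bugs usually hide, so here is an added, self-contained model of it that runs without Django or DRF installed. It is not DRF's code: the User, Post, Request and PostDetailView classes are constructed stand-ins, and check_permissions, check_object_permissions and get_object mirror the order in which DRF's APIView calls them. The last scenario shows what happens when a view looks the row up directly instead of through get_object().

```python
# Added example (not DRF's own code): a minimal in-memory model of how DRF
# combines permission classes. User, Post, Request and PostDetailView are
# constructed stand-ins; the method names mirror DRF's APIView.
from dataclasses import dataclass

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")  # same tuple rest_framework.permissions exports


@dataclass(frozen=True)
class User:
    username: str
    is_authenticated: bool = True


@dataclass
class Post:
    pk: int
    author: User
    title: str


@dataclass
class Request:
    method: str
    user: User


class BasePermission:
    # has_permission is consulted on every request; has_object_permission only
    # when the view calls get_object(), so never for list/create actions.
    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        return True


class IsAuthenticated(BasePermission):
    def has_permission(self, request, view):
        return bool(request.user and request.user.is_authenticated)


class IsOwnerOrReadOnly(BasePermission):
    def has_object_permission(self, request, view, obj):
        if request.method in SAFE_METHODS:
            return True
        return obj.author == request.user


class NotAuthenticated(Exception):
    status = 401


class PermissionDenied(Exception):
    status = 403


class PostDetailView:
    permission_classes = [IsAuthenticated, IsOwnerOrReadOnly]

    def __init__(self, posts):
        self.posts = {p.pk: p for p in posts}

    def _deny(self, request):
        # DRF answers 401 for anonymous callers and 403 for authenticated ones
        raise NotAuthenticated() if not request.user.is_authenticated else PermissionDenied()

    def check_permissions(self, request):
        for perm in (cls() for cls in self.permission_classes):
            if not perm.has_permission(request, self):
                self._deny(request)

    def check_object_permissions(self, request, obj):
        for perm in (cls() for cls in self.permission_classes):
            if not perm.has_object_permission(request, self, obj):
                self._deny(request)

    def get_object(self, request, pk):
        obj = self.posts[pk]
        self.check_object_permissions(request, obj)  # the call that enforces object-level rules
        return obj

    def dispatch(self, request, pk, use_get_object=True):
        """Return an HTTP status for the request. use_get_object=False models a view
        that fetches the row directly (Post.objects.get(pk=pk) in Django terms) and
        therefore never runs has_object_permission."""
        try:
            self.check_permissions(request)
            obj = self.get_object(request, pk) if use_get_object else self.posts[pk]
            if request.method == "DELETE":
                del self.posts[obj.pk]
                return 204
            return 200
        except (NotAuthenticated, PermissionDenied) as exc:
            return exc.status


def run_scenarios():
    """Constructed sample data; returns {scenario: status} for each request."""
    alice, bob = User("alice"), User("bob")
    anon = User("anon", is_authenticated=False)
    view = PostDetailView([Post(1, alice, "hello")])
    return {
        "anon GET": view.dispatch(Request("GET", anon), 1),
        "bob GET alice's post": view.dispatch(Request("GET", bob), 1),
        "bob PATCH alice's post": view.dispatch(Request("PATCH", bob), 1),
        "alice PATCH own post": view.dispatch(Request("PATCH", alice), 1),
        "bob DELETE, view bypasses get_object": view.dispatch(Request("DELETE", bob), 1, use_get_object=False),
    }


if __name__ == "__main__":
    for label, status in run_scenarios().items():
        print(f"{status}  {label}")
```

The final scenario is the one to remember: IsAuthenticated still passes, IsOwnerOrReadOnly is never asked, and bob deletes alice's post with a 204. In real DRF the fix is the same as in the model, always go through get_object() (or call check_object_permissions yourself) before mutating an object.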

Pro Tip

Back up your answer with a specific project or situation. Saying 'In my last Django project, I used this when...' immediately makes your answer more credible and memorable.