System Design: Resilient, Secure Request Flow with Unreliable Third‑Party Authorization

Context

You are designing a multi‑region, HTTP/JSON API where clients must obtain an access token from a third‑party authorization service before calling your main API. The third‑party service is intermittently unreliable: it may return malformed responses, time out, or fail.

Assume:

• Tokens can be JWTs (signed with rotating keys) or opaque tokens (requiring introspection).
• Your system must operate in multiple regions with strict isolation to contain blast radius.
• Clients perform both read and write operations against your API.

Task

Design an end‑to‑end request flow that is resilient and secure. Explicitly cover:

1. Token acquisition patterns, validation, caching and proactive refresh.
2. Retries with exponential backoff and jitter; bounded attempts.
3. Circuit breakers and request hedging to the third‑party.
4. Idempotency keys for client‑visible mutations.
5. Fallback paths (e.g., degraded mode, cached permissions) under dependency failures.
6. Quarantining/poison‑pill detection for malformed or dangerous responses.
7. Observability: metrics, tracing, logs, and alerts.
8. Rate limiting and abuse‑prevention controls.
9. SLA/SLO objectives and error‑budget‑driven degradation.
10. Blast‑radius containment across regions and tenants.
11. Describe external and internal APIs and key data models.
12. Provide failure‑mode playbooks for common outage scenarios.

Be explicit about security controls (key management, token handling, storage, and transport security), and call out trade‑offs and pitfalls.