Senior Software Engineer 2, IAM

at Drata

The Identity & Access Management team owns the identity, authentication, and access control infrastructure that every customer uses to access the platform and that every internal platform service relies on for trust boundaries. The team focuses on several key pillars:

  • Authentication: SSO (SAML 2.0, OIDC), session/token management, and MFA for enterprise customers with large user populations and sophisticated identity setups.
  • Authorization: Access control models ranging from RBAC to fine-grained authorization for internal services and AI-driven actions.
  • Provisioning & Lifecycle: SCIM 2.0 provisioning for enterprise customers on identity platforms like Okta and Microsoft Entra ID, including group-to-role mapping and conflict resolution.
  • Identity Sync Infrastructure: Maintaining accurate workforce data via integrations with Okta, M365, and Google at enterprise scale.
  • Auth for Platform Services and AI: Providing trust primitives and supporting human-in-the-loop authorization patterns for AI features and agentic workflows.

Responsibilities

  • Design and operate the authentication surface, including SSO integrations, session handling, and flexible enterprise identity configurations.
  • Contribute to the authorization architecture, collaborating on policy engines (RBAC vs. ABAC) and observability of access decisions.
  • Build and harden SCIM provisioning at enterprise scale, managing group sync, role mapping, and IdP-specific behaviors.
  • Build and operate identity sync workflows with robust observability, retry semantics, and parity guarantees.
  • Develop authentication and authorization for AI features, including scoped credentials for agents and human-in-the-loop approval workflows.
  • Provide auth primitives for other platform services and represent IAM in cross-team architecture discussions.
  • Threat-model identity surfaces, partner with security on hardening, and lead responses to identity-related incidents.

Requirements

  • 7+ years of experience building production software, with a focus on authentication, authorization, or identity infrastructure.
  • 3+ years of experience in a NodeJS / TypeScript codebase with a deep understanding of TypeScript.
  • Working knowledge of identity protocols including OAuth 2.0, OIDC, SAML 2.0, and SCIM 2.0.
  • Experience designing or operating access control systems (RBAC, ABAC, or relationship-based authorization).
  • Knowledge of surfacing observability and security information from complex systems.
  • Experience collaborating on API design and architecture.
  • Strong fundamentals in session management, token lifecycle, MFA, and associated security tradeoffs.
  • Production experience operating on a major cloud provider (AWS preferred).
  • Security-first instinct with the ability to defend design decisions against threat models.
  • Comfortable in collaborative architecture work and owning execution on specific components.

Preferred Qualifications

  • Experience integrating with identity platforms such as Okta, Microsoft Entra ID, Auth0, Ping, or WorkOS.
  • Experience with authorization engines like OpenFGA, Cedar, or OPA.
  • Experience operating SCIM, SSO, or identity sync at enterprise scale.
  • Familiarity with durable workflow engines such as Temporal.
  • Experience with HRIS API integrations.
  • Context in compliance frameworks like SOC 2, ISO 27001, NIST, or FedRAMP.
  • Experience building auth for AI agents, MCP servers, or agentic-system contexts.
  • Background in bug bounty, appsec, or red-team activities on identity surfaces.

Benefits

  • Shared Success: Stock equity to ensure you share directly in the company's growth.
  • Health & Wellness: Up to 100% employer-paid premiums for medical, dental, and vision coverage for employees and their dependents.
  • Financial Well-being: 401(k) plan and company-paid life and disability insurance.
  • Family Support: Paid Parental Leave policy available after six months of employment.
  • Growth & Development: Generous annual stipends for both professional and personal development.
  • Time Off & Flexibility: Flexible vacation policy and paid holidays to support work-life balance.

Required Skills:

  • Okta
  • Azure AD / Entra ID
  • Auth0
  • SAML
  • OAuth 2.0
  • OpenID Connect (OIDC)
  • SCIM
  • Role-Based Access Control (RBAC)
  • Attribute-Based Access Control (ABAC)
  • Multi-Factor Authentication (MFA)

Benefits:

  • Health insurance
  • Dental & vision
  • 401k matching
  • Disability insurance
  • Parental leave
  • Stock options
  • Life insurance
  • Learning budget
  • Flexible PTO

  • Location: San Francisco, US
  • Salary: $170K to $240K per year
  • Job Type: Full Time
  • Work Mode: Hybrid
  • Experience: Mid Level
  • Posted: Jun 22, 2026