Principal Software Engineer

FusionAuth•Denver, CO

20d•$225,000 - $270,000•Hybrid

About The Position

FusionAuth is hiring a Principal Engineer to serve as a senior technical authority on customer identity. This person will be a key contributor to the architectural direction of the FusionAuth platform, carry deep protocol expertise (OAuth 2.x, OpenID Connect, SCIM, SAML), and guide enterprise customers on how FusionAuth fits into their identity architectures. The role reports directly to the SVP of Engineering & Technology. This is a hands-on position. You will write production code, review technical designs, and contribute to critical architectural decisions on a Java-based platform trusted by thousands of organizations and downloaded over 10 million times. You will be the person enterprise customers turn to when the questions get hard: protocol edge cases, security tradeoffs, migration architectures, and integration patterns that don’t fit neatly into documentation. The timing matters. FusionAuth is at an inflection point: expanding the engineering team, shaping the product roadmap for the next several years, and building into a problem space that is accelerating. AI agents need their own authentication and authorization. Passkeys are replacing passwords. New protocol extensions are rewriting token security. The decisions you make here will directly shape a product that developers and end users worldwide depend on. FusionAuth runs in self-hosted, on-premise, and dedicated cloud environments across thousands of customer-managed deployments. Every architectural decision carries backward compatibility weight. Every protocol implementation must be correct across versions. These are hard, consequential problems, and you will have real influence over how we solve them. You will work closely with Product Management to evaluate industry trends and translate them into product roadmap decisions. You will track not just protocol evolution but broader technology shifts (frameworks, languages, infrastructure patterns) that should influence the platform’s direction. We need someone who holds strong technical convictions to uphold the integrity of the architecture and platform, but who also listens well and adapts when presented with better evidence. If you want to be the definitive CIAM expert at a company whose entire product is CIAM, this is the role.

Requirements

Bachelor’s degree in Computer Science or equivalent demonstrable technical depth.
Production-grade expertise in OAuth 2.x, OIDC, SCIM, and SAML. The ability to identify subtle misimplementations, guide protocol-correct designs, and explain nuanced tradeoffs.
12+ years of professional software engineering, including 5+ years focused on identity, authentication, or security, with meaningful time at the principal, staff, or architect level.
Proven track record of shipping code alongside architectural responsibilities. Not an architect who stopped coding.
Experience with enterprise-grade, highly available, high-performance distributed systems.
Experience designing or supporting software deployed across self-hosted, on-premise, or dedicated cloud environments. Understanding of backward compatibility, upgrade paths, and performance tuning across customer-managed infrastructure.
Demonstrated ability to engage directly with enterprise customers and prospects on technical design and architecture.
Experience reviewing and approving technical designs in a formal or informal architecture review capacity.
Familiarity with emerging identity protocols and standards (FIDO2/passkeys, DPoP, token binding, OAuth 2.x drafts, etc.).
Willingness to adopt and use AI-assisted development tools (e.g., Claude Code, GitHub Copilot) as part of everyday workflow.
Appreciates first-principles thinking, but knows when to stop theorizing and start building.

Nice To Haves

Direct experience building or working within a CIAM product or identity platform.
History of contributing to open-source identity or security projects, or publishing technical writing on identity topics.
Experience leading or supporting an engineering team’s transition to AI-native development workflows. FusionAuth is actively standardizing on AI-native tooling across the SDLC, and this role will help shape that adoption.
Familiarity with compliance frameworks (SOC 2, FedRAMP, GDPR) and their impact on architectural decisions around data residency, encryption, and audit logging.
Experience with PostgreSQL or MySQL at scale, including schema evolution strategy, query performance tuning, and data migration planning for a self-hosted product.
Strong Java skills. FusionAuth’s core application is Java-based.
Strong communicator who holds strong technical opinions while remaining open to other perspectives.

Responsibilities

Write, review, and own high-quality, secure production code on the FusionAuth core application. This is a hands-on technical leadership role, not a design-only position.
Provide leadership for the platform’s architectural evolution. Draft and review Technical Design Documents (TDDs), ensuring designs meet FusionAuth’s standards for scalability, security, and quality before implementation begins.
Serve as a go-to expert on OAuth 2.x, OIDC, SCIM, and SAML. Guide protocol-correct implementation across the product. Answer hard protocol questions from engineering, Support, Solutions Engineering, and customers.
Engage directly with enterprise prospects and customers on architectural and integration design decisions. Translate complex CIAM concepts clearly for both technical and semi-technical audiences.
Track where the identity industry is heading: passkeys/FIDO2, device authorization, DPoP, token binding, emerging OAuth and OIDC drafts, and the rapidly evolving intersection of AI and identity (agent authentication, scoped credential issuance, authorization for AI-driven workflows). Monitor broader technology trends and bring well-reasoned perspectives on what FusionAuth should build, adopt, or avoid. Partner with Product Management to translate these insights into roadmap decisions.
Represent FusionAuth at industry conferences, working groups, and community events. Build FusionAuth’s technical credibility in the identity and security ecosystem.
Factor FusionAuth’s diverse deployment targets into every architectural and feature decision. Ensure backward compatibility, API versioning integrity, upgrade paths, and sound schema migration strategy for a product running across thousands of customer-managed environments.
Mentor engineers across the team. Raise CIAM knowledge through code reviews, design discussions, architectural sessions, and informal knowledge sharing.
Work closely with Product Management, Solutions Engineering, and Customer Success on complex customer situations, roadmap decisions, and new feature design.

Benefits

Comprehensive health insurance including medical, dental, and vision coverage, with the company covering the majority of your medical premiums to keep your costs low
Fully employer-paid High Deductible Health Plan (HDHP) option paired with a Health Savings Account (HSA), including employer contributions
Basic life insurance and short- and long-term disability coverage fully paid by the company for essential financial protection
Voluntary life insurance options to provide additional financial protection for you and your loved ones
Healthcare and Dependent Care Flexible Spending Accounts (FSAs) to save pre-tax dollars on eligible expenses
401(k) plan with company match to help you save for retirement
Generous paid time off (PTO) plus paid company holidays to support work-life balance
Employee Assistance Program (EAP) offering confidential counseling and support services
Professional growth and development opportunities to boost your career journey
Eligibility for performance-based bonuses or variable compensation tied to individual, team, or company results