Senior Engineer, Agentic Identity

Baselayer, San Francisco, CA
$135,000 - $220,000, Hybrid

About The Position

AI agents are beginning to act on behalf of people and businesses against publishers, banks, payment networks, and APIs. Every counterparty today answers identity questions on its own - self-asserted API keys, third-party cookies, pixel trackers. That model breaks the moment the actor is an agent. We're building KYA (Know Your Agent) - a cryptographic identity substrate that replaces self-assertion with third-party-issued credentials, verifiable by any counterparty. We're hiring an engineer to own a meaningful surface of the substrate - issuer mint, edge verification, Passport, or Merkle audit log - and ship it to production.

Requirements

  • Shipped systems where cryptographic correctness was load-bearing: OAuth/OIDC IdP, token issuer, signing service, HSM-backed signer, passkey/WebAuthn flow, or similar.
  • Fluent in Python and Go, or strong in one with a track record of learning the other quickly.
  • Reads RFCs as primary sources and holds informed opinions on JWK thumbprint canonicalization, pairwise-sub derivation, and Signature-Input header serialization.
  • Deep understanding of the distinction between identity and authorization, mandate and claim, snapshot and live state.
  • Production experience with async Python on Postgres, including migration safety and observability.

Nice To Haves

  • Verifiable credentials / SSI / DID work - especially SD-JWT-VC, OID4VC, or the W3C VC stack.
  • Certificate Transparency, Trillian, or similar append-only-log experience.
  • KYC/KYB pipeline experience: provider abstraction, evidence retention, eIDAS/FATF CDD level mapping, ownership-chain resolution.
  • Edge/CDN engineering - Cloudflare Workers, Fastly Compute, Envoy filters, or mTLS at the edge.
  • Familiarity with AP2, x402, MPP, UCP, or Mastercard VI specs and how identity rides alongside mandate.

Responsibilities

  • Build and maintain the runtime issuer/mint: OAuth Token Exchange (RFC 8693), JWS credentials (RFC 7515/7519, SD-JWT-VC), and Merkle audit log with real-time revocation.
  • Own and evolve the wire format and claim registry: JWT profile, verification_level/verification_method enums, and eIDAS/NIST IAL/FATF CDD crosswalk.
  • Implement sub-millisecond JWS verification and Web Bot Auth signature checks (RFC 9421) at the HTTP edge for counterparty CDNs, merchants, and publisher paywalls.
  • Build and maintain Passport - the user's cloud-resident principal account with canonical handle, KYC/KYB record, authorized-operators list, audit feed, and authenticator binding.
  • Develop operator integration: embedded KYB onboarding inside the first OAuth 2.0 consent, per-operator opt-in, and webhook delivery via Svix.
  • Work across a Python 3.13 monorepo (FastAPI, Cloud Tasks, Cloud Run, SQLModel/SQLAlchemy) and Go for performance-critical substrate components.

Benefits

  • Flexible PTO
  • 100% of your health, dental, and vision premiums covered
  • HSA contributions
  • $250 annual gym stipend
© 2026 Teal Labs, Inc