Senior Software Engineer - Identity & Authorization Platform

About The Position

Requirements

• Minimum 4+ years building production backend systems at scale.
• Comfort with at least one systems language (Go, Rust, C++) and one application language (TypeScript, Python).
• Hands-on experience designing and implementing an authentication or authorization service. Examples include building a token issuer, an OIDC or OAuth2 provider, a policy engine, a permissions model, or an FGA/ReBAC system in the style of Zanzibar, OpenFGA, SpiceDB, or Cedar.
• Working knowledge of SAML, SCIM, OIDC, and OAuth2 at the protocol level and are able to implement them.
• Experience designing APIs and SDKs that other engineers depend on, with strong opinions on what makes them adoptable.
• Experience operating distributed systems at scale, including caching strategies, consistency tradeoffs, and multi-region concerns.
• Familiarity with identity vendors (Auth0, WorkOS, AWS/GCP/Azure IAM) as building blocks you've extended or integrated into a larger platform.
• Strong production debugging instincts and a high bar for systems that are easy to develop against.

Nice To Haves

• You've built or contributed to a Zanzibar-style authorization system, or run an OpenFGA or SpiceDB deployment beyond the demo.
• You've designed a multi-tenant permission model that survived real customer requirements like custom roles, hierarchies, delegation, and ABAC attributes.
• You've shipped an SDK that product teams across an org actually adopted, and have opinions about why most internal SDKs fail.

Responsibilities

• Design and build the platform services that power authentication, authorization, and audit across ClickHouse Cloud. This includes a unified RBAC/ReBAC service, token issuance and session handling, and the SDKs that product teams embed to make authorization decision.
• Model permissions and access control primitives (resources, roles, relationships, policies) that work across ClickHouse, SQL Console, ClickPipes, and HyperDX. Ship the libraries and APIs that other engineers build against.
• Implement protocol-level support for SAML, SCIM, OIDC, OAuth2, and MFA/passwordless flows. Own the integrations that make enterprise SSO and provisioning work end to end.
• Build the audit and authorization-decision telemetry pipeline so every access decision is observable, queryable, and surfaceable to customers.
• Partner with product engineering teams to migrate bespoke per-product auth implementations onto the shared platform, and design APIs that make adoption straightforward.
• Carry the platform on-call rotation and own production reliability for systems on the critical path of every customer request.

Benefits

• Employer contributions towards your healthcare.
• Stock options.
• Flexible time off in the US, generous entitlement in other countries.
• A $500 Home office setup if you’re a remote employee.
• Global Gatherings – We believe in the power of in-person connection and offer opportunities to engage with colleagues at company-wide offsites.