Staff Software Engineer, Cloud Identity
Temporal Technologies
•$212,000 - $286,000•Remote
About The Position
Temporal is hiring a Staff Software Engineer for Identity to design, build, and operate the identity and access platform behind Temporal Cloud — a multi-tenant SaaS serving high-throughput workloads. You'll own the systems that authenticate humans and workloads, authorize fine-grained access to namespaces and APIs, federate with customer IdPs, and distribute auth material to clients and workers at scale. This role partners closely with Security, Product, and platform teams to deliver "secure by default" capabilities without compromising developer or operator experience.
Requirements
- Deep hands-on experience building and operating production identity systems — OAuth 2.0/2.1, OIDC, SAML, JWT/JOSE, JWKS rotation, SCIM, and at least some exposure to workload identity (SPIFFE/SPIRE, WIF, mTLS, or short-lived federated credentials)
- Strong grasp of authorization at scale (RBAC, ABAC, ReBAC/Zanzibar) and familiarity with policy engines like OPA, Cedar, or OpenFGA
- Track record operating latency-sensitive distributed systems in production, including on-call ownership and operational excellence
- Proficiency in Go; experience with Python, Java, or Kotlin is a plus
- Strong communication skills with the ability to align stakeholders across security, product, and engineering and drive execution end-to-end
Nice To Haves
- Contributions to identity OSS projects (Keycloak, Ory, Dex, OpenFGA, SPIRE) or standards bodies (IETF OAuth WG, OpenID Foundation)
- Experience with compliance frameworks (FedRAMP, SOC 2, ISO 27001, HIPAA) as they apply to IAM
- Familiarity with Temporal or other durable-execution engines, especially auth implications around workers and task queues
- Experience designing customer-facing API auth (scoped tokens, API keys, rotation UX) and building well-structured APIs
Responsibilities
- Design and build Temporal Cloud's identity platform end-to-end — authentication (OAuth 2.0/2.1, OIDC, SAML, token exchange), authorization (RBAC/ReBAC/policy engines), and workload identity federation — so customers and workloads authenticate without long-lived secrets
- Scale the auth hot path to meet Temporal Cloud's SLOs: in-memory auth bundles, JWKS caching, decision caching, and revocation strategies that keep latency low and eliminate single points of failure
- Integrate with enterprise IdPs (Okta, Entra ID, Google Workspace, SAML/OIDC), own SCIM 2.0 provisioning, and threat-model identity flows against token replay, confused deputy, scope escalation, and mix-up attacks
- Partner with Security, Product, and platform teams to ship secure-by-default patterns, define IAM lifecycle and audit strategies, and shape the technical roadmap by tracking emerging standards (IETF OAuth WG, OpenID Foundation)
- Mentor engineers, maintain clear architecture docs, and engage directly with customers to understand requirements and unblock adoption
Benefits
- Unlimited PTO
- 12 Holidays + 2 Floating Holidays
- 100% Premiums Coverage for Medical, Dental, and Vision
- AD&D, LT & ST Disability, and Life Insurance (Standard & Supplemental Available)
- Empower 401K Plan
- Learning & Development
- Lifestyle Spending
- In-Home Office Setup
- Professional Memberships
- WFH Meals
- Internet Stipend
- Calm App Subscription for Mental Health & Wellness
Stand Out From the Crowd
Upload your resume and get instant feedback on how well it matches this job.
Upload and Match Resume
What This Job Offers
Job Type
Full-time
Career Level
Senior
Education Level
No Education Listed
