Lead Engineer - Users & Permissions

Posted 2 days ago
United States, Canada | Full-Time | Software Development
Company:
Location: United States, Canada, EST, PST
Languages: English
Seniority level: Lead, 5+ years
Experience: 5+ years
Skills: Backend Development, Leadership, Node.js, SQL, ElasticSearch, Express.js, GCP, MongoDB, OAuth, Software Architecture, TypeScript, Clickhouse, Nest.js, CI/CD, Mentoring, Microservices
Requirements:
5+ years building backend systems
2+ years focused on auth/IAM for multi-tenant SaaS
Shipped enterprise SSO/SCIM integrations
Shipped at least one production policy engine (RBAC/ABAC/OPA/Cedar)
Track record of owning high-availability services and incident response
TypeScript/Node.js (NestJS/Express)
OAuth 2.1, OIDC, SAML, SCIM, JWT/opaque tokens, WebAuthn/FIDO2, MFA
MongoDB, Firestore, SQL
Elasticsearch, ClickHouse
GCP (GKE/Cloud Run), Pub/Sub, KMS
CI/CD and IaC fundamentals
Microservices, event-driven patterns, caching, rate limiting, observability (logs/metrics/traces)
Responsibilities:
Design and ship highly available auth services (99.99%+ SLO)
Build and evolve REST APIs for authn/authz, session, MFA, and permissions evaluation
Implement token/session lifecycles, rotation, revocation, device binding, and secure cookie strategy
Introduce async patterns for login events, audit streams, and policy updates
Drive cost/perf wins via caching, hot path optimization, and backpressure controls
Lead AuthN: OAuth 2.1/OIDC, PKCE, refresh-token hardening, WebAuthn/FIDO2, TOTP, backup codes
Lead SSO/Enterprise: SAML 2.0, OIDC federation, SCIM 2.0
Lead AuthZ: RBAC→ABAC evolution; design a policy engine
Build admin UX for roles, permission templates, impersonation/delegation, and access reviews
Define permission versioning and migration strategies
Model multi-tenant user/identity/credential graphs across MongoDB/Firestore/Clickhouse/Redis
Index for permission checks
Ship durable audit trails for every sensitive mutating action
Champion threat modeling, secure defaults, and layered defenses
Enforce crypto best practices
Build detection/response hooks for brute-force, token theft, session hijack
Align with GDPR/CCPA and data residency
Achieve sub-10ms median permission checks
Implement zero-downtime deploys, canary+progressive delivery, and circuit-breaker patterns
Perform capacity planning, load testing, chaos drills
Lead cross-functional design with Product, Security, and Platform
Mentor peers on auth/system design
Own on-call for your domain; drive incident postmortems