Senior Software Engineer - Identity & Authorization Platform

The Platform Auth team’s goal is to support our ‘one customer identity’ vision by providing tools, processes, and expertise for our engineering teams to create a unified access management experience while simplifying and standardizing engineering patterns in the space. We are looking for engineers to join our growing team!  What you will be doing: - Design and build the platform services that power authentication, authorization, and audit across ClickHouse Cloud. This includes a unified RBAC/ReBAC service, token issuance and session handling, and the SDKs that product teams embed to make authorization decision. - Model permissions and access control primitives (resources, roles, relationships, policies) that work across ClickHouse, SQL Console, ClickPipes, and HyperDX. Ship the libraries and APIs that other engineers build against. - Implement protocol-level support for SAML, SCIM, OIDC, OAuth2, and MFA/passwordless flows. Own the integrations that make enterprise SSO and provisioning work end to end. - Build the audit and authorization-decision telemetry pipeline so every access decision is observable, queryable, and surfaceable to customers. - Partner with product engineering teams to migrate bespoke per-product auth implementations onto the shared platform, and design APIs that make adoption straightforward. - Carry the platform on-call rotation and own production reliability for systems on the critical path of every customer request. What you bring along: - Minimum 4+ years building production backend systems at scale. Comfort with at least one systems language (Go, Rust, C++) and one application language (TypeScript, Python). - Hands-on experience designing and implementing an authentication or authorization service. Examples include building a token issuer, an OIDC or OAuth2 provider, a policy engine, a permissions model, or an FGA/ReBAC system in the style of Zanzibar, OpenFGA, SpiceDB, or Cedar. - Working knowledge of SAML, SCIM, OIDC, and OAuth2 at the protocol level and are able to implement them. - Experience designing APIs and SDKs that other engineers depend on, with strong opinions on what makes them adoptable. - Experience operating distributed systems at scale, including caching strategies, consistency tradeoffs, and multi-region concerns. - Familiarity with identity vendors (Auth0, WorkOS, AWS/GCP/Azure IAM) as building blocks you've extended or integrated into a larger platform. - Strong production debugging instincts and a high bar for systems that are easy to develop against. Bonus: - You've built or contributed to a Zanzibar-style authorization system, or run an OpenFGA or SpiceDB deployment beyond the demo. - You've designed a multi-tenant permission model that survived real customer requirements like custom roles, hierarchies, delegation, and ABAC attributes. - You've shipped an SDK that product teams across an org actually adopted, and have opinions about why most internal SDKs fail.