Lead Engineer - Users & Permissions

HighLevel is seeking a Lead Engineer - Users & Permissions to design and deliver rock-solid authentication, enterprise-grade SSO/IdP integrations, and a next-gen permissions platform. The role involves owning high-availability services, implementing battle-tested token/session lifecycles, and driving cost/perf wins via caching and hot path optimization. The successful candidate will have 5+ years of experience building backend systems, with 2+ years focused on auth/IAM for multi-tenant SaaS.

Requirements

• Design and ship highly available auth services (99.99%+ SLO) with clear SLI/SLOs and runbooks
• Build and evolve REST APIs for authn/authz, session, MFA, and permissions evaluation
• Implement battle-tested token/session lifecycles (JWT/opaque tokens), rotation, revocation, device binding, and secure cookie strategy
• Drive cost/perf wins via caching (server/client, edge), hot path optimization, and backpressure controls
• Lead AuthN: OAuth 2.1/OIDC, PKCE, refresh-token hardening, WebAuthn/FIDO2, TOTP, backup codes
• Lead SSO/Enterprise: SAML 2.0, OIDC federation, SCIM 2.0 (JIT provisioning, deprovisioning), IdP-initiated flows
• Lead AuthZ: ship RBAC→ABAC evolution; design a policy engine (OPA/Cedar style) with hierarchical tenants, resource scoping, and conditional grants
• Build admin UX for roles, permission templates, impersonation/delegation, and access reviews (recertification)
• Define permission versioning and migration strategies without downtime
• Model multi-tenant user/identity/credential graphs across MongoDB/Firestore/Clickhouse/Redis; guarantee referential integrity and fast lookups
• Index for blazing permission checks (e.g., pre-computed edges, bitmap/columnar via ClickHouse/Elasticsearch) with strict consistency semantics where needed
• Ship durable audit trails for every sensitive mutating action; partition/TTL intelligently; support eDiscovery and exports
• Champion threat modeling (STRIDE), secure defaults, and layered defenses (rate-limits, device fingerprints, anomaly detection, IP reputation)
• Enforce crypto best practices: KMS/HSM-backed keys, envelope encryption, periodic rotation, and least-privileged access
• Build detection/response hooks for brute-force, token theft, session hijack; integrate with SIEM
• Align with GDPR/CCPA and data residency; implement consent capture, retention, and subject access tooling
• Sub-10ms median permission checks via caching, precomputation, and adaptive evaluation
• Zero-downtime deploys, canary+progressive delivery, and circuit-breaker patterns for upstream dependencies
• Capacity planning, load testing, chaos drills; own error budgets and drive operational excellence
• Lead cross-functional design with Product, Security, and Platform; write crisp RFCs and ADRs
• Mentor peers on auth/system design; raise the bar in reviews
• Own on-call for your domain; drive incident postmortems and preventative engineering

Benefits

• Competitive salary
• Opportunity to work with a global and growing community
• Chance to make a real impact in the industry
• Collaborative and innovative work environment
• Professional growth and development opportunities
• Flexible work arrangements (remote work)
• Employee benefits and perks (e.g. medical, dental, vision insurance)
• Paid time off and holidays
• 401k matching and retirement plan
• Generous parental leave and tuition reimbursement