
Staff Software Engineer
Posted 1 day ago

This is a fully remote position, open to applicants in Utah.
• Lead the architecture and implementation of a new permission service, from initial design documentation through production: data modeling, the policy evaluation engine, enforcement APIs, and token contracts.
• Establish BambooHR's authentication and authorization standards: the frameworks for authentication flows, token issuance, scoped authorization, and role- and attribute-based access control that product teams depend on.
• Define the API contract for the permission service: how callers request access decisions, how policies are authored and managed, and how enforcement is kept separate from individual product domains.
• Drive the token strategy, including JWT issuance, rotation, scoping, and revocation, and how tokens map to permissions for both human and machine (API/agent) callers.
• Collaborate with product and platform teams to turn domain-specific access control needs into reusable permission primitives that scale across the organization.
• Conduct architectural reviews for features with authentication and authorization implications, identifying design debt before deployment.
• Work with Security and Compliance to ensure the permission service meets audit, least-privilege, and zero-trust requirements.
• Set a high technical bar for the Token Titans team: mentor engineers, lead requests for comments (RFCs), and ensure implementation quality matches the architectural goals.
• 10+ years of software engineering experience, including at least 3 years in a Staff or Principal role.
• Deep knowledge of identity and access management, including authentication protocols (OAuth 2.0, OIDC, SAML), authorization models (RBAC, ABAC, ReBAC), and token lifecycle management (JWTs, opaque tokens, refresh and rotation strategies).
• Proven experience designing and building authentication and authorization systems at scale: not merely integrating with them, but owning the architecture that others build on.
• Strong intuition for policy-as-code and permission modeling, and the ability to express complex access rules as a clear, adaptable data model.
• Experience designing or reviewing OpenAPI specifications, event-driven architectures, and cross-service communication patterns in a service-oriented or microservice environment.
• Solid backend engineering fundamentals, including comfort working in a PHP monolith that uses modern architectural patterns.
• Demonstrated ability to influence organization-wide architectural decisions: drafting RFCs, leading reviews, and building consensus across teams with competing priorities.
• Exceptional communication skills: precise written specifications, effective verbal presentations to engineering leadership, and the ability to discuss identity and security trade-offs without losing the audience.
• Comprehensive health, life, and disability insurance.
• Generous leave policies: 4 weeks of vacation, 12 company holidays, parental leave, and volunteer time off.
• 401(k) plans with up to a 6% company match.
• $2,000 Paid-Paid Vacation bonus.
• Employee Assistance Program (EAP) through Headspace.