About HighLevel:
HighLevel is an AI powered, all-in-one white-label sales & marketing platform that empowers agencies, entrepreneurs, and businesses to elevate their digital presence and drive growth. We are proud to support a global and growing community of over 2 million businesses, comprised of agencies, consultants, and businesses of all sizes and industries. HighLevel empowers users with all the tools needed to capture, nurture, and close new leads into repeat customers. As of mid 2025, HighLevel processes over 4 billion API hits and handles more than 2.5 billion message events every day. Our platform manages over 470 terabytes of data distributed across five databases, operates with a network of over 250 microservices, and supports over 1 million hostnames.
Our People:
With over 1,500 team members across 15+ countries, we operate in a global, remote-first environment. We are building more than software; we are building a global community rooted in creativity, collaboration, and impact. We take pride in cultivating a culture where innovation thrives, ideas are celebrated, and people come first, no matter where they call home.
Our Impact:
As of mid 2025, our platform powers over 1.5 billion messages, helps generate over 200 million leads, and facilitates over 20 million conversations for the more than 2 million businesses we serve each month. Behind those numbers are real people growing their companies, connecting with customers, and making their mark - and we get to help make that happen.
About the Role:
You’ll be the point of the spear for auth, security, and permissions across a massive multi-tenant SaaS (millions of users, thousands of orgs). Own design and delivery of rock-solid authentication, enterprise-grade SSO/IdP integrations, and a next-gen permissions platform (RBAC/ABAC) that just works at scale. Expect deep system design, hard reliability problems, airtight security posture, and ruthless pragmatism.
Responsibilities:
- Design and ship highly available auth services (99.99%+ SLO) with clear SLI/SLOs and runbooks
- Build and evolve REST APIs for authn/authz, session, MFA, and permissions evaluation
- Implement battle-tested token/session lifecycles (JWT/opaque tokens), rotation, revocation, device binding, and secure cookie strategy
- Introduce async patterns (Pub/Sub, outbox, idempotency) for login events, audit streams, and policy updates at scale
- Drive cost/perf wins via caching (server/client, edge), hot path optimization, and backpressure controls
- Lead AuthN: OAuth 2.1/OIDC, PKCE, refresh-token hardening, WebAuthn/FIDO2, TOTP, backup codes
- Lead SSO/Enterprise: SAML 2.0, OIDC federation, SCIM 2.0 (JIT provisioning, deprovisioning), IdP-initiated flows
- Lead AuthZ: ship RBAC→ABAC evolution; design a policy engine (OPA/Cedar style) with hierarchical tenants, resource scoping, and conditional grants
- Build admin UX for roles, permission templates, impersonation/delegation, and access reviews (recertification)
- Define permission versioning and migration strategies without downtime
- Model multi-tenant user/identity/credential graphs across MongoDB/Firestore/Clickhouse/Redis; guarantee referential integrity and fast lookups
- Index for blazing permission checks (e.g., pre-computed edges, bitmap/columnar via ClickHouse/Elasticsearch) with strict consistency semantics where needed
- Ship durable audit trails for every sensitive mutating action; partition/TTL intelligently; support eDiscovery and exports
- Champion threat modeling (STRIDE), secure defaults, and layered defenses (rate-limits, device fingerprints, anomaly detection, IP reputation)
- Enforce crypto best practices: KMS/HSM-backed keys, envelope encryption, periodic rotation, and least-privileged access
- Build detection/response hooks for brute-force, token theft, session hijack; integrate with SIEM
- Align with GDPR/CCPA and data residency; implement consent capture, retention, and subject access tooling
- Sub-10ms median permission checks via caching, precomputation, and adaptive evaluation
- Zero-downtime deploys, canary+progressive delivery, and circuit-breaker patterns for upstream dependencies
- Capacity planning, load testing, chaos drills; own error budgets and drive operational excellence
- Lead cross-functional design with Product, Security, and Platform; write crisp RFCs and ADRs
- Mentor peers on auth/system design; raise the bar in reviews
- Own on-call for your domain; drive incident postmortems and preventative engineering
Required Candidate Profile:
- 5+ years building backend systems, with 2+ years focused on auth/IAM for multi-tenant SaaS
- Shipped enterprise SSO/SCIM integrations and at least one production policy engine (RBAC/ABAC/OPA/Cedar)
- Track record of owning high-availability services and incident response
Required Technical Skills
- Languages/Runtime: TypeScript/Node.js (NestJS/Express)
- Auth/IAM: OAuth 2.1, OIDC, SAML, SCIM, JWT/opaque tokens, WebAuthn/FIDO2, MFA
- Datastores: MongoDB, Firestore, SQL; Search/Analytics: Elasticsearch, ClickHouse
- Cloud/Infra: GCP (GKE/Cloud Run), Pub/Sub, KMS; CI/CD and IaC fundamentals
- Architecture: Microservices, event-driven patterns, caching, rate limiting, observability (logs/metrics/traces)
EEO Statement:
The company is an Equal Opportunity Employer. As an employer subject to affirmative action regulations, we invite you to voluntarily provide the following demographic information. This information is used solely for compliance with government recordkeeping, reporting, and other legal requirements. Providing this information is voluntary and refusal to do so will not affect your application status. This data will be kept separate from your application and will not be used in the hiring decision.
#LI-Remote #LI-HB1
Postuler maintenant
