Staff Software Engineer
CGWS - COME GROW WITH US
Staff Software Engineer leading architectures for BambooHR's permission service. Responsible for AuthN/AuthZ standards and delivering permission service features.
Tech Stack
Tools & technologies
- PHP
About the role
Key responsibilities & impact
- Drive the architecture and delivery of a new permission service — from first design doc to production, including data model, policy evaluation engine, enforcement APIs, and token contract
- Define BambooHR's AuthN/AuthZ standards — the patterns for authentication flows, token issuance, scoped authorization, and role/attribute-based access control that product teams rely on
- Design the API contract for the permission service: how callers request access decisions, how policies are defined, and how enforcement is decoupled from individual product domains
- Drive token strategy — JWT issuance, rotation, scoping, revocation, and the relationship between tokens and permissions across both human and machine (API/agent) callers
- Partner with product and platform teams to translate domain-specific access control requirements into reusable permission primitives that scale across the organization
- Lead architectural reviews for features with AuthN/AuthZ implications; catch design debt before it ships
- Collaborate with Security and Compliance to ensure the permission service meets audit, least-privilege, and zero-trust requirements
- Set the technical bar for the Token Titans team: mentor engineers, lead RFCs, and ensure implementation quality matches architectural intent
Requirements
What you’ll need
- 10+ years of software engineering experience, with at least 3 years operating at Staff or Principal level
- Deep expertise in identity and access management — authentication protocols (OAuth 2.0, OIDC, SAML), authorization models (RBAC, ABAC, ReBAC), and token lifecycle management (JWTs, opaque tokens, refresh/rotation strategies)
- Demonstrated experience designing and building AuthN/AuthZ systems at scale — not just integrating with them, but owning the architecture that others build on
- Strong instincts for policy-as-code, permission modeling, and how to express complex access rules as a clean, evolvable data model
- Experience designing or reviewing OpenAPI specifications, event-driven architectures, and cross-service communication patterns in a service-oriented or microservice environment
- Strong backend engineering fundamentals; comfort working in a PHP monolith with modern architectural patterns
- Proven ability to drive org-wide architectural decisions — writing RFCs, leading reviews, building consensus across teams with competing priorities
- Excellent communication skills: precise written specs, verbal presentations to engineering leadership, and the ability to explain tradeoffs in identity and security without losing the room.
Benefits
Comp & perks
- Comprehensive health, life, and disability insurance
- Generous leave policies that include 4 weeks of vacation, 12 company holidays, parental leave, and volunteer time off so you can enjoy quality of life
- 401k plans with up to 6% company match
- $2000 Paid-Paid Vacation bonus
- EAP through Headspace
- Check out all our benefits that benefit you