About HighLevel:
HighLevel is an AI powered, all-in-one white-label sales & marketing platform that empowers agencies, entrepreneurs, and businesses to elevate their digital presence and drive growth. We are proud to support a global and growing community of over 2 million businesses, comprised of agencies, consultants, and businesses of all sizes and industries. HighLevel empowers users with all the tools needed to capture, nurture, and close new leads into repeat customers. As of mid 2025, HighLevel processes over 4 billion API hits and handles more than 2.5 billion message events every day. Our platform manages over 470 terabytes of data distributed across five databases, operates with a network of over 250 microservices, and supports over 1 million hostnames.
Our People:
With over 1,500 team members across 15+ countries, we operate in a global, remote-first environment. We are building more than software; we are building a global community rooted in creativity, collaboration, and impact. We take pride in cultivating a culture where innovation thrives, ideas are celebrated, and people come first, no matter where they call home.
Our Impact:
As of mid 2025, our platform powers over 1.5 billion messages, helps generate over 200 million leads, and facilitates over 20 million conversations for the more than 2 million businesses we serve each month. Behind those numbers are real people growing their companies, connecting with customers, and making their mark - and we get to help make that happen.
About the Role:
You’ll be the point of the spear for auth, security, and permissions across a massive multi-tenant SaaS (millions of users, thousands of orgs). Own design and delivery of rock-solid authentication, enterprise-grade SSO/IdP integrations, and a next-gen permissions platform (RBAC/ABAC) that just works at scale. Expect deep system design, hard reliability problems, airtight security posture, and ruthless pragmatism.
Responsibilities: Design and ship highly available auth services (99.99%+ SLO) with clear SLI/SLOs and runbooksBuild and evolve REST APIs for authn/authz, session, MFA, and permissions evaluationImplement battle-tested token/session lifecycles (JWT/opaque tokens), rotation, revocation, device binding, and secure cookie strategyIntroduce async patterns (Pub/Sub, outbox, idempotency) for login events, audit streams, and policy updates at scaleDrive cost/perf wins via caching (server/client, edge), hot path optimization, and backpressure controlsLead AuthN: OAuth 2.1/OIDC, PKCE, refresh-token hardening, WebAuthn/FIDO2, TOTP, backup codesLead SSO/Enterprise: SAML 2.0, OIDC federation, SCIM 2.0 (JIT provisioning, deprovisioning), IdP-initiated flowsLead AuthZ: ship RBAC→ABAC evolution; design a policy engine (OPA/Cedar style) with hierarchical tenants, resource scoping, and conditional grantsBuild admin UX for roles, permission templates, impersonation/delegation, and access reviews (recertification)Define permission versioning and migration strategies without downtimeModel multi-tenant user/identity/credential graphs across MongoDB/Firestore/Clickhouse/Redis; guarantee referential integrity and fast lookupsIndex for blazing permission checks (e.g., pre-computed edges, bitmap/columnar via ClickHouse/Elasticsearch) with strict consistency semantics where neededShip durable audit trails for every sensitive mutating action; partition/TTL intelligently; support eDiscovery and exportsChampion threat modeling (STRIDE), secure defaults, and layered defenses (rate-limits, device fingerprints, anomaly detection, IP reputation)Enforce crypto best practices: KMS/HSM-backed keys, envelope encryption, periodic rotation, and least-privileged accessBuild detection/response hooks for brute-force, token theft, session hijack; integrate with SIEMAlign with GDPR/CCPA and data residency; implement consent capture, retention, and subject access toolingSub-10ms median permission checks via caching, precomputation, and adaptive evaluationZero-downtime deploys, canary+progressive delivery, and circuit-breaker patterns for upstream dependenciesCapacity planning, load testing, chaos drills; own error budgets and drive operational excellenceLead cross-functional design with Product, Security, and Platform; write crisp RFCs and ADRsMentor peers on auth/system design; raise the bar in reviewsOwn on-call for your domain; drive incident postmortems and preventative engineering Required Candidate Profile: 5+ years building backend systems, with 2+ years focused on auth/IAM for multi-tenant SaaSShipped enterprise SSO/SCIM integrations and at least one production policy engine (RBAC/ABAC/OPA/Cedar)Track record of owning high-availability services and incident response Required Technical Skills Languages/Runtime: TypeScript/Node.js (NestJS/Express)Auth/IAM: OAuth 2.1, OIDC, SAML, SCIM, JWT/opaque tokens, WebAuthn/FIDO2, MFADatastores: MongoDB, Firestore, SQL; Search/Analytics: Elasticsearch, ClickHouseCloud/Infra: GCP (GKE/Cloud Run), Pub/Sub, KMS; CI/CD and IaC fundamentalsArchitecture: Microservices, event-driven patterns, caching, rate limiting, observability (logs/metrics/traces) Additional Information EEO Statement:
The company is an Equal Opportunity Employer. As an employer subject to affirmative action regulations, we invite you to voluntarily provide the following demographic information. This information is used solely for compliance with government recordkeeping, reporting, and other legal requirements. Providing this information is voluntary and refusal to do so will not affect your application status. This data will be kept separate from your application and will not be used in the hiring decision.
#LI-Remote #LI-HB1
