Lead Engineer - Users & Permissions

About HighLevel: HighLevel is an AI powered, all-in-one white-label sales & marketing platform that empowers agencies, entrepreneurs, and businesses to elevate their digital presence and drive growth. We are proud to support a global and growing community of over 2 million businesses, comprised of agencies, consultants, and businesses of all sizes and industries. HighLevel empowers users  with all the tools needed to capture, nurture, and close new leads into repeat customers. As of mid 2025, HighLevel processes over 4 billion API hits and handles more than 2.5 billion message events every day. Our platform manages over 470 terabytes of data distributed across five databases, operates with a network of over 250 microservices, and supports over 1 million hostnames. Our People: With over 1,500 team members across 15+ countries, we operate in a global, remote-first environment. We are building more than software; we are building a global community rooted in creativity, collaboration, and impact. We take pride in cultivating a culture where innovation thrives, ideas are celebrated, and people come first, no matter where they call home. Our Impact: As of mid 2025, our platform powers over 1.5 billion messages, helps generate over 200 million leads, and facilitates over 20 million conversations for the more than 2 million businesses we serve each month. Behind those numbers are real people growing their companies, connecting with customers, and making their mark - and we get to help make that happen. About the Role: You’ll be the point of the spear for auth, security, and permissions across a massive multi-tenant SaaS (millions of users, thousands of orgs). Own design and delivery of rock-solid authentication, enterprise-grade SSO/IdP integrations, and a next-gen permissions platform (RBAC/ABAC) that just works at scale. Expect deep system design, hard reliability problems, airtight security posture, and ruthless pragmatism. Responsibilities:

Design and ship highly available auth services (99.99%+ SLO) with clear SLI/SLOs and runbooks

Build and evolve REST APIs for authn/authz, session, MFA, and permissions evaluation

Implement battle-tested token/session lifecycles (JWT/opaque tokens), rotation, revocation, device binding, and secure cookie strategy

Introduce async patterns (Pub/Sub, outbox, idempotency) for login events, audit streams, and policy updates at scale

Drive cost/perf wins via caching (server/client, edge), hot path optimization, and backpressure controls

Lead AuthN: OAuth 2.1/OIDC, PKCE, refresh-token hardening, WebAuthn/FIDO2, TOTP, backup codes

Lead SSO/Enterprise: SAML 2.0, OIDC federation, SCIM 2.0 (JIT provisioning, deprovisioning), IdP-initiated flows

Lead AuthZ: ship RBAC→ABAC evolution; design a policy engine (OPA/Cedar style) with hierarchical tenants, resource scoping, and conditional grants

Build admin UX for roles, permission templates, impersonation/delegation, and access reviews (recertification)

Define permission versioning and migration strategies without downtime

Model multi-tenant user/identity/credential graphs across MongoDB/Firestore/Clickhouse/Redis; guarantee referential integrity and fast lookups

Index for blazing permission checks (e.g., pre-computed edges, bitmap/columnar via ClickHouse/Elasticsearch) with strict consistency semantics where needed

Ship durable audit trails for every sensitive mutating action; partition/TTL intelligently; support eDiscovery and exports

Champion threat modeling (STRIDE), secure defaults, and layered defenses (rate-limits, device fingerprints, anomaly detection, IP reputation)

Enforce crypto best practices: KMS/HSM-backed keys, envelope encryption, periodic rotation, and least-privileged access

Build detection/response hooks for brute-force, token theft, session hijack; integrate with SIEM

Align with GDPR/CCPA and data residency; implement consent capture, retention, and subject access tooling

Sub-10ms median permission checks via caching, precomputation, and adaptive evaluation

Zero-downtime deploys, canary+progressive delivery, and circuit-breaker patterns for upstream dependencies

Capacity planning, load testing, chaos drills; own error budgets and drive operational excellence

Lead cross-functional design with Product, Security, and Platform; write crisp RFCs and ADRs

Mentor peers on auth/system design; raise the bar in reviews

Own on-call for your domain; drive incident postmortems and preventative engineering

Required Candidate Profile:

5+ years building backend systems, with 2+ years focused on auth/IAM for multi-tenant SaaS

Shipped enterprise SSO/SCIM integrations and at least one production policy engine (RBAC/ABAC/OPA/Cedar)

Track record of owning high-availability services and incident response

Required Technical Skills

Languages/Runtime: TypeScript/Node.js (NestJS/Express)

Auth/IAM: OAuth 2.1, OIDC, SAML, SCIM, JWT/opaque tokens, WebAuthn/FIDO2, MFA

Datastores: MongoDB, Firestore, SQL; Search/Analytics: Elasticsearch, ClickHouse

Cloud/Infra: GCP (GKE/Cloud Run), Pub/Sub, KMS; CI/CD and IaC fundamentals

Architecture: Microservices, event-driven patterns, caching, rate limiting, observability (logs/metrics/traces)