Skip to content
BaselayerBaselayerSan Francisco, CA

Senior Engineer, Agentic Identity

Build and own core components of KYA (Know Your Agent), a cryptographic identity substrate for AI agents using verifiable credentials, JWS, OAuth, and Merkle logs. Requires production experience shipping cryptographically correct identity systems in Python and Go.

230k – 340k/yr
Hybrid5+ YOESecurity Engineering

About the role

What You'll Do

  • Build and maintain the runtime issuer/mint: OAuth Token Exchange (RFC 8693), JWS credentials (RFC 7515/7519, SD-JWT-VC), and Merkle audit log with real-time revocation.
  • Own and evolve the wire format and claim registry: JWT profile, verification_level/verification_method enums, and eIDAS/NIST IAL/FATF CDD crosswalk.
  • Implement sub-millisecond JWS verification and Web Bot Auth signature checks (RFC 9421) at the HTTP edge for counterparty CDNs, merchants, and publisher paywalls.
  • Build and maintain Passport - the user's cloud-resident principal account with canonical handle, KYC/KYB record, authorized-operators list, audit feed, and authenticator binding.
  • Develop operator integration: embedded KYB onboarding inside first OAuth 2.0 consent, per-operator opt-in, and webhook delivery via Svix.
  • Work across a Python 3.13 monorepo (FastAPI, Cloud Tasks, Cloud Run, SQLModel/SQLAlchemy) and Go for performance-critical substrate components.

Minimum Requirements

  • Shipped systems where cryptographic correctness was load-bearing: OAuth/OIDC IdP, token issuer, signing service, HSM-backed signer, passkey/WebAuthn flow, or similar.
  • Fluent in Python and Go, or strong in one with a track record of learning the other quickly.
  • Reads RFCs as primary sources and holds informed opinions on JWK thumbprint canonicalization, pairwise-sub derivation, and Signature-Input header serialization.
  • Deep understanding of the distinction between identity and authorization, mandate and claim, snapshot and live state.
  • Production experience with async Python on Postgres, including migration safety and observability.

What Sets You Apart

  • Verifiable credentials / SSI / DID work - especially SD-JWT-VC, OID4VC, or the W3C VC stack.
  • Certificate Transparency, Trillian, or similar append-only-log experience.
  • KYC/KYB pipeline experience: provider abstraction, evidence retention, eIDAS/FATF CDD level mapping, ownership-chain resolution.
  • Edge/CDN engineering - Cloudflare Workers, Fastly Compute, Envoy filters, or mTLS at the edge.
  • Familiarity with AP2, x402, MPP, UCP, or Mastercard VI specs and how identity rides alongside mandate.

Skills

PythonGoOAuthOIDCJwsSd-Jwt-VcJwtRfc 8693Rfc 7515Rfc 7519Rfc 9421FastAPIPostgresSqlalchemySqlmodel
Notion

Security Engineer, Detection and Response

NotionSan Francisco, CA +1

Build and operate detection systems for cloud, identity, endpoints, and SaaS. Design high-signal detections, improve detection platforms, and participate in incident response.

230k – 260k/yr
Hybrid6+ YOESecurity Engineering
Vanta

Manager, GRC Subject Matter Experts, Product

VantaUnited States

Lead and develop a team of GRC subject matter experts responsible for the lifecycle, quality, and product integration of Vanta's security and compliance frameworks. Own end-to-end framework release processes while partnering with Product and Engineering.

230k – 311k/yr
Remote7+ YOESecurity Engineering
Luma AI

Security Engineer - Tech Lead

Luma AIPalo Alto, CA

Lead design and implementation of security foundations including access governance, RBAC/ABAC, secrets management, and agent permissions for AI platforms. Partner with teams to embed secure practices while maintaining velocity; requires hands-on coding and production security experience.

230k – 360k/yr
HybridSecurity Engineering
Replit

Security Architecture Lead

ReplitFoster City, CA

Leads security architecture for a multi-tenant SaaS platform, defining vision, mentoring engineers, conducting reviews, and managing risks. Requires 8+ years in security engineering, technical leadership, and cloud-native expertise, especially GCP.

228k – 363k/yr
Hybrid8+ YOESecurity Engineering
Vanta

Senior Security Engineer

VantaUnited States

Senior Security Engineer owning risk identification, threat modeling, vulnerability management, and secure architecture projects. Partners with engineering to build security culture and tools while minimizing operational friction. Requires independent ownership, software development experience, and strong collaboration skills.

227k – 267k/yr
Remote5+ YOESecurity Engineering