Job Title: Principal Engineer
Location: Denver, CO preferred (Hybrid)

About FusionAuth

FusionAuth is a fast-growing startup and leading provider of customer identity and access management (CIAM) software headquartered in Denver, Colorado. Our mission is to make authentication and authorization simple and secure for every developer. Our product helps businesses securely manage customer identities and access, ensuring a seamless and safe user experience for some of the largest brands in the world. We are committed to delivering exceptional value and satisfaction to our clients through top-notch service and support. With a great team and strong investors, we are expanding our team to help accelerate our growth and take FusionAuth to the next level.

Job Summary

FusionAuth is hiring a Principal Engineer to serve as a senior technical authority on customer identity. This person will be a key contributor to the architectural direction of the FusionAuth platform, carry deep protocol expertise (OAuth 2.x, OpenID Connect, SCIM, SAML), and guide enterprise customers on how FusionAuth fits into their identity architectures. The role reports directly to the SVP of Engineering & Technology.

This is a hands-on position. You will write production code, review technical designs, and contribute to critical architectural decisions on a Java-based platform trusted by thousands of organizations and downloaded over 10 million times. You will be the person enterprise customers turn to when the questions get hard: protocol edge cases, security tradeoffs, migration architectures, and integration patterns that don’t fit neatly into documentation.

The timing matters. FusionAuth is at an inflection point: expanding the engineering team, shaping the product roadmap for the next several years, and building into a problem space that is accelerating. AI agents need their own authentication and authorization. Passkeys are replacing passwords. New protocol extensions are rewriting token security. The decisions you make here will directly shape a product that developers and end users worldwide depend on. FusionAuth runs in self-hosted, on-premise, and dedicated cloud environments across thousands of customer-managed deployments. Every architectural decision carries backward compatibility weight. Every protocol implementation must be correct across versions. These are hard, consequential problems, and you will have real influence over how we solve them. You will work closely with Product Management to evaluate industry trends and translate them into product roadmap decisions. You will track not just protocol evolution but broader technology shifts (frameworks, languages, infrastructure patterns) that should influence the platform’s direction. We need someone who holds strong technical convictions to uphold the integrity of the architecture and platform, but who also listens well and adapts when presented with better evidence. If you want to be the definitive CIAM expert at a company whose entire product is CIAM, this is the role.

Responsibilities

• Development: Write, review, and own high-quality, secure production code on the FusionAuth core application. This is a hands-on technical leadership role, not a design-only position.
• Architecture: Provide leadership for the platform’s architectural evolution. Draft and review Technical Design Documents (TDDs), ensuring designs meet FusionAuth’s standards for scalability, security, and quality before implementation begins.
• CIAM Protocol Expertise: Serve as a go-to expert on OAuth 2.x, OIDC, SCIM, and SAML. Guide protocol-correct implementation across the product. Answer hard protocol questions from engineering, Support, Solutions Engineering, and customers.
• Customer Engagement: Engage directly with enterprise prospects and customers on architectural and integration design decisions. Translate complex CIAM concepts clearly for both technical and semi-technical audiences.
• Industry & Technology Leadership: Track where the identity industry is heading: passkeys/FIDO2, device authorization, DPoP, token binding, emerging OAuth and OIDC drafts, and the rapidly evolving intersection of AI and identity (agent authentication, scoped credential issuance, authorization for AI-driven workflows). Monitor broader technology trends and bring well-reasoned perspectives on what FusionAuth should build, adopt, or avoid. Partner with Product Management to translate these insights into roadmap decisions.
• Industry Representation: Represent FusionAuth at industry conferences, working groups, and community events. Build FusionAuth’s technical credibility in the identity and security ecosystem.
• Deployment & Compatibility: Factor FusionAuth’s diverse deployment targets into every architectural and feature decision. Ensure backward compatibility, API versioning integrity, upgrade paths, and sound schema migration strategy for a product running across thousands of customer-managed environments.
• Team Development: Mentor engineers across the team. Raise CIAM knowledge through code reviews, design discussions, architectural sessions, and informal knowledge sharing.
• Cross-Functional Collaboration: Work closely with Product Management, Solutions Engineering, and Customer Success on complex customer situations, roadmap decisions, and new feature design.

Qualifications

Required

• Education: Bachelor’s degree in Computer Science or equivalent demonstrable technical depth.
• CIAM Protocol Depth: Production-grade expertise in OAuth 2.x, OIDC, SCIM, and SAML. The ability to identify subtle misimplementations, guide protocol-correct designs, and explain nuanced tradeoffs.
• Experience: 12+ years of professional software engineering, including 5+ years focused on identity, authentication, or security, with meaningful time at the principal, staff, or architect level.
• Hands-On Development: Proven track record of shipping code alongside architectural responsibilities. Not an architect who stopped coding.
• Distributed Systems: Experience with enterprise-grade, highly available, high-performance distributed systems.
• Deployment Architecture: Experience designing or supporting software deployed across self-hosted, on-premise, or dedicated cloud environments. Understanding of backward compatibility, upgrade paths, and performance tuning across customer-managed infrastructure.
• Customer-Facing Experience: Demonstrated ability to engage directly with enterprise customers and prospects on technical design and architecture.
• Design Review: Experience reviewing and approving technical designs in a formal or informal architecture review capacity.
• Emerging Standards: Familiarity with emerging identity protocols and standards (FIDO2/passkeys, DPoP, token binding, OAuth 2.x drafts, etc.).
• AI Tooling: Willingness to adopt and use AI-assisted development tools (e.g., Claude Code, GitHub Copilot) as part of everyday workflow.
• Pragmatism: Appreciates first-principles thinking, but knows when to stop theorizing and start building.

Preferred

• CIAM Product Experience: Direct experience building or working within a CIAM product or identity platform.
• Open Source & Thought Leadership: History of contributing to open-source identity or security projects, or publishing technical writing on identity topics.
• AI-Native Development Practices: Experience leading or supporting an engineering team’s transition to AI-native development workflows. FusionAuth is actively standardizing on AI-native tooling across the SDLC, and this role will help shape that adoption.
• Security & Compliance: Familiarity with compliance frameworks (SOC 2, FedRAMP, GDPR) and their impact on architectural decisions around data residency, encryption, and audit logging.
• Database Expertise: Experience with PostgreSQL or MySQL at scale, including schema evolution strategy, query performance tuning, and data migration planning for a self-hosted product.
• Java Proficiency: Strong Java skills. FusionAuth’s core application is Java-based.
• Communication Style: Strong communicator who holds strong technical opinions while remaining open to other perspectives.

Compensation

• $225k–$270k expected base salary range*

If you are passionate about technology that solves real-world customer problems, and want to join a company that is moving the industry forward, FusionAuth is a perfect fit for you!

Equal Employment Opportunity
FusionAuth provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws. This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation and training.
E-Verify | Right to Work

Recruiters
FusionAuth does not accept unsolicited resumes from recruiters or employment agencies. In the absence of a signed agreement, we reserve the right to pursue and hire candidates without any financial obligation to the recruiter or agency. Any unsolicited resumes, including those submitted directly to hiring managers, are deemed to be the property of FusionAuth.