Senior Software Engineer - Identity & Authorization Platform

Details

Recognized on the 2025 Forbes Cloud 100 list, ClickHouse is a fast-growing private cloud company focused on real-time analytics, data warehousing, observability, and AI workloads. The Platform Auth team’s goal is to support a ‘one customer identity’ vision by providing tools, processes, and expertise for engineering teams to create a unified access management experience and standardize engineering patterns for authentication and authorization.

Responsibilities

• Design and build platform services that power authentication, authorization, and audit across ClickHouse Cloud, including a unified RBAC/ReBAC service, token issuance and session handling, and SDKs for product teams.
• Model permissions and access control primitives (resources, roles, relationships, policies) that work across ClickHouse products (ClickHouse, SQL Console, ClickPipes, HyperDX) and ship libraries and APIs for other engineers.
• Implement protocol-level support and integrations for SAML, SCIM, OIDC, OAuth2, and MFA/passwordless flows to enable enterprise SSO and provisioning.
• Build the audit and authorization-decision telemetry pipeline so access decisions are observable and queryable by customers.
• Partner with product engineering teams to migrate bespoke per-product auth implementations onto the shared platform and design adoption-friendly APIs.
• Participate in platform on-call rotation and own production reliability for systems on the critical path of customer requests.

Requirements

• Minimum 4+ years building production backend systems at scale.
• Comfort with at least one systems language (Go, Rust, C++) and one application language (TypeScript, Python).
• Hands-on experience designing and implementing an authentication or authorization service (examples: token issuer, OIDC/OAuth2 provider, policy engine, permissions model, FGA/ReBAC systems such as Zanzibar/OpenFGA/SpiceDB/Cedar).
• Working knowledge of SAML, SCIM, OIDC, and OAuth2 at the protocol level and ability to implement them.
• Experience designing APIs and SDKs that other engineers depend on, with strong opinions on adoptability.
• Experience operating distributed systems at scale, including caching strategies, consistency tradeoffs, and multi-region concerns.
• Familiarity with identity vendors (Auth0, WorkOS, AWS/GCP/Azure IAM) used as building blocks or integrated into larger platforms.
• Strong production debugging instincts and a high bar for systems that are easy to develop against.

Bonus

• Experience building or contributing to a Zanzibar-style authorization system, or running OpenFGA/SpiceDB beyond demo use.
• Designing multi-tenant permission models that address custom roles, hierarchies, delegation, and ABAC attributes.
• Shipping internal SDKs that product teams across an organization actually adopted, with opinions about why internal SDKs fail.

Compensation

• Typical starting salary for this role in the United States: $141,000 - $208,000 USD.
• Typical starting salary for US Premium Markets (e.g., San Francisco Bay Area, New York City Metro Area): $157,000 - $232,000 USD.

Benefits

• Flexible work environment; ClickHouse is globally distributed and remote-friendly.
• Employer contributions towards healthcare.
• Stock options for new team members.
• Flexible time off in the US and generous entitlement in other countries.
• $500 home office setup for remote employees.
• Global gatherings and company-wide offsites.

Culture

• As part of a rapidly scaling startup, employees help shape company culture. More information about values and company updates are available on ClickHouse's careers page and blog.

Equal Opportunity & Privacy

• ClickHouse provides equal employment opportunities and prohibits discrimination and harassment. See the applicant privacy notice for details.