Staff Software Engineer
Please Note: This is a remote position available in the state listed in this job posting. Additionally, employment with BambooHR is contingent on passing both a background check and a credit check.
AI at BambooHR
At BambooHR, we’re all about setting people free to do great work, and we believe AI is a powerful partner in that mission. We’re leaning into intelligent tools to streamline our workflows, giving us more time for high-impact innovation. We look for curious, forward-thinking people who are ready to explore how AI can elevate their work and help us reimagine the future of HR.
Essential Job Duties
Our ideal Staff Software Engineer, Permissions will be the technical authority for BambooHR's next-generation permission service — designing and building the system that securely controls what every user, token, and agent can do across our platform. You'll own the architecture of a greenfield permissions service from the ground up, define AuthN/AuthZ patterns for 180+ product domains, and be the connective tissue between the Token Titans team and the engineering organization that depends on the work you ship. If you get energy from solving hard identity and access problems at scale — and doing it in a way that other engineers actually want to build on — this role is for you.
You will:
- Drive the architecture and delivery of a new permission service — from first design doc to production, including data model, policy evaluation engine, enforcement APIs, and token contract
- Define BambooHR's AuthN/AuthZ standards — the patterns for authentication flows, token issuance, scoped authorization, and role/attribute-based access control that product teams rely on
- Design the API contract for the permission service: how callers request access decisions, how policies are defined, and how enforcement is decoupled from individual product domains
- Drive token strategy — JWT issuance, rotation, scoping, revocation, and the relationship between tokens and permissions across both human and machine (API/agent) callers
- Partner with product and platform teams to translate domain-specific access control requirements into reusable permission primitives that scale across the organization
- Lead architectural reviews for features with AuthN/AuthZ implications; catch design debt before it ships
- Collaborate with Security and Compliance to ensure the permission service meets audit, least-privilege, and zero-trust requirements
- Set the technical bar for the Token Titans team: mentor engineers, lead RFCs, and ensure implementation quality matches architectural intent
What You Need to Get the Job Done
- 10+ years of software engineering experience, with at least 3 years operating at Staff or Principal level
- Deep expertise in identity and access management — authentication protocols (OAuth 2.0, OIDC, SAML), authorization models (RBAC, ABAC, ReBAC), and token lifecycle management (JWTs, opaque tokens, refresh/rotation strategies)
- Demonstrated experience designing and building AuthN/AuthZ systems at scale — not just integrating with them, but owning the architecture that others build on
- Strong instincts for policy-as-code, permission modeling, and how to express complex access rules as a clean, evolvable data model
- Experience designing or reviewing OpenAPI specifications, event-driven architectures, and cross-service communication patterns in a service-oriented or microservice environment
- Strong backend engineering fundamentals; comfort working in a PHP monolith with modern architectural patterns
- Proven ability to drive org-wide architectural decisions — writing RFCs, leading reviews, building consensus across teams with competing priorities
- Excellent communication skills: precise written specs, verbal presentations to engineering leadership, and the ability to explain tradeoffs in identity and security without losing the room
What Will Make Us REALLY Love You
- Hands-on experience building a permission service or authorization framework from scratch (e.g., Zanzibar-style, OPA-based, or custom policy engine)
- Familiarity with Okta, Auth0, or similar identity platforms — and a clear sense of what to build vs. what to buy
- Experience with fine-grained authorization patterns (relationship-based access control, contextual policies, delegated permissions)
- Background in multi-tenant SaaS — understanding how permission models must account for org hierarchy, role inheritance, and tenant isolation
- Prior work on API token systems — scoped tokens, machine-to-machine auth, token introspection, or access token exchange (OAuth 2.0 Token Exchange, RFC 8693)
- Experience with secrets management, certificate rotation, or secure credential storage in production environments
- Familiarity with zero-trust architecture principles and how they apply to internal service-to-service authorization
What You'll Love About Us
- A great company culture that has been recognized by multiple organizations, including Inc. and the Salt Lake Tribune
- Comprehensive health, life, and disability insurance
- Generous leave policies that include 4 weeks of vacation, 12 company holidays, parental leave, and volunteer time off so you can enjoy quality of life
- 401k plans with up to 6% company match
- $2000 Paid-Paid Vacation bonus
- EAP through Headspace
- Check out all our benefits that benefit you
About Us
At BambooHR, we're building something different: a people intelligence platform that transforms HR and sets people free to do great work! We're a proven market leader driving innovation while building lasting success through thoughtful, sustainable growth. Here, you'll find a place that champions growth: both professional and personal, both individual and collective.
We invest in potential, giving you the space to stretch your capabilities and turn good ideas into reality while providing the safety net of a supportive, values-driven culture. Our approach combines meaningful work with meaningful lives, offering competitive benefits, professional development, and the flexibility to thrive both in and outside the office.
What sets us apart isn't just what we do, but how we do it: with openness, integrity, and a shared commitment to doing the right thing. Join us in creating HR software that makes work better for everyone, while we make work better for you.
BambooHR is committed to the full inclusion of all qualified individuals and will ensure that persons with disabilities are provided reasonable accommodations throughout the hiring process. If you would like to request accommodations, please let your recruiter know.
BambooHR is an Equal Opportunity Employer (M/F/D/V).
Because our team members are trusted to handle sensitive information, we require all candidates that receive and accept employment offers to complete a background check before being hired.
For information on California Privacy Policy, click here.
Our process utilizes AI as an assistant to efficiently process and analyze candidate data. Recruiters and hiring managers maintain full oversight and accountability, ensuring that all final selection and rejection decisions are human-made and based solely on objective job qualifications. Please see our General Privacy Notice and California Privacy Notice for more details.
See our AI Guidelines for Candidates for details on how BambooHR uses AI in recruiting, how we expect candidates to use AI, and what is not allowed.