Principal Software Engineer

Job Title:

• Principal Engineer Location: Denver, CO preferred (Hybrid) | Open to remote with quarterly travel About FusionAuth FusionAuth is a fast-growing startup and leading provider of customer identity and access management (CIAM) software headquartered in Denver, Colorado.
• Our mission is to make authentication and authorization simple and secure for every developer.
• Our product helps businesses securely manage customer identities and access, ensuring a seamless and safe user experience for some of the largest brands in the world.
• We are committed to delivering exceptional value and satisfaction to our clients through top-notch service and support.
• With a great team and strong investors, we are expanding our team to help accelerate our growth and take FusionAuth to the next level.
• Job Summary FusionAuth is hiring a Principal Engineer to serve as a senior technical authority on customer identity.
• This person will be a key contributor to the architectural direction of the FusionAuth platform, carry deep protocol expertise (OAuth 2.x, OpenID Connect, SCIM, SAML), and guide enterprise customers on how FusionAuth fits into their identity architectures.
• The role reports directly to the SVP of Engineering & Technology.
• This is a hands-on position.
• You will write production code, review technical designs, and contribute to critical architectural decisions on a Java-based platform trusted by thousands of organizations and downloaded over 10 million times.

You will be the person enterprise customers turn to when the questions get hard:

• protocol edge cases, security tradeoffs, migration architectures, and integration patterns that don’t fit neatly into documentation.
• The timing matters.

FusionAuth is at an inflection point:

• expanding the engineering team, shaping the product roadmap for the next several years, and building into a problem space that is accelerating.
• AI agents need their own authentication and authorization.
• Passkeys are replacing passwords.
• New protocol extensions are rewriting token security.
• The decisions you make here will directly shape a product that developers and end users worldwide depend on.
• FusionAuth runs in self-hosted, on-premise, and dedicated cloud environments across thousands of customer-managed deployments.
• Every architectural decision carries backward compatibility weight.
• Every protocol implementation must be correct across versions.
• These are hard, consequential problems, and you will have real influence over how we solve them.
• You will work closely with Product Management to evaluate industry trends and translate them into product roadmap decisions.
• You will track not just protocol evolution but broader technology shifts (frameworks, languages, infrastructure patterns) that should influence the platform’s direction.
• We need someone who holds strong technical convictions to uphold the integrity of the architecture and platform, but who also listens well and adapts when presented with better evidence.
• If you want to be the definitive CIAM expert at a company whose entire product is CIAM, this is the role.

Responsibilities Development:

• Write, review, and own high-quality, secure production code on the FusionAuth core application.
• This is a hands-on technical leadership role, not a design-only position.

Architecture:

• Provide leadership for the platform’s architectural evolution.
• Draft and review Technical Design Documents (TDDs) , ensuring designs meet FusionAuth’s standards for scalability, security, and quality before implementation begins.

CIAM Protocol Expertise:

• Serve as a go-to expert on OAuth 2.x, OIDC, SCIM, and SAML .
• Guide protocol-correct implementation across the product.
• Answer hard protocol questions from engineering, Support, Solutions Engineering, and customers.

Customer Engagement:

• Engage directly with enterprise prospects and customers on architectural and integration design decisions.
• Translate complex CIAM concepts clearly for both technical and semi-technical audiences.

Industry & Technology Leadership:

• Track where the identity industry is heading: passkeys/FIDO2, device authorization, DPoP, token binding , emerging OAuth and OIDC drafts, and the rapidly evolving intersection of AI and identity (agent authentication, scoped credential issuance, authorization for AI-driven workflows).
• Monitor broader technology trends and bring well-reasoned perspectives on what FusionAuth should build, adopt, or avoid.
• Partner with Product Management to translate these insights into roadmap decisions.

Industry Representation:

• Represent FusionAuth at industry conferences, working groups, and community events .
• Build FusionAuth’s technical credibility in the identity and security ecosystem.

Deployment & Compatibility:

• Factor FusionAuth’s diverse deployment targets into every architectural and feature decision.
• Ensure backward compatibility , API versioning integrity, upgrade paths, and sound schema migration strategy for a product running across thousands of customer-managed environments.

Team Development:

• Mentor engineers across the team.
• Raise CIAM knowledge through code reviews, design discussions, architectural sessions, and informal knowledge sharing.

Cross-Functional Collaboration:

• Work closely with Product Management, Solutions Engineering, and Customer Success on complex customer situations, roadmap decisions, and new feature design.

Qualifications Required Education:

• Bachelor’s degree in Computer Science or equivalent demonstrable technical depth.

CIAM Protocol Depth:

• Production-grade expertise in OAuth 2.x, OIDC, SCIM, and SAML .
• The ability to identify subtle misimplementations, guide protocol-correct designs, and explain nuanced tradeoffs.

Experience:

• 12+ years of professional software engineering, including 5+ years focused on identity, authentication, or security , with meaningful time at the principal, staff, or architect level.

Hands-On Development:

• Proven track record of shipping code alongside architectural responsibilities .
• Not an architect who stopped coding.

Distributed Systems:

• Experience with enterprise-grade, highly available, high-performance distributed systems.

Deployment Architecture:

• Experience designing or supporting software deployed across self-hosted, on-premise, or dedicated cloud environments .
• Understanding of backward compatibility, upgrade paths, and performance tuning across customer-managed infrastructure.

Customer-Facing Experience:

• Demonstrated ability to engage directly with enterprise customers and prospects on technical design and architecture.

Design Review:

• Experience reviewing and approving technical designs in a formal or informal architecture review capacity.

Emerging Standards:

• Familiarity with emerging identity protocols and standards ( FIDO2/passkeys, DPoP, token binding, OAuth 2.x drafts , etc.).

AI Tooling:

• Willingness to adopt and use AI-assisted development tools (e.g., Claude Code, GitHub Copilot) as part of everyday workflow.

Pragmatism:

• Appreciates first-principles thinking, but knows when to stop theorizing and start building.

Work Location:

• FusionAuth is headquartered in Denver, Colorado, and we value the creative energy and collaboration that comes from working together in person.
• We strongly prefer candidates based in the Denver metro area and have a hybrid working arrangement for local employees.
• We are open to candidates in other locations who are willing to travel to our Denver headquarters approximately once per quarter.

Preferred CIAM Product Experience:

• Direct experience building or working within a CIAM product or identity platform .

Open Source & Thought Leadership:

• History of contributing to open-source identity or security projects, or publishing technical writing on identity topics.

AI-Native Development Practices:

• Experience leading or supporting an engineering team’s transition to AI-native development workflows .
• FusionAuth is actively standardizing on AI-native tooling across the SDLC, and this role will help shape that adoption.

Security & Compliance:

• Familiarity with compliance frameworks ( SOC 2, FedRAMP, GDPR ) and their impact on architectural decisions around data residency, encryption, and audit logging.

Database Expertise:

• Experience with PostgreSQL or MySQL at scale , including schema evolution strategy, query performance tuning, and data migration planning for a self-hosted product.

Java Proficiency:

• Strong Java skills.
• FusionAuth’s core application is Java-based.

Communication Style:

• Strong communicator who holds strong technical opinions while remaining open to other perspectives.
• Compensation $225k–$270k expected base salary range* *Pursuant to various state laws, we must display the pay range for this job.
• Since we are willing to hire within a broad spectrum of qualifications, this range is broad.
• The expected base salary may be adjusted based on individual qualifications, role, level and location.

Onsite Perks & Campus Benefits When you join FusionAuth’s Denver team, you’ll enjoy a modern campus experience designed for productivity, wellness, and community:

• Newly upgraded amenity spaces including a sleek tenant lounge and café with booth seating and collaborative workspaces.
• Access to a fitness studio, showers, lockers, and secure bike storage.
• Regularly stocked in-suite kitchen with a variety of snacks and beverages to keep you fueled throughout the day.
• Onsite café offering chef-driven menus with fresh, locally sourced, organic, and non-GMO options to suit diverse dietary needs.
• Easy ordering via app. 3-acres of green space, including communal parks and picnic areas, connected to miles of jogging, biking, and recreation trails.
• Yoga in the circle and wellness programs to enhance work-life balance.
• Dedicated outdoor workspaces and patio gathering areas.
• Ample on-site parking, easy freeway access, and high-speed fiber internet.
• Sustainability-minded campus and community initiatives, including support for regenerative agriculture programs.
• Enjoy a high-tech business environment that inspires creativity and energizes your workday—all just minutes from the heart of Denver and Boulder.

Benefits For full-time team members, we offer:

• Comprehensive health insurance including medical, dental, and vision coverage, with the company covering the majority of your medical premiums to keep your costs low Fully employer-paid High Deductible Health Plan (HDHP) option paired with a Health Savings Account (HSA), including employer contributions Basic life insurance and short- and long-term disability coverage fully paid by the company for essential financial protection Voluntary life insurance options to provide additional financial protection for you and your loved ones Healthcare and Dependent Care Flexible Spending Accounts (FSAs) to save pre-tax dollars on eligible expenses 401(k) plan with company match to help you save for retirement Generous paid time off (PTO) plus paid company holidays to support work-life balance Employee Assistance Program (EAP) offering confidential counseling and support services Professional growth and development opportunities to boost your career journey Eligibility for performance-based bonuses or variable compensation tied to individual, team, or company results Important Details Application Submission: We value authentic, thoughtful responses.
• Copy/pasted or AI-generated answers to application questions that don’t reflect your own experience may disqualify your application.

In-Person Interview:

• Please be aware that participating in an in-person interview is encouraged so we can get to know each other.
• FusionAuth reimburses reasonable travel and lodging expenses associated with onsite interviews.

Work Authorization:

• Applicants must be authorized to work for any employer in the U.S.
• We are unable to sponsor or assume sponsorship of an employment Visa at this time.
• If you are passionate about technology that solves real-world customer problems, and want to join a company that is moving the industry forward, FusionAuth is a perfect fit for you!
• Equal Employment Opportunity FusionAuth provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws.
• This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation and training.
• E-Verify | Right to Work Recruiters FusionAuth does not accept unsolicited resumes from recruiters or employment agencies.
• In the absence of a signed agreement, we reserve the right to pursue and hire candidates without any financial obligation to the recruiter or agency.
• Any unsolicited resumes, including those submitted directly to hiring managers, are deemed to be the property of FusionAuth.
• Powered by JazzHR