Principal Identity and API Architect

1plusX AG$175K — $250K *
Enterprise Technology
8 - 10 years of experience
Job Overview by Ladders

Qualifications

  • 8+ years of software engineering or platform architecture experience, with at least 4 years focused on identity, IAM, or API security
  • 2+ years of hands-on production experience with Okta's Auth0
  • Deep fluency in OAuth 2.0, OpenID Connect, SAML 2.0, JWT, and JWKS
  • Demonstrated AWS identity and API infrastructure experience
  • Experience designing and operating API gateway layers at scale
  • Proficiency in at least one backend language (Go, Java, or Python preferred)

Responsibilities

  • Architect and own TripleLift's end-to-end identity platform
  • Design and implement Auth0 tenant architecture
  • Define and enforce OAuth 2.0 and OIDC flows across the Exchange
  • Build and operate multi-tenant authorization models
  • Own the API gateway layer, designing rate limiting and token validation
  • Lead publisher-side and demand-side identity integrations
  • Establish and maintain identity and API security standards

Benefits

  • Medical, Dental & Vision Plans
  • Flexible PTO
  • 401k with employer match
Full Job Description
Overview

The Senior/Principal Identity and API Architect plays a critical role in driving TripleLift's identity infrastructure and API security strategy within the Exchange team, directly influencing how we authenticate and authorize publishers, buyers, and platform partners across our programmatic marketplace. In this position, you will partner closely with Engineering, Product, and Services teams to design and own the end-to-end identity architecture that underpins our Exchange's security, scalability, and interoperability. This is an exciting opportunity for someone who wants to build a best-in-class identity platform from the ground up, shaping how TripleLift authenticates billions of programmatic transactions while serving as a strategic thought partner to Exchange leadership on API governance and access control.
Responsibilities
  • Architect and own TripleLift's end-to-end identity platform, including tenant models, SSO integrations, machine-to-machine authentication, and delegated administration for publishers and demand partners.
  • Design and implement Auth0 tenant architecture, including custom domains, enterprise connections, Actions/Rules, and token lifecycle management (refresh rotation, session policies, JWKS).
  • Define and enforce OAuth 2.0 and OIDC flows across the Exchange - including PKCE, M2M client credentials, and device authorization - ensuring secure and consistent authentication for all platform participants.
  • Build and operate multi-tenant authorization models using OpenFGA or comparable ReBAC systems (e.g., SpiceDB, Ory Keto), enabling fine-grained access control across publisher hierarchies (networks, properties, seats, users).
  • Own the API gateway layer, designing rate limiting, scoped token validation, mTLS enforcement, and consistent error semantics across Traefik, Kong, AWS API Gateway, or equivalent infrastructure.
  • Lead publisher-side identity integrations, including federated SSO (SAML 2.0, OIDC) for enterprise onboarding, delegated self-service administration, and integration of first-party data and authenticated traffic signals into programmatic decisioning.
  • Lead demand-side identity integrations, including DSP and agency API authentication (OAuth 2.0 M2M, API key management), partner onboarding flows, and identity traceability across bid request/response flows for audit, fraud detection, and deal enforcement.
  • Manage AWS identity and API infrastructure, including IAM roles and cross-account trust, Cognito integration patterns, Secrets Manager and KMS for credential lifecycle, and STS-based service-to-service auth in multi-account environments.
  • Establish and maintain identity and API security standards, conducting threat modeling, reviewing integrations for compliance with RBAC/ABAC/ReBAC policies, and responding to security incidents.
  • Serve as the internal subject-matter expert on identity and API architecture, partnering with Engineering, Legal, and Partnerships to advise on protocol selection, vendor evaluation, and regulatory considerations (e.g., GDPR, CCPA as they relate to identity signals).
  • Mentor engineers across the Exchange team on identity best practices, OAuth/OIDC protocol nuances, and secure API design patterns.
Education & Requirements
  • 8+ years of software engineering or platform architecture experience, with at least 4 years focused on identity, IAM, or API security
  • 2+ years of hands-on production experience with Okta's Auth0, including:
    • Tenant architecture, custom domains, and enterprise connections
    • Actions/Rules/Hooks and the Auth0 Management API
    • OIDC/OAuth 2.0 flows including PKCE, M2M client credentials, and device authorization
    • Token customization, refresh token rotation, and session management
    • Production experience with OpenFGA or a comparable relationship-based access control (ReBAC) system (e.g., Zanzibar-derived implementations, Ory Keto, SpiceDB)
  • Deep fluency in OAuth 2.0, OpenID Connect, SAML 2.0, JWT, and JWKS
  • Demonstrated AWS identity and API infrastructure experience, including:
    • IAM roles, policies, and cross-account trust relationships
    • API Gateway (REST and HTTP APIs), Lambda authorizers, and Cognito integration patterns
    • Secrets Manager and KMS for credential and key lifecycle management
    • STS and service-to-service authentication in distributed, multi-account environments
  • Experience designing and operating API gateway layers at scale, including hands-on work with one or more of: Traefik, Kong, AWS API Gateway, or equivalent - encompassing rate limiting, scoped token validation, mTLS, and consistent error semantics
  • Experience with publisher-side identity integrations:
    • Federated SSO (SAML 2.0, OIDC) for publisher onboarding and enterprise identity provider connections
    • Multi-tenant identity models supporting publisher hierarchies: networks, properties, seats, and users
    • Delegated administration patterns enabling publishers to self-manage sub-accounts and user roles
    • Integration with publisher identity signals for decisioning (authenticated traffic, first-party data tokens)
  • Experience with demand-side identity integrations:
    • DSP and agency API authentication: OAuth 2.0 M2M, API key management, and scoped access models
    • Partner onboarding flows supporting both self-serve and managed programmatic demand
    • Identity traceability across bid request/response flows for audit, fraud detection, and deal enforcement
    • Integration with buyer identity infrastructure including agency trading desk and DSP seat management
  • Demonstrated ability to model complex, multi-tenant authorization hierarchies using RBAC, ABAC, or ReBAC
  • Proficiency in at least one backend language (Go, Java, or Python preferred)


US Jobs: The base salary range represents the low and high end of the TripleLift US salary range for this position. Actual salaries will vary depending on factors including but not limited to experience and performance. The range listed is just one component of TripleLift's total compensation package for employees. Other rewards may include bonuses, an open Paid Time Off policy, and many region-specific benefits.

Pay is based on various non-discriminatory factors including but not limited to experience, education, and skills.

Benefits Available to Eligible Employees Include the following*:
  • Medical, Dental & Vision Plans
  • Flexible PTO
  • 401k w/ employer match

*Full-time employees are eligible for comprehensive benefits (subject to the terms of applicable plans/policies/agreements, which will be made available to you after commencing employment).

Salary range transparency

$175,000-$250,000 USD

About 1plusX AG

1plusX AG is a data management platform that provides audience targeting and analytics for digital advertising. The company's platform uses machine learning and artificial intelligence to analyze user behavior and provide insights into audience segments and ad performance. 1plusX's clients include publishers, advertisers, and advertising agencies.
Learn more about 1plusX AG
Size
50 employees
Industry
Founded
2014

Similar Jobs

More Jobs at 1plusX AG

More Enterprise Technology Jobs

Find similar Principal Identity and API Architect jobs: