Senior Engineer, Agentic Identity

Baselayer

$230K — $340K *
Technical Services
Less than 5 years of experience
Job Overview by Ladders

Qualifications

  • 5-7 years of experience in systems design emphasizing cryptographic correctness.
  • Proficient in Python and Go, with a commitment to learning new languages as needed.
  • Familiar with RFC specifications such as JWT and OAuth.
  • Strong analytical skills regarding identity and authorization distinctions.
  • Experience with asynchronous programming in Python and Postgres.

Responsibilities

  • Build and maintain key cryptographic components like runtime issuer and mint.
  • Own the development of wire formats and claim registry specifications.
  • Implement high-speed verification and authentication checks at the edge.
  • Develop and manage user account systems, including KYC and audit feeds.
  • Integrate third-party operators with user onboarding and webhook systems.

Benefits

  • Flexible PTO allowing for personal time without formal procedures.
  • Hybrid work schedule with 4 days in-office for collaboration.
  • Equity options to promote ownership and financial engagement.
  • Comprehensive health, dental, and vision insurance covered at 100%.
  • 401(k) plan with company matching contributions for retirement savings.
  • Employer contributions to HSA for eligible plans.
  • Monthly gym stipend to encourage a healthy lifestyle.
  • Culture of transparency and openness that empowers all team members.
Full Job Description
ABOUT THE ROLE

AI agents are beginning to act on behalf of people and businesses against publishers, banks, payment networks, and APIs. Every counterparty today answers identity questions on its own - self-asserted API keys, third-party cookies, pixel trackers. That model breaks the moment the actor is an agent. We're building KYA (Know Your Agent) - a cryptographic identity substrate that replaces self-assertion with third-party-issued credentials, verifiable by any counterparty. We're hiring an engineer to own a meaningful surface of the substrate - issuer mint, edge verification, Passport, or Merkle audit log - and ship it to production.

WHAT YOU'LL DO
  • Build and maintain the runtime issuer/mint: OAuth Token Exchange (RFC 8693), JWS credentials (RFC 7515/7519, SD-JWT-VC), and Merkle audit log with real-time revocation.
  • Own and evolve the wire format and claim registry: JWT profile, verification_level/verification_method enums, and eIDAS/NIST IAL/FATF CDD crosswalk.
  • Implement sub-millisecond JWS verification and Web Bot Auth signature checks (RFC 9421) at the HTTP edge for counterparty CDNs, merchants, and publisher paywalls.
  • Build and maintain Passport - the user's cloud-resident principal account with canonical handle, KYC/KYB record, authorized-operators list, audit feed, and authenticator binding.
  • Develop operator integration: embedded KYB onboarding inside first OAuth 2.0 consent, per-operator opt-in, and webhook delivery via Svix.
  • Work across a Python 3.13 monorepo (FastAPI, Cloud Tasks, Cloud Run, SQLModel/SQLAlchemy) and Go for performance-critical substrate components.

MINIMUM REQUIREMENTS
  • Shipped systems where cryptographic correctness was load-bearing: OAuth/OIDC IdP, token issuer, signing service, HSM-backed signer, passkey/WebAuthn flow, or similar.
  • Fluent in Python and Go, or strong in one with a track record of learning the other quickly.
  • Reads RFCs as primary sources and holds informed opinions on JWK thumbprint canonicalization, pairwise-sub derivation, and Signature-Input header serialization.
  • Deep understanding of the distinction between identity and authorization, mandate and claim, snapshot and live state.
  • Production experience with async Python on Postgres, including migration safety and observability.

WHAT SETS YOU APART
  • Verifiable credentials / SSI / DID work - especially SD-JWT-VC, OID4VC, or the W3C VC stack.
  • Certificate Transparency, Trillian, or similar append-only-log experience.
  • KYC/KYB pipeline experience: provider abstraction, evidence retention, eIDAS/FATF CDD level mapping, ownership-chain resolution.
  • Edge/CDN engineering - Cloudflare Workers, Fastly Compute, Envoy filters, or mTLS at the edge.
  • Familiarity with AP2, x402, MPP, UCP, or Mastercard VI specs and how identity rides alongside mandate.

WORK LOCATION
  • Based in SF; hybrid 4 days per week in office.

COMPENSATION
  • Salary Range: $230,000 - $340,000 + Equity

BENEFITS
  • Time off when you need it: Flexible PTO so you can recharge without red tape
  • In-person energy: We're based in SF and meet in the office 4 days a week
  • Competitive compensation: We pay well and back it with equity. We want you to think and act like an owner
  • Career rocket fuel: You'll help build the foundation of a high-growth startup, working side by side with experienced founders and team members who've done it before
  • Benefits on us: We cover 100% of your health, dental, and vision premiums. No surprise deductions from your paycheck
  • 401(k) with company match: We match your contributions so your future self benefits too
  • HSA contributions included: We contribute to your HSA on applicable plans, so your coverage works as hard as you do
  • Stay healthy, stay sharp: A $250 monthly gym stipend to help you bring your best self to work, and everywhere else
  • A seat at the table: We believe in transparency, radical candor, and giving every team member a voice

Similar Jobs

More Jobs at Baselayer

  • Account Manager
    $120K — $170K *
    New York, NY 10025 (New York County)
    Finance & Insurance
    In-Person
  • Sr. Product Manager
    $210K — $290K *
    San Francisco, CA 94112 (San Francisco County)
    Enterprise Technology
    In-Person
  • Account Executive
    $120K — $170K *
    New York, NY 10025 (New York County)
    Enterprise Technology
    In-Person
  • Account Executive
    $120K — $170K *
    New York, NY 10025 (New York County)
    Enterprise Technology
    In-Person
  • Solutions Engineer
    $135K — $220K *
    New York, NY 10025 (New York County)
    Information Technology
    In-Person

More Technical Services Jobs

Find similar Senior Engineer, Agentic Identity jobs: