ABOUT THE ROLE
AI agents are beginning to act on behalf of people and businesses against publishers, banks, payment networks, and APIs. Every counterparty today answers identity questions on its own - self-asserted API keys, third-party cookies, pixel trackers. That model breaks the moment the actor is an agent. We're building KYA (Know Your Agent) - a cryptographic identity substrate that replaces self-assertion with third-party-issued credentials, verifiable by any counterparty. We're hiring an engineer to own a meaningful surface of the substrate - issuer mint, edge verification, Passport, or Merkle audit log - and ship it to production.
WHAT YOU'LL DO
- Build and maintain the runtime issuer/mint: OAuth Token Exchange (RFC 8693), JWS credentials (RFC 7515/7519, SD-JWT-VC), and Merkle audit log with real-time revocation.
- Own and evolve the wire format and claim registry: JWT profile, verification_level/verification_method enums, and eIDAS/NIST IAL/FATF CDD crosswalk.
- Implement sub-millisecond JWS verification and Web Bot Auth signature checks (RFC 9421) at the HTTP edge for counterparty CDNs, merchants, and publisher paywalls.
- Build and maintain Passport - the user's cloud-resident principal account with canonical handle, KYC/KYB record, authorized-operators list, audit feed, and authenticator binding.
- Develop operator integration: embedded KYB onboarding inside the first OAuth 2.0 consent, per-operator opt-in, and webhook delivery via Svix.
- Work across a Python 3.13 monorepo (FastAPI, Cloud Tasks, Cloud Run, SQLModel/SQLAlchemy) and Go for performance-critical substrate components.
MINIMUM REQUIREMENTS
- Shipped systems where cryptographic correctness was load-bearing: OAuth/OIDC IdP, token issuer, signing service, HSM-backed signer, passkey/WebAuthn flow, or similar.
- Fluent in Python and Go, or strong in one with a track record of learning the other quickly.
- Reads RFCs as primary sources and holds informed opinions on JWK thumbprint canonicalization, pairwise-sub derivation, and Signature-Input header serialization.
- Deep understanding of the distinction between identity and authorization, mandate and claim, snapshot and live state.
- Production experience with async Python on Postgres, including migration safety and observability.
WHAT SETS YOU APART
- Verifiable credentials / SSI / DID work - especially SD-JWT-VC, OID4VC, or the W3C VC stack.
- Certificate Transparency, Trillian, or similar append-only-log experience.
- KYC/KYB pipeline experience: provider abstraction, evidence retention, eIDAS/FATF CDD level mapping, ownership-chain resolution.
- Edge/CDN engineering - Cloudflare Workers, Fastly Compute, Envoy filters, or mTLS at the edge.
- Familiarity with AP2, x402, MPP, UCP, or Mastercard VI specs and how identity rides alongside mandate.
WORK LOCATION
- Based in SF; hybrid 4 days per week in office.
COMPENSATION
- Salary Range: $230,000 - $340,000 + Equity
BENEFITS
- Time off when you need it: Flexible PTO so you can recharge without red tape
- In-person energy: We're based in SF and meet in the office 4 days a week
- Competitive compensation: We pay well and back it with equity. We want you to think and act like an owner
- Career rocket fuel: You'll help build the foundation of a high-growth startup, working side by side with experienced founders and team members who've done it before
- Benefits on us: We cover 100% of your health, dental, and vision premiums. No surprise deductions from your paycheck
- 401(k) with company match: We match your contributions so your future self benefits too
- HSA contributions included: We contribute to your HSA on applicable plans, so your coverage works as hard as you do
- Stay healthy, stay sharp: A $250 monthly gym stipend to help you bring your best self to work, and everywhere else
- A seat at the table: We believe in transparency, radical candor, and giving every team member a voice