Senior Backend Engineer (Authorization & User Management)

Requirements

• 5+ years of backend engineering experience with strong expertise in TypeScript, Node.js, and structured backend frameworks such as NestJS
• Strong domain experience in authorization, identity, or user management systems in production SaaS environments
• Excellent system design skills: you can model roles, permissions, policy propagation, and service boundaries in a way that stays understandable as the platform grows
• Experience with enterprise identity concepts such as SSO, RBAC, provisioning, deprovisioning, webhooks, SCIM, or IdP integrations
• Multi-tenant SaaS experience with strong awareness of tenant isolation, auditability, and security-sensitive change management
• Event-driven systems experience: comfortable with asynchronous workflows, retries, idempotency, and eventual consistency in backend services
• Testing discipline: you write tests for critical business and security logic, not just happy paths

What the job involves

• We're building an enterprise AI platform where secure access and user lifecycle management are core product capabilities. Every workspace, assistant, admin surface, and API depends on the platform correctly handling who a user is, what they can access, how roles are assigned, and how identity changes propagate across the system
• We're looking for a senior backend engineer to work on the services behind authorization and user management. This role sits at the intersection of product functionality, platform reliability, and enterprise security
• Authorization and policy systems: Design and evolve a NestJS/TypeScript gatekeeper service with Casbin-style policies, implementing roles/groups/resource-level permissions and clean enforcement flows exposed to both UI and service-to-service consumers
• User and group management: Build and extend user/group/role capabilities, maintain the node-scope-management service for lifecycle and inheritance, and ensure consistent, correct state across APIs, jobs, and downstream consumers
• Identity and provisioning integrations: Own external identity integrations (e.g., Zitadel), improve sync for user/role lifecycle and deprovisioning, and implement enterprise features like external groups, SCIM-style provisioning, and metadata sync
• Event-driven backend architecture: Design resilient async workflows (AMQP, background processing) to validate and propagate role/membership updates, with reliable retries and correct behavior under failures and partial reprocessing
• Platform ownership: Model GraphQL/Prisma/PostgreSQL APIs with strict tenancy, enhance observability (logs/metrics/traces/alerts) for auth/identity flows, and own production delivery via Docker/Kubernetes/Helm and GitOps
• Engineering culture: Write robust tests for security-sensitive logic, engage in design/code reviews on auth/identity boundaries, and mentor peers to raise quality, maintainability, and operational discipline