Overview

The Senior/Principal Identity and API Architect plays a critical role in driving TripleLift’s identity infrastructure and API security strategy within the Exchange team, directly influencing how we authenticate and authorize publishers, buyers, and platform partners across our programmatic marketplace. In this position, you will partner closely with Engineering, Product, and Services teams to design and own the end-to-end identity architecture that underpins our Exchange’s security, scalability, and interoperability. This is an exciting opportunity for someone who wants to build a best-in-class identity platform from the ground up, shaping how TripleLift authenticates billions of programmatic transactions while serving as a strategic thought partner to Exchange leadership on API governance and access control.

Responsibilities

• Architect and own TripleLift’s end-to-end identity platform, including tenant models, SSO integrations, machine-to-machine authentication, and delegated administration for publishers and demand partners.
• Design and implement Auth0 tenant architecture, including custom domains, enterprise connections, Actions/Rules, and token lifecycle management (refresh rotation, session policies, JWKS).
• Define and enforce OAuth 2.0 and OIDC flows across the Exchange — including PKCE, M2M client credentials, and device authorization — ensuring secure and consistent authentication for all platform participants.
• Build and operate multi-tenant authorization models using OpenFGA or comparable ReBAC systems (e.g., SpiceDB, Ory Keto), enabling fine-grained access control across publisher hierarchies (networks, properties, seats, users).
• Own the API gateway layer, designing rate limiting, scoped token validation, mTLS enforcement, and consistent error semantics across Traefik, Kong, AWS API Gateway, or equivalent infrastructure.
• Lead publisher-side identity integrations, including federated SSO (SAML 2.0, OIDC) for enterprise onboarding, delegated self-service administration, and integration of first-party data and authenticated traffic signals into programmatic decisioning.
• Lead demand-side identity integrations, including DSP and agency API authentication (OAuth 2.0 M2M, API key management), partner onboarding flows, and identity traceability across bid request/response flows for audit, fraud detection, and deal enforcement.
• Manage AWS identity and API infrastructure, including IAM roles and cross-account trust, Cognito integration patterns, Secrets Manager and KMS for credential lifecycle, and STS-based service-to-service auth in multi-account environments.
• Establish and maintain identity and API security standards, conducting threat modeling, reviewing integrations for compliance with RBAC/ABAC/ReBAC policies, and responding to security incidents.
• Serve as the internal subject-matter expert on identity and API architecture, partnering with Engineering, Legal, and Partnerships to advise on protocol selection, vendor evaluation, and regulatory considerations (e.g., GDPR, CCPA as they relate to identity signals).
• Mentor engineers across the Exchange team on identity best practices, OAuth/OIDC protocol nuances, and secure API design patterns.

Education & Requirements

• 8+ years of software engineering or platform architecture experience, with at least 4 years focused on identity, IAM, or API security
• 2+ years of hands-on production experience with Okta's Auth0, including:
• Tenant architecture, custom domains, and enterprise connections
• Actions/Rules/Hooks and the Auth0 Management API
• OIDC/OAuth 2.0 flows including PKCE, M2M client credentials, and device authorization
• Token customization, refresh token rotation, and session management
• Production experience with OpenFGA or a comparable relationship-based access control (ReBAC) system (e.g., Zanzibar-derived implementations, Ory Keto, SpiceDB)
• Deep fluency in OAuth 2.0, OpenID Connect, SAML 2.0, JWT, and JWKS
• Demonstrated AWS identity and API infrastructure experience, including:
• IAM roles, policies, and cross-account trust relationships
• API Gateway (REST and HTTP APIs), Lambda authorizers, and Cognito integration patterns
• Secrets Manager and KMS for credential and key lifecycle management
• STS and service-to-service authentication in distributed, multi-account environments
• Experience designing and operating API gateway layers at scale, including hands-on work with one or more of: Traefik, Kong, AWS API Gateway, or equivalent — encompassing rate limiting, scoped token validation, mTLS, and consistent error semantics
• Experience with publisher-side identity integrations:
• Federated SSO (SAML 2.0, OIDC) for publisher onboarding and enterprise identity provider connections
• Multi-tenant identity models supporting publisher hierarchies: networks, properties, seats, and users
• Delegated administration patterns enabling publishers to self-manage sub-accounts and user roles
• Integration with publisher identity signals for decisioning (authenticated traffic, first-party data tokens)
• Experience with demand-side identity integrations:
• DSP and agency API authentication: OAuth 2.0 M2M, API key management, and scoped access models
• Partner onboarding flows supporting both self-serve and managed programmatic demand
• Identity traceability across bid request/response flows for audit, fraud detection, and deal enforcement
• Integration with buyer identity infrastructure including agency trading desk and DSP seat management
• Demonstrated ability to model complex, multi-tenant authorization hierarchies using RBAC, ABAC, or ReBAC
• Proficiency in at least one backend language (Go, Java, or Python preferred)