Back to jobs
B
Software Engineer — Agent Auth Platform
San Francisco, USAPosted 1 months ago
Full-timeremote
Job Description
About Better Auth
Better Auth is the most comprehensive authentication framework for TypeScript. We're the most upvoted YC Launch in history and are used by thousands of developers shipping everything from startup projects to enterprise products.
We’re a small team building foundational infrastructure that other developers depend on, so the bar is high: every decision we make affects security, correctness, and developer experience at scale. We’re also building an enterprise layer on top of the open-source framework for teams that need more operational, organizational, and compliance-oriented capabilities.
We’re now extending that work into agent auth: secure identity, approval, delegation, and capability grants for AI agents operating across runtimes, services, and organizations.
The Role
We’re looking for a strong engineer to help build the identity provider, approval systems, and control plane for agent auth.
This is a high-leverage role at the boundary of protocol design, security, and product implementation. You’ll work on the trust model behind agent authorization: signed grants, offline verification, request signing, approval flows, delegation, revocation, and least-privilege capability systems. You’ll help turn emerging protocol decisions into real issuer, approval, and platform systems.
This is a developer- and customer-facing platform role. The standards are still forming, the tradeoffs are real, and the ecosystem is still converging on the right primitives. You’ll build the APIs, issuer systems, approval flows, and control-plane surfaces that developers, admins, and organizations rely on in production, and engage with other implementers when interoperability questions arise.
Why You Should Join
Agent identity and authorization is still unsettled ground, and the platform that makes it real is still being built. The core primitives are still taking shape across issuers, runtimes, services, and approval surfaces, which means the implementation work matters unusually early.
That’s the opportunity here. You won’t be joining a mature category and optimizing around the edges. You’ll be building the identity provider, approval systems, and control-plane platform that turn emerging protocol ideas into secure production systems. Your implementation instincts will directly shape how those decisions land in practice. If you care about secure defaults, thoughtful platform design, and building real systems in a category that is still being defined, this is unusually direct leverage.
What You'll Work On
- Issuer systems — building signed grant issuance, JWKS publishing, key rotation, and verifier-facing trust primitives
- Approval infrastructure — designing device, backchannel, host-mediated, and service-mediated approval flows that preserve both user experience and security guarantees
- Runtime and operator controls — building the surfaces for runtime registration, operator trust, default budgets, delegated execution, and admin review
- Capability policy — defining least-privilege grants, constraints, bounded-use authorization, principal-on-grant semantics, and revocation behavior
- Verification model — shaping offline verification, request signing, replay protection, cache behavior, and the practical tradeoffs between verification and revocation
- Control plane and org policy — building tenant-level trust configuration, approval policy, auditability, runtime management, and enterprise admin controls
- Adoption bridge — building the platform that lets agents securely access real services before native agent auth support exists, while creating a clean path toward first-class protocol adoption
- New primitives in code — implementing issuer, verifier, SDK, and IDP primitives from scratch across the Better Auth plugin, client SDK, and platform surfaces
What We're Looking For
- Experience level — 7+ years building production systems in security-sensitive or protocol-heavy domains
- Security-sensitive systems — strong experience building systems where correctness, trust, and misuse resistance matter
- Protocol judgment — the ability to reason about hard tensions like offline verification versus revocation, delegation versus misuse resistance, approval UX versus security guarantees, and issuer/runtime/service boundaries
- Token and key systems — hands-on experience with signed token formats, key lifecycle, and binding tokens to specific requests in real systems
- Secure-by-default product judgment — strong instincts for making secure behavior the easy default, and for knowing when ergonomics and security are genuinely in tension versus when thoughtful design can deliver both
- Systems implementation — strong TypeScript and backend engineering ability, with comfort building production libraries, APIs, control planes, and developer-facing tooling
- Collaboration and ownership — low ego, high conviction, and the ability to work across protocol, product, and engineering details without waiting for perfect specs
Bonus Points
- Capability-based authorization — experience with delegated access, attenuation models, bounded-use grants, or related authorization systems
- Open source infrastructure — experience maintaining OSS libraries or developer-facing infrastructure with real external users
- Enterprise identity — familiarity with SSO, SCIM, org policy, auditability, compliance-oriented controls, or multi-tenant trust systems
- Standards and interoperability — experience contributing to protocol discussions, writing technical proposals, or working across ecosystem boundaries
Compensation & Benefits
- Competitive salary + meaningful equity with room to grow
- Health, dental, vision
- Unlimited PTO (that we actually encourage you to use)
- SF office access + daily catered lunches & snacks
Better Auth is an equal opportunity employer. We believe diverse teams build better security infrastructure.