Senior CIAM Software Engineer

Affirm is building the next generation of customer identity and authentication. This role is a hands-on engineering position inside Information Security, focused on designing and shipping core CIAM capabilities that protect customers and support growth.

You will build and operate backend services that power registration, login, authorization, and account lifecycle flows across B2C and B2B experiences. You will work closely with partner engineering teams and ensure identity features are delivered with strong security fundamentals, reliability, and operational rigor.

What you’ll do

• Design, build, and operate core CIAM backend services that support customer registration, authentication, authorization, account lifecycle, and profile management for B2C and B2B platforms.
• Implement and extend identity standards such as OAuth 2.0, OIDC, SAML, and SCIM in code, ensuring correctness, scalability, and clean integration patterns.
• Develop backend APIs and services in Python and Kotlin that expose identity capabilities to web, mobile, and partner applications.
• Integrate CIAM platforms with internal systems, including user data stores, messaging, fraud signals, and downstream customer platforms.
• Own secure authentication and account flows end to end, including MFA, step-up authentication, device binding, consent, and adaptive authentication logic.
• Automate CIAM infrastructure and deployments using Infrastructure as Code and CI/CD pipelines, treating identity as a core platform service.
• Monitor, debug, and optimize CIAM services for performance, resilience, and abuse detection in high-scale environments.

What we look for

• Strong experience designing and implementing CIAM systems, with deep, hands-on knowledge of OAuth 2.0, OIDC, SAML, and SCIM beyond basic configuration.
• 5+ years of professional backend software engineering experience
• Strong production experience in Python or a similar backend language
• Experience designing APIs, automation frameworks, and distributed systems
• Hands-on experience building and maintaining CI/CD pipelines
• Experience with GitHub-based development workflows and Buildkite or similar build systems
• Experience with cloud-native development, preferably AWS
• Hands-on experience extending and integrating CIAM platforms such as Okta, Auth0, Ping Identity, ForgeRock, or Azure AD B2C using custom code, hooks, and APIs.
• Solid understanding of backend and distributed systems fundamentals, including API design, data modeling, latency, error handling, and observability.
• Experience with Infrastructure as Code and automation tools such as Terraform, plus CI/CD pipelines for deploying backend services.
• Strong security fundamentals applied through engineering, including access control models, token handling, encryption, MFA, and privacy by design.
• Clear communication skills and the ability to work closely with product, frontend, mobile, and security teams while owning backend identity services.
• Familiarity with tools such as Cursor and other AI-augmented development environments

 

Base Pay Grade - N

Equity Grade - Canada 6

Employees new to Affirm typically come in at the start of the pay range. Affirm focuses on providing a simple and transparent pay structure which is based on a variety of factors, including location, experience and job-related skills. 

Base pay is part of a total compensation package that may include monthly stipends for health, wellness and tech spending, and benefits (including 100% subsidized medical