Senior Engineer, Agentic Identity

ABOUT BASELAYER

---

Every day, financial institutions make consequential decisions about which businesses to onboard, extend credit to, and trust. Baselayer exists to make those decisions faster and more accurately. Our AI business identity platform is trusted by more than 2,200 financial institutions to verify any business, automate KYB, and monitor real-time risk. Our mission is to eliminate business fraud and lower the cost of trust across the financial system.

ABOUT THE TEAM

---

The team at Baselayer is built around people who care about getting things done right. We work closely with customers who have real compliance requirements and a limited tolerance for error, which means we move deliberately, communicate directly, and hold ourselves to a high standard. If you're someone who loves to take ownership and cares about the quality of what ships, let's chat!

ABOUT THE ROLE

---

AI agents are beginning to act on behalf of people and businesses against publishers, banks, payment networks, and APIs. Every counterparty today answers identity questions on its own - self-asserted API keys, third-party cookies, pixel trackers. That model breaks the moment the actor is an agent. We're building KYA (Know Your Agent) - a cryptographic identity substrate that replaces self-assertion with third-party-issued credentials, verifiable by any counterparty. We're hiring an engineer to own a meaningful surface of the substrate - issuer mint, edge verification, Passport, or Merkle audit log - and ship it to production.

WHAT YOU'LL DO

---

• Build and maintain the runtime issuer/mint: OAuth Token Exchange (RFC 8693), JWS credentials (RFC 7515/7519, SD-JWT-VC), and Merkle audit log with real-time revocation.
• Own and evolve the wire format and claim registry: JWT profile, verification_level/verification_method enums, and eIDAS/NIST IAL/FATF CDD crosswalk.
• Implement sub-millisecond JWS verification and Web Bot Auth signature checks (RFC 9421) at the HTTP edge for counterparty CDNs, merchants, and publisher paywalls.
• Build and maintain Passport - the user's cloud-resident principal account with canonical handle, KYC/KYB record, authorized-operators list, audit feed, and authenticator binding.
• Develop operator integration: embedded KYB onboarding inside first OAuth 2.0 consent, per-operator opt-in, and webhook delivery via Svix.
• Work across a Python 3.13 monorepo (FastAPI, Cloud Tasks, Cloud Run, SQLModel/SQLAlchemy) and Go for performance-critical substrate components.

MINIMUM REQUIREMENTS

---

• Shipped systems where cryptographic correctness was load-bearing: OAuth/OIDC IdP, token issuer, signing service, HSM-backed signer, passkey/WebAuthn flow, or similar.
• Fluent in Python and Go, or strong in one with a track record of learning the other quickly.
• Reads RFCs as primary sources and holds informed opinions on JWK thumbprint canonicalization, pairwise-sub derivation, and Signature-Input header serialization.
• Deep understanding of the distinction between identity and authorization, mandate and claim, snapshot and live state.
• Production experience with async Python on Postgres, including migration safety and observability.

WHAT SETS YOU APART

---

• Verifiable credentials / SSI / DID work - especially SD-JWT-VC, OID4VC, or the W3C VC stack.
• Certificate Transparency, Trillian, or similar append-only-log experience.
• KYC/KYB pipeline experience: provider abstraction, evidence retention, eIDAS/FATF CDD level mapping, ownership-chain resolution.
• Edge/CDN engineering - Cloudflare Workers, Fastly Compute, Envoy filters, or mTLS at the edge.
• Familiarity with AP2, x402, MPP, UCP, or Mastercard VI specs and how identity rides alongside mandate.

WORK LOCATION

---

• Based in SF; hybrid 4 days per week in office.

COMPENSATION

---

• Salary Range: $135k – $220k + Equity | 0.05% – 0.25%

BENEFITS

---

• Time off when you need it: Flexible PTO so you can recharge without red tape.
• Competitive compensation: We pay well and back it with equity. We want you to think and act like an owner.
• Career rocket fuel: You'll help build the foundation of a high-growth startup, working side by side with experienced founders and team members who've done it before.
• Benefits on us: We cover 100% of your health, dental, and vision premiums. No surprise deductions from your paycheck.
• HSA contributions included: We contribute to your HSA on applicable plans, so your coverage works as hard as you do
• Stay healthy, stay sharp: A $250 annual gym stipend to help you bring your best self to work, and everywhere else
• A seat at the table: We believe in transparency, radical candor, and giving every team member a voice 🔥