Principal Identity and API Architect

London, England, United Kingdom

About TripleLift

We're TripleLift, an advertising platform on a mission to elevate digital advertising through beautiful creative, quality publishers, actionable data and smart targeting. Through over 1 trillion monthly ad transactions, we help publishers and platforms monetize their businesses. Our technology is where the world's leading brands find audiences across online video, connected television, display and native ads. Brand and enterprise customers choose us because of our innovative solutions, premium formats, and supportive experts dedicated to maximizing their performance.

As part of the Vista Equity Partners portfolio, we are NMSDC certified, qualify for diverse spending goals and are committed to economic inclusion. Find out how TripleLift raises up the programmatic ecosystem at triplelift.com.

Overview

The Senior/Principal Identity and API Architect plays a critical role in driving TripleLift’s identity infrastructure and API security strategy within the Exchange team, directly influencing how we authenticate and authorize publishers, buyers, and platform partners across our programmatic marketplace. In this position, you will partner closely with Engineering, Product, and Services teams to design and own the end-to-end identity architecture that underpins our Exchange’s security, scalability, and interoperability. This is an exciting opportunity for someone who wants to build a best-in-class identity platform from the ground up, shaping how TripleLift authenticates billions of programmatic transactions while serving as a strategic thought partner to Exchange leadership on API governance and access control.

Responsibilities

  • Architect and own TripleLift’s end-to-end identity platform, including tenant models, SSO integrations, machine-to-machine authentication, and delegated administration for publishers and demand partners.
  • Design and implement Auth0 tenant architecture, including custom domains, enterprise connections, Actions/Rules, and token lifecycle management (refresh rotation, session policies, JWKS).
  • Define and enforce OAuth 2.0 and OIDC flows across the Exchange — including PKCE, M2M client credentials, and device authorization — ensuring secure and consistent authentication for all platform participants.
  • Build and operate multi-tenant authorization models using OpenFGA or comparable ReBAC systems (e.g., SpiceDB, Ory Keto), enabling fine-grained access control across publisher hierarchies (networks, properties, seats, users).
  • Own the API gateway layer, designing rate limiting, scoped token validation, mTLS enforcement, and consistent error semantics across Traefik, Kong, AWS API Gateway, or equivalent infrastructure.
  • Lead publisher-side identity integrations, including federated SSO (SAML 2.0, OIDC) for enterprise onboarding, delegated self-service administration, and integration of first-party data and authenticated traffic signals into programmatic decisioning.
  • Lead demand-side identity integrations, including DSP and agency API authentication (OAuth 2.0 M2M, API key management), partner onboarding flows, and identity traceability across bid request/response flows for audit, fraud detection, and deal enforcement.
  • Manage AWS identity and API infrastructure, including IAM roles and cross-account trust, Cognito integration patterns, Secrets Manager and KMS for credential lifecycle, and STS-based service-to-service auth in multi-account environments.
  • Establish and maintain identity and API security standards, conducting threat modeling, reviewing integrations for compliance with RBAC/ABAC/ReBAC policies, and responding to security incidents.
  • Serve as the internal subject-matter expert on identity and API architecture, partnering with Engineering, Legal, and Partnerships to advise on protocol selection, vendor evaluation, and regulatory considerations (e.g., GDPR, CCPA as they relate to identity signals).
  • Mentor engineers across the Exchange team on identity best practices, OAuth/OIDC protocol nuances, and secure API design patterns.

Education & Requirements

  • 8+ years of software engineering or platform architecture experience, with at least 4 years focused on identity, IAM, or API security
  • 2+ years of hands-on production experience with Okta's Auth0, including:
    • Tenant architecture, custom domains, and enterprise connections
    • Actions/Rules/Hooks and the Auth0 Management API
    • OIDC/OAuth 2.0 flows including PKCE, M2M client credentials, and device authorization
    • Token customization, refresh token rotation, and session management
    • Production experience with OpenFGA or a comparable relationship-based access control (ReBAC) system (e.g., Zanzibar-derived implementations, Ory Keto, SpiceDB)
  • Deep fluency in OAuth 2.0, OpenID Connect, SAML 2.0, JWT, and JWKS
  • Demonstrated AWS identity and API infrastructure experience, including:
    • IAM roles, policies, and cross-account trust relationships
    • API Gateway (REST and HTTP APIs), Lambda authorizers, and Cognito integration patterns
    • Secrets Manager and KMS for credential and key lifecycle management
    • STS and service-to-service authentication in distributed, multi-account environments
  • Experience designing and operating API gateway layers at scale, including hands-on work with one or more of: Traefik, Kong, AWS API Gateway, or equivalent — encompassing rate limiting, scoped token validation, mTLS, and consistent error semantics
  • Experience with publisher-side identity integrations:
    • Federated SSO (SAML 2.0, OIDC) for publisher onboarding and enterprise identity provider connections
    • Multi-tenant identity models supporting publisher hierarchies: networks, properties, seats, and users
    • Delegated administration patterns enabling publishers to self-manage sub-accounts and user roles
    • Integration with publisher identity signals for decisioning (authenticated traffic, first-party data tokens)
  • Experience with demand-side identity integrations:
    • DSP and agency API authentication: OAuth 2.0 M2M, API key management, and scoped access models
    • Partner onboarding flows supporting both self-serve and managed programmatic demand
    • Identity traceability across bid request/response flows for audit, fraud detection, and deal enforcement
    • Integration with buyer identity infrastructure including agency trading desk and DSP seat management
  • Demonstrated ability to model complex, multi-tenant authorization hierarchies using RBAC, ABAC, or ReBAC
  • Proficiency in at least one backend language (Go, Java, or Python preferred)

US Jobs: The base salary range represents the low and high end of the TripleLift US salary range for this position. Actual salaries will vary depending on factors including but not limited to experience and performance. The range listed is just one component of TripleLift’s total compensation package for employees. Other rewards may include bonuses, an open Paid Time Off policy, and many region-specific benefits.

Pay is based on various non-discriminatory factors including but not limited to experience, education, and skills.

Benefits Available to Eligible Employees Include the following*:
  • Medical, Dental & Vision Plans
  • Flexible PTO
  • 401k w/ employer match

*Full-time employees are eligible for comprehensive benefits (subject to the terms of applicable plans/policies/agreements, which will be made available to you after commencing employment).

Salary range transparency

€90.000 - €130.000 EUR

Life at TripleLift

At TripleLift, we’re a team of great people who like who they work with and want to make everyone around them better. This means being positive, collaborative, and compassionate. We hustle harder than the competition and are continuously innovating.

Learn more about TripleLift and our culture by visiting our LinkedIn Life page.

Establishing People, Culture and Community Initiatives

At TripleLift, we are committed to building a culture where people feel connected, supported, and empowered to do their best work. We invest in our people and foster a workplace that encourages curiosity, celebrates shared values, and promotes meaningful connections across teams and communities. We want to ensure the best talent of every background, viewpoint, and experience has an opportunity to be hired, belong, and develop at TripleLift. Through our People, Culture, and Community initiatives, we aim to create an environment where everyone can thrive and feel a true sense of belonging.

Privacy Policy

Please see our Privacy Policies on our TripleLift and 1plusX websites.

TripleLift does not accept unsolicited resumes from any type of recruitment search firm. Any resume submitted in the absence of a signed agreement will become the property of TripleLift and no fee shall be due.

TripleLift Demographic Questions

TripleLift is dedicated to promoting and supporting diverse representation in our workplace. In order to best support you, please answer the following questions.

Attention to candidates located in Europe: Please answer "I don't wish to answer" if required to make a selection. This question set appears by default and is not applicable to you.

Voluntary Self-Identification

For government reporting purposes, we ask candidates to respond to the below self-identification survey. Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.

As set forth in TripleLift’s Equal Employment Opportunity policy, we do not discriminate on the basis of any protected group status under any applicable law.

If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to the Vietnam Era Veterans Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows:

A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability.

A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.

An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.

An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.

Voluntary Self-Identification of Disability

Form CC-305
Page 1 of 1
OMB Control Number 1250-0005
Expires 04/30/2026

Why are you being asked to complete this form?

We are a federal contractor or subcontractor. The law requires us to provide equal employment opportunity to qualified people with disabilities. We have a goal of having at least 7% of our workers as people with disabilities. The law says we must measure our progress towards this goal. To do this, we must ask applicants and employees if they have a disability or have ever had one. People can become disabled, so we need to ask this question at least every five years.

Completing this form is voluntary, and we hope that you will choose to do so. Your answer is confidential. No one who makes hiring decisions will see it. Your decision to complete the form and your answer will not harm you in any way. If you want to learn more about the law or this form, visit the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

How do you know if you have a disability?

A disability is a condition that substantially limits one or more of your “major life activities.” If you have or have ever had such a condition, you are a person with a disability. Disabilities include, but are not limited to:

  • Alcohol or other substance use disorder (not currently using drugs illegally)
  • Autoimmune disorder, for example, lupus, fibromyalgia, rheumatoid arthritis, HIV/AIDS
  • Blind or low vision
  • Cancer (past or present)
  • Cardiovascular or heart disease
  • Celiac disease
  • Cerebral palsy
  • Deaf or serious difficulty hearing
  • Diabetes
  • Disfigurement, for example, disfigurement caused by burns, wounds, accidents, or congenital disorders
  • Epilepsy or other seizure disorder
  • Gastrointestinal disorders, for example, Crohn's Disease, irritable bowel syndrome
  • Intellectual or developmental disability
  • Mental health conditions, for example, depression, bipolar disorder, anxiety disorder, schizophrenia, PTSD
  • Missing limbs or partially missing limbs
  • Mobility impairment, benefiting from the use of a wheelchair, scooter, walker, leg brace(s) and/or other supports
  • Nervous system condition, for example, migraine headaches, Parkinson’s disease, multiple sclerosis (MS)
  • Neurodivergence, for example, attention-deficit/hyperactivity disorder (ADHD), autism spectrum disorder, dyslexia, dyspraxia, other learning disabilities
  • Partial or complete paralysis (any cause)
  • Pulmonary or respiratory conditions, for example, tuberculosis, asthma, emphysema
  • Short stature (dwarfism)
  • Traumatic brain injury

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.