Software Engineer II - Identity & Access Management

Job Description

Job Description

At Klaviyo, we value the unique backgrounds, experiences and perspectives each Klaviyo (we call ourselves Klaviyos) brings to our workplace each and every day. We believe everyone deserves a fair shot at success and appreciate the experiences each person brings beyond the traditional job requirements. If you're a close but not exact match with the description, we hope you'll still consider applying. Want to learn more about life at Klaviyo? Visit klaviyo.com/careers to see how we empower creators to own their own destiny.

Team overview

The Core Infrastructure – Identity & Organizations (Core IO) pillar owns the foundational substrate for identity, access, organizations, and platform integrity at Klaviyo. We manage the critical path of the user journey from login, to enforcing permissions, to operating within the correct organization and regional context so that the rest of the platform can move fast and stay secure.

Within Core IO, the Identity & Access Management (IAM) team builds and operates Klaviyo's centralized authentication and authorization platform for both humans and machines. We power login, SSO, MFA, SCIM, internal service auth, and external API auth, and we are in the middle of transforming Klaviyo's identity stack into a unified, enterprise-grade platform.

Why this role is exciting

• Shape Klaviyo's identity platform: You'll help design and build the services that every product team and customer relies on login, sessions, permissions, and secure service APIs are all on your roadmap.
• High-leverage, platform-level impact: Your work will directly affect engineering velocity (auth as a shared service), Enterprise deal wins (SSO/SCIM/RBAC/ReBAC), and Data Residency (region-aware auth flows).
• Deep systems and security learning: You'll work on distributed systems, modern IdP integration, machine auth, and secure-by-default patterns with strong mentorship and meaningful ownership.

What you'll do

As a Software Engineer II on the IAM team, you will:

• Own features end-to-end across design, implementation, rollout, and observability for core authN/Z capabilities such as login flows, MFA, SSO enhancements, SCIM, sessions, and role/permission enforcement.
• Contribute to auth platform extraction: Help move authentication and authorization paths out of the legacy monolith into dedicated micro services, including token verification, API key services, and internal service auth behind Kong and IdP platform.
• Build and maintain shared SDKs and contracts that let internal teams adopt IAM services quickly (OAuth, machine auth, org-scoped authZ), making "secure by default" the simplest option for new surfaces and agents.
• Collaborate with Organizations & Accounts to support org-scoped identity, multi-account SSO, and flexible org/account models that underpin enterprise experiences and cross-account analytics.
• Partner with Platform Integrity & Protection (PAA) , Security, and Compliance on secure patterns for account protection (MFA, recovery, device/session risk), ensuring IAM is a strong foundation for account security and anti-abuse controls.
• Improve reliability and performance of IAM services by instrumenting metrics and alerts, debugging production issues, and contributing to on-call rotations and incident reviews.
• Help define and refine standards for authentication and authorization across the platform APIs, error semantics, audit logging, and integration patterns so product teams don't reinvent them per-service.

Who you are

You are a mid-level software engineer who has shipped and supported production systems, and who wants to specialize in identity, security, and platform infrastructure.

• Experienced systems builder: You have 2-5+ years of professional software engineering experience, including building and operating backend or full-stack services in production.
• Strong fundamentals & debugging skills: You are comfortable reasoning about data models, API design, concurrency, and failure modes, and you can dig through logs, metrics, and traces to identify root causes and implement systemic fixes.
• Security & identity motivated: You're excited by authentication, authorization, and account security problems and want to deepen your expertise in areas like MFA, SSO, SCIM, OAuth, and roles/permissions.
• Platform/infra mindset: You like building reusable services and tools that other engineers rely on, including libraries, SDKs, and patterns that raise the floor for quality and security across the org.
• Ownership & collaboration: You take responsibility for outcomes, not just code. You're comfortable driving a small project or component, coordinating with partner teams, and communicating trade-offs clearly in design docs and PRs.
• You've already experimented with AI in work or personal projects, and you're excited to dive in and learn fast. You're hungry to responsibly explore new AI tools and workflows, finding ways to make your work smarter and more efficient.

Minimum qualifications

• 2-5+ years of professional software engineering experience.
• Proficiency in at least one of Python, Go, or TypeScript/JavaScript , and comfort working on backend and/or service-oriented systems.
• Experience building or operating web services or APIs backed by relational databases and/or caches (e.g., MySQL, Postgres, Redis).
• Familiarity with authentication or authorization concepts (sessions, tokens, OAuth, SSO, MFA, RBAC) and an interest in going much deeper.
• Exposure to CI/CD pipelines and modern development workflows (code review, testing, deployments, on-call participation or support).

Nice to have

You don't need all of these, but experience in any of the following is a bonus:

• Building or integrating with IdPs and identity protocols (SAML/OIDC, enterprise SSO, SCIM, OAuth, API key management).
• Working with cloud-native infrastructure (AWS, Kubernetes, Terraform, Kong, or similar API gateways and service meshes).
• Experience with high-scale distributed systems or performance-sensitive services where availability and latency targets matter (e.g., auth endpoints, org lookups, internal service auth).
• Familiarity with observability stacks (Grafana, Datadog/Splunk, internal metrics/logging frameworks) and using them to drive reliability improvements.
• Interest or experience in adjacent Core IO domains like Organizations & Accounts or Platform Anti-Abuse (PAA), especially where they intersect with auth and account security.

Technologies we use (not exhaustive)

You'll work with some of these on day one and have opportunities to learn the rest:

• Languages & frameworks: Python, Django, Go, TypeScript/React.
• Identity & access: OAuth, API keys, SSO, SCIM, MFA, roles & permissions, internal service auth SDKs.
• Infrastructure & platform: AWS, Kubernetes, Terraform, Kong, microservice platform for auth and organizations.
• Data & observability: MySQL, Redis, Kafka/queues, Grafana, Splunk, internal logging/metrics pipelines.

We use Covey as part of our hiring and / or promotional process. For jobs or candidates in NYC, certain features may qualify it as an AEDT. As part of the evaluation process we provide Covey with job requirements and candidate submitted applications. We began using Covey Scout for Inbound on April 3, 2025.

Please see the independent bias audit report covering our use of Covey here

Massachusetts Applicants:
It is unlawful in Massachusetts to require or administer a lie detector test as a condition of employment or continued employment. An employer who violates this law shall be subject to criminal penalties and civil liability.

Our salary range reflects the cost of labor across various U.S. geographic markets. The range displayed below reflects the minimum and maximum target salaries for the position across all our US locations. The base salary offered for this position is determined by several factors, including the applicant's job-related skills, relevant experience, education or training, and work location.

In addition to base salary, our total compensation package may include participation in the company's annual cash bonus plan, variable compensation (OTE) for sales and customer success roles, equity, sign-on payments, and a comprehensive range of health, welfare, and wellbeing benefits based on eligibility.

Your recruiter can provide more details about the specific salary/OTE range for your preferred location during the hiring process.

Base Pay Range For US Locations:

$116,000—$174,000 USD

This role may require up to 10% travel for purposes such as new hire onboarding, client or partner work if applicable, team meetings, and industry events. Travel is coordinated in advance.

Get to Know Klaviyo

We're Klaviyo (pronounced clay-vee-oh). We empower creators to own their destiny by making first-party data accessible and actionable like never before. We see limitless potential for the technology we're developing to nurture personalized experiences in ecommerce and beyond. To reach our goals, we need our own crew of remarkable creators—ambitious and collaborative teammates who stay focused on our north star: delighting our customers. If you're ready to do the best work of your career, where you'll be welcomed as your whole self from day one and supported with generous benefits, we hope you'll join us.

AI fluency at Klaviyo includes responsible use of AI (including privacy, security, bias awareness, and human-in-the-loop). We provide accommodations as needed.

By participating in Klaviyo's interview process, you acknowledge that you have read, understood, and will adhere to our Guidelines for using AI in the Klaviyo interview Process. For more information about how we process your personal data, see our Job Applicant Privacy Notice.

Klaviyo is committed to a policy of equal opportunity and non-discrimination. We do not discriminate on the basis of race, ethnicity, citizenship, national origin, color, religion or religious creed, age, sex (including pregnancy), gender identity, sexual orientation, physical or mental disability, veteran or active military status, marital status, criminal record, genetics, retaliation, sexual harassment or any other characteristic protected by applicable law.

IMPORTANT NOTICE: Our company takes the security and privacy of job applicants very seriously. We will never ask for payment, bank details, or personal financial information as part of the application process. All our legitimate job postings can be found on our official career site. Please be cautious of job offers that come from non-company email addresses (@klaviyo.com), instant messaging platforms, or unsolicited calls.

By clicking "Submit Application" you consent to Klaviyo processing your Personal Data in accordance with our Job Applicant Privacy Notice. If you do not wish for Klaviyo to process your Personal Data, please do not submit an application. You can find our Job Applicant Privacy Notice here and here (FR).