Principal Identity and API Architect
About the role
The Senior/Principal Identity and API Architect plays a critical role in driving TripleLift's identity infrastructure and API security strategy within the Exchange team, directly influencing how we authenticate and authorize publishers, buyers, and platform partners across our programmatic marketplace. In this position, you will partner closely with Engineering, Product, and Services teams to design and own the end-to-end identity architecture that underpins our Exchange's security, scalability, and interoperability. This is an exciting opportunity for someone who wants to build a best-in-class identity platform from the ground up, shaping how TripleLift authenticates billions of programmatic transactions while serving as a strategic thought partner to Exchange leadership on API governance and access control.
Responsibilities
- Architect and own TripleLift's end-to-end identity platform, including tenant models, SSO integrations, machine-to-machine authentication, and delegated administration for publishers and demand partners.
- Design and implement Auth0 tenant architecture, including custom domains, enterprise connections, Actions/Rules, and token lifecycle management (refresh rotation, session policies, JWKS).
- Define and enforce OAuth 2.0 and OIDC flows across the Exchange - including PKCE, M2M client credentials, and device authorization - ensuring secure and consistent authentication for all platform participants.
- Build and operate multi-tenant authorization models using OpenFGA or comparable ReBAC systems (e.g., SpiceDB, Ory Keto), enabling fine-grained access control across publisher hierarchies (networks, properties, seats, users).
- Own the API gateway layer, designing rate limiting, scoped token validation, mTLS enforcement, and consistent error semantics across Traefik, Kong, AWS API Gateway, or equivalent infrastructure.
- Lead publisher-side identity integrations, including federated SSO (SAML 2.0, OIDC) for enterprise onboarding, delegated self-service administration, and integration of first-party data and authenticated traffic signals into programmatic decisioning.
- Lead demand-side identity integrations, including DSP and agency API authentication (OAuth 2.0 M2M, API key management), partner onboarding flows, and identity traceability across bid request/response flows for audit, fraud detection, and deal enforcement.
- Manage AWS identity and API infrastructure, including IAM roles and cross-account trust, Cognito integration patterns, Secrets Manager and KMS for credential lifecycle, and STS-based service-to-service auth in multi-account environments.
- Establish and maintain identity and API security standards, conducting threat modeling, reviewing integrations for compliance with RBAC/ABAC/ReBAC policies, and responding to security incidents.
- Serve as the internal subject-matter expert on identity and API architecture, partnering with Engineering, Legal, and Partnerships to advise on protocol selection, vendor evaluation, and regulatory considerations (e.g., GDPR, CCPA as they relate to identity signals).
- Mentor engineers across the Exchange team on identity best practices, OAuth/OIDC protocol nuances, and secure API design patterns.
Education & Requirements
- 8+ years of software engineering or platform architecture experience, with at least 4 years focused on identity, IAM, or API security
- 2+ years of hands-on production experience with Okta's Auth0, including:
  - Tenant architecture, custom domains, and enterprise connections
  - Actions/Rules/Hooks and the Auth0 Management API
  - OIDC/OAuth 2.0 flows including PKCE, M2M client credentials, and device authorization
  - Token customization, refresh token rotation, and session management
- Production experience with OpenFGA or a comparable relationship-based access control (ReBAC) system (e.g., Zanzibar-derived implementations, Ory Keto, SpiceDB)
- Deep fluency in OAuth 2.0, OpenID Connect, SAML 2.0, JWT, and JWKS
- Demonstrated AWS identity and API infrastructure experience, including:
  - IAM roles, policies, and cross-account trust relationships
  - API Gateway (REST and HTTP APIs), Lambda authorizers, and Cognito integration patterns
Benefits
Additional Information
About TripleLift
We're TripleLift, an advertising platform on a mission to elevate digital advertising through beautiful creative, quality publishers, actionable data and smart targeting. Through over 1 trillion monthly ad transactions, we help publishers and platforms monetize their businesses. Our technology is where the world's leading brands find audiences across online video, connected television, display and native ads. Brand and enterprise customers choose us because of our innovative solutions, premium formats, and supportive experts dedicated to maximizing their performance. As part of the Vista Equity Partners portfolio, we are NMSDC certified, qualify for diverse spending goals and are committed to economic inclusion. Find out how TripleLift raises up the programmatic ecosystem at triplelift.com.