Software Engineer, Identity & Access
full-time
mid
Posted 2 hours ago
About this role
TLDR;
You'll own the identity layer that powers every Lovable app — from auth flows and session management to RBAC, API keys, and multi-tenancy isolation. This is a high-trust, high-impact role at the intersection of security, product, and platform engineering, shaping how millions of end users authenticate into AI-generated applications.
About Lovable & the Apps Platform
Lovable is an AI-powered software creation platform. Millions of users use Lovable to go from idea to working application, generating hundreds of thousands of apps every day.
The Lovable Apps Platform is what makes those generated apps actually run in production. The moment a user hits deploy, the Apps Platform takes over — provisioning the database, handling user auth, storing files, serving the app over a custom domain, capturing logs, and metering usage. It's the full backend and hosting layer for every app built on Lovable, designed so creators never have to think about infrastructure to ship something real.
The Apps Platform is growing fast, and we're investing heavily in each layer of the stack — building deeper ownership over the services that power our users' apps so we can move faster, scale better, and shape the product experience we and our users actually want.
THE ROLE
We're looking for an identity and access specialist to own authentication, authorization, and user management across the Lovable Apps Platform. You'll build the identity layer that both Lovable's own platform and every user-generated app depend on — from auth flows and session management to RBAC, API keys, and multi-tenancy isolation.
Identity is the front door to every Lovable app. As we move from a bundled auth stack to our own composable identity layer, we need someone who can build a system that's both developer-friendly and security-hardened. You'll shape how millions of end users authenticate into AI-generated applications — and how Lovable's own platform manages access, secrets, and trust. This is a high-trust, high-impact role at the intersection of security, product, and platform engineering.
WHAT YOU'LL DO
- Design and build the Apps Platform's identity and access management system, covering both platform-level auth (Lovable users) and app-level auth (end users of Lovable-generated apps)
- Implement authentication flows: OAuth 2.0/OIDC, magic links, social login providers, MFA, and session management
- Build a robust authorization model: RBAC, row-level security, API key management, and fine-grained permissions
- Own multi-tenancy isolation — ensuring that user apps, data, and credentials are securely separated
- Manage secrets infrastructure: secure storage, rotation, and access control for database credentials, API keys, and service tokens
- Migrate identity services from the current bundled setup to a fully owned, composable identity layer without breaking user sessions
- Operate auth as a production service: monitoring, alerting, incident response, and capacity planning for a system on the critical path of every request
- Collaborate with the AI and product teams to ensure that generated apps get secure-by-default auth without requiring user expertise
WHAT WE'RE LOOKING FOR
- Deep expertise in identity and access management: OAuth 2.0, OIDC, SAML, JWT, session management, and token lifecycle
- Experience building or operating auth systems at scale — ideally in a multi-tenant SaaS or PaaS context
- Strong security mindset: you treat credential leakage, privilege escalation, token theft, and tenant isolation as first-class concerns
- Experience with RBAC/ABAC models and row-level security in Postgres
- Familiarity with identity providers and auth services (Auth0, Supabase Auth, Clerk, Firebase Auth, Keycloak, etc.)
- Comfortable with TypeScript across backend services and API layers
- You've migrated auth systems or transitioned between identity providers in production without breaking user sessions
- Operational instincts: you think in uptime, latency percentiles, and blast radius — auth outages take down everything downstream
NICE TO HAVE
- Experience with secrets management tools (Vault, AWS Secrets Manager, or similar)
- Background in compliance-relevant auth work (SOC 2, GDPR, HIPAA)
- Familiarity with Supabase Auth internals (GoTrue) or similar open-source auth servers
- Experience designing auth for AI-generated or low-code applications
- Familiarity with managed cloud services (AWS, GCP) and the tradeoffs of buy-vs-build for identity infrastructure
Our tech stack
We're building with tools that both humans and AI love. Lovable software engineers are capable of working across the whole stack. Examples of tech in our stack include:
- Frontend: React and TypeScript.
- Backend: Golang and Rust.
- Cloud: Cloudflare, GCP, AWS, Modal.
- Data: ClickHouse, Firestore, Spanner, BigQuery.
- DevOps & Tooling: CI/CD pipelines, OTEL, Kubernetes, Terraform.
And always on t