Staff Platform Security Engineer (IAM)

About the Company

Gemini is a global crypto and Web3 platform founded by Cameron and Tyler Winklevoss in 2014, offering a wide range of simple, reliable, and secure crypto products and services to individuals and institutions in over 70 countries. Our mission is to unlock the next era of financial, creative, and personal freedom by providing trusted access to the decentralized future. We envision a world where crypto reshapes the global financial system, internet, and money to create greater choice, independence, and opportunity for all — bridging traditional finance with the emerging cryptoeconomy in a way that is more open, fair, and secure.

The Department: Platform Security

The Platform Security team secures Gemini’s infrastructure through service hardening and by developing and supporting a suite of foundational tools. We provide secure-by-default infrastructure, consumable security services, and expert consultation to engineering teams for secure cloud and non-cloud infrastructure.

The Role: Staff Platform Security Engineer (IAM)

The Platform Security team builds zero-trust identity and access management foundations so every Gemini team can authenticate and authorize securely. As a Staff IAM Security Engineer, you will build IAM services, authentication systems, and identity infrastructure that protect both our workforce and workloads. This is a hands-on engineering role where you'll write production code daily, not just configuration.

You'll own the full lifecycle of IAM solutions from design through production operations. This role requires strong software development skills, deep understanding of authentication protocols, and practical experience with PKI and secrets management. You'll partner with engineering teams to enable secure access patterns while maintaining usability.

This role is required to be in person twice a week at either our San Francisco, CA or New York City, NY office.

Responsibilities:

• Build and maintain IAM services and authentication systems using Python or Go
• Design and implement workforce identity solutions with Okta and multi-IdP architectures
• Develop PKI infrastructure and certificate lifecycle management for service authentication
• Create secrets management platforms with automated rotation and zero-knowledge patterns
• Build authorization services, access control systems, and policy engines
• Partner with engineering teams on identity architecture and secure authentication patterns
• Participate in on-call rotation for platform security incidents

Minimum Qualifications:

• Strong software development skills in Python or Go with experience building production services
• Deep knowledge of identity protocols and standards including OAuth2, SAML, OpenID Connect, and WebAuthn
• Experience with PKI systems, certificate management, and applied cryptography
• Experience with HashiCorp Vault or similar secrets management platforms
• Proven expertise with AWS IAM, STS, and cloud identity services
• Proficiency in Terraform for infrastructure-as-code
• Experience building and operating high-availability authentication services

Preferred Qualifications:

• Experience with Okta, Auth0, or similar enterprise IdP platforms
• Knowledge of SPIFFE/SPIRE and workload identity systems
• Background in zero-trust architecture and BeyondCorp principles
• Experience with hardware security modules (HSM) and key management systems
• Contributions to identity or cryptography open source projects

• Competitive starting salary
• A discretionary annual bonus
• Long-term incentive in the form of a new hire equity grant
• Comprehensive health plans
• 401K with company matching
• Paid Parental Leave
• Flexible time off

Salary Range: The base salary range for this role is between $168,000 - $240,000 in the State of New York, the State of California and the State of Washington. This range is not inclusive of our discretionary bonus or equity package. When determining a candidate’s compensation, we consider a number of factors including skillset, experience, job scope, and current market data.

In the United States, employees within the New York, Seattle, San Francisco, and Miami metropolitan areas are expected to work from the designated office on a hybrid cadence, unless there is a job-specific requirement to be in the office every work day. We believe our hybrid approach for those near our NYC, Seattle, San Francisco, and Miami offices increases productivity through more in-person collaboration where possible. Employees outside of these areas are considered part of our remote-first workforce.

At Gemini, we strive to build diverse teams that reflect the people we want to empower through our products, and we are committed to equal employment opportunity regardless of race, color, ancestry, religion, sex, national origin, sexual orientation, age, citizenship, marital status, disability, gender identity, or Veteran status. Equal Opportunity is the Law, and Gemini is proud to be an equal opportunity workplace. If you have a specific need that requires accommodation, please let a member of the People Team know.

#LI-ES1