Lead Engineer Identity and Access Management (m/w/d) 80-100%

Help us make Swiss small businesses even more successful! Sounds like a big vision? That's exactly what drives us every day.

At bexio, we live by the philosophy that top-tier, efficient, and smart software solutions must be accessible and affordable for every SME. With this mission, we are now the leading provider of cloud-based business software in Switzerland.

Our expansion is moving fast: over 100,000 satisfied customers, more than 7,000 fiduciary partners, and a strong team of over 150 motivated employees speak for themselves. To continue writing this success story, we are looking for great people to join us. And that’s is where you come in!

Your impact with us

• You take technical responsibility for our IAM services with a focus on Keycloak, the User Profile Service, and the integration of connected applications.

• You further develop and stabilize existing authentication and authorization flows in a mature system landscape containing PHP legacy parts and JVM-based services.

• Designing and implementing Keycloak setups, clients, realms, role, group, claim, and token mappings for productive SaaS use cases is part of your role.

• You develop and maintain Keycloak extensions, custom providers, and deeper service integrations within the JVM environment.

• You gradually replace legacy auth logic in existing applications without unnecessarily jeopardizing stability, user experience, or ongoing product development.

• Technical leadership of a small, hands-on development team with a PHP and JVM focus through code reviews, pair programming, architectural sparring, and clear technical guidelines is a key part of your work.

• You ensure a stable and highly observable operation of the IAM services through monitoring, alerting, incident analysis, bug fixing, performance optimization, and the continuous reduction of technical debt.

What you bring to the table

• You bring sound practical experience with Java/JVM and Keycloak in productive, ideally multi-tenant SaaS environments.

• Deep technical understanding of OpenID Connect (OIDC), OAuth 2.0, and common web security standards (JWT, CORS, state handling) is required.

• You have sound knowledge of, or the willingness to dive deeply into, existing PHP code to understand and gradually replace legacy auth logic.

• You possess a strong awareness of clean code, automated deployment pipelines, scalability, and system performance.

• Clear and professional communication at eye level with Product Owners, developers, and various stakeholders enables you to soundly justify technical decisions.

• High personal responsibility, strong organizational skills, and clear technical communication are essential for you to effectively structure, prioritize, and lead yourself and your team across multiple topics, systems, and stakeholders.

What you can look forward to

• Hybrid model and working hours that fit your life.

• 5 weeks of holiday plus optional unpaid leave.

• Yoga, bootcamps, massages and legendary BBQs.

• 16 weeks of maternity and 3 weeks of paternity leave.

• bexio covers 63% of your pension contributions – for a higher net salary.