Second Brain

❯

❯

cleanup 2026 04 17 conversation flush bulk

❯

❯

❯

cube query uses 5min hs256 jwt with security context

cube-query-uses-5min-hs256-jwt-with-security-context

Apr 17, 20261 min read

domain/snowflake
ops/security
infra/database

cube-query-uses-5min-hs256-jwt-with-security-context

Live Cube wiring authenticates via a 5-minute HS256 JWT signed per-request in execute_cube_query. The security context is assembled from DB roles + workspaces + claims by build_user_security_context. Short TTL is intentional — role revocation propagates within 5 minutes.

Related

vantage-rbac-rls-non-negotiable-v1-gate
r-dash-wave-2-code-complete-closeout
rbac-rls-at-query-execution-layer-is-non-negotiable-enterpri
rls-at-query-execution-layer-enterprise-bi-non-negotiable
rbac-rls-must-enforce-at-query-execution-not-ui
column-masks-reapplied-on-cached-results-defense-in-depth
cube-js-widget-data-jwt-signing-pattern
column-mask-reapply-on-cached-results
cubejs-jwt-hs256-5min-exp-issuer-locked-security-context
cube-query-cache-column-masks-reapplied-on-cache-hit
cubejs-jwt-pattern-hs256-5min-exp-issuer-locked
cubejs-jwt-hs256-5min-exp-with-security-context
cube-js-jwt-dev-fallback-key-is-publicly-known

Graph View

cube-query-uses-5min-hs256-jwt-with-security-context
Related

Backlinks

column-mask-reapply-on-cached-results
column-masks-reapplied-on-cached-results-defense-in-depth
cube-js-jwt-dev-fallback-key-is-publicly-known
cube-query-cache-column-masks-reapplied-on-cache-hit
rbac-rls-at-query-execution-layer-is-non-negotiable-enterpri
rbac-rls-must-enforce-at-query-execution-not-ui
rls-at-query-execution-layer-enterprise-bi-non-negotiable
vantage-rbac-rls-non-negotiable-v1-gate
cube-js-widget-data-jwt-signing-pattern
cubejs-jwt-hs256-5min-exp-issuer-locked-security-context
cubejs-jwt-hs256-5min-exp-with-security-context
cubejs-jwt-pattern-hs256-5min-exp-issuer-locked

Created with Quartz v4.5.2 © 2026

CIOS
Mission Control