cube-js-widget-data-jwt-signing-pattern
Cube.js queries are authenticated via 5-minute HS256 JWT signed with CUBEJS_API_SECRET. build_user_security_context assembles roles + workspaces + claims from DB and embeds them in the JWT payload as securityContext. POST goes to /cubejs-api/v1/load. Contract is tested with mocked httpx but not yet verified against a live Cube.js + Snowflake instance.