cubejs-jwt-pattern-hs256-5min-exp-issuer-locked

Cube.js API authentication uses HS256 JWTs signed with the secret in the CUBEJS_API_SECRET environment variable, with a 5-minute expiry and issuer locking. The build_user_security_context function assembles roles, workspaces, and claims from the database before signing. The short expiry is intentional: it limits the blast radius of a leaked token in the widget-data hot path.
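The sign-and-verify checks this pattern implies, as an added example using only the Python standard library; it is not the project's own code. The issuer string, the `sign_token`/`verify_token` names, and the sample context are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

ISSUER = "example-dashboard-backend"   # assumed issuer string, not from the page
TTL_SECONDS = 300                      # the 5-minute expiry described above

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def sign_token(context: dict, secret: bytes, now: int, issuer: str = ISSUER) -> str:
    """Sign a security context; iss/iat/exp are set last so context cannot override them."""
    payload = {**context, "iss": issuer, "iat": now, "exp": now + TTL_SECONDS}
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(_b64(json.dumps(part).encode()) for part in (header, payload))
    return signing_input + "." + _b64(_mac(secret, signing_input))

def verify_token(token: str, secret: bytes, now: int) -> dict:
    """Return the claims, or raise ValueError naming the failed check."""
    try:
        head, body, sig = token.split(".")
        header, signature = json.loads(_unb64(head)), _unb64(sig)
    except ValueError:
        raise ValueError("malformed token") from None
    # Pin the algorithm instead of trusting the header ("none" or RS256 are rejected).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_mac(secret, f"{head}.{body}"), signature):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))   # parsed only after the MAC checks out
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims

if __name__ == "__main__":
    # Constructed stand-in for what build_user_security_context returns.
    ctx = {"roles": ["analyst"], "workspaces": ["ws-1"]}
    secret = b"constructed-demo-secret"     # in deployment: CUBEJS_API_SECRET
    token = sign_token(ctx, secret, now=1_700_000_000)
    print(verify_token(token, secret, now=1_700_000_299)["roles"])
```

Passing `now` explicitly keeps the expiry boundary testable; a deployment would pass `int(time.time())` and read the secret from the environment.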