docs: document Cube token authentication for the Chat API#11231
Conversation
Chat API requests can now be authenticated with the deployment's own Cube token (JWT) passed in the X-Cube-Auth-Token header, as an alternative to API keys. The token must be valid for the agent's deployment and carry the chat scope; the external user and security context are resolved from the token claims, and the same token is used as query credentials so row-level security applies unchanged. The feature is opt-in per deployment. Adds a Cube token authentication section to the Chat API reference page and registers the alternative security scheme in the Chat API OpenAPI spec. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BfzMYkSrtEBV9ViFCyrePL
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
|
Claude finished @paveltiunov's task in 44s —— View job Code reviewDocs-only change; content is clear and consistent with the rest of Nits (non-blocking)
PR description flags for verification before merge (author already called these out):
Positive
No blocking issues from a docs correctness standpoint. |
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BfzMYkSrtEBV9ViFCyrePL
|
Claude finished @paveltiunov's task in 34s —— View job Code review (updated)Re-reviewed after commit Full review — 0 blocking, 3 nits (unchanged from prior pass)Nits (non-blocking)
Verification flags still open (called out in PR description)
Positive
No blocking issues from a docs correctness standpoint. |
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BfzMYkSrtEBV9ViFCyrePL
|
Claude finished @paveltiunov's task in 42s —— View job Code review (updated after
|
Corrects the scope claim to scope (array), documents the sub claim fallback and optional email claim, notes Authorization header precedence, adds the exact deployment settings path, qualifies sessionSettings as API-key-only, and fixes auth error reporting (JSON-RPC error in HTTP 200). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BfzMYkSrtEBV9ViFCyrePL
|
Claude finished @paveltiunov's task in 1m 23s —— View job Code review (updated after
|
Check List
Description of Changes Made (if issue reference is not provided)
Documents the recently added ability to authenticate Chat API requests with the deployment's own Cube token (JWT), as an alternative to API keys (implemented in cubedevinc/cubejs-enterprise#12808). Details verified against the enterprise implementation.
docs-mintlify/reference/embed-apis/chat-api.mdx: splits the Authentication section into API key authentication (existing content) and a new Cube token authentication subsection — the deployment's Cube JWT (validated via the API secret, JWKS, or customcheck_auth) passed in theX-Cube-Auth-Tokenheader, with a requiredexternalIdclaim (falling back tosub), ascopeclaim includingchat, and an optionalemailclaim. CoversAuthorizationheader precedence, how thechatscope is asserted on the resolved security context with customcheck_auth, that the caller's token is used as query credentials (so row-level security applies unchanged), how to enable the feature in deployment settings, and thatsessionSettingsis ignored with Cube token authentication. Also updates the abort endpoint's authentication note and the error-handling section (auth failures are returned as a JSON-RPC error object in an HTTP 200 response).docs-mintlify/api-reference/chat.yaml: registers acubeTokensecurity scheme (X-Cube-Auth-Tokenheader) as an alternative toapiKeyin the Chat API OpenAPI spec.🤖 Generated with Claude Code
https://claude.ai/code/session_01BfzMYkSrtEBV9ViFCyrePL