Authentication and Authorization

Cube can be configured with dynamic username & password verification system by setting a checkSqlAuth() function in the cube.js configuration file. This function should verify username and return object with password and security context.

If password returned from this function matches provided in connection string user will be authenticated with provided security context.

module.exports = {
  checkSqlAuth: async (req, username) => {
    if (username === 'fooUser') {
      return {
        password: 'mypassword',
        securityContext: {},

    throw new Error('Incorrect user name or password');

Cube's SQL API can also use the Security Context for Dynamic Schema Creation or queryRewrite property in your cube.js configuration file.

By default, the SQL API uses the current user's Security Context, but this behaviour can be modified so that certain users are allowed to switch. To do this, we must first define which user is allowed to change Security Context:

First, you need to define what user is allowed to change security context:


If it's not enough for your case, you define your logic for check with canSwitchSqlUser property in your cube.js configuration file.

You can change security context for specific query via virtual filter on:

SELECT * FROM Orders WHERE __user = 'anotheruser';

Did you find this page useful?