Authentication
Cubewire supports two authentication paths depending on your use case:
| Method | Use case | Guide |
|---|---|---|
| Console Access | Human users managing vaults and policies | Console Access |
| Programmatic Access | Backend services calling the API | Programmatic Access |
Console access
For users signing into the dashboard at wallet.cubewire.com:
- Email/password — Standard authentication with email verification
- Google — Sign in with your Google account
- Enterprise SSO — SAML 2.0 or OIDC for organizations that require centralized identity
- MFA — Optional multi-factor authentication via authenticator app
Console Access
Dashboard authentication, MFA setup, and SSO configuration.
Programmatic access
For backend services integrating with the Cubewire API:
- OAuth 2.0 Client Credentials — Industry-standard server-to-server flow
- Short-lived tokens — Access tokens expire after 1 hour
- Role-based permissions — Credentials inherit access from assigned roles
Programmatic Access
API authentication using OAuth 2.0 client credentials.
Security fundamentals
Never expose secrets in client-side code. Store credentials in environment variables or a secrets manager. Rotate immediately if compromised.
| Practice | Why it matters |
|---|---|
| Use environment variables | Keep CLIENT_ID and CLIENT_SECRET out of source code |
| Refresh tokens proactively | Request new tokens before expiry to avoid failed requests |
| Apply least privilege | Assign only the permissions each credential needs |
| Monitor access logs | Detect unusual activity early |
| Rotate credentials regularly | Limit exposure window if credentials are compromised |
Next
- Console Access — Dashboard login, MFA, and SSO
- Programmatic Access — API authentication with OAuth 2.0
Authentication
Cubewire supports two authentication paths depending on your use case:
| Method | Use case | Guide |
|---|---|---|
| Console Access | Human users managing vaults and policies | Console Access |
| Programmatic Access | Backend services calling the API | Programmatic Access |
Console access
For users signing into the dashboard at wallet.cubewire.com:
- Email/password — Standard authentication with email verification
- Google — Sign in with your Google account
- Enterprise SSO — SAML 2.0 or OIDC for organizations that require centralized identity
- MFA — Optional multi-factor authentication via authenticator app
Console Access
Dashboard authentication, MFA setup, and SSO configuration.
Programmatic access
For backend services integrating with the Cubewire API:
- OAuth 2.0 Client Credentials — Industry-standard server-to-server flow
- Short-lived tokens — Access tokens expire after 1 hour
- Role-based permissions — Credentials inherit access from assigned roles
Programmatic Access
API authentication using OAuth 2.0 client credentials.
Security fundamentals
Never expose secrets in client-side code. Store credentials in environment variables or a secrets manager. Rotate immediately if compromised.
| Practice | Why it matters |
|---|---|
| Use environment variables | Keep CLIENT_ID and CLIENT_SECRET out of source code |
| Refresh tokens proactively | Request new tokens before expiry to avoid failed requests |
| Apply least privilege | Assign only the permissions each credential needs |
| Monitor access logs | Detect unusual activity early |
| Rotate credentials regularly | Limit exposure window if credentials are compromised |
Next
- Console Access — Dashboard login, MFA, and SSO
- Programmatic Access — API authentication with OAuth 2.0