GitHub user dosubot[bot] added a comment to the discussion: How to manage user 
accounts using API

To manage users via the Superset API, you need to be on Superset 5.0.0 or later 
and set `FAB_ADD_SECURITY_API = True` in your config. The correct endpoint for 
creating users is `POST /api/v1/security/users/`, and you must authenticate as 
an admin using a JWT bearer token. Disabling CSRF protection can help, but the 
API still expects a valid `Authorization` header, a CSRF token (`X-CSRFToken`), 
and session cookies managed by your HTTP client—just setting config flags is 
not enough to bypass these checks 
[[docs](https://github.com/apache/superset/discussions/35855)].

A "Forbidden" error usually means your API request is missing authentication, 
the admin role lacks the right permissions, or your Superset version doesn't 
support the endpoint [[docs](https://github.com/apache/superset/issues/34467)]. 
After updating your config, run `superset init` to sync roles and permissions.

Here’s a working example using Python requests:

```python
import requests

session = requests.Session()

# 1. Log in to get an access token
login_resp = session.post(
    "https://your-superset/api/v1/security/login",
    json={"username": "admin", "password": "your_password", "provider": "db"}
)
access_token = login_resp.json()["access_token"]
session.headers.update({"Authorization": f"Bearer {access_token}"})

# 2. Get a CSRF token (the session keeps the matching cookies)
csrf_resp = session.get("https://your-superset/api/v1/security/csrf_token/")
csrf_token = csrf_resp.json()["result"]
session.headers.update({"X-CSRFToken": csrf_token})

# 3. Create the user
payload = {
    "username": "newuser",
    "email": "[email protected]",
    "first_name": "New",
    "last_name": "User",
    "password": "securepassword",
    "roles": [1]  # Use the correct role ID(s) for your setup
}
resp = session.post("https://your-superset/api/v1/security/users/", json=payload)
print(resp.status_code, resp.json())
```

If you still get "Forbidden", double-check your Superset version, ensure your 
admin user is properly authenticated, and confirm the admin role has all 
necessary permissions 
[[docs](https://github.com/apache/superset/discussions/32299)].



GitHub link: 
https://github.com/apache/superset/discussions/35887#discussioncomment-14815743
