GitHub user dosubot[bot] added a comment to the discussion: 404 Not Found When Calling `/api/v1/dashboard/:id/embedded` Despite Valid Login + CSRF

Yes, there are a couple of ways to programmatically get a valid Superset session cookie for API use:

1. The standard method is to call `/api/v1/security/csrf_token/` with your `Authorization` header after login. The response will include a new session cookie in the `Set-Cookie` header—extract and persist this cookie for all subsequent requests. This is how Superset expects API clients to manage sessions and CSRF protection, especially for embedded endpoints. You can automate this flow in Python, curl, or Postman by capturing the cookie from the response headers and reusing it in your requests ([example code](https://github.com/apache/superset/blob/master/superset/tasks/utils.py#L13-L44)).

2. If you need to generate cookies outside the browser (for automation, testing, or browser automation), Superset provides backend utilities like `MachineAuthProvider`. This class can log in a user programmatically and return the session cookie as a dictionary, which you can then use in your API client or automation script ([see implementation](https://github.com/apache/superset/blob/master/superset/utils/machine_auth.py#L13-L94)). This is mainly used for automated testing or headless browser scenarios.

For most API automation, stick to the CSRF token endpoint flow. If you need to authenticate a browser or automation context, use the machine auth provider to set cookies directly. Make sure the session cookie and CSRF token always match the authenticated user—otherwise, Superset will silently return 404 on embedded endpoints.

GitHub link: https://github.com/apache/superset/discussions/35997#discussioncomment-14887916
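
The CSRF-token flow from the answer above, as an added example (not code from the Superset project or from the comment's author): a minimal standard-library client that keeps the bearer token, the session cookie from `Set-Cookie`, and the CSRF token bound to one login. The class name `SupersetClient` and its methods are hypothetical, and the `/api/v1/security/login` payload assumes Superset's database auth provider.

```python
import json
import urllib.request
from http.cookiejar import CookieJar


class SupersetClient:
    """Hypothetical helper: one login = one JWT + one session cookie + one CSRF token."""

    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")
        self.jar = CookieJar()  # stores the session cookie from Set-Cookie
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(self.jar))
        self.access_token = None
        self.csrf_token = None

    def _call(self, method, path, body=None, headers=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        for name, value in (headers or {}).items():
            req.add_header(name, value)
        # The opener attaches cookies from self.jar and records any new ones.
        with self.opener.open(req, timeout=10) as resp:
            return json.loads(resp.read() or b"{}")

    def _auth(self):
        return {"Authorization": f"Bearer {self.access_token}"}

    def login(self, username, password, provider="db"):
        out = self._call("POST", "/api/v1/security/login", {
            "username": username, "password": password,
            "provider": provider, "refresh": True})
        self.access_token = out["access_token"]

    def fetch_csrf(self):
        # Token comes back in the JSON body; the matching session cookie
        # arrives in Set-Cookie and is kept in self.jar.
        out = self._call("GET", "/api/v1/security/csrf_token/", headers=self._auth())
        self.csrf_token = out["result"]
        return self.csrf_token

    def post(self, path, body):
        # Every write carries the same identity: bearer token, cookie, CSRF token.
        if self.csrf_token is None:
            raise RuntimeError("call fetch_csrf() before state-changing requests")
        headers = dict(self._auth(), **{"X-CSRFToken": self.csrf_token})
        return self._call("POST", path, body, headers)
```

Creating a fresh client per user avoids mixing one user's session cookie with another user's CSRF token, the mismatch the answer warns about.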
