GitHub user dosubot[bot] added a comment to the discussion: 404 Not Found When Calling `/api/v1/dashboard/:id/embedded` Despite Valid Login + CSRF
Superset’s embedded endpoints are very strict about session and CSRF validity—if the session cookie and CSRF token don’t match or aren’t set with the right attributes, you’ll get a silent 404, even if everything else is correct. Playwright works because it uses the browser’s session cookie, which is set with all required flags (SameSite, Secure, domain, HttpOnly) and is tightly linked to the browser’s authentication flow. Manual API scripts often miss these details, especially if you don’t extract just the session cookie value or if you pass the full Set-Cookie string or array instead of a single key=value pair in the Cookie header [see discussion](https://github.com/apache/superset/discussions/34738).

To avoid this, always:

- Call `/api/v1/security/csrf_token/` with the Authorization header after login.
- Extract the session cookie from the Set-Cookie header (just `session=...`, not the whole string).
- Persist and reuse both the session cookie and CSRF token for all requests.
- Pass the Cookie header as a single string: `session=...` (or join multiple cookies with `; `).
- Make sure your script sets the same cookie attributes as the browser (SameSite, Secure, domain, HttpOnly) if possible [see code](https://github.com/apache/superset/blob/master/superset/utils/machine_auth.py).

If you still see 404s, compare the cookie attributes in your script vs. Playwright using browser dev tools. Any mismatch can cause Superset to silently reject the session. This is why browser automation works, but manual scripts often fail for embedded endpoints [see more](https://github.com/apache/superset/discussions/33585).

GitHub link: https://github.com/apache/superset/discussions/35997#discussioncomment-14888093
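The cookie-handling steps listed in the comment above, as an added example that is not part of the original comment or of Superset's code: it reduces raw `Set-Cookie` values to a single `Cookie` header string and builds the headers to reuse on later requests. The `Bearer` scheme, the `X-CSRFToken` header name, the function names and all sample values are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie values as a login response might return them.
SAMPLE_SET_COOKIE = [
    "session=eyJjb25zdHJ1Y3RlZCI6dHJ1ZX0.aBcDeF.sig-constructed; HttpOnly; Path=/; SameSite=Lax",
    "locale=en; Path=/",
]


def cookie_header(set_cookie_values, keep=("session",)):
    """Turn raw Set-Cookie values into the value of a Cookie request header.

    Only name=value pairs go back to the server; Path, HttpOnly, Secure and
    SameSite are directives for the client. keep=None keeps every cookie.
    """
    if isinstance(set_cookie_values, str):
        set_cookie_values = [set_cookie_values]
    pairs = {}
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)  # parses one Set-Cookie value, attributes included
        for name, morsel in jar.items():
            if keep is None or name in keep:
                # coded_value is the value exactly as the server sent it;
                # a later Set-Cookie for the same name replaces an earlier one.
                pairs[name] = morsel.coded_value
    if "session" not in pairs:
        raise ValueError("no session cookie in the Set-Cookie values")
    return "; ".join(f"{name}={value}" for name, value in pairs.items())


def api_headers(access_token, csrf_token, set_cookie_values):
    """Headers to reuse on every request after login (names are assumptions)."""
    return {
        "Authorization": f"Bearer {access_token}",
        "X-CSRFToken": csrf_token,
        "Cookie": cookie_header(set_cookie_values),
    }


if __name__ == "__main__":
    print(api_headers("ACCESS_TOKEN_PLACEHOLDER", "CSRF_TOKEN_PLACEHOLDER",
                      SAMPLE_SET_COOKIE))
```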
