GitHub user dosubot[bot] added a comment to the discussion: Embed Dashboard 
Without Superset UI

Hi @wacree06! I'm [Dosu](https://go.dosu.dev/dosubot) and I'm helping the 
Superset team.

Yes, you can embed a Superset dashboard in your frontend without manually 
enabling embedding via the Superset UI. You need to configure Superset to 
support embedding and then programmatically enable embedding for each dashboard 
using the API.

**Key steps:**

1. **superset_config.py settings:**  
   - Set feature flags:  
     ```python
     FEATURE_FLAGS = {
         'DASHBOARD_CROSS_FILTERS': True,
         'EMBEDDABLE_CHARTS': True,
         'EMBEDDED_SUPERSET': True,
     }
     ```
   - Enable guest tokens:  
     ```python
     ENABLE_GUEST_TOKEN = True
     GUEST_ROLE_NAME = 'Gamma'  # or your custom read-only role
     ```
   - Enable CORS and configure allowed origins:  
     ```python
     ENABLE_CORS = True
     CORS_OPTIONS = {
         'supports_credentials': True,
         'allow_headers': ['*'],
         'resources': {r'/*': {'origins': ['http://localhost:3000']}},
         'origins': ['*', 'http://localhost:8089', 'http://localhost:3000'],
     }
     ```
   - Set allowed embedding domains:  
     ```python
     ALLOWED_DOMAINS = ['localhost:3000']
     ALLOWED_EMBEDDING_DOMAINS = ['localhost:3000']
     ```
   - (Optional) Disable CSRF for embedding:  
     ```python
     WTF_CSRF_ENABLED = False
     ```
   - Configure Content Security Policy for iframe embedding:  
     ```python
     TALISMAN_ENABLED = True
     TALISMAN_CONFIG = {
         "content_security_policy": {
             "frame-ancestors": ["http://localhost:3000"],
         }
     }
     ```
   [Reference](https://github.com/apache/superset/issues/33702)

2. **Programmatically enable embedding for a dashboard:**  
   After your LLM/MCP creates a dashboard, call the Superset API:
   ```
   POST /api/v1/dashboard/<id_or_slug>/embedded
   {
     "allowed_domains": ["localhost:3000"]
   }
   ```
   This sets up the dashboard for embedding without UI steps.  
   [Reference](https://github.com/apache/superset/blob/master/superset/dashboards/api.py)

3. **Guest token authentication:**  
   Generate a guest token in your backend (using the same secret as Superset) 
and pass it to your frontend. The frontend uses the Embedded SDK 
(`@superset-ui/embedded-sdk`) to render the dashboard in an iframe, 
authenticating with the guest token.  
   [Reference](https://github.com/apache/superset-embedded-sdk/README.md)

4. **Workflow:**  
   - LLM/MCP creates dashboard via Superset API.
   - Your backend enables embedding for the dashboard via the `/embedded` API.
   - Backend generates a guest token for the dashboard.
   - Frontend receives the dashboard ID and guest token, then uses the Embedded 
SDK to render the dashboard.

**Security notes:**  
- Only allow trusted domains in your embedding config.
- Guest tokens should use a read-only role.
- Making dashboards public (no authentication) is possible but not recommended 
for sensitive data.

Let me know if you want example code for any of these steps!



GitHub link: 
https://github.com/apache/superset/discussions/36455#discussioncomment-15199784
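
A configuration check for the `superset_config.py` settings listed in the comment above, as an added example that is not part of the original comment or of Superset. The `audit_embedding_config` helper is hypothetical, and `PAGE_CONFIG` is a constructed input that collects the comment's values into one dict.

```python
from urllib.parse import urlsplit

# Constructed input: the comment's settings collected into one dict.
PAGE_CONFIG = {
    "CORS_OPTIONS": {
        "supports_credentials": True,
        "resources": {r"/*": {"origins": ["http://localhost:3000"]}},
        "origins": ["*", "http://localhost:8089", "http://localhost:3000"],
    },
    "ALLOWED_EMBEDDING_DOMAINS": ["localhost:3000"],
    "WTF_CSRF_ENABLED": False,
    "TALISMAN_ENABLED": True,
    "TALISMAN_CONFIG": {
        "content_security_policy": {"frame-ancestors": ["http://localhost:3000"]}
    },
}


def _host(value):
    """Reduce 'http://host:port' or bare 'host:port' to 'host:port'."""
    return urlsplit(value).netloc if "://" in value else value


def audit_embedding_config(cfg):
    """Hypothetical helper: return (setting, problem) pairs for risky values."""
    findings = []
    cors = cfg.get("CORS_OPTIONS", {})
    origins = list(cors.get("origins", []))
    for rule in cors.get("resources", {}).values():
        origins.extend(rule.get("origins", []))
    # With credentials allowed, a wildcard entry cancels the named allow-list.
    if "*" in origins and cors.get("supports_credentials"):
        findings.append(("CORS_OPTIONS", "wildcard origin with credentials"))
    # Flask-WTF's switch is global, not scoped to the embedding endpoints.
    if not cfg.get("WTF_CSRF_ENABLED", True):
        findings.append(("WTF_CSRF_ENABLED", "CSRF checks off for the whole app"))
    csp = cfg.get("TALISMAN_CONFIG", {}).get("content_security_policy", {})
    ancestors = csp.get("frame-ancestors", []) if cfg.get("TALISMAN_ENABLED") else []
    if isinstance(ancestors, str):
        ancestors = ancestors.split()
    if not ancestors or "*" in ancestors:
        findings.append(("TALISMAN_CONFIG", "framing is not restricted"))
    else:
        # A parent page missing from frame-ancestors is blocked by the browser.
        framed = {_host(a) for a in ancestors}
        for domain in cfg.get("ALLOWED_EMBEDDING_DOMAINS", []):
            if _host(domain) not in framed:
                findings.append(("ALLOWED_EMBEDDING_DOMAINS", f"{domain} not in frame-ancestors"))
    return findings
```

Run on the comment's values, it reports the wildcard CORS origin combined with credentials and the disabled CSRF protection.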
