GitHub user dosubot[bot] added a comment to the discussion: API returns empty 
dashboards/charts (count:0) after successful login on Superset 4.1.2

Hi @xokok! I'm [Dosu](https://go.dosu.dev/dosubot) and I'm helping the Superset team.

This is a **known issue** in Superset 4.1.x. The `/api/v1/security/login` 
endpoint returns a JWT token but does **not** set the session cookies that many 
API endpoints require. Without the session cookie, the API silently returns 
empty results instead of a proper 401/403 error.

**The fix**: After login, you need to fetch a CSRF token, which will 
automatically set the necessary session cookies:

```python
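import json  # needed for json.dumps() below


def login(self):
    url = self.base_url + '/security/login'
    data = {
        "password": "password",
        "provider": "db",
        "refresh": True,
        "username": "apiuser"
    }
    headers = {"Content-Type": "application/json"}
    # verify=False skips TLS certificate verification; pass a CA bundle path
    # instead when the server certificate can be validated.
    resp = self.session.post(url, data=json.dumps(data), headers=headers, verify=False)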
    if resp.status_code == 200:
        self.token = resp.json()['access_token']
        print("login successful")
        
        # IMPORTANT: Fetch CSRF token to establish session cookies
        csrf_url = self.base_url + '/security/csrf_token/'
        csrf_headers = {
            "Authorization": "Bearer " + self.token,
            "Content-Type": "application/json"
        }
        csrf_resp = self.session.get(csrf_url, headers=csrf_headers, verify=False)
        if csrf_resp.status_code == 200:
            self.csrf_token = csrf_resp.json()['result']
            print("CSRF token obtained, session established")

def get_all_dashboards(self):
    if not self.token:
        self.login()

    url = self.base_url + '/dashboard/'
    headers = {
        "Authorization": "Bearer " + self.token,
        "Content-Type": "application/json",
        "X-CSRFToken": self.csrf_token  # Include CSRF token
    }

    resp = self.session.get(url, headers=headers, verify=False)
    print("response status:", resp.status_code)
    print("response data:", resp.text)
```

Key points:
1. Use `requests.Session()` (which you already do) to let it manage cookies 
automatically
2. Call `/api/v1/security/csrf_token/` after login to establish the session
3. Include the `X-CSRFToken` header in subsequent requests

This is documented in [this 
discussion](https://github.com/apache/superset/discussions/35855) where others 
have experienced the same behavior.



GitHub link: 
https://github.com/apache/superset/discussions/38814#discussioncomment-16286730
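
A stricter version of the flow in the comment above, added here as an example (not code from the Superset project or from the comment's author): it raises when login, the CSRF call or the session cookie is missing, and treats `count: 0` without a session cookie as an authentication failure instead of an empty result. The cookie name `session` (Flask's default), the helper names and the `FakeSession` stub are assumptions made for illustration.

```python
class SupersetAuthError(RuntimeError):
    pass

def establish_session(session, base_url, username, password, cookie_name="session"):
    """Log in, fetch the CSRF token, confirm the session cookie exists.
    `session` is a requests.Session or any object with the same post/get/cookies API."""
    resp = session.post(base_url + "/security/login", json={
        "username": username, "password": password, "provider": "db", "refresh": True})
    if resp.status_code != 200:
        raise SupersetAuthError(f"login failed: HTTP {resp.status_code}")
    bearer = {"Authorization": "Bearer " + resp.json()["access_token"]}
    csrf = session.get(base_url + "/security/csrf_token/", headers=bearer)
    if csrf.status_code != 200:
        raise SupersetAuthError(f"csrf_token failed: HTTP {csrf.status_code}")
    if cookie_name not in session.cookies:  # cookie name is an assumption (Flask default)
        raise SupersetAuthError("no session cookie after csrf_token call")
    return {**bearer, "X-CSRFToken": csrf.json()["result"]}

def list_dashboards(session, base_url, headers, cookie_name="session"):
    """Return dashboards; an empty list without a session cookie is an auth failure."""
    resp = session.get(base_url + "/dashboard/", headers=headers)
    if resp.status_code != 200:
        raise SupersetAuthError(f"dashboard list failed: HTTP {resp.status_code}")
    body = resp.json()
    if body.get("count", 0) == 0 and cookie_name not in session.cookies:
        raise SupersetAuthError("count:0 with no session cookie: unauthenticated")
    return body["result"]

# --- Constructed stand-ins so the flow can be exercised offline ---
class FakeResponse:
    def __init__(self, status_code, body):
        self.status_code, self.body = status_code, body
    def json(self):
        return self.body

class FakeSession:
    """Mimics the behaviour described above; sets_cookie=False models a broken flow."""
    def __init__(self, sets_cookie):
        self.cookies, self.sets_cookie = {}, sets_cookie
    def post(self, url, json=None):
        return FakeResponse(200, {"access_token": "constructed-jwt"})
    def get(self, url, headers=None):
        if url.endswith("/csrf_token/"):
            if self.sets_cookie:
                self.cookies["session"] = "constructed"
            return FakeResponse(200, {"result": "constructed-csrf"})
        found = [{"id": 1}] if "session" in self.cookies else []
        return FakeResponse(200, {"count": len(found), "result": found})
```

With a real server, pass a `requests.Session()` and the `/api/v1` base URL; certificate verification stays at the library default.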
