GitHub user worker123-tech created a discussion: Superset API: 404 Not Found when updating dashboard using access_token + csrf_token (but works with browser session)
### Environment
* Superset version: 6.1.0rc1
* Deployment: Docker
* Authentication: REST API (`/api/v1/security/login`) + CSRF
---
### Problem Description
I am trying to update a dashboard via the API:
```http
PUT /api/v1/dashboard/{pk}
```
---
### ✅ Working Case (Browser / curl copied from DevTools)
When I copy the `curl` request directly from the browser DevTools and execute
it, the update succeeds.
This request includes:
* session cookie
* csrf token
* proper headers
---
### ❌ Failing Case (Programmatic API flow)
I tried to reproduce the same behavior using API calls:
1. Log in to get `access_token`:
```http
POST /api/v1/security/login
```
2. Get CSRF token:
```http
GET /api/v1/security/csrf_token/
```
3. Send request:
```http
PUT /api/v1/dashboard/{pk}
```
with headers:
```http
Authorization: Bearer <access_token>
X-CSRFToken: <csrf_token>
Cookie: <session cookie>
Content-Type: application/json
```
---
### ❗ Actual Result
```text
404 Not Found
```
---
### Expected Result
Dashboard should be updated successfully (same as browser behavior).
---
### Key Observation
* The same endpoint works when using browser session (copied curl)
* Fails when using access_token + csrf_token
* All requests are executed in the same session context (cookie preserved)
---
### Additional Notes
* If Authorization header is removed and only cookie is used → works
* If using Bearer token → returns 404 instead of 401/403
---
### Question
Is there a mismatch between:
* session-based authentication
* token-based authentication
* CSRF validation
in Superset 6.1.0rc1?
Or is mixing `access_token` and session cookie unsupported for write APIs?
---
### Request
Clarification on the correct way to:
* Authenticate API requests
* Use CSRF with Bearer token
* Update dashboard programmatically
---
Thanks!
GitHub link: https://github.com/apache/superset/discussions/38869