GitHub user dosubot[bot] added a comment to the discussion: Problem in 
guest-token

The **405 Method Not Allowed** error when generating guest tokens typically 
occurs due to one of these issues:

1. **Wrong HTTP method** - The `/api/v1/security/guest_token/` endpoint 
requires a **POST** request, not GET.

2. **Missing CSRF token** - You need to [fetch a CSRF token first and include 
it in your request](https://github.com/apache/superset/discussions/35670):

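```python
import requests

SUPERSET_URL = "http://localhost:8088"  # placeholder: your Superset base URL
access_token = "YOUR_ACCESS_TOKEN"      # placeholder: access token obtained at login

# Use one Session so the session cookie issued with the CSRF token is sent
# back on the POST; the token is validated against that session.
session = requests.Session()

# First, get CSRF token
csrf_response = session.get(
    f"{SUPERSET_URL}/api/v1/security/csrf_token/",
    headers={"Authorization": f"Bearer {access_token}"}
)
csrf_response.raise_for_status()
csrf_token = csrf_response.json()["result"]

# Then use it in the guest token POST request
guest_token_response = session.post(
    f"{SUPERSET_URL}/api/v1/security/guest_token/",
    headers={
        "Authorization": f"Bearer {access_token}",
        "X-CSRFToken": csrf_token,
        "Content-Type": "application/json"
    },
    json={
        "user": {"username": "guest", "first_name": "Guest", "last_name": "User"},
        "resources": [{"type": "dashboard", "id": "YOUR_DASHBOARD_UUID"}],
        "rls_rules": []
    }
)
guest_token_response.raise_for_status()  # fail loudly on 4xx/5xx
```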

3. **Permissions** - Ensure the user making the request has the 
[`can_grant_guest_token` permission on 
`SecurityRestApi`](https://github.com/apache/superset/discussions/33674).

For development only, you can disable CSRF protection for this endpoint by 
adding to `superset_config.py`:
```python
WTF_CSRF_EXEMPT_LIST = ['superset.security.api.guest_token']
```

Can you share how you're making the request (HTTP method, headers, and endpoint 
URL)?



GitHub link: 
https://github.com/apache/superset/discussions/38444#discussioncomment-16009841
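
An added example, not part of the comment above or of Superset's code: a preflight check that inspects a prepared guest-token request for the causes listed in the answer before anything is sent. The `preflight` and `build` names, the localhost URL and the header values are constructed, and the session-cookie check assumes the CSRF token is bound to the session it was issued in.

```python
import json
import urllib.request
from urllib.parse import urlsplit

GUEST_TOKEN_PATH = "/api/v1/security/guest_token/"  # endpoint named in the answer

def preflight(req):
    """Return a list of problems with a guest-token request; empty if none."""
    problems = []
    headers = {k.lower(): v for k, v in req.header_items()}
    if req.get_method() != "POST":
        problems.append(f"method is {req.get_method()}; the endpoint requires POST")
    if urlsplit(req.full_url).path != GUEST_TOKEN_PATH:
        problems.append(f"path is not {GUEST_TOKEN_PATH}")
    if not headers.get("authorization", "").startswith("Bearer "):
        problems.append("no 'Authorization: Bearer <access token>' header")
    if not headers.get("x-csrftoken"):
        problems.append("no X-CSRFToken header")
    elif "cookie" not in headers:
        # Assumption: the CSRF token is validated against the session cookie
        # that was returned together with it.
        problems.append("X-CSRFToken sent without its session cookie")
    if not headers.get("content-type", "").startswith("application/json"):
        problems.append("Content-Type is not application/json")
    try:
        body = json.loads(req.data or b"")
    except ValueError:
        body = None
    if not isinstance(body, dict):
        problems.append("body is not a JSON object")
    else:
        missing = [k for k in ("user", "resources", "rls_rules") if k not in body]
        if missing:
            problems.append("body lacks " + ", ".join(missing))
    return problems

def build(method, headers, body):
    """Hypothetical helper: build (not send) a request to a constructed URL."""
    data = None if body is None else json.dumps(body).encode()
    return urllib.request.Request("http://localhost:8088" + GUEST_TOKEN_PATH,
                                  data=data, headers=headers, method=method)

# Constructed sample values, mirroring the payload shown in the answer.
BODY = {"user": {"username": "guest"}, "rls_rules": [],
        "resources": [{"type": "dashboard", "id": "YOUR_DASHBOARD_UUID"}]}
HEADERS = {"Authorization": "Bearer ACCESS_TOKEN", "X-CSRFToken": "CSRF_TOKEN",
           "Cookie": "session=SESSION", "Content-Type": "application/json"}

if __name__ == "__main__":
    print(preflight(build("GET", {"Authorization": "Bearer ACCESS_TOKEN"}, None)))
    print(preflight(build("POST", HEADERS, BODY)))
```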
