Bug CSRF session token is missing

[joegom22]

Bug description

Bug summary

CSRF Session token is missing when calling the create dataset endpoint via the Python API after apparently successful login and csrf token retrieval. /api/v1/me/ returns 401 error but other endpoints such as copy dashboard or create role work just fine with the same requests.Session object.

Expected behavior

• GET /api/v1/me/ should return the authenticated user information.
• POST /api/v1/dataset/ should create the requested dataset successfully.

Actual behavior

• GET /api/v1/me/ returns 401 {"message":"Not authorized"}.
• POST /api/v1/dataset/ returns:

400, {"errors": [{"message": "400 Bad Request: The CSRF session token is missing.", "error_type": "GENERIC_BACKEND_ERROR", "level": "error", "extra": {"issue_codes": [{"code": 1011, "message": "Issue 1011 - Superset encountered an unexpected error."}]}}]}

Steps to reproduce

1. Login via the login endpoint
2. Update the access token header
3. Obtain the csrf token
4. Update the csrf token header
5. Make a get request to /api/v1/me/
6. Make a post request to /api/v1/dataset/

Python code / request example

r_session = requests.Session()
r_session.headers.update({
      'Accept': 'application/json',
     'Content-Type': 'application/json',
     'Referer': base_url
})
r = r_session.post(f"{base_url}/api/v1/security/login", json=login_data)
if r.status_code != 200:
      raise Exception(f"Failed to login: {r.status_code} {r.text}")
access_token = r.json()["access_token"]

r_session.headers.update({'Authorization': f"Bearer {access_token}"})
r = r_session.get(f"{base_url}/api/v1/security/csrf_token/")
if r.status_code != 200:
      raise Exception(f"Failed to get CSRF token: {r.status_code} {r.text}")
csrf_token = r.json()["result"]
r_session.headers.update({'X-CSRFToken': csrf_token})
r = r_session.get(base_url + f"/api/v1/me/", headers=r_session.headers)
print(f"Status: {r.status_code}")
print(f"Response: {r.text}")

r = r_session.post(
        base_url + f"/api/v1/dataset/"
        , json={
            "database": database,
            "table_name": table_name,
            "schema": schema
      }
)

if r.status_code == 201:
    logging.info(f"Dataset '{table_name}' has been created successfully in database '{database}' and schema '{schema}'")
    return r.json()["id"]
else:
    raise ValueError(f"Error creating dataset '{table_name}' in database '{database}' and schema '{schema}': {r.status_code}, {r.text}")

Tracebacks and returns

The Python tracebacks observed in the logs show:
10.31.232.26 - - [17/Apr/2026:11:25:57 +0000] "POST /api/v1/security/login HTTP/1.1" 200 487 URL "python-requests/2.33.1"
10.31.232.26 - - [17/Apr/2026:11:25:57 +0000] "GET /api/v1/security/csrf_token/ HTTP/1.1" 200 105 URL "python-requests/2.33.1"
10.31.232.26 - - [17/Apr/2026:11:25:57 +0000] "GET /api/v1/me/ HTTP/1.1" 401 29 URL "python-requests/2.33.1"

The POST request to the dataset seems to fail before it is even really made and so it does not show in the logs, however, the ValueError raised shows:
400, {"errors": [{"message": "400 Bad Request: The CSRF session token is missing.", "error_type": "GENERIC_BACKEND_ERROR", "level": "error", "extra": {"issue_codes": [{"code": 1011, "message": "Issue 1011 - Superset encountered an unexpected error."}]}}]}

Screenshots/recordings

No response

Superset version

6.0.0

Python version

3.11

Node version

I don't know

Browser

Chrome

Additional context

I have tried completely deleting the Public role to avoid possible known conflicts with this role and the Admin Role in api requests but it made no difference.

Checklist

• I have searched Superset docs and Slack and didn't find a solution to my problem.
• I have searched the GitHub issue tracker and didn't find a similar bug report.
• I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

[dosubot]

Hi @joegom22! I'm Dosu and I’m helping the superset team.

This is a frequently reported issue. The root causes are:

1. "CSRF session token is missing" on POST requests — This happens because the session cookie isn't being properly sent with your POST request. Even though requests.Session() should handle cookies automatically, in some cases you need to explicitly set the cookie header. A user in a similar issue resolved it by adding this line after retrieving the CSRF token [1]:

r_session.headers.update({"Cookie": f"session={r_session.cookies.get('session')}"})

2. /api/v1/me/ returning 401 — This is typically a permissions issue, not an authentication failure. Your user's role likely lacks the can_read permission on the CurrentUserRestApi resource. To fix it, go to Settings → List Roles, select your user's role, and add can_read on CurrentUserRestApi. If the permission doesn't appear, try running superset init to sync permissions.

3. Important: Authorization header must be present when fetching the CSRF token. Calling /api/v1/security/csrf_token/ without the Authorization header means the session cookie won't be associated with your authenticated user. In your code this looks correct, but double-check the request order.

Here's a corrected version of the key parts:

r_session = requests.Session()
r_session.headers.update({
    'Accept': 'application/json',
    'Content-Type': 'application/json',
    'Referer': base_url
})

# Login
r = r_session.post(f"{base_url}/api/v1/security/login", json=login_data)
access_token = r.json()["access_token"]
r_session.headers.update({'Authorization': f"Bearer {access_token}"})

# Get CSRF token (Authorization header is already set — this is critical)
r = r_session.get(f"{base_url}/api/v1/security/csrf_token/")
csrf_token = r.json()["result"]
r_session.headers.update({'X-CSRFToken': csrf_token})

# Explicitly set the session cookie header
r_session.headers.update({"Cookie": f"session={r_session.cookies.get('session')}"})

# Now POST requests should work
r = r_session.post(f"{base_url}/api/v1/dataset/", json={...})

Alternatively, since you're on Superset 6.0.0, you may want to use API keys instead of JWT tokens — they provide a cleaner authentication flow without the CSRF complexity. You can generate one in the Superset UI and use it as Authorization: Bearer sst_<YOUR_KEY>.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}
   

[joegom22]

Thank you for the suggestion! After adding r_session.headers.update({"Cookie": f"session={self.r_session.cookies.get('session')}"}) before making any requests, I’m still encountering the same errors:

• GET /api/v1/me/ returns 401 Unauthorized
• POST /api/v1/dataset/ returns the CSRF token error: 400 Bad Request: The CSRF session token is missing.

For context, I’m using login credentials from an admin user assigned the "Admin" role, and I’ve manually granted every available permission to this user.

Additionally, I’ve been unable to find any useful information regarding API keys and how to implement them, other than some closed GitHub issues.

Any further suggestions would be greatly appreciated!

[dosubot]

A few things to investigate since the explicit cookie header didn't resolve it:

The "session token is missing" error is server-side — it means the server can't find the CSRF token in its own session storage, not that your client failed to send one. This points to the session cookie either not being received by the server, or mapping to an empty/different session.

Debugging steps:

1. Verify a session cookie actually exists. Print r_session.cookies.get_dict() right after the /api/v1/security/csrf_token/ call. If there's no session key, the server never issued one — which would explain both errors.

2. Are you behind a reverse proxy (NGINX, ALB, etc.)? If so, make sure ENABLE_PROXY_FIX = True is set in your superset_config.py along with proper proxy headers. Missing proxy configuration is a common cause of cookies being silently dropped [1]:

   ENABLE_PROXY_FIX = True
   PROXY_FIX_CONFIG = {"x_for": 1, "x_proto": 1, "x_host": 1, "x_port": 1, "x_prefix": 1}

3. Try bypassing requests.Session headers entirely and pass cookies directly per-request to rule out header conflicts:

   # After login and CSRF token retrieval:
   cookies = r_session.cookies.get_dict()
   headers = {
       "Authorization": f"Bearer {access_token}",
       "X-CSRFToken": csrf_token,
       "Content-Type": "application/json",
       "Referer": base_url
   }
   
   r = requests.post(
       f"{base_url}/api/v1/dataset/",
       headers=headers,
       cookies=cookies,
       json={"database": database, "table_name": table_name, "schema": schema}
   )

   This avoids any potential conflict between r_session.headers["Cookie"] and r_session.cookies.

4. Check if SESSION_COOKIE_SECURE = True is set in your config. If it is but you're accessing Superset over HTTP (not HTTPS), the browser/client will silently refuse to send the cookie back (cite:thread:f90c300d).

As a quick test, you can temporarily disable CSRF protection to confirm the cookie/session is the issue and not something else:

# In superset_config.py (development only!)
WTF_CSRF_ENABLED = False

If requests work with CSRF disabled, the problem is definitively in session cookie delivery. If they still fail, there's a broader authentication issue.

Regarding API keys — I wasn't able to find mature documentation for a standalone API key feature in Superset 6.0. The guest token system exists (/api/v1/security/guest_token/) but it's designed for embedded dashboard scenarios, not general API access. The JWT login + CSRF flow remains the primary method for programmatic API usage.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}