How to can service-accounts use the Superset API when OAuth is enabled?

[bastiaanb]

In an Superset installation with OAuth enabled how would one let a script interact with the API?
Is there a way for the script to request a Superset-native HS256 token?
If I understand correctly /api/v1/security/login cannot be used when OAuth is enabled?
(Is that event intended to get an access token? I tried it with local db auth, then Superset rejected the token with "unsupported algorithm" error.)

Thanks!

Bastiaan Bakker

[dosubot[bot]]

Superset’s API only accepts HS256-signed JWTs issued by Superset itself, and the /api/v1/security/login endpoint only works with db or ldap providers—not with OAuth. When OAuth is enabled, tokens from external providers (like Zitadel) are usually RS256-signed and will be rejected by the API with an “unsupported algorithm” error. This is hardcoded and not configurable discussion.

There’s currently no supported way for a script or service account to request a Superset-native HS256 token when OAuth is enabled. API automation requires using DB/LDAP users to obtain tokens via the login endpoint. If you need to use OAuth tokens for API access, you’d have to implement a custom SecurityManager and middleware to validate those tokens, which is an advanced, non-standard setup details.

Guest tokens (/api/v1/security/guest_token/) are available, but they’re intended for embedded dashboard scenarios, not general API access.

In short: with OAuth enabled, scripts and service accounts cannot use the Superset API unless you fall back to DB/LDAP authentication or build a custom authentication integration. The “unsupported algorithm” error means the API is rejecting non-HS256 tokens as designed details.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}