Superset 6.0 Embedded Dashboard: /api/v1/me/roles/ API returns 403 Forbidden

[arthurworkspace]

Bug description

1. Switch Superset code to branch 6.0
2. Run Superset using docker compose up --build, Superset works fine at this point
3. Open my project and use @superset-ui/embedded-sdk to embed a Dashboard
4. When running my project and opening the embedded dashboard, the Superset API endpoint /api/v1/me/roles/ returns 403 Forbidden.

Screenshots/recordings

Superset version

6.0

Python version

3.11

Node version

18 or greater

Browser

Chrome

Additional context

No response

Checklist

• I have searched Superset docs and Slack and didn't find a solution to my problem.
• I have searched the GitHub issue tracker and didn't find a similar bug report.
• I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

[dosubot[bot]]

Hi @arthurworkspace! I'm Dosu and I’m helping the superset team.

The 403 Forbidden error on /api/v1/me/roles/ when embedding dashboards in Superset 6.0.0 is usually caused by stricter authentication and permission checks introduced in this version. The endpoint now requires a valid JWT guest token with the correct claims, and the embedding setup must be properly configured. Common causes include: missing or misconfigured guest token (wrong dashboard id/uuid, secret, audience, or expired token), dashboard not published or not enabled for embedding, missing allowed_domains for your embedding domain, or CORS/X-Frame-Options misconfiguration. Also, the dashboardId must be present in all form_data sent to the backend, and any row-level security rules should be reviewed for misconfiguration.

Recent fixes (see PR #31274 and PR #36410) ensure /api/v1/me/roles/ works with JWT tokens, but your token and embedding config must be correct for access to succeed. For a full checklist and troubleshooting steps, see this discussion and this issue.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[Vansh5632]

Hi, I attempted to reproduce this issue on the 6.0 branch but got different results.

I logged in as a user with the Gamma role and accessed /api/v1/me/roles/. In my environment, I received a 200 OK response with the expected role data, rather than a 403 Forbidden.

Could you please check your configuration, specifically the exact permissions assigned to your restricted user? It appears my local 'Gamma' role might inherently have can_read on User or Security by default, which is masking the issue on my end.

That said, looking at the code in superset/security/api.py, I do see the @permission_name("read") decorator, which implies that the endpoint is indeed enforcing a global read check. I agree that removing this decorator is likely the correct fix, but I wanted to confirm the permission set first.

[jkest]

We had a similar issue. Fix: rollback to 6.0.0

Our Superset instance is hosted on Elest.io and last night there was an update to 6.0.1 and all of a sudden our embedded dashboards did not work anymore (403 /api/v1/me/roles/). I tried everything:

• Gave Public, Gamma and my own custom role literally ALL permissions
• Tried using curl instead of our product
• Tried letting Superset provide tokens instead of creating it ourselves

Nothing worked. I did a rollback to 6.0.0 and everything works again. Either there is a bug in 6.0.1 or token management has changed drastically