Bug description

Current Superset version: 4.0.2

Our platform is set up to embed Superset charts, but we frequently encounter timeout errors in the platform when viewing Superset dashboards.

What we have found is the Superset integration uses a library (@superset-ui/embedded-sdk) to display dashboards. This library creates temporary guest tokens each time a dashboard is viewed — even if the user hasn’t directly logged into Superset. After a timeout (e.g., 15 minutes), the library automatically tries to refresh these tokens. If the user has logged out or their session has ended, these refresh attempts fail, triggering "Insufficient Permissions" errors. The problem worsens if multiple dashboards are viewed, as more tokens are created and retried in parallel.

Can you please get assistance on a proper resolution for this issue?

Screenshots/recordings

Attached is an example of the error message displayed upon being logged out while viewing charts

Superset version

master / latest-dev

Python version

I don't know

Node version

I don't know

Browser

Chrome

Additional context

No response

Checklist

  • [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
  • [ ] I have searched the GitHub issue tracker and didn't find a similar bug report.
  • [ ] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

Comment From: dosubot[bot]

Hi @natasha-tc! I'm Dosu and I’m helping the Superset team.

This is a known issue with the @superset-ui/embedded-sdk: after a dashboard is unmounted, the SDK continues to call fetchGuestToken every few minutes because the unmount() method does not cancel the internal timers for token refresh. This leads to repeated token refresh attempts and "Insufficient Permissions" errors if the user is logged out or their session has ended. There is currently no built-in way to stop these calls after unmounting, which can cause multiple parallel errors if several dashboards are embedded at once [source].

Guest tokens are short-lived JWTs (default 5 minutes, configurable via GUEST_TOKEN_JWT_EXP_SECONDS), and Superset enforces permissions on every request. If a token expires or the session is invalid, refresh attempts will fail and trigger permission errors [source].

To mitigate this until the SDK is fixed:

  • Make sure to call unmount() on the dashboard when the embedding component is destroyed, but be aware this does not stop token refresh timers.
  • Consider implementing additional logic in your integration to track user session/logout state and prevent further embed attempts or suppress repeated error popups after logout.
  • Review your backend and dashboard configuration to ensure guest tokens are correctly scoped and have appropriate expiration settings [source].

If you need to reduce the frequency of these errors, you can lower the guest token expiration time (GUEST_TOKEN_JWT_EXP_SECONDS) so tokens expire and refresh less often, but this is a tradeoff with user experience.

There is currently no official workaround in the SDK for this cleanup issue, so monitoring for SDK updates or contributing a fix may be necessary.

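
The session-tracking mitigation suggested in the comment above, sketched as an added example (not part of the thread and not code from the SDK): a wrapper around the `fetchGuestToken` callback that stops contacting the token endpoint once the host application marks the session closed. `createGuestTokenGate`, `close` and `stats` are hypothetical names, and returning a promise that never settles assumes the caller waits for the token before scheduling its next refresh.

```javascript
// Added example, not SDK code. createGuestTokenGate is a hypothetical helper
// that wraps the fetchGuestToken callback passed to embedDashboard().
function createGuestTokenGate(fetchToken) {
  let open = true;        // false after logout or component teardown
  let backendCalls = 0;   // requests actually sent to the token endpoint
  let suppressed = 0;     // refresh attempts dropped after close()
  const never = new Promise(() => {}); // stays pending, so nothing downstream runs

  async function fetchGuestToken() {
    if (!open) {
      suppressed += 1;    // no request, so no "Insufficient Permissions" popup
      return never;
    }
    backendCalls += 1;
    try {
      const token = await fetchToken();
      // Session may have ended while the request was in flight:
      // do not hand a fresh token to an embed that should be gone.
      return open ? token : never;
    } catch (err) {
      if (!open) return never; // failure caused by the logout itself
      throw err;               // real failure while the session is live
    }
  }

  return {
    fetchGuestToken,
    close() { open = false; },
    stats() { return { backendCalls, suppressed }; },
  };
}

// Constructed scenario: two refreshes while logged in, three after logout.
function demo() {
  const gate = createGuestTokenGate(() => Promise.resolve("constructed-token"));
  gate.fetchGuestToken();
  gate.fetchGuestToken();
  gate.close();           // call this from the logout / destroy handler
  for (let i = 0; i < 3; i += 1) gate.fetchGuestToken();
  return gate.stats();    // { backendCalls: 2, suppressed: 3 }
}
```

Pass `gate.fetchGuestToken` as the `fetchGuestToken` option and call `gate.close()` alongside `unmount()`; one gate per embedded dashboard keeps the counters separate.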

Comment From: sadpandajoe

@natasha-tc Superset 4.0 isn't currently supported for bug fixes. I would try 5.0 to see if you are still seeing the same issues.

Comment From: rusackas

We'll likely close this in time since it's regarding an unsupported version, but if you can validate if this is still happening in supported releases, we'll keep it open.