The Apache Superset REST API lets you automate everything done in the UI: create dashboards, run queries, manage users, export charts. This guide details authentication, essential endpoints, and usage patterns in 2026.
1. Documentation and exploration
The API is documented via Swagger at /swagger/v1. Test directly from the browser, or download the OpenAPI spec.
If you want an instance with API pre-enabled, TVL Managed Superset enables the REST API by default on all instances.
2. Authentication
Three methods:
- Login + access token (the simplest);
- OAuth via SSO;
- Guest token for embedded.
Login example:
```bash
curl -X POST https://superset.example.com/api/v1/security/login \
  -H "Content-Type: application/json" \
  -d '{
    "username": "admin",
    "password": "XXX",
    "provider": "db",
    "refresh": true
  }'
# Response:
# { "access_token": "eyJ...", "refresh_token": "eyJ..." }
```
3. Essential endpoints
| Endpoint | Method | Usage |
|---|---|---|
| /api/v1/dashboard/ | GET / POST | List / create dashboards |
| /api/v1/chart/ | GET / POST | List / create charts |
| /api/v1/dataset/ | GET / POST | List / create datasets |
| /api/v1/database/ | GET / POST | DB connections |
| /api/v1/security/users/ | GET / POST | User management |
| /api/v1/sqllab/execute/ | POST | Run a SQL Lab query |
| /api/v1/cache/invalidate/ | POST | Invalidate cache |
| /api/v1/dashboard/{id}/embedded/ | POST | Enable embedded |
4. Example — Create a dataset by script
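```python
import os
import requests

base = "https://superset.example.com"

# 1. Login (same payload as in section 2). SUPERSET_USER and SUPERSET_PASSWORD
#    are hypothetical environment variable names for the service account.
r = requests.post(
    f"{base}/api/v1/security/login",
    json={
        "username": os.environ["SUPERSET_USER"],
        "password": os.environ["SUPERSET_PASSWORD"],
        "provider": "db",
        "refresh": True,
    },
)
r.raise_for_status()
token = r.json()["access_token"]
headers = {"Authorization": f"Bearer {token}"}

# 2. Create the dataset
r = requests.post(
    f"{base}/api/v1/dataset/",
    headers=headers,
    json={
        "database": 1,
        "schema": "public",
        "table_name": "orders",
    },
)
r.raise_for_status()
print(r.json())
```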
5. Example — Invalidate cache after ETL
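```bash
# In a dbt post-hook job or Airflow
# Content-Type is set explicitly: curl -d otherwise sends a form-encoded body
curl -X POST https://superset.example.com/api/v1/cache/invalidate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"datasource_uids": ["abc-123-def"]}'
```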
6. Example — Export all dashboards
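```python
import os
from urllib.parse import quote_plus

import requests

# Reuses `base` and `headers` from the script in section 4
os.makedirs("dashboards", exist_ok=True)

r = requests.get(
    f"{base}/api/v1/dashboard/?q={quote_plus('(page:0,page_size:100)')}",
    headers=headers,
)
r.raise_for_status()
for dashboard in r.json()["result"]:
    export = requests.get(
        f"{base}/api/v1/dashboard/{dashboard['id']}/export/",
        headers=headers,
    )
    export.raise_for_status()
    # A dashboard may have no slug; fall back to its id for the file name
    name = dashboard["slug"] or dashboard["id"]
    with open(f"dashboards/{name}.zip", "wb") as f:
        f.write(export.content)
```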
7. Common patterns
- CI/CD: version dashboards in YAML/Git, deploy via API;
- SaaS provisioning: automatically create users and permissions on each signup;
- Cache invalidation post-ETL for freshness;
- Custom reporting: Slack bot regularly posting charts.
This configuration is applied by default on TVL Managed Superset, which follows community best practices.
8. Best practices
- Dedicated service account with minimal necessary role;
- Refresh token handled client-side to avoid re-logins;
- Rate limit on ingress side to avoid abuse;
- Logging of API calls for audit;
- Versioning by pinning dashboards/datasets via Git.
9. Common pitfalls
- CSRF token missing on POSTs: add X-CSRFToken obtained via /api/v1/security/csrf_token/;
- Expired token not refreshed: implement refresh;
- Pagination ignored: by default 25 results per page;
- Rison filtering: the query string uses Rison format, not classic JSON.
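The pagination and Rison pitfalls combine badly in export or audit scripts: a single request silently returns only part of the listing. The sketch below is an added example, not code from the Superset project; it builds the Rison page query and walks every page. The helper names and the `fake_server` stand-in are assumptions made for illustration, and the stopping rule relies on the `count` field that list responses return alongside `result`.

```python
from urllib.parse import quote

def rison_page(page, page_size):
    """Rison object selecting one page, e.g. (page:0,page_size:100)."""
    if page < 0 or page_size < 1:
        raise ValueError("page must be >= 0 and page_size >= 1")
    return f"(page:{page},page_size:{page_size})"

def list_url(base, resource, page, page_size):
    """URL for one page of /api/v1/<resource>/ with the Rison query percent-encoded."""
    q = quote(rison_page(page, page_size), safe="")
    return f"{base.rstrip('/')}/api/v1/{resource}/?q={q}"

def iter_all(fetch_page, page_size=100, max_pages=1000):
    """Yield every item; fetch_page(page, page_size) returns the decoded JSON body."""
    seen = 0
    for page in range(max_pages):
        body = fetch_page(page, page_size)
        items = body["result"]
        yield from items
        seen += len(items)
        # Stop on the reported total, or on an empty page if the total is missing.
        if not items or seen >= body.get("count", seen + 1):
            return
    raise RuntimeError("max_pages reached before the listing was exhausted")

def fake_server(total, server_cap=25):
    """Constructed stand-in for a list endpoint that caps the page size."""
    rows = [{"id": i} for i in range(total)]
    def fetch_page(page, page_size):
        size = min(page_size, server_cap)
        return {"count": total, "result": rows[page * size:(page + 1) * size]}
    return fetch_page

if __name__ == "__main__":
    fetch = fake_server(60)
    print("first page only:", len(fetch(0, 100)["result"]))
    print("all pages:", len(list(iter_all(fetch))))
    print(list_url("https://superset.example.com", "dashboard", 0, 100))
```

Against a real instance, `fetch_page` would wrap `requests.get(list_url(base, "dashboard", page, page_size), headers=headers).json()`.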
10. Conclusion
The Apache Superset REST API has been complete and stable since version 2.x. It opens the door to full automation: multi-tenant provisioning, continuous dashboard deployment, CI/CD integrations, and bots. Coupled with a well-secured service account, it is a powerful lever for industrializing your Superset operations.