From 59e3645c17655e6c5225710b9aaf27b6c7171a03 Mon Sep 17 00:00:00 2001
From: Zack
Date: Tue, 10 Jun 2025 20:41:54 -0700
Subject: [PATCH] fix: clarify GUEST_TOKEN_JWT_AUDIENCE usage in the SDK (#33673)

---
 superset-embedded-sdk/README.md | 14 ++++++++++++--
 superset/config.py | 5 ++++-
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/superset-embedded-sdk/README.md b/superset-embedded-sdk/README.md
index 63d8e706183..f9250fd1920 100644
--- a/superset-embedded-sdk/README.md
+++ b/superset-embedded-sdk/README.md
@@ -116,8 +116,11 @@ Example `POST /security/guest_token` payload:
 }
 ```
 
-Alternatively, a guest token can be created directly in your app with a json like the following, and then signed
-with the secret set in configuration variable `GUEST_TOKEN_JWT_SECRET` (see configuration file config.py)
+Alternatively, a guest token can be created directly in your app without interacting with the Superset API.
+To do this, you should update the `GUEST_TOKEN_JWT_SECRET`
+in the Superset [config.py](https://github.com/apache/superset/blob/master/superset/config.py). Also set the
+`GUEST_TOKEN_JWT_AUDIENCE` variable that matches what is set for the `aud` in the JSON payload:
+
 ```
 {
 "user": {
@@ -139,6 +142,13 @@ with the secret set in configuration variable `GUEST_TOKEN_JWT_SECRET` (see conf
 }
 ```
 
+In this example, the configuration file includes the following setting:
+
+```python
+GUEST_TOKEN_JWT_AUDIENCE="superset"
+```
+
+
 ### Sandbox iframe
 
 The Embedded SDK creates an iframe with [sandbox](https://developer.mozilla.org/es/docs/Web/HTML/Element/iframe#sandbox) mode by default
diff --git a/superset/config.py b/superset/config.py
index 0711717ab17..b5dcee20065 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -1806,7 +1806,10 @@
 GUEST_TOKEN_JWT_SECRET = "test-guest-secret-change-me" # noqa: S105
 GUEST_TOKEN_JWT_ALGO = "HS256" # noqa: S105
 GUEST_TOKEN_HEADER_NAME = "X-GuestToken" # noqa: S105
 GUEST_TOKEN_JWT_EXP_SECONDS = 300 # 5 minutes
-# Guest token audience for the embedded superset, either string or callable
+# Audience for the Superset guest token used in embedded mode.
+# Can be a string or a callable. Defaults to WEBDRIVER_BASEURL.
+# When generating the guest token, ensure the
+# payload's `aud` matches GUEST_TOKEN_JWT_AUDIENCE.
 GUEST_TOKEN_JWT_AUDIENCE: Callable[[], str] | str | None = None
 # A callable that can be supplied to do extra validation of guest token configuration
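Review bot: The new comment says the audience "Defaults to WEBDRIVER_BASEURL", but the line it documents still assigns `None`, so a reader cannot tell from config.py whether `None` is itself the default or a sentinel that is resolved elsewhere; the fallback presumably lives in the guest-token code, which this hunk does not show. I would make that relationship explicit in the second added line, e.g. `# Can be a string or a callable. Leaving it as None makes the guest-token code fall back to WEBDRIVER_BASEURL.`. Since `aud` is what binds a guest token to this deployment, the last two added lines would also be clearer if they said what happens on mismatch — that a token whose `aud` differs from the resolved audience is rejected — assuming that is the validation behaviour, which I cannot confirm from this hunk. The README hunk in the same commit tells integrators to set `GUEST_TOKEN_JWT_AUDIENCE` to match `aud`; the config comment should agree with it on what the `None` default means for a hand-signed token.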