docs: Superset 6.1 documentation catch-up (security, alerts/reports, theming, config) (#39440)

Co-authored-by: Superset Dev <dev@superset.apache.org> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-10 10:25:51 +00:00 · 2026-05-08 10:11:09 -07:00
parent 2f82236b29
commit b899556130
4 changed files with 180 additions and 1 deletions
--- a/docs/admin_docs/security/security.mdx
+++ b/docs/admin_docs/security/security.mdx
@@ -205,6 +205,57 @@ FAB_ADD_SECURITY_API = True

 Once configured, the documentation for additional "Security" endpoints will be visible in Swagger for you to explore.

+### API Key Authentication
+
+Superset supports long-lived API keys for service accounts, CI/CD pipelines, and programmatic integrations (including MCP clients).
+
+#### Enabling API Key Authentication
+
+API key authentication is **disabled by default**. To turn it on, set the Flask-AppBuilder config value in `superset_config.py` and also enable the matching feature flag so the management UI is exposed:
+
+```python
+FAB_API_KEY_ENABLED = True
+
+FEATURE_FLAGS = {
+    "FAB_API_KEY_ENABLED": True,
+}
+```
+
+The config value registers the `ApiKeyApi` blueprint on the backend; the feature flag controls whether the UI for managing keys appears for the user. See the [Feature Flags](/admin-docs/configuration/feature-flags) documentation for more on feature flag configuration.
+
+#### Creating an API Key
+
+Once enabled, each user manages their own keys from their profile page:
+
+1. Open the user menu (top-right) and click **Info** to navigate to the User Info page
+2. Expand the **API Keys** section
+3. Click **+ API Key**
+4. Enter a name and (optionally) an expiration date
+5. Copy the generated token — it is shown only once
+
+Only users with the `can_read` and `can_write` permissions on `ApiKey` (granted by default to Admins) can manage API keys.
+
+#### Using an API Key
+
+Pass the key as a Bearer token in the `Authorization` header:
+
+```
+Authorization: Bearer <your-api-key>
+```
+
+This works for all REST API endpoints and the MCP server. The request is executed with the permissions of the user who created the key.
+
+#### Use Cases
+
+- **CI/CD pipelines** — automated chart/dashboard exports and imports
+- **MCP integrations** — connect AI assistants without interactive login
+- **External services** — dashboards embedded in other applications
+- **Service accounts** — long-lived credentials that don't expire with session cookies
+
+:::caution
+Store API keys securely. Anyone with a valid key can make requests on behalf of the creating user. Revoke keys promptly if they are compromised by deleting them from the **API Keys** section of your User Info page.
+:::
+
 ### Customizing Permissions

 The permissions exposed by FAB are very granular and allow for a great level of