Hi all,
I’m currently migrating a mashup from Qlik On-Premise to Qlik Cloud.
My mashup uses Enigma.js and Nebula.js for visualizations, but I’m running into issues while trying to obtain the CSRF token. I’ve tried two different approaches:
Here’s the scenario:
as parameter, and retrieves a web token via OAuth impersonation. In this scenario:
I suspect the issue might be that the /api/v1/csrf-token endpoint isn’t designed to issue a CSRF token when a web token is used as an authorization bearer token. The documentation includes an example with an API key, but that solution isn’t feasible in my case because multiple users need access to the mashup.
Can anyone offer some guidance on this?
Thanks for the support!
Are you using in the qlik/api configuration the same OAuth client ID used in the M2M impersonation token request?
What are the scopes set in OAuth client in Management Console? Can you share the config here?
I'm using the same OAuth client:
I use the same client in a second mashup (Qlik-embed) and it's working fine
Which scope are you using when you are requesting the M2M token? Which userId are you using? Did you check if that userId has access to the app you are trying to open?
Another thing, try to avoid mixed content. I see you have your webapp running on http but Qlik SaaS uses https. Please change your local web server to https.
I tested three different scopes: 'user_default,' 'admin_classic,' and 'apps,' but received the same error each time.
The token impersonates my Qlik user, which has full access to the space/app.
I also tried running the application on a test web server, but the same error occurs. The web server is whitelisted in the OAuth client configuration.
Please note that a different mashup, which uses the same service to obtain the token through the Qlik-embed framework, works fine on both my laptop and the test web server with the same token.
When you are setting qlik/api configuration, M2M OAuth token has to be defined as string. Are you using a function as you are doing with qlik-embed?
To be clear, in the code below getAccessToken has to be the token and not the function for retrieving the token
    const config = {
      authType: "oauth2",
      host: configParams.tenantHostname,
      clientId: configParams.oAuthClientId,
      getAccessToken: 'ejshajeid.......'
    };
Correct. I do exactly that
This is my backend API. As you can see accessToken is returned from qlikAuth.getAccessToken and that's a string. As I said before I tried 3 different scopes: 'user_default,' 'admin_classic,' and 'apps,' but received the same error each time
    // Get access token (M2M impersonation) for use in front-end by qlik-embed using qlik/api
    app.post("/oauth/access-token", async (req, res) => {
      console.log('Retrieving access token for', req.body.userId + ' ----------------------------');
      const userId = req.body.userId;
      if (userId != undefined && userId.length > 0) {
        try {
          const accessToken = await qlikAuth.getAccessToken({
            hostConfig: {
              // ... (other fields are not shown in the post)
              scope: "apps",
            },
          });
          console.log("Retrieved access token for: ", userId, 'token', accessToken);
          res.setHeader('Access-Control-Allow-Origin', '*');
          res.setHeader('Access-Control-Allow-Methods', 'POST');
          res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
          // ... (the line that sends the response is not shown in the post)
        } catch (err) {
          res.status(401).send("No access");
        }
      }
    });
In the frontend I get the token and I use it to open a session:
    async function getEnigmaSessionAndApp2(userInfo: any, http: HttpClient) {
      const url = `${environment.JWT_PROVIDER}/oauth/access-token`;
      const headers = new HttpHeaders({ 'Content-Type': 'application/json' });
      const body = { 'userId': userInfo.QlikSUb };
      const webToken: string = await firstValueFrom(http.post(url, body, { headers, responseType: 'text' }));
      const hostConfig: any = {
        authType: "oauth2",
        host: environment.QLIK_PARAMETERS.QLIK_URL,
        clientId: environment.QLIK_PARAMETERS.CLIENT_ID,
        getAccessToken: webToken
      };
      const session = qix.openAppSession({ appId: environment.QLIK_PARAMETERS.QLIK_APPID });
      const app = await session.getDoc();
      return [session, null, app];
    }
But when I try to open the session I get the error:
In the network section of Chrome I can't see any web socket...
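As posted, the /oauth/access-token route above takes the user to impersonate from the request body, writes the token to the log and answers with Access-Control-Allow-Origin: *. A hardened variant of that handler, as an added example that is not code from the thread; the session field req.session.user.qlikSubject, the ALLOWED_ORIGINS value and the issueToken wrapper (standing in for the qlikAuth.getAccessToken call) are hypothetical.

```javascript
// Added example: hardened variant of the /oauth/access-token handler.
// Hypothetical names: ALLOWED_ORIGINS, req.session.user.qlikSubject, issueToken.
const ALLOWED_ORIGINS = new Set(["https://mashup.example.com"]); // constructed value

// Echo the Origin header back only when it is on the allowlist (never "*").
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": "POST",
    "Access-Control-Allow-Headers": "Content-Type",
    "Vary": "Origin",
  };
}

// The subject to impersonate comes from the server-side session created at login,
// not from req.body, so a caller cannot request a token for another user.
function subjectFromSession(req) {
  const subject = req.session && req.session.user && req.session.user.qlikSubject;
  return typeof subject === "string" && subject.length > 0 ? subject : null;
}

// issueToken(subject) stands in for the M2M impersonation call made in the post.
function createTokenHandler(issueToken) {
  return async function tokenHandler(req, res) {
    const cors = corsHeadersFor(req.headers.origin);
    for (const [name, value] of Object.entries(cors)) {
      res.setHeader(name, value);
    }
    const subject = subjectFromSession(req);
    if (!subject) return res.status(401).send("No access");
    try {
      const accessToken = await issueToken(subject);
      console.log("Issued access token for", subject); // log the subject, never the token
      res.setHeader("Cache-Control", "no-store");
      return res.status(200).send(accessToken);
    } catch (err) {
      return res.status(401).send("No access");
    }
  };
}
```

The handler has the Express signature, so it can be mounted with app.post("/oauth/access-token", createTokenHandler(issueToken)) behind whatever middleware populates the session.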
Ok, your code is working on my end.
Looking better at the errors in console, those errors are referring to your qlik-embed code. Are you using qlik-embed somewhere? You told me that you are trying to use qlik/api.
Seems that you are trying to use qlik-embed with M2M impersonation token and you are defining the function for evaluated data-get-access-token property in the wrong way. Could you please share your code for qlik-embed? Function for setting data-get-access-token has to be set in html head tag, before your script which will create qlik-embed configuration.
Sorry, I don't understand. I'm not using Qlik-embed in any module of my application. I used it in another mashup, but this is a new project where I use "Qlik/api" to open the document and Nebula.js to create the visualizations.
Just to be sure, I double-checked: none of the HTML components contain the Qlik-embed tag, and I haven't imported the framework either.
The error in the console appears when I execute the following:
The next step should be the getDoc, but at this point, I get the error, even though all the parameters are set correctly:
As you can see I got the error and never reached the breakpoint at line 273.
Here, network elements filtered by "qlik". I think qmfe-api are related to "Qlik_api" api
Which qlik/api version are you using?
Anyway. Can't help more than this here. To reproduce the error on my end I need to connect to your tenant and run the code on my end. For this I need the tenant URL, OAuth client ID and client secret to generate a token, and the userId. Alternatively, you could send me (with private message) a valid M2M OAuth token and then I can test it
Peace, @cristian_dalsanto . Ensure you do use a function for your getAccessToken in the setDefaultHostConfig. For example:
    import { auth, qix } from "@qlik/api";
    auth.setDefaultHostConfig({
      host: import.meta.env.VITE_SENSE_BASE_URI,
      authType: "Oauth2",
      clientId: import.meta.env.VITE_OAUTH_CLIENT_ID,
      getAccessToken: async () => {
        // console.log('Bearer token string sent from the backend', token);
        return token;
      },
    });
    const app = await qix
      .openAppSession({
        appId: appId,
      })
      .getDoc();
For further details: https://lab.pendraco.com/-/snippets/43