Permission Denied and Content Could Not Be Displayed after a short time on Cookieless Embed

With Cookieless Embed, after 10-30 minutes of the embedded page being loaded, the embedded dashboard is replaced with this screen:

 
 

[Screenshot: content.png]

It looks like some calls around that time are made that return 401 Permission Denied, even though similar calls were made earlier to the same endpoint successfully. Mainly /api/internal/session/heartbeat and /embed/dashboards.

For our implementation, we are initializing the cookieless embed SDK like this so that we can include the authorization header in the call to get the session/tokens:

LookerEmbedSDK.initCookieless(
  LookerHost,
  {
    headers: {
      Authorization: `Bearer ${sessionId}`,
    },
    url: 'https://<our backend>/looker/acquire-embed-session',
    credentials: 'include',
  },
  {
    headers: {
      Authorization: `Bearer ${sessionId}`,
    },
    url: 'https://<our backend>/looker/generate-embed-tokens',
    credentials: 'include',
  },
);

and then creating the dashboard

LookerEmbedSDK.createDashboardWithId(config.dashboardId)
  .withClassName('looker-embed')
  .appendTo(config.elementRef.nativeElement)
  .build()
  .connect()
  .catch((error: Error) => {
    console.error('An unexpected error occurred', error);
  });

The acquire and generate calls are being made successfully, and even though I need to manage/cache the tokens on the backend because of this issue I opened in GitHub, the generate call returns new tokens each time.

However, I did notice that the initial navigation token from the acquire call is being used on the failing embed/dashboards call and is in the referrer for the failing heartbeat call, but I am uncertain about the origin of those calls and haven't been able to see if/how to make changes to the SDK to adjust them.
