This is a revisit of this old bug - 
The VisitSummary and VisitFrequency widgets don't work when using a token_auth string for authentication. The above bug allowed the Widgetize pluging to authenticate with token_auth, however some widgets make direct api calls to plugins bypassing the widgetize plugin. For example the Visit Overview widget (i.e. - [http://demo.piwik.org/index.php?module=Widgetize&action=iframe&moduleToWidgetize=VisitsSummary&actionToWidgetize=index&idSite=7&period=day&date=yesterday&disableLink=1&widget=1]), doesn't authenticate correctly for the little spark line graphs at the bottom if authenticating via token_auth. Each of these are generated via separate calls direct to the VisitsSummary module, which doesn't authenticate via the token_auth string. Also, if you add any other sparklines via the 'Metrics to Plot' box in the widget, this also makes direct calls to the module and doesn't authenticate correctly. The same can be seen with the VisitFrequency widget, when you add extra sparklines.
To fix this I added a call to "Piwik_API_Request::reloadAuthUsingTokenAuth();" as the first line of the getEvolutionGraph() function in both VisitsSummary and VisitFrequency Controller.php files. I'm not going to do a patch for this as I'm not sure if this is a recommended approach as it seems the getEvolutionGraph() function is called internally by other things - so this may introduce other problems.
Attachment: Actually - here's a patch - just in case it helps...
I guess it would make sense to auth the graphs as well, but let's double check this patch.
it's working now!