Authentication


Before you can perform any activities in Tableau Cloud Manager (TCM), you need to authenticate to Tableau Cloud Manager REST API. Authenticating to Tableau Cloud Manager REST API has different requirements than authenticating directly to Tableau Cloud Manager.

About authenticating to Tableau Cloud Manager REST API

To authenticate, or sign in, to Tableau Cloud Manager REST API, you must be a cloud administrator, and use one of the following:

After signing in, you acquire a TCM credentials token. A TCM credentials token is required for any subsequent API requests that you make. You can use the Authentication Methods to sign in to the Tableau Cloud Manager REST API.

For more information, see Sign in to Tableau Cloud Manager REST API below.

About unified access tokens (UATs)

Beginning in December 2025, you can configure a unified access token (UAT) that enables you to pass a JSON Web Token (JWT) to acquire a TCM credentials token. Among its benefits, UATs enable unified JWT-based authentication across Tableau Cloud Manager REST API and Tableau REST API for tenant and site-level administrative and content tasks.

For more information, see Unified Access Tokens.

About authenticating to Tableau Cloud Manager

To authenticate, or sign in, to the TCM UI, you must be a cloud administrator and one of the following authentication types must be enabled for the tenant:

Notes:

For more information, see Set up TCM authentication for users below.

About configuring SAML authentication in Tableau Cloud Manager

Beginning in December 2025, the SAML configuration methods in the TCM REST API enable you, the cloud administrator, to programmatically configure both SAML authentication for Tableau Cloud Manager (tenant) and your Tableau Cloud sites. This includes creating, updating, deleting SAML configurations for both the tenant and specific sites.

For more information, see Single Sign-on Methods.

Table of Contents

Sign in to Tableau Cloud Manager REST API

To sign in to Tableau Cloud Manager REST API, you need to generate a personal access token (PAT) through the TCM UI first. After you create the PAT, you can use it in the Sign in with personal access token method request body.

About personal access tokens

PATs are long-lived access tokens. PATs validate that cloud administrators are allowed to sign in to Tableau Cloud Manager REST API. PATs offer the following advantages:

For more information about PATs, see the Personal Access Tokens for Tableau Cloud Manager topic in the Tableau Cloud Help.

Notes:

Step 1: Create a personal access token from TCM UI

Before you can sign in to the Tableau Cloud Manager REST API for the first time, you must generate a PAT from the TCM UI first.

  1. On the Tableau Cloud Manager sign-in page, enter your username (email address). Note: The username you enter depends on the authentication set up for TCM.

  2. Do one of the following depending on what is displayed:
    • Select the tenant name and click the Sign In button.
    • Enter the tenant name in the URI text box and click the Continue button. Note: If you don’t know the tenant name, see How to Find Tenant Name.

  3. Follow the prompts to enter your password and complete the sign-in process. Note: Your sign-in experience depends on the authentication set up for TCM.

  4. Navigate to your account drop-down in the upper-right corner of the page and select My Account Settings.
  5. In the Personal Access Tokens section, do the following:
    • 5.1. Click the Create Token button.
    • 5.2. Enter a token name.
    • 5.3. Optionally, set the token expiration.
    • 5.4. Click the Create button.
    • 5.5. Click the Copy Secret button to use in your Sign In request. Make sure you store the token secret in a safe location. The token secret is only shown once and won’t be accessible after the dialog box is closed.

Step 2: Make a sign in request with personal access token

The following section describes the different components required to sign in to the Tableau Cloud Manager REST API using the Sign in with personal access token method.

Example URI

To call the Tableau Cloud Manager REST API, first make a request using the Sign in with personal access token method to generate a TCM credentials token like in the example below.

POST https://cloudmanager.tableau.com/api/v1/pat/login

Example request body

The Sign in with personal access token request body must contain the PAT secret, token, like in the example below.

{
	 "token":  "JKGpaIjBQaS1vlXIIt9g+A==:-jeD0dkAWu-mwZQPgRf3NvgHQBUZ7atQsPxh911YmPU"
}

Example response body

The Sign in with personal access token request produces the following response body. The response includes the TCM credentials token, sessionToken, like in the example below.

{
	"sessionToken": "+iUzQx+s:E9T43sqund-xDGle-9trR7WPLkqCkT_7zks3_dVsV0By_Jji",
	"userId": "306982a2-4bb0-b858-b82eeI24b857",
	"tenantId": "56978815-59b6-4a61-b9e8-ede126e23bab",
	"sessionExpiration": "2024-0706T84:53:13.688541Z"
}

Step 3: Include the x-tableau-session-token header in subsequent requests

After generating the TCM credentials token, sessionToken, add it to the header, x-tableau-session-token, for all subsequent Tableau Cloud Manager REST API requests.

Example header

x-tableau-session-token:+iUzQx+s:E9T43sqund-xDGle-9trR7WPLkqCkT_7zks3_dVsV0By_Jji

The TCM credentials token is short-lived. It expires after 4 hours or when the session is idle for 30 continuous minutes with no requests. When the TCM credentials token expires, you need to sign in to Tableau Cloud Manager REST API again to get a new TCM credentials token.

Set up TCM authentication for users

Using the Tableau Cloud Manager REST API, you can configure authentication to Tableau Cloud Manager (TCM) and assign the authentication type to TCM users. You can set the following types of authentication to enable sign-in for TCM users:

Note: To use Tableau with MFA authentication, skip Step 1 and go directly to Step 2: Assign authentication to users below.

Step 1: Configure authentication

After you make the sign-in request, you can configure Google, OpenID Connect (OIDC), or Salesforce authentication using the Create or update OIDC configuration method. Alternatively, you can configure SAML authentication using Create SAML configuration method.

The example below sets up Salesforce authentication for the tenant, which has a resource value of 123e4567-e89b-12d3-a456-426614174000 that can be retrieved by using the Get Tenant method.

Example URI

PUT https://cloudmanager.tableau.com/api/v1/resources/123e4567-e89b-12d3-a456-426614174000/oidcconfiguration

Example request body

{
  "enabled": true,
  "knownProviderAlias": "Salesforce",
  "salesforceDomain": "login.salesforce.com"
}

Step 2: Assign authentication to user

After the authentication type has been configured for the tenant, assign TCM users to use that authentication.

To assign single sign-on (SSO) authentication to users

Using the Add tenant user method, set the idp value to OpenID. In this example, Salesforce authentication is assigned to the new TCM user because Salesforce is the authentication type configured for the tenant, which is specified by the knownProviderAlias attribute in Step 1: Configure authentication above.

Example URI

POST https://cloudmanager.tableau.com/api/v1/tenants/f97df110-f4de-492e-8849-4a6af68026b0/users

Example request body

{
  "linkRoles": [
   {
	"linkID": "ce9cad81-cd67-43fb-b952-2441d7b5a751",
	"linkRole": "LINK_ADMIN",
	"idp": "OpenID"
   }
  ]		
}

To assign Tableau with MFA authentication to users

Using the Add tenant user method, set the idp value to TabIDWithMFA.

Example URI

POST https://cloudmanager.tableau.com/api/v1/tenants/f97df110-f4de-492e-8849-4a6af68026b0/users

Example request body

{
  "linkRoles": [
   {
	"linkID": "ce9cad81-cd67-43fb-b952-2441d7b5a751",
	"linkRole": "LINK_ADMIN",
	"idp": "TabIDWithMFA"
   }
  ]		
}