Tableau REST API Reference
API docs by Redocly

Tableau Cloud Manager REST API Reference (current)

URL: https://{tenant}.cloudmanager.tableau.com

The REST API methods for Tableau Cloud Manager (TCM) allow cloud administrators to manage tenants, sites, and users. TCM REST API methods include administrative, authentication, single sign-on, site, tenant, and user methods.

TCM REST API OVERVIEW

Tableau Cloud Manager (TCM) REST API methods are available for Tableau Cloud October 2024. For an overview, see Tableau Cloud Manager REST API Overview.

Administrative Methods

TCM REST API Administrative methods allow cloud administrators to manage tenants, sites, and users in the following ways:

  • List the regions where tenants can be available.
  • Get the count of users categorized by role for each site in a tenant.
  • Get the count of users categorized by role for a specified site.
  • Get the count of users categorized by role for a tenant.
  • Get information about the current REST API session.
  • Get activity logs for the tenant.
  • Get activity logs for the site.

List regions

List the regions where a site can be created in a tenant, filtered by the provided criteria.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_regions:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
query Parameters
pageNumber
integer <int32> >= 0
Default: 0

The number of the page to return values for. A value of 0 means do not page results.

pageSize
integer <int32> >= 0
Default: 100

The number of items returned per page.

latitude
number <double>
Example: latitude=37.7749

The latitude of the region, an value between -90 and +90.

longitude
number <double>
Example: longitude=-122.4194

The longitude of the region, a value between -180 and +180.

visibility
string
Enum: "INTERNAL" "PUBLIC"

If INTERNAL, the region is not visible to users. If PUBLIC the region is visible to users. Default is INTERNAL.

countryCode
string
Example: countryCode=US

The country code in the region definition.

Responses

Response samples

Content type
application/json
{
  • "regions": [
    ],
  • "data": [
    ]
}

Accept tenant terms and conditions

Accepts the terms and conditions for the specified tenant.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, October 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_tenants:update. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string

The unique identifier for the tenant.

Responses

Response samples

Content type
application/json
"string"

Get activity logs for tenant

Gets the download URLs for tenant activity logs in a comma-separated values (CSV) file.

Use List activity logs for tenant to find the log file paths you provide. Without an additional license, activity generally takes 2 hours to become available in logs. For more information see, Activity Log in the Tableau Cloud Help.

The response for each activity log URL includes: expiresAt which shows the length of time after the response that a returned URL will remain valid; and an eTag that is an MD5 hash of the activity log content that can be used for tamper proofing and other verification needs.

Version: Available in Tableau Cloud Manager v1, January 2025, and later.

Permissions: Only cloud administrators can call this method.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_tenants_logs:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string
Example: 123e4567-e89b-12d3-a456-426614174000

The unique identifier of the tenant.

Request Body schema: application/json
required
files
required
Array of strings

Activity log file paths. You can get the activity log file paths for the tenant by calling the List activity logs for tenant method or for the site by calling the List activity logs for site method.

Responses

Request samples

Content type
application/json
{
  • "files": [
    ]
}

Response samples

Content type
application/json
{
  • "files": [
    ]
}

List activity logs for tenant

Gets a list of paths to the tenant's activity logs for the specified time period and event type.

Use the paths returned by this method in a request to the Get activity logs for tenant method to download the activity logs.

About activity log timestamps

Activity log timestamps generally show when the record for a particular event became available, which might be later than when the event occurred. To avoid missing any relevant activity logs data, consider expanding your query's time range to account for the potential differences.

Version: Available in Tableau Cloud Manager v1, January 2025, and later.

Permissions: Only cloud administrators can call this method.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_tenants_logs:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string
Example: 123e4567-e89b-12d3-a456-426614174000

The unique identifier of the tenant.

query Parameters
startTime
string <date-time>
Example: startTime=2024-01-01T00:00:00

The start time in UTC of the returned activity log records. Default is 24 hours prior to the time of the request.

endTime
string <date-time>
Example: endTime=2024-01-01T00:00:00

The end time in UTC of the returned activity log records. Default is the time of the request. 7 days is the maximum time span you can specify between start and end times. The request will fail if your end time exceeds that.

eventType
string
Enum: "batch_revoke_personal_access_token" "batch_revoke_session" "create_or_update_oidc_config" "create_or_update_saml_config" "create_personal_access_token" "create_private_connection" "create_site" "create_tenant" "create_user" "delete_oidc_config" "delete_private_connection" "delete_saml_config" "delete_site" "delete_tenant" "delete_user" "get_sites" "get_users" "list_personal_access_tokens" "merge_tenant" "migrate_site" "personal_access_token_login" "reactivate_site" "revoke_personal_access_token" "revoke_session" "site_limits_change" "suspend_site" "tcm_activity_log_access" "update_personal_access_token" "update_private_connection" "update_session" "update_tenant" "update_user" "update_user_site_role" "update_user_tenant_role" "user_login_create_session"
Example: eventType=update_user_site_role

The type of event to filter returned activity logs by. If not provided, all types are returned. For more information about event types and their attributes, see Activity Log Tenant Event Type Reference in the Tableau Cloud Help.

pageSize
integer <int32>
Example: pageSize=100

The number of log file paths to return in a response. Default is 100.

pageToken
string
Example: pageToken=fDIwMjQtMDktMDlUMDU6MDA=

The token to provide in order to request the next page of file paths.

Responses

Response samples

Content type
application/json
{
  • "files": [
    ],
  • "pageToken": "string"
}

List tenant locations

Lists the Tableau pod locations or regions where a site for the specified tenant can be created.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_tenants:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string

The unique identifier for the tenant.

Responses

Response samples

Content type
application/json
{
  • "podsData": {
    },
  • "regionsData": {
    }
}

List user data for tenant sites

For each site in the tenant, returns counts of users licensed for different roles.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_sites:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string <uuid>

The unique identifier of the tenant.

Responses

Response samples

Content type
application/json
{
  • "allSites": [
    ]
}

Get user data for site

For the specified site, returns counts of users licensed for different roles.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_sites:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string <uuid>

The unique identifier of the tenant.

siteId
required
string <uuid>

The unique identifier of the site.

Responses

Response samples

Content type
application/json
{
  • "siteId": "60189e9c-7d12-438c-b9ca-6998d9c364b1",
  • "userCount": 0,
  • "siteAdminCount": 0,
  • "creators": 0,
  • "explorers": 0,
  • "viewers": 0,
  • "unlicensed": 0
}

Get user data for tenant

For the specified tenant, returns counts of users licensed for different roles.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_tenants:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string <uuid>

The unique identifier of the tenant.

Responses

Response samples

Content type
application/json
{
  • "creators": 0,
  • "explorers": 0,
  • "viewers": 0,
  • "unlicensed": 0
}

Get session information

Returns the user ID and tenant ID associated with the session.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager V2, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: Not required. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token

Responses

Response samples

Content type
application/json
{
  • "sessionId": "123e4567-e89b-12d3-a456-426614174000",
  • "userId": "123e4567-e89b-12d3-a456-426614174000",
  • "tenantId": "123e4567-e89b-12d3-a456-426614174000",
  • "sessionType": "USER"
}

Get activity logs for site

Gets activity log files for the site.

The response returns file paths. File paths include: expiresAt which shows the length of time after the response that the returned URL will remain valid; and an eTag that is an MD5 hash of the log content that can be used for tamper proofing and other verification needs.

For more information about site activity captured by activity logs, see Activity Log Site Events in the Tableau Cloud Help.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, October 2025, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_sites_logs:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string
Example: 123e4567-e89b-12d3-a456-426614174000

The unique identifier of the tenant.

siteId
required
string
Example: 567f1234-e89b-71e5-a456-428814174111

The unique identifier of the site.

Request Body schema: application/json
required
files
required
Array of strings

Activity log file paths. You can get the activity log file paths for the tenant by calling the List activity logs for tenant method or for the site by calling the List activity logs for site method.

Responses

Request samples

Content type
application/json
{
  • "files": [
    ]
}

Response samples

Content type
application/json
{
  • "files": [
    ]
}

List activity logs for site

Gets a list of activity log files for the site.

The response returns a list of file paths to activity log files for the specified time period and event type. Use the paths returned in a request with the Get activity logs for site method to download the activity logs.

About activity log timestamps

Activity log timestamps generally show when the record for a particular event became available, which might be later than when the event occurred. To avoid missing any relevant activity logs data, consider expanding your query's time range to account for the potential differences.

Known issues

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, October 2025, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_sites_logs:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string
Example: 123e4567-e89b-12d3-a456-426614174000

The unique identifier of the tenant.

siteId
required
string
Example: 567f1234-e89b-71e5-a456-428814174111

The unique identifier of the site.

query Parameters
startTime
string <date-time>
Example: startTime=2025-01-01T00:00:00

The start time in UTC of the returned activity log records. Default value is 24 hours prior to the time of the request.

endTime
string <date-time>
Example: endTime=2025-01-01T00:00:00

The end time in UTC of the returned activity log records. Default value is the time of the request.

eventType
string
Enum: "activity_log_settings_change" "add_delete_group_to_group_set" "add_delete_user_to_group" "archive_content" "background_job" "bridge_client_register" "content_owner_change" "create_datasource_connection" "create_delete_group" "create_delete_group_set" "create_permissions" "delete_all_permissions" "delete_datasource_connection" "delete_permissions" "delete_permissions_grantee" "display_sheet_tabs" "hist_access_authoring_view" "hist_access_datasource" "hist_access_datasource_remotely" "hist_access_metric" "hist_access_summary_data" "hist_access_underlying_data" "hist_access_view" "hist_activate_site" "hist_add_user_to_group" "hist_append_to_datasource_extract" "hist_bulk_delete_columns" "hist_change_collection_ownership" "hist_change_data_role_ownership" "hist_change_database_contact" "hist_change_datasource_ownership" "hist_change_flow_ownership" "hist_change_metric_ownership" "hist_change_project_ownership" "hist_change_published_connection_ownership" "hist_change_site_extract_encryption_mode" "hist_change_table_contact" "hist_change_workbook_ownership" "hist_create_collection" "hist_create_column" "hist_create_data_quality_indicator" "hist_create_database" "hist_create_datasource_extracts" "hist_create_datasource_task" "hist_create_datasource_trigger" "hist_create_flow_task" "hist_create_flow_trigger" "hist_create_group" "hist_create_linked_task" "hist_create_materialized_views" "hist_create_metric" "hist_create_project" "hist_create_schedule" "hist_create_site" "hist_create_subscription_task" "hist_create_system_user" "hist_create_table" "hist_create_user" "hist_create_workbook_extracts" "hist_create_workbook_task" "hist_decrypt_datasource_extracts" "hist_decrypt_datasource_extracts_request" "hist_decrypt_flow_draft_extracts" "hist_decrypt_flow_draft_extracts_request" "hist_decrypt_flow_extracts" "hist_decrypt_flow_extracts_request" "hist_decrypt_materialized_views" "hist_decrypt_site_extracts_request" "hist_decrypt_workbook_extracts" "hist_decrypt_workbook_extracts_request" "hist_delete_access_token" "hist_delete_collection" "hist_delete_column" "hist_delete_data_quality_indicator" "hist_delete_data_role" "hist_delete_database" "hist_delete_datasource" "hist_delete_datasource_task" "hist_delete_datasource_trigger" "hist_delete_expired_refresh_token" "hist_delete_flow" "hist_delete_flow_draft" "hist_delete_flow_task" "hist_delete_flow_trigger" "hist_delete_group" "hist_delete_linked_task" "hist_delete_materialized_views" "hist_delete_metric" "hist_delete_project" "hist_delete_refresh_token_session" "hist_delete_schedule" "hist_delete_site" "hist_delete_system_user" "hist_delete_table" "hist_delete_user" "hist_delete_user_from_group" "hist_delete_view" "hist_delete_workbook" "hist_delete_workbook_task" "hist_disable_linked_task_schedule" "hist_disable_schedule" "hist_download_datasource" "hist_download_flow" "hist_download_flow_draft" "hist_download_workbook" "hist_enable_linked_task_schedule" "hist_enable_schedule" "hist_encrypt_datasource_extracts" "hist_encrypt_datasource_extracts_request" "hist_encrypt_flow_draft_extracts" "hist_encrypt_flow_draft_extracts_request" "hist_encrypt_flow_extracts" "hist_encrypt_flow_extracts_request" "hist_encrypt_materialized_views" "hist_encrypt_site_extracts_request" "hist_encrypt_workbook_extracts" "hist_encrypt_workbook_extracts_request" "hist_export_summary_data" "hist_export_underlying_data" "hist_hyper_data_update_job" "hist_impersonate_user" "hist_increment_datasource_extract" "hist_increment_workbook_extracts" "hist_issue_refresh_token" "hist_lock_site" "hist_login" "hist_login_with_pat" "hist_logout" "hist_move_data_role" "hist_move_database" "hist_move_datasource" "hist_move_flow" "hist_move_flow_draft" "hist_move_metric" "hist_move_project" "hist_move_published_connection" "hist_move_table" "hist_move_workbook" "hist_pause_datasource_extract_refresh" "hist_pause_workbook_extract_refresh" "hist_publish_data_role" "hist_publish_datasource" "hist_publish_flow" "hist_publish_view" "hist_publish_workbook" "hist_redeem_refresh_token" "hist_refresh_datasource_extract" "hist_refresh_workbook_extracts" "hist_rekey_datasource_extracts" "hist_rekey_flow_draft_extracts" "hist_rekey_flow_extracts" "hist_rekey_materialized_views" "hist_rekey_site_extracts_request" "hist_rekey_workbook_extracts" "hist_rename_collection" "hist_rename_data_role" "hist_rename_datasource" "hist_rename_flow" "hist_rename_flow_draft" "hist_rename_group" "hist_rename_metric" "hist_rename_published_connection" "hist_rename_workbook" "hist_replace_datasource_extract" "hist_revoke_refresh_token" "hist_run_flow" "hist_run_flow_scheduled" "hist_save_flow" "hist_save_flow_draft" "hist_send_data_driven_alert_email" "hist_send_failing_data_alert_email" "hist_send_refresh_pre_pause_email_for_content" "hist_send_subscription_email_for_view" "hist_send_subscription_email_for_workbook" "hist_send_suspended_data_alert_email" "hist_suspend_site" "hist_update_collection" "hist_update_column" "hist_update_data_quality_indicator" "hist_update_data_role" "hist_update_database" "hist_update_datasource" "hist_update_datasource_task" "hist_update_datasource_trigger" "hist_update_flow" "hist_update_flow_draft" "hist_update_flow_task" "hist_update_flow_trigger" "hist_update_linked_task" "hist_update_metric" "hist_update_project" "hist_update_schedule" "hist_update_site" "hist_update_system_user_email" "hist_update_system_user_force_password_update" "hist_update_system_user_image" "hist_update_system_user_name" "hist_update_system_user_password" "hist_update_system_user_reset_login_rate_limiting" "hist_update_table" "hist_update_task_state" "hist_update_user_site_role" "hist_update_workbook" "hist_update_workbook_task" "hist_upgrade_datasource_extract_storage" "hist_upgrade_datasource_tde_extract" "hist_upgrade_workbook_extract_storage" "hist_upgrade_workbook_tde_extract" "login_authentication" "login_verification" "metric_subscription_change" "move_content" "oauth_settings_change" "platform_configuration_change" "platform_settings_change" "prep_flowruns" "project_lock_unlock" "restore_content" "set_permissions" "site_storage_usage" "tabgpt_registration_event" "update_permissions" "update_permissions_template" "usage_event" "user_create_delete" "vizql_http_request"
Example: eventType=eventType=hist_access_view

The type of event to filter returned logs by. Default value is all types. For more information about site events, see Activity Log Site Event Types in the Tableau Cloud Help.

pageSize
integer <int32>
Example: pageSize=pageSize=100

The number of activity log files to return in the response. Default value is 100.

pageToken
string
Example: pageToken=pageToken=fDIwMjQtMDktMDlUMDU6MDA=

The token to provide in order to request the next page of activity log files.

Responses

Response samples

Content type
application/json
{
  • "files": [
    ],
  • "pageToken": "string"
}

Authentication Methods

Tableau Cloud Manager REST API Authentication methods allow cloud administrators to sign in to Tableau Cloud Manager REST API and manage personal access tokens (PATs) or unified access tokens (UATs) in the following ways:

  • Create a personal access token (PAT). Creating a PAT generates a PAT secret that you use in the request body of your sign-in request.
    • List all valid PATs.
    • Revoke a PAT.
    • Sign in to TCM REST API using a PAT and get a session access token, x-tableau-session-token, to use in the header of all subsequent REST API calls.
  • Configure a unified access token (UAT) for JSON Web Token (JWT)-based authentication.
    • Get a UAT configuration.
    • List all UAT configurations.
    • Delete a UAT configuration.
    • Sign in to TCM REST API using a UAT and get a session access token, x-tableau-session-token, to use in the header of all subsequent REST API calls.
    • Revoke a UAT JWT.
    • List all revoked UAT JWTs.
    • Delete a revoked UAT JWT.

For more information, see TCM REST API Authentication.

Create personal access token

Generates a personal access token (PAT) to enable REST API authentication for Tableau Cloud Manager (TCM).

A PAT is required to sign in to Tableau Cloud Manager (TCM).

Notes:

  • This PAT cannot be used to sign in to Tableau Cloud.
  • When signing in to Tableau Cloud Manager REST API for the first time, you must use the TCM UI to generate a PAT. For more information, see TCM REST API Authentication.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: Not available. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
Request Body schema: application/json
required
tokenName
required
string

Name of the personal access token (PAT). PAT name must be unique.

absoluteExpiryInDays
integer <int32>

Number of days the PAT is valid for. Default value is 180 days; maximum value is 365 days. For security purposes, we recommend setting a value that is no more than 180 days.

Responses

Request samples

Content type
application/json
{
  • "tokenName": "MyTokenName",
  • "absoluteExpiryInDays": 180
}

Response samples

Content type
application/json
{
  • "tokenUUID": "123e4567-e89b-12d3-a456-426614174000",
  • "tokenName": "MyTokenName",
  • "userId": "123e4567-e89b-12d3-a456-426614174000",
  • "tenantId": "123e4567-e89b-12d3-a456-426614174000",
  • "issueInUtc": "2024-07-01T00:00:00Z",
  • "expirationInUtc": "2024-07-31T00:00:00Z",
  • "secret": "string"
}

List personal access tokens

Gets a list of all valid personal access tokens (PATs) you have generated for Tableau Cloud Manager (TCM).

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_pats:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Revoke personal access token

Revokes a personal access token (PAT).

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_pats:delete. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
header Parameters
tokenUUID
required
string

The token ID of the PAT.

Responses

Response samples

Content type
application/json
{
  • "message": "string",
  • "reason": "string",
  • "errorCode": "string"
}

Sign in with personal access token

Signs in to Tableau Cloud Manager (TCM) REST API using a personal access token (PAT).

You must use a PAT to sign in to theTCM REST API using this method. To generate a PAT, go to your TCM My Account Settings or call the Create Personal Access Token method.

Note: When signing in to TCM REST API for the first time, you must use the TCM UI to generate a PAT. For more information, see TCM REST API Authentication.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: Not required. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
Request Body schema: application/json
required
token
required
string

Token secret that is generated when you create a personal access token (PAT).

Responses

Request samples

Content type
application/json
{
  • "token": "bSG+6ttrRgqMLzonp5j89w==:SUOF-rjwMZZKXg-T3GcpDVFrIKAO6VIbTyZyq39bWR0"
}

Response samples

Content type
application/json
{
  • "sessionToken": "bSG+6ttrRgqMLzonp5j89w==:SUOF-rjwMZZKXg-T3GcpDVFrIKAO6VIbTyZyq39bWR0",
  • "userId": "123e4567-e89b-12d3-a456-426614174000",
  • "tenantId": "123e4567-e89b-12d3-a456-426614174000",
  • "sessionExpiration": "2019-08-24T14:15:22Z"
}

Create unified access token configuration

Creates a unified access token (UAT) configuration to enable Tableau Cloud Manager REST API authentication using a JSON Web Token (JWT).

A UAT configuration must be associated with the JWT, through its public key or JWKS URI, used to sign in to Tableau Cloud Manager (TCM) REST API using the Sign in with JSON Web Token method.

Tableau Cloud Manager REST API authentication with a JWT enables users to perform administrative and content tasks both on the tenant and Tableau Cloud sites on the tenant.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, December 2025, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_uat_configs:create. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
Request Body schema: application/json
required
name
required
string

The name of the unified access token (UAT) configuration. UAT configuration name must be unique.

issuer
required
string

The issuer of the JSON Web Token (JWT).

publicKey
string

The public key used to verify the JSON Web Token (JWT). Use this value or jwksUri, but not both.

jwksUri
string

The URI of the JWKS endpoint. Use this value or publicKey, but not both.

usernameClaim
string

The username claim that maps to the Tableau username. Default value is email.

resourceIds
required
Array of strings <uuid> unique [ items <uuid > ]

The tenant ID, the tenant ID and site IDs associated with the tenant, or site IDs associated with the same tenant. You can get the resourceId by calling the Get Tenant or List Tenant Sites method.

scopes
Array of strings <scope> unique [ items <scope > ]

The access scopes defined in the JSON Web Token (JWT) associated with the unified access token (UAT) configuration. Scopes in the UAT are optional and allow you to further restrict the operations available to the JWT.

enabled
boolean

If true, the unified access token (UAT) configuration is enabled. Default value is true.

Responses

Request samples

Content type
application/json
{
  • "name": "JWT - Employees",
  • "issuer": "https://myidp.okta.com/app1",
  • "publicKey": "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...",
  • "jwksUri": "https://myidp.okta.com/oauth2/default/v1/keys",
  • "usernameClaim": "string",
  • "resourceIds": [
    ],
  • "scopes": [
    ],
  • "enabled": true
}

Response samples

Content type
application/json
{
  • "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  • "tenantId": "f97df110-f4de-492e-8849-4a6af68026b0",
  • "configId": "46ff6d11-d8b2-40d8-9197-dfa33c61cd6c",
  • "name": "string",
  • "issuer": "string",
  • "publicKeyActive": "string",
  • "publicKey": "string",
  • "jwksUri": "string",
  • "usernameClaim": "string",
  • "resourceIds": [
    ],
  • "scopes": [
    ],
  • "enabled": true
}

List unified access token configurations

Gets a list of all unified access token (UAT) configurations.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, December 2025, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_uat_configs:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token

Responses

Response samples

Content type
application/json
{
  • "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  • "tenantId": "f97df110-f4de-492e-8849-4a6af68026b0",
  • "configId": "46ff6d11-d8b2-40d8-9197-dfa33c61cd6c",
  • "name": "string",
  • "issuer": "string",
  • "publicKeyActive": "string",
  • "publicKey": "string",
  • "jwksUri": "string",
  • "usernameClaim": "string",
  • "resourceIds": [
    ],
  • "scopes": [
    ],
  • "enabled": true
}

Delete unified access token configuration

Deletes the specified unified access token (UAT) configuration.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, December 2025, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_uat_configs:delete. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
configId
required
string <uuid>
Example: lafb0f7e-2962-40d5-bfc9-e95141bcb68f

The unique identifier of the unified access token (UAT) configuration. You can get the configId by calling the List unified access token configurations method.

Responses

Response samples

Content type
application/json
{ }

Get unified access token configuration

Gets the specified unified access token (UAT) configuration.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, December 2025, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_uat_configs:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
configId
required
string <uuid>
Example: lafb0f7e-2962-40d5-bfc9-e95141bcb68f

The unique identifier of the unified access token (UAT) configuration. You can get the configId by calling the List unified access token configurations method.

Responses

Response samples

Content type
application/json
{
  • "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  • "tenantId": "f97df110-f4de-492e-8849-4a6af68026b0",
  • "configId": "46ff6d11-d8b2-40d8-9197-dfa33c61cd6c",
  • "name": "string",
  • "issuer": "string",
  • "publicKeyActive": "string",
  • "publicKey": "string",
  • "jwksUri": "string",
  • "usernameClaim": "string",
  • "resourceIds": [
    ],
  • "scopes": [
    ],
  • "enabled": true
}

Update unified access token configuration

Updates the specified unified access token (UAT) configuration.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, December 2025, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_uat_configs:update. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
configId
required
string <uuid>
Example: lafb0f7e-2962-40d5-bfc9-e95141bcb68f

The unique identifier of the unified access token (UAT) configuration. You can get the configId by calling the List unified access token configurations method.

Request Body schema: application/json
required
name
required
string

The name of the unified access token (UAT) configuration. UAT configuration name must be unique.

issuer
required
string

The issuer of the JSON Web Token (JWT).

publicKey
string

The public key used to verify the JSON Web Token (JWT). Use this value or jwksUri, but not both.

jwksUri
string

The URI of the JWKS endpoint. Use this value or publicKey, but not both.

usernameClaim
string

The username claim that maps to the Tableau username. Default value is email.

resourceIds
required
Array of strings <uuid> unique [ items <uuid > ]

The tenant ID, the tenant ID and site IDs associated with the tenant, or site IDs associated with the same tenant. You can get the resourceId by calling the Get Tenant or List Tenant Sites method.

scopes
Array of strings <scope> unique [ items <scope > ]

The access scopes defined in the JSON Web Token (JWT) associated with the unified access token (UAT) configuration. Scopes in the UAT are optional and allow you to further restrict the operations available to the JWT.

enabled
boolean

If true, the unified access token (UAT) configuration is enabled. Default value is true.

Responses

Request samples

Content type
application/json
{
  • "name": "JWT - Employees",
  • "issuer": "https://myidp.okta.com/app1",
  • "publicKey": "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...",
  • "jwksUri": "https://myidp.okta.com/oauth2/default/v1/keys",
  • "usernameClaim": "string",
  • "resourceIds": [
    ],
  • "scopes": [
    ],
  • "enabled": true
}

Response samples

Content type
application/json
{
  • "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  • "tenantId": "f97df110-f4de-492e-8849-4a6af68026b0",
  • "configId": "46ff6d11-d8b2-40d8-9197-dfa33c61cd6c",
  • "name": "string",
  • "issuer": "string",
  • "publicKeyActive": "string",
  • "publicKey": "string",
  • "jwksUri": "string",
  • "usernameClaim": "string",
  • "resourceIds": [
    ],
  • "scopes": [
    ],
  • "enabled": true
}

Sign in with unified access token JWT

Signs in to Tableau Cloud Manager (TCM) REST API using a JSON Web Token (JWT).

You must have a unified access token (UAT) configuration associated with the JWT to successfully sign in to the TCM REST API using this method. To generate a UAT, you can call the Create unified access token configuration method.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, December 2025, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: Not available. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
Request Body schema: application/json
required
token
required
string

The JSON Web Token (JWT) associated with a unified access token (UAT) configuration. Ensure you have first configured and generated a UAT by calling the Create unified access token configuration method.

Responses

Request samples

Content type
application/json
{
  • "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}

Response samples

Content type
application/json
{
  • "sessionToken": "bSG+6ttrRgqMLzonp5j89w==:SUOF-rjwMZZKXg-T3GcpDVFrIKAO6VIbTyZyq39bWR0",
  • "userId": "123e4567-e89b-12d3-a456-426614174000",
  • "tenantId": "123e4567-e89b-12d3-a456-426614174000",
  • "sessionExpiration": "2019-08-24T14:15:22Z"
}

Sign out

Signs out of Tableau Cloud Manager (TCM) REST API.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager V2, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: Not required. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token

Responses

Response samples

Content type
application/json
{
  • "message": "string",
  • "reason": "string",
  • "errorCode": "string"
}

Revoke unified access token JWT

Revokes the JSON Web token (JWT) associated with a unified access token (UAT) configuration by generating a revocation record.

The revoked JWT can't be used to sign in to Tableau Cloud Manager (TCM) REST API or Tableau REST API.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, December 2025, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_uat_revocations:create. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
Request Body schema: application/json
required
Array
jti
required
string

The JWT ID of the JSON Web Token (JWT) associated with the unified access token (UAT) configuration.

exp
required
integer <int64>

The expiration timestamp of the JSON Web Token (JWT) in seconds from Epoch (Unix epoch time).

Responses

Request samples

Content type
application/json
[]

Response samples

Content type
application/json
[]

Delete revoked unified access token JWT

Deletes the record of a revoked unified access token (UAT) JSON Web Token (JWT).

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, December 2025, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_uat_revocations:delete. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
query Parameters
jti
string

The JWT ID of the JSON Web Token (JWT) associated with the unified access token (UAT) configuration. You can get the jti from the revoked unified access token (UAT) JSON Web Token (JWT) record by calling the List revoked unified access token JWTs method.

Responses

Response samples

Content type
application/json
{ }

List revoked unified access token JWTs

Gets a list of records for all revoked unified access token (UAT) JSON Web Tokens (JWTs).

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, December 2025, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_uat_revocations:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
query Parameters
jti
string

The JWT ID of the JSON Web Token (JWT) associated with the unified access token (UAT) configuration. You can get the jti from the revoked unified access token (UAT) JSON Web Token (JWT) record by calling the List revoked unified access token JWTs method.

pageToken
string
Example: pageToken=fDIwMjQtMDktMDlUMDU6MDA=

The token to provide to request the next page of records.

pageSize
integer <int32>
Default: 100

The maximum number of records on a page. Default is 100.

Responses

Response samples

Content type
application/json
{
  • "records": "97df110-f4de-492e-8849-4a6af68026b0:https://myidp.okta.com:17568488555555",
  • "pageToken": "fDIwMjQtMDktMDlUMDU6MDA="
}

Single Sign-on Methods

Tableau Cloud Manager REST API Single Sign-on methods allow cloud administrators to:

  • Get a list of authentication configurations for the specified tenants, sites, or users.
  • Create or update a Google, OpenID Connect (OIDC), Salesforce, or Security Assertion Markup Language (SAML) authentication configuration for the specified resource ID.
  • Delete a Google, OIDC, Salesforce, or SAML authentication configuration for the specified resource ID.
  • Get the Google, OIDC, Salesforce, or SAML configuration for the specified resource ID.
  • Get the SAML logs for the specified resource ID.

For more information, see TCM REST API Authentication.

Create SAML configuration

Creates a new SAML configuration for Tableau Cloud Manager (TCM) authentication or Tableau Cloud site authentication using the specified resource ID.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, December 2025, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_saml_configs:create. Added in December 2025. For more information, see Access scopes for UATs.

About configuring SAML authentication for TCM

To configure SAML authentication for TCM, make sure to include the attributes and assertions in your request to correctly map user account attributes from the IdP to TCM.

The following attributes are required when configuring SAML authentication for TCM:

  • entityDescriptor or idpMetadataUrl is specified
    Note: If both attributes are passed, the entityDescriptor attribute will take precedence.
  • emailMapping is specified

Example

curl -X POST "http://mytenant.cloudmanager.tableau.com/api/v1/resources/{resourceId}/samlconfiguration" -H "accept: application/json" -D '{ "enabled": true, "idpMetadataUrl": "https://myidp.okta.com/app/123456789/sso/saml/metadata", "attributeMapping": { "emailMapping": "NameID", "firstNameMapping": "FirstName", "lastNameMapping": "LastName", "emailAddressMapping": "Email" } }'

About configuring SAML authentication for Tableau Cloud sites

To configure SAML authentication for a site, make sure to include the attributes and assertions in your request to correctly map user account attributes from the IdP to the site.

The following attributes are required when configuring SAML authentication for Tableau Cloud sites:

  • enabled is true
  • entityDescriptor or idpMetadataUrl is specified
    Note: If both attributes are passed, the entityDescriptor attribute will take precedence.
  • idpConfigurationName is specified
  • emailMapping is specified

Example

curl -X POST "http://mytenant.cloudmanager.tableau.com/api/v1/resources/{resourceId}/samlconfiguration" -H "accept: application/json" -D '{ "enabled": true, "entityDescriptor": "https://myidp.okta.com/app/123456789/sso/saml/metadata", idpConfigurationName: "SAML - Contractors", allowEmbeddedAuthentication: false, "attributeMapping": { "emailMapping": "NameID", "firstNameMapping": "FirstName", "lastNameMapping": "LastName", "emailAddressMapping": "Email" } }'
Authorizations:
x-tableau-session-token
path Parameters
resourceId
required
string <uuid>
Example: 123e4567-e89b-12d3-a456-426614174000

ID of the tenant or site whose SAML configuration is being created. You can get the resourceId by calling the Get Tenant or List Tenant Sites method.

Request Body schema: application/json
required
enabled
boolean

If true, the authentication configuration is enabled. Default value is true.

entityDescriptor
string

IdP's metadata (.xml) file. Specify this value or idpMetadataUrl, but not both.

allowEmbeddedAuthentication
boolean

(Site-specific) How users authenticate to the Tableau Cloud site when accessing embedded views. If false, users authenticate in a separate pop-up window. If true, users authenticate using an inline frame (IFrame), which is less secure. Default value is false.

idpConfigurationName
string

(Site-specific) Name of the authentication configuration.

idpConfigurationId
string

(Site-specific) ID of the authentication configuration. Do not pass this attribute if you are creating a new authentication configuration.

idpMetadataUrl
string

URL endpoint of the IdP's metadata. Specify this value or entityDescriptor, but not both.

object (SiteAttributeMapping)

Responses

Request samples

Content type
application/json
{
  • "enabled": true,
  • "entityDescriptor": "string",
  • "allowEmbeddedAuthentication": false,
  • "idpConfigurationName": "SAML - Contractors",
  • "idpConfigurationId": "b2207590-024c-4a6e-ac4a-eca6eefabb2e",
  • "idpMetadataUrl": "https://myidp.okta.com/app/123456789/sso/saml/metadata",
  • "attributeMapping": {
    }
}

Response samples

Content type
application/json
{
  • "enabled": true,
  • "serviceProviderEntityId": "string",
  • "authenticationTypeForEmbedded": "DEFAULT",
  • "idpCertificates": [
    ],
  • "certificateUrl": "string",
  • "testLoginUrl": "string",
  • "ssoServiceURL": "string",
  • "acsUrl": "string",
  • "entityDescriptorValidationResult": {
    }
}

Delete SAML configuration

Deletes the SAML configuration for the specified resource ID.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, December 2025, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_saml_configs:delete. Added in December 2025. For more information, see Access scopes for UATs.

To delete a SAML configuration on a site, specify the idpConfigurationName or idpConfigurationId query parameter.

Examples

curl -X DELETE "http://mytenant.cloudmanager.tableau.com/api/v1/resources/{resourceId}/samlconfiguration?idpConfigurationName={idpConfigurationName}"

curl -X DELETE "http://mytenant.cloudmanager.tableau.com/api/v1/resources/{resourceId}/samlconfiguration?idpConfigurationId={idpConfigurationId}"
Authorizations:
x-tableau-session-token
path Parameters
resourceId
required
string <uuid>
Example: 123e4567-e89b-12d3-a456-4266141740000

The ID of the tenant or site whose SAML configuration is being deleted. You can get the resourceId by calling the Get Tenant or List Tenant Sites method.

query Parameters
idpConfigurationName
string

(Site-specific) Name of the site-level authentication configuration. You can get the idpConfigurationName by calling the List authentication configurations method.

idpConfigurationId
string

(Site-specific) ID of the site-level authentication configuration. You can get the idpConfigurationId by calling the List authentication configurations method.

Responses

Response samples

Content type
application/json
"string"

Get SAML configuration

Gets the SAML configuration for the specified resource ID.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, December 2025, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_saml_configs:read. Added in December 2025. For more information, see Access scopes for UATs.

To get a specific SAML authentication configuration on a site, specify the idpConfigurationName or idpConfigurationId query parameter.

Examples

curl -X GET "http://mytenant.cloudmanager.tableau.com/api/v1/resources/{resourceId}/samlconfiguration?idpConfigurationName={idpConfigurationName}.

curl -X GET "http://mytenant.cloudmanager.tableau.com/api/v1/resources/{resourceId}/samlconfiguration?idpConfigurationId={idpConfigurationId}.
Authorizations:
x-tableau-session-token
path Parameters
resourceId
required
string <uuid>
Example: 123e4567-e89b-12d3-a456-426614174000

The ID of the tenant or site whose SAML configuration is being retrieved. You can get the resourceId by calling the Get Tenant or List Tenant Sites method.

query Parameters
idpConfigurationName
string

(Site-specific) Name of the site-level authentication configuration. You can get the idpConfigurationName by calling the List authentication configurations method.

idpConfigurationId
string

(Site-specific) ID of the site-level authentication configuration. You can get the idpConfigurationId by calling the List authentication configurations method.

Responses

Response samples

Content type
application/json
{
  • "enabled": true,
  • "serviceProviderEntityId": "string",
  • "authenticationTypeForEmbedded": "DEFAULT",
  • "idpCertificates": [
    ],
  • "certificateUrl": "string",
  • "testLoginUrl": "string",
  • "ssoServiceURL": "string",
  • "acsUrl": "string",
  • "entityDescriptorValidationResult": {
    }
}

Update SAML configuration

Updates a SAML configuration for the specified resource ID.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, December 2025, and later.

License: Tableau Cloud Manager license required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_saml_configs:update. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
resourceId
required
string <uuid>
Example: 123e4567-e89b-12d3-a456-426614174000

The ID of the tenant or site whose SAML configuration is being updated. You can get the resourceId by calling the Get Tenant or List Tenant Sites method.

Request Body schema: application/json
required
enabled
boolean

If true, the authentication configuration is enabled. Default value is true.

entityDescriptor
string

IdP's metadata (.xml) file. Specify this value or idpMetadataUrl, but not both.

allowEmbeddedAuthentication
boolean

(Site-specific) How users authenticate to the Tableau Cloud site when accessing embedded views. If false, users authenticate in a separate pop-up window. If true, users authenticate using an inline frame (IFrame), which is less secure. Default value is false.

idpConfigurationName
string

(Site-specific) Name of the authentication configuration.

idpConfigurationId
string

(Site-specific) ID of the authentication configuration. Do not pass this attribute if you are creating a new authentication configuration.

idpMetadataUrl
string

URL endpoint of the IdP's metadata. Specify this value or entityDescriptor, but not both.

object (SiteAttributeMapping)

Responses

Request samples

Content type
application/json
{
  • "enabled": true,
  • "entityDescriptor": "string",
  • "allowEmbeddedAuthentication": false,
  • "idpConfigurationName": "SAML - Contractors",
  • "idpConfigurationId": "b2207590-024c-4a6e-ac4a-eca6eefabb2e",
  • "idpMetadataUrl": "https://myidp.okta.com/app/123456789/sso/saml/metadata",
  • "attributeMapping": {
    }
}

Response samples

Content type
application/json
{
  • "enabled": true,
  • "serviceProviderEntityId": "string",
  • "authenticationTypeForEmbedded": "DEFAULT",
  • "idpCertificates": [
    ],
  • "certificateUrl": "string",
  • "testLoginUrl": "string",
  • "ssoServiceURL": "string",
  • "acsUrl": "string",
  • "entityDescriptorValidationResult": {
    }
}

List authentication configurations

Gets list of authentication configurations for the specified resource IDs.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_auth_configs:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
Request Body schema: application/json
required
resourceIds
required
Array of strings

A comma separated list of IDs of a single tenant, multiple site IDs within a tenant and that tenant ID, or multiple sites within the same tenant with no tenant ID. You can get a tenant ID or site ID by calling the Get tenant or List tenant sites method.

Important: Providing multiple tenant IDs or site IDs that belong to different tenants can produce unexpected results.

requireMultipleIDPs
boolean

(Site-specific) If true, returns the authentication configurations when the capability for multiple authentication methods is enabled.

Responses

Request samples

Content type
application/json
{
  • "resourceIds": [
    ],
  • "requireMultipleIDPs": true
}

Response samples

Content type
application/json
[
  • {
    }
]

Create or update OIDC configuration

Creates a new Google, OpenID Connect (OIDC), or Salesforce configuration for Tableau Cloud Manager (TCM) authentication using the specified resource ID.

If a configuration already exists, this method updates the configuration for the specified resource ID.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_oidc_configs:update. Added in December 2025. For more information, see Access scopes for UATs.

About configuring Google or Salesforce authentication

To configure Google authentication, make sure to include the required enabled and knownProviderAlias attributes in your request. 

curl -X POST "http://mytenant.cloudmanager.tableau.com/api/v1/resources/{resourceId}/oidcconfiguration" -H "accept: application/json" -D '{ "enabled": true, "knownProviderAlias: "Google" }'

To configure Salesforce authentication, make sure to include the required enabled and knownProviderAlias, and optionally the salesforceDomain attributes in your request.

curl -X POST "http://mytenant.cloudmanager.tableau.com/api/v1/resources/{resourceId}/oidcconfiguration" -H "accept: application/json" -D '{ "enabled": true, "knownProviderAlias: "Salesforce" }'

About configuring OIDC authentication

To configure OpenID Connect (OIDC) authentication, be sure to include the attributes and claims in your request to correctly map user account attributes from the IdP to TCM.

curl -X POST "http://mytenant.cloudmanager.tableau.com/api/v1/resources/{resourceId}/oidcconfiguration" -H "accept: application/json" -D '{ "enabled": true, "testLoginUri": "string", "clientId": "string", "clientSecret": "string", "discoveryEndpoint": "string", "authorizationEndpoint": "string", "tokenEndpoint": "string", "userinfoEndpoint": "string", "jwksUri": "string", "endSessionEndpoint": "string", "customScope": "string", "prompt": "string", "clientAuthentication": "string", "essentialAcrValues": "string", "voluntaryAcrValues": "string", "attributeMapping": { "emailMapping": "string", "firstNameMapping": "string", "lastNameMapping": "string", "fullNameMapping": "string", "useFullName": true, "emailAddressMapping": "string" }, }'

The following attribute and claims are required when configuring OIDC authentication:

  • enabled is true
  • clientId is the client ID from the IdP (for example, 0oa111usf1gpUkVUt0h1)
  • clientSecret is the client secret from the IdP
  • authorizationEndpoint is the authorization endpoint (authorization_endpoint) from the IdP (for example, https://myidp.com/oauth2/v1/authorize)
  • tokenEndpoint is the token endpoint (token_endpoint) from the IdP (for example, https://myidp.com/oauth2/v1/token)
  • userinfoEndpoint is the user information endpoint (userinfo_endpoint) from the IdP (for example, https://myidp.com/oauth2/v1/userinfo)
  • jwksUri is the JWK set URI endpoint (jwks_uri) from the IdP (for example, https://myidp.com/oauth2/v1/keys)
Authorizations:
x-tableau-session-token
path Parameters
resourceId
required
string
Example: 123e4567-e89b-12d3-a456-426614174000

The ID of the tenant whose configuration is being created or updated. You can get a tenant ID by calling the Get Tenant method.

Request Body schema: application/json
required
enabled
required
boolean

If true, the authentication configuration is enabled. Default is true.

testLoginUri
string

URL to validate the OIDC authentication configuration.

knownProviderAlias
required
string

Authentication type. For example, Google or Salesforce. For OpenID Connect (OIDC), do not use or is null.

salesforceDomain
string

Salesforce authentication only. URL of the Salesforce domain.

allowEmbeddedAuthentication
boolean

(Site-specific) How users authenticate to the Tableau Cloud site when accessing embedded views. If false, users authenticate in a separate pop-up window. If true, users authenticate using an inline frame (IFrame), which is less secure. Default value is false.

clientId
required
string

OpenID Connect (OIDC) authentication only. Client ID from the identity provider (IdP).

clientSecret
required
string

OpenID Connect (OIDC) authentication only. Client secret from the identity provider (IdP).

discoveryEndpoint
string

OpenID Connect (OIDC) authentication only. Location of the configuration discovery document for the identity provider (IdP) metadata.

authorizationEndpoint
required
string

OpenID Connect (OIDC) authentication only. Authorization endpoint from the identity provider (IdP).

tokenEndpoint
required
string

OpenID Connect (OIDC) authentication only. Token endpoint from the identity provider (IdP).

userinfoEndpoint
required
string

OpenID Connect (OIDC) authentication only. User information endpoint from the identity provider (IdP).

jwksUri
required
string

OpenID Connect (OIDC) authentication only. JWK set URI from the identity provider (IdP).

endSessionEndpoint
string

(Site-specific) OpenID Connect (OIDC) authentication only. If single logout (SLO) is enabled for the site, which is done through Tableau Cloud site UI, the configuration URL or the end session endpoint from the identity provider (IdP).

customScope
string

OpenID Connect (OIDC) authentication only. Specifies a custom scope user-related value to query the identity provider (IdP).

prompt
string

OpenID Connect (OIDC) authentication only. If users are prompted for re-authentication and consent.

clientAuthentication
string

OpenID Connect (OIDC) authentication only. Token endpoint authentication method. Default value is client_secret_basic.

essentialAcrValues
string

OpenID Connect (OIDC) authentication only. List of essential Authentication Context Reference Class values used for authentication.

voluntaryAcrValues
string

OpenID Connect (OIDC) authentication only. List of voluntary Authentication Context Reference Class values used for authentication.

object (SiteAttributeMapping)
idpConfigurationName
string

(Site-specific) Name of the authentication configuration.

idpConfigurationId
string

(Site-specific) ID of the authentication configuration.

Responses

Request samples

Content type
application/json
{}

Response samples

Content type
application/json
{}

Delete OIDC configuration

Deletes the Google, OpenID Connect (OIDC), or Salesforce configuration for the provided resource ID. If the configuration doesn't exist, it fails silently.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_oidc_configs:delete. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
resourceId
required
string
Example: 123e4567-e89b-12d3-a456-426614174000

The ID of the tenant whose configuration is being deleted. You can get a tenant ID by calling the Get Tenant method.

Responses

Response samples

Content type
application/json
{}

Get OIDC configuration

Gets the Google, OpenID Connect (OIDC), or Salesforce configuration for the specified resource ID.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_oidc_configs:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
resourceId
required
string
Example: 123e4567-e89b-12d3-a456-426614174000

The ID of the tenant whose configuration is being retrieved. You can get a tenant ID by calling the Get Tenant method.

Responses

Response samples

Content type
application/json
{}

List SAML logs

Gets a list of SAML log entries for the specified resource ID.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, December 2025, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_saml_configs:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
resourceId
required
string <uuid>

The ID of the tenant or site whose SAML logs are being retrieved. You can get the resourceId by calling the Get Tenant or List Tenant Sites method.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Site Methods

Tableau Cloud Manager REST API Site methods allow cloud administrators to manage sites in the following ways:

  • Create a site in a tenant.
  • List sites in a tenant.
  • Get site details.
  • Suspend a site in a tenant.
  • Update license limit for a site in a tenant.
  • Create a project in a tenant.
  • Reactivate a suspended site in a tenant.

Create site

Creates a new site under the given tenant. The site name must be unique within the tenant.

Note: To describe the site location, specify one of either a regionUUID or a podUUID.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_sites:create. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string

The unique identifier of the tenant where the site is created.

Request Body schema: application/json
required
name
required
string

The name of the site.

The site name must be between 1 and 80 characters long. The site name only contain Unicode letters and numbers, white spaces, and the characters !, @, $, %, *, ., ?, -, _, ,, , (, ), &, /, :, #. The site name must not start or end with a space. The site name must not contain the following reserved words: 'default', 'system', 'admin', 'administrator', 'all', 'guest', 'public', 'internal', private', 'protected', 'root', 'service', 'services', 'tableau', 'user', 'users', 'web', 'www'.

contentUrl
required
string

The subdomain name of the site's URL.

This value is globally unique and can contain only characters that are upper or lower case alphabetic characters, numbers, hyphens (-), or underscores (_). If you provide unsupported special characters, Tableau creates the site content URL by omitting those characters from the string. For example, if you provide the site URL as "test.site", Tableau converts it to "testsite" and returns this new URL in the response.

regionUUID
string <uuid>

(Required if no podUUID is specified.)

The Unique ID of Tableau region where the site should be created.

Provide this or the podUUID. Use the List Locations or List regions method to get the region IDs.

podUUID
string <uuid>

(Required if no regionUUID is specified.)

The Unique ID of Tableau pod where the site should be created.

Provide this or the regionUUID. Use the List Locations method to get the pod IDs.

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "contentUrl": "string",
  • "regionUUID": "8cc23c52-0d6e-468d-9156-952d9b566d86",
  • "podUUID": "e2e568b4-35a7-4aa5-8686-107bbf9f050c"
}

Response samples

Content type
application/json
{
  • "tenantId": "f97df110-f4de-492e-8849-4a6af68026b0",
  • "siteUUID": "c9e56a0f-ad64-4cef-a0e8-cd7f1d44ab67",
  • "name": "string",
  • "contentUrl": "string",
  • "instance": {
    },
  • "creatorCapacity": 0,
  • "explorerCapacity": 0,
  • "viewerCapacity": 0,
  • "creatorCapacityIsDefaultCloudLimit": true,
  • "explorerCapacityIsDefaultCloudLimit": true,
  • "viewerCapacityIsDefaultCloudLimit": true,
  • "location": "string",
  • "migrationStatus": "NotStarted",
  • "storageQuota": 100000000,
  • "storageUsed": 100000000,
  • "status": "Unknown",
  • "createDateTime": "2019-08-24T14:15:22Z",
  • "lastUpdateDateTime": "2019-08-24T14:15:22Z",
  • "suspendedDateTime": "2019-08-24T14:15:22Z",
  • "fromPodSiteAttributes": {
    }
}

List tenant sites

Gets details for all sites under a tenant.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_sites:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string

The unique identifier for the tenant.

query Parameters
location
string

The unique identifier for the Tableau region of the site.

maxResults
integer <int32>

The maximum number of sites to include in the response. Default is no maximum.

pageToken
string

The next page of results to return, typically the pageToken field of the response body from your previous call to the List sites method.

Responses

Response samples

Content type
application/json
{
  • "sites": [
    ],
  • "pageToken": "string"
}

Get site

Returns site details for the specified site.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_sites:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string

The unique identifier for the tenant.

siteId
required
string

The LUID for the site.

Responses

Response samples

Content type
application/json
{
  • "tenantId": "f97df110-f4de-492e-8849-4a6af68026b0",
  • "siteUUID": "c9e56a0f-ad64-4cef-a0e8-cd7f1d44ab67",
  • "name": "string",
  • "contentUrl": "string",
  • "instance": {
    },
  • "creatorCapacity": 0,
  • "explorerCapacity": 0,
  • "viewerCapacity": 0,
  • "creatorCapacityIsDefaultCloudLimit": true,
  • "explorerCapacityIsDefaultCloudLimit": true,
  • "viewerCapacityIsDefaultCloudLimit": true,
  • "location": "string",
  • "migrationStatus": "NotStarted",
  • "storageQuota": 100000000,
  • "storageUsed": 100000000,
  • "status": "Unknown",
  • "createDateTime": "2019-08-24T14:15:22Z",
  • "lastUpdateDateTime": "2019-08-24T14:15:22Z",
  • "suspendedDateTime": "2019-08-24T14:15:22Z"
}

Suspend site

Suspends a site. Suspended sites are not accessible to users. Suspended sites can be reactivated.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_sites:delete. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string

The unique identifier for the tenant.

siteId
required
string

The LUID for the site.

Responses

Response samples

Content type
application/json
"string"

Update license limit for site

Updates license/role limit for a site.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_sites:update. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string

The unique identifier for the tenant.

siteId
required
string

The LUID for the site.

Request Body schema: application/json
required
object (UserQuota)

The limit of number of users with licenses for the viewer role for the site.

object (UserQuota)

The limit of number of users with licenses for the viewer role for the site.

object (UserQuota)

The limit of number of users with licenses for the viewer role for the site.

Responses

Request samples

Content type
application/json
{
  • "creatorCapacity": {
    },
  • "explorerCapacity": {
    },
  • "viewerCapacity": {
    }
}

Response samples

Content type
application/json
{
  • "tenantId": "f97df110-f4de-492e-8849-4a6af68026b0",
  • "siteUUID": "c9e56a0f-ad64-4cef-a0e8-cd7f1d44ab67",
  • "name": "string",
  • "contentUrl": "string",
  • "instance": {
    },
  • "creatorCapacity": 0,
  • "explorerCapacity": 0,
  • "viewerCapacity": 0,
  • "creatorCapacityIsDefaultCloudLimit": true,
  • "explorerCapacityIsDefaultCloudLimit": true,
  • "viewerCapacityIsDefaultCloudLimit": true,
  • "location": "string",
  • "migrationStatus": "NotStarted",
  • "storageQuota": 100000000,
  • "storageUsed": 100000000,
  • "status": "Unknown",
  • "createDateTime": "2019-08-24T14:15:22Z",
  • "lastUpdateDateTime": "2019-08-24T14:15:22Z",
  • "suspendedDateTime": "2019-08-24T14:15:22Z"
}

Create project

Creates a new project on a site in a tenant. A project is a container for workbooks, data sources, and other Tableau content that all inherit the permissions set for the Project.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_sites:create. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string

The unique identifier for the tenant.

siteId
required
string

The LUID for the site.

Request Body schema: application/json
required
ownerId
required
string

The LUID of the user that owns the project.

Responses

Request samples

Content type
application/json
{
  • "ownerId": "string"
}

Response samples

Content type
application/json
{
  • "project": {
    }
}

Reactivate suspended site

Reactivates a suspended site. Reactivated sites are accessible to users

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_sites:update. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string

The unique identifier for the tenant.

siteId
required
string

The LUID for the site.

Responses

Response samples

Content type
application/json
{
  • "tenantId": "f97df110-f4de-492e-8849-4a6af68026b0",
  • "siteUUID": "c9e56a0f-ad64-4cef-a0e8-cd7f1d44ab67",
  • "name": "string",
  • "contentUrl": "string",
  • "instance": {
    },
  • "creatorCapacity": 0,
  • "explorerCapacity": 0,
  • "viewerCapacity": 0,
  • "creatorCapacityIsDefaultCloudLimit": true,
  • "explorerCapacityIsDefaultCloudLimit": true,
  • "viewerCapacityIsDefaultCloudLimit": true,
  • "location": "string",
  • "migrationStatus": "NotStarted",
  • "storageQuota": 100000000,
  • "storageUsed": 100000000,
  • "status": "Unknown",
  • "createDateTime": "2019-08-24T14:15:22Z",
  • "lastUpdateDateTime": "2019-08-24T14:15:22Z",
  • "suspendedDateTime": "2019-08-24T14:15:22Z"
}

Update site name and content url

Updates site name and/or content url for a given site in a tenant.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_sites:update. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string <uuid>

The unique identifier for the tenant.

siteId
required
string <uuid>

The LUID for the site.

Request Body schema: application/json
required
name
string

The name of the site.

The site name must be between 1 and 80 characters long. The site name only contain Unicode letters and numbers, white spaces, and the characters !, @, $, %, *, ., ?, -, _, ,, , (, ), &, /, :, #. The site name must not start or end with a space. The site name must not contain the following reserved words: 'default', 'system', 'admin', 'administrator', 'all', 'guest', 'public', 'internal', private', 'protected', 'root', 'service', 'services', 'tableau', 'user', 'users', 'web', 'www'.

contentUrl
string

The subdomain name of the site's URL. This value can contain only characters that are upper or lower case alphabetic characters, numbers, hyphens (-), or underscores (_).

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "contentUrl": "string"
}

Response samples

Content type
application/json
{
  • "tenantId": "f97df110-f4de-492e-8849-4a6af68026b0",
  • "siteUUID": "c9e56a0f-ad64-4cef-a0e8-cd7f1d44ab67",
  • "name": "string",
  • "contentUrl": "string",
  • "instance": {
    },
  • "creatorCapacity": 0,
  • "explorerCapacity": 0,
  • "viewerCapacity": 0,
  • "creatorCapacityIsDefaultCloudLimit": true,
  • "explorerCapacityIsDefaultCloudLimit": true,
  • "viewerCapacityIsDefaultCloudLimit": true,
  • "location": "string",
  • "migrationStatus": "NotStarted",
  • "storageQuota": 100000000,
  • "storageUsed": 100000000,
  • "status": "Unknown",
  • "createDateTime": "2019-08-24T14:15:22Z",
  • "lastUpdateDateTime": "2019-08-24T14:15:22Z",
  • "suspendedDateTime": "2019-08-24T14:15:22Z"
}

Tenant Methods

Tableau Cloud Manager REST API Tenant methods allow cloud administrators to manage tenants in the following ways:

  • Get the details of a specified tenant.

Get tenant

Returns the tenant record for the specified tenant ID.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_tenants:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string
Example: 123e4567-e89b-12d3-a456-426614174000

The unique identifier of the tenant.

Responses

Response samples

Content type
application/json
{
  • "tenantId": "123e4567-e89b-12d3-a456-426614174000",
  • "tenantName": "Abc",
  • "encodeUri": "string",
  • "status": "Unknown",
  • "createDateTime": "2019-08-24T14:15:22Z",
  • "lastUpdateDateTime": "2019-08-24T14:15:22Z",
  • "lastDestinationMergedDateTime": "2019-08-24T14:15:22Z",
  • "termsAndConditions": {
    }
}

User Methods

Tableau Cloud Manager REST API User methods allow cloud administrators to manage users in the following ways:

  • Get the details of a specified user.
  • Add a user to a tenant.
  • List all users in a tenant, or get the details of a specified batch.
  • Import a batch of users specified in a .gzip file.
  • Delete a user or a specified batch of users from a tenant.
  • Update the role and language preference for a user in a tenant.
  • Get the sites and tenants that a user is a member of.

Add tenant user

Creates a new user in the tenant.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_users:create. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string <uuid>

The unique identifier of the tenant.

Request Body schema: application/json
required
userName
required
string

The unique username of the user.

email
string

The email address of the user.

language
string
Enum: "DE_DE" "EN_GB" "EN_US" "ES_ES" "FR_CA" "FR_FR" "IT_IT" "JA_JP" "KO_KR" "PT_BR" "SV_SE" "TH_TH" "ZH_CN" "ZH_TW"

The language of the user.

locale
string
Enum: "ar_AE" "ar_BH" "ar_DZ" "ar_EG" "ar_IQ" "ar_JO" "ar_KW" "ar_LB" "ar_LY" "ar_MA" "ar_OM" "ar_QA" "ar_SA" "ar_SD" "ar_SY" "ar_TN" "ar_YE" "be_BY" "bg_BG" "ca_ES" "cs_CZ" "da_DK" "de_AT" "de_CH" "de_DE" "de_LU" "el_CY" "el_GR" "en_AU" "en_CA" "en_GB" "en_IE" "en_IN" "en_MT" "en_NZ" "en_PH" "en_SG" "en_US" "en_ZA" "es_AR" "es_BO" "es_CL" "es_CO" "es_CR" "es_DO" "es_EC" "es_ES" "es_GT" "es_HN" "es_MX" "es_NI" "es_PA" "es_PE" "es_PR" "es_PY" "es_SV" "es_US" "es_UY" "es_VE" "et_EE" "fi_FI" "fr_BE" "fr_CA" "fr_CH" "fr_FR" "fr_LU" "hi_IN" "hr_HR" "hu_HU" "in_ID" "is_IS" "it_CH" "it_IT" "iw_IL" "ja_JP" "ko_KR" "lt_LT" "lv_LV" "mk_MK" "ms_MY" "mt_MT" "nl_BE" "nl_NL" "no_NO" "pl_PL" "pt_BR" "pt_PT" "ro_RO" "ru_RU" "sk_SK" "sl_SI" "sq_AL" "sr_BA" "sr_ME" "sr_RS" "sv_SE" "th_TH" "tr_TR" "uk_UA" "vi_VN" "zh_CN" "zh_HK" "zh_SG" "zh_TW"

The locale of the user.

Array of objects (UserLinkRoleDTO)

The tenant roles for the user.

Array of objects (UserSiteRoleDTO)

The site roles of the user.

Responses

Request samples

Content type
application/json
{
  • "userName": "string",
  • "email": "string",
  • "language": "DE_DE",
  • "locale": "ar_AE",
  • "linkRoles": [
    ],
  • "siteRoles": [
    ]
}

Response samples

Content type
application/json
{
  • "jobId": "9d222c6d-893e-4e79-8201-3c9ca16a0f39",
  • "userId": "2c4a230c-5085-4924-a3e1-25fb4fc5965b",
  • "transactionId": "string",
  • "tenantId": "f97df110-f4de-492e-8849-4a6af68026b0"
}

List tenant users

Gets a list of tenant users and their details.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_users:read. Added in December 2025. For more information, see Access scopes for UATs.

Responses can be filtered by email, userId, tcmRoleName, maxSiteRole, userName and paginated using pageToken, and maxResults. Multiple filters can be applied with ampersand-separated expressions, for example:

 {{tcmBaseUrl}}/api/v1/tenants/:tenantId/users?maxSiteRole=SiteAdministratorCreator&excludeRoles=true

If excludeRoles=true is set, the curtailed responses will be faster.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string <uuid>

The unique identifier of the tenant used to filter the response.

query Parameters
email
string
Example: email=xyz@tableau.com

The email address of a user used to filter the response.

userId
string <uuid>
Example: userId=83e34e72-5c71-4858-93b5-945a144e6e70

The unique identifier of a user used to filter responses.

tcmRoleName
string
Enum: "TCM_ADMIN" "NULL"

The tenant role used to filter the response.

maxSiteRole
string
Enum: "SiteAdministratorExplorer" "SupportUser" "ExplorerCanPublish" "Explorer" "Unlicensed" "Viewer" "Creator" "SiteAdministratorCreator"

The site role with the highest permissions used to filter the response.

userName
string

The name of a user used to filter the response.

pageToken
string [ 0 .. 1000 ] characters

The token used to get the next page of results.

maxResults
integer <int32>
Example: maxResults=100

The maximum number of results per page. Default maximum is 100.

excludeRoles
boolean

If true, site and tenant role information is not returned, only return user details. Default is false.

Responses

Response samples

Content type
application/json
{
  • "jobId": "9d222c6d-893e-4e79-8201-3c9ca16a0f39",
  • "userId": "2c4a230c-5085-4924-a3e1-25fb4fc5965b",
  • "transactionId": "string",
  • "tenantId": "f97df110-f4de-492e-8849-4a6af68026b0"
}

Batch import users with .gzip

Import users in bulk using a .gzip (compressed CSV) file.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_users_bulk_operation:create. Added in December 2025. For more information, see Access scopes for UATs.

If no siteId is provided, users are imported as tenant users.

An example of a multipart form data request is as follows:


curl -X POST "http://mytenant.cloudmanager.tableau.com/api/v1/tenants/{tenantId}/users/bulk-import" -H "accept: application/json" -H "Content-Type: multipart/form-data" -F "file=@/path/to/file.csv.gz" -F "siteId="d9103a00-d7e5-433f-a0c3-debb7d4f7741" -F "idp="TableauIDWithMFA"
Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string <uuid>

The unique identifier of the tenant.

query Parameters
siteId
string <uuid>

The unique identifier of the site.

idp
string
Enum: "OpenID" "SAML" "TableauIDWithMFA"

The authentication type configured for the tenant.

Request Body schema: multipart/form-data
required
file
required
string <binary>

A .gzip (compressed CSV) file containing data of users to be imported. A correctly formatted file has no header row.

Note: When importing, make sure your CSV file is in UTF-8 format without a byte order mark (BOM).

The expected columns, in the required order, are:

  1. URI (for the tenant or site)

  2. Username

  3. Password

  4. Display Name

  5. License Level (Explorer, Creator, Viewer, or Unlicensed)

  6. Administrator Level (Cloud, Site, or None)

  7. Can Publish (TRUE or FALSE)

  8. Authentication (OpenID, SAML, TableauIDWithMFA, or DEFAULT. Note: DEFAULT is only allowed at the site-level if your site supports it.)

Responses

Response samples

Content type
application/json
{
  • "jobId": "9d222c6d-893e-4e79-8201-3c9ca16a0f39"
}

Batch delete tenant users

Starts a job to delete the specified batch of users from the specified tenant.

To see progress and results, use the returned jobId in a request to the List status for job method.

Note: If the user owns content in a tenant site, the user will become unlicensed but will not be removed from the tenant or from any sites where they own content. To remove the user from a tenant and shift ownership of their content to another user, you can take the following steps:

  1. Make a request to the TCM List tenant sites method, which returns the LUIDs of all sites on a tenant.
  2. Sign in to the Tableau REST API then, for each of the site LUIDs returned for the tenant, use Remove User from site with the mapAssetsTo query parameter set to use the LUID of the new owner for each site.
  3. Use this tenant method (Delete tenant users) to remove the user from the tenant.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_users:delete. Added in December 2025. For more information, see Access scopes for UATs.

This method returns an identifier for an asynchronous job. To see progress and results, use List status for job.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string <uuid>

The unique identifier of the tenant.

Request Body schema: application/json
required
userIds
required
Array of strings <uuid> unique [ items <uuid > ]

A comma separated list of user LUIDs to delete.

Responses

Request samples

Content type
application/json
{
  • "userIds": [
    ]
}

Response samples

Content type
application/json
{
  • "jobId": "9d222c6d-893e-4e79-8201-3c9ca16a0f39"
}

Batch get tenant users

Lists the details of a batch of users specified in a comma separated list of user IDs.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_users:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string <uuid>

The unique identifier of the tenant.

Request Body schema: application/json
required
userIds
required
Array of strings <uuid> unique [ items <uuid > ]

Comma separated list of user LUIDs to get details about.

Responses

Request samples

Content type
application/json
{
  • "userIds": [
    ]
}

Response samples

Content type
application/json
{
  • "users": [
    ]
}

Delete tenant user

Starts a job to delete the specified user from the specified tenant.

To see progress and results, use the returned jobId in a request to the Get batch user job status method. Without an additional license, log files take 2 hours to become available. For more information see, Activity Log.

Note: If the user owns content in a tenant site, the user will become unlicensed but will not be removed from the tenant or from any sites where they own content. To remove the user from a tenant and shift ownership of their content to another user, you can take the following steps:

  1. Make a request to the TCM List tenant sites method, which returns the LUIDs of all sites on a tenant.
  2. Sign in to the Tableau REST API then, for each of the site LUIDs returned for the tenant, use Remove User from site with the mapAssetsTo query parameter set to use the LUID of the new owner for each site.
  3. Use this tenant method (Delete tenant users) to remove the user from the tenant.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_users:delete. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string <uuid>

The unique identifier of the tenant.

userId
required
string <uuid>

The unique identifier of the user.

Responses

Response samples

Content type
application/json
{
  • "jobId": "9d222c6d-893e-4e79-8201-3c9ca16a0f39"
}

Get tenant user

Gets the details of a tenant user.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_users:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string <uuid>

The unique identifier of the tenant.

userId
required
string <uuid>

The unique identifier of the user.

Responses

Response samples

Content type
application/json
{
  • "user": {
    }
}

Update role and language for tenant user

Updates the tenant role, site role, language, and/or locale for a tenant user.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_users:update. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
tenantId
required
string <uuid>

The unique identifier of the tenant.

userId
required
string <uuid>

The unique identifier of the user.

Request Body schema: application/json
required
language
string
Enum: "DE_DE" "EN_GB" "EN_US" "ES_ES" "FR_CA" "FR_FR" "IT_IT" "JA_JP" "KO_KR" "PT_BR" "SV_SE" "TH_TH" "ZH_CN" "ZH_TW"

The new language to apply to the user.

locale
string
Enum: "ar_AE" "ar_BH" "ar_DZ" "ar_EG" "ar_IQ" "ar_JO" "ar_KW" "ar_LB" "ar_LY" "ar_MA" "ar_OM" "ar_QA" "ar_SA" "ar_SD" "ar_SY" "ar_TN" "ar_YE" "be_BY" "bg_BG" "ca_ES" "cs_CZ" "da_DK" "de_AT" "de_CH" "de_DE" "de_LU" "el_CY" "el_GR" "en_AU" "en_CA" "en_GB" "en_IE" "en_IN" "en_MT" "en_NZ" "en_PH" "en_SG" "en_US" "en_ZA" "es_AR" "es_BO" "es_CL" "es_CO" "es_CR" "es_DO" "es_EC" "es_ES" "es_GT" "es_HN" "es_MX" "es_NI" "es_PA" "es_PE" "es_PR" "es_PY" "es_SV" "es_US" "es_UY" "es_VE" "et_EE" "fi_FI" "fr_BE" "fr_CA" "fr_CH" "fr_FR" "fr_LU" "hi_IN" "hr_HR" "hu_HU" "in_ID" "is_IS" "it_CH" "it_IT" "iw_IL" "ja_JP" "ko_KR" "lt_LT" "lv_LV" "mk_MK" "ms_MY" "mt_MT" "nl_BE" "nl_NL" "no_NO" "pl_PL" "pt_BR" "pt_PT" "ro_RO" "ru_RU" "sk_SK" "sl_SI" "sq_AL" "sr_BA" "sr_ME" "sr_RS" "sv_SE" "th_TH" "tr_TR" "uk_UA" "vi_VN" "zh_CN" "zh_HK" "zh_SG" "zh_TW"

The new locale to apply to the user.

email
string

Email address of the user to be updated.

Array of objects (PatchUserLinkRoleDTO)

The tenant roles of the user.

Array of objects (PatchUserSiteRoleDTO)

Site role of the user

Responses

Request samples

Content type
application/json
{
  • "language": "DE_DE",
  • "locale": "ar_AE",
  • "email": "string",
  • "linkRoles": [
    ],
  • "siteRoles": [
    ]
}

Response samples

Content type
application/json
{
  • "jobId": "9d222c6d-893e-4e79-8201-3c9ca16a0f39"
}

List status for user job

Get the status of a batch user job.

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_users_bulk_operation:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
jobId
required
string <uuid>

The unique identifier of the job whose details are to be retrieved.

query Parameters
showDetailed
boolean
Example: showDetailed=true

If true, show the detailed status of each user operation in paginated format. Default is false.

pageToken
string [ 0 .. 1000 ] characters

The pageToken used for getting next set of records. Only valid if showDetailed = true.

Responses

Response samples

Content type
application/json
{
  • "jobId": "9d222c6d-893e-4e79-8201-3c9ca16a0f39",
  • "tenantId": "f97df110-f4de-492e-8849-4a6af68026b0",
  • "operation": "BULK_USER_IMPORT",
  • "ownerId": "4d206909-730f-409a-88f6-dcfaa8fc28cc",
  • "ownerRole": "UNAUTHENTICATED",
  • "siteId": "60189e9c-7d12-438c-b9ca-6998d9c364b1",
  • "triggerSource": "string",
  • "bulkOpAttributes": {
    },
  • "status": "NEW",
  • "expectedOpsCount": 0,
  • "successfulOpsCount": 0,
  • "failedOpsCount": 0,
  • "skippedLinesCount": 0,
  • "submitTime": "2019-08-24T14:15:22Z",
  • "lastUpdateTime": "2019-08-24T14:15:22Z",
  • "createdTime": "2019-08-24T14:15:22Z",
  • "statusChangeHistory": [
    ],
  • "items": [
    ],
  • "nextPageToken": "string"
}

Get user information

Gets information about the user

Permissions: Only cloud administrators can call this method.

Version: Available in Tableau Cloud Manager v1, June 2024, and later.

License: No additional Tableau license is required. For more information, see About Tableau Cloud Manager.

Access scope: tableau:tcm_users_resources:read. Added in December 2025. For more information, see Access scopes for UATs.

Authorizations:
x-tableau-session-token
path Parameters
userName
required
string

The username of the user to get resource details for.

query Parameters
resourceId
string <uuid>

The unique identifier of a site or tenant optionally used to filter results.

resourceType
string
Enum: "SITE" "TENANT"

The type of resource optionally used to filter results.

authType
string
Enum: "OpenID" "SAML" "TableauIDWithMFA" "DEFAULT"

The type of user authentication optionally used to filter results.

authUserId
string

The unique identifier of the user optionally used to filter results.

Responses

Response samples

Content type
application/json
{
  • "resources": [
    ],
  • "userName": "string"
}