Unified Access Tokens


Unified access tokens (UATs) are configurations that enable JSON Web Token (JWT)-based authentication for both the Tableau Cloud Manager REST API and the Tableau REST API. Starting in December 2025, UATs provide an enterprise-level token solution for managing Tableau Cloud at scale.

Benefits of UATs

UATs offer the following benefits:

Note: JWT authentication using UATs and JWT authentication using Tableau connected apps are distinct authentication and authorization capabilities. Tableau connected apps are not supported in Tableau Cloud Manager.

About least privileged access and access scopes

Using UATs, you can access both the Tableau Cloud Manager (TCM) REST API and the Tableau REST API. Access to these APIs is enabled by a JSON Web Token (JWT) that is sent as part of the initial sign-in request.

To enable least-privileged access, the JWT must contain access scopes that define the API methods that are available to the UAT. You can also specify a subset of those scopes in the UAT configuration itself to further restrict the access available to the JWT.

Access scopes

Scopes for UATs grant access to TCM REST API and Tableau REST API capabilities. Scopes are declared in the JWT (or in both the JWT and UAT configuration).

A scope is a colon-separated string with the following format: tableau:<resource>:<action>. The scope starts with the Tableau namespace, tableau, followed by the resource, such as tcm_sites or sites, and ends with an action allowed on the resource, such as read.

You can find the required scope for a JWT-supported method in its properties block in the TCM REST API Help and Tableau REST API Help. If a scope is not listed in the method’s properties block, access to that method can’t be controlled by a JWT.

Examples:

Wildcard access scopes

Instead of using the named access scope, you can replace the action in the scope string with the wildcard character (*). Doing this can enable multiple supported actions for the given resource.

Examples:
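
An added example, not from the original page or from Tableau: a client-side check of the scope format and of how a scope list in the UAT configuration narrows the scopes in the JWT. It models the restriction as a set intersection; the function names, the characters allowed in a scope, and the way a wildcard resolves against a named scope are assumptions.

```python
import re

# Scope grammar from the page: tableau:<resource>:<action>; action may be "*".
# The characters allowed in <resource> and <action> are an assumption.
SCOPE_RE = re.compile(r"tableau:([a-z_]+):([a-z_]+|\*)")

def parse_scope(scope):
    """Return (resource, action); raise ValueError on a malformed scope."""
    match = SCOPE_RE.fullmatch(scope)
    if not match:
        raise ValueError(f"malformed scope: {scope!r}")
    return match.group(1), match.group(2)

def narrower(a, b):
    """Return the scope permitted by both a and b, or None if they don't overlap."""
    (res_a, act_a), (res_b, act_b) = parse_scope(a), parse_scope(b)
    if res_a != res_b:
        return None
    if act_a == "*":
        return b
    if act_b == "*" or act_a == act_b:
        return a
    return None

def effective_scopes(jwt_scopes, uat_scopes=None):
    """Scopes that remain once the UAT configuration restricts the JWT.

    uat_scopes=None models a configuration that lists no scopes.
    """
    if uat_scopes is None:
        return sorted({s for s in jwt_scopes if parse_scope(s)})
    hits = {narrower(j, u) for j in jwt_scopes for u in uat_scopes}
    return sorted(hits - {None})

def wildcard_scopes(scopes):
    """Scopes that grant every action on a resource; review these first."""
    return [s for s in scopes if parse_scope(s)[1] == "*"]

# Constructed sample input using scope names that appear on this page.
JWT_SCOPES = ["tableau:tcm_sites:*", "tableau:sites:read", "tableau:sites:update"]
UAT_SCOPES = ["tableau:tcm_sites:read", "tableau:sites:read"]

if __name__ == "__main__":
    print("effective:", effective_scopes(JWT_SCOPES, UAT_SCOPES))
    print("wildcards:", wildcard_scopes(JWT_SCOPES))
```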

JWT authentication using unified access tokens

This section outlines the steps required to authenticate with both the TCM REST API and the Tableau REST API using a unified access token (UAT) JWT.

  1. Generate a valid JWT: Configure the JWT with the required header, claims, and optional scopes.
  2. Sign in to TCM REST API: Start an initial session to configure the UAT (using a personal access token).
  3. Create a UAT configuration: Use the TCM REST API to create a UAT configuration, providing the JWT public key or JWKS URI.
  4. Sign in with the UAT JWT: Make a sign-in request to either the TCM REST API or Tableau REST API using the JWT associated with the UAT configuration.
  5. Use the credentials token in subsequent requests: Use the returned credentials token in the header of all subsequent API requests.

Prerequisite: Generate JWT

Before you can create a unified access token (UAT) configuration, you must be able to generate a valid JSON Web Token (JWT). This allows cloud administrators to interact with the tenant and its resources, and users to interact with the site and its resources.

Required claims

| Claim | Name | Description |
|---|---|---|
| alg | Algorithm | (In header) JWT signing algorithm. For example, RS256. |
| iss | Issuer | Unique issuer URI. Must match the issuer in the UAT configuration. |
| exp | Expiration time | Expiration time in seconds from Epoch (Unix epoch time). |
| https://tableau.com/tenantId | Tenant ID | Unique identifier of the tenant. Must match the tenant ID in the UAT configuration. |
| iat | Issued at | JWT creation time in seconds from Epoch (Unix epoch time). |
| <username> | Username | Username claim that maps to the Tableau user. For tenant, the user must map to the TCM user. For site, the user must map to the Tableau Cloud site user. If claim is not specified, email is used as default. |

Optional claims

| Claim | Name | Description |
|---|---|---|
| kid | Secret ID | (In header, if supplied by the IdP) Secret key identifier. Required if jwks_uri is used in the UAT configuration. |
| typ | Type | (In header, if supplied by the IdP) Type of JWT. Value must be jwt. |
| jti | JWT ID | Required for JWT revoke capabilities. |
| scp, scope | Scope | Access scopes. Defines the allowed operations. If using “scp”, values must be an array of strings. If using “scope”, values must be space delimited strings. |
| https://tableau.com/issuerOverride | Issuer override | Enables a UAT configuration to use the same tenantId and iss combination. If used, the iss value in the second UAT configuration must be set to https://tableau.com/issuerOverride. |
| https://tableau.com/siteId | Site ID | (Site-specific) Unique identifier of the site. Enables the UAT for the specified site only. Any other resource IDs specified in the UAT configuration will be ignored. |
| https://tableau.com/oda | On-demand access - capability | (Site-specific) Enables on-demand access in embedding workflows. Value must be true. |
| https://tableau.com/groups | On-demand access - groups | (Site-specific) Name of one or more groups on the Tableau Cloud site enabled for dynamic group membership. |
| <user attributes> | (User attribute values) | (Site-specific) Enables user attributes in user attribute functions (UAF) in embedding workflows. |

Example JWT

Here is an example JWT in Python that demonstrates required and optional claims. The Python example uses the PyJWT library.

import jwt

# RS256 is asymmetric: sign with your RSA private key (PEM format).
# The UAT configuration must hold the matching public key (publicKey or jwksUri).
# "private_key.pem" is a placeholder path.
with open("private_key.pem") as key_file:
    private_key = key_file.read()

payload = {
    "iss": "https://myidp.okta.com",
    "exp": 1788384855,
    "https://tableau.com/tenantId": "f97df110-f4de-492e-8849-4a6af68026b0",
    "iat": 1756848855,  # Seconds since the Unix epoch, as a number
    "jti": "https://myidp.okta.com:1756848855123",
    "username": "user@myidp.com",
    "scp": ["tableau:tcm_sites:read", "tableau:tcm_sites:update", "tableau:sites:read", "tableau:sites:update"],
    "https://tableau.com/oda": "true",
    "https://tableau.com/groups": ["Contractors", "Team C", "Group1", "Group2"],  # Example groups
    "Region": "East",  # Example user attribute
}

headers = {
    "kid": "kid",
    "typ": "JWT",
}

# Encode and sign the token
token = jwt.encode(
    payload,
    key=private_key,
    algorithm="RS256",
    headers=headers,
)

Step 1: Sign in to Tableau Cloud Manager REST API

To create your first unified access token (UAT) configuration, you must authenticate to the Tableau Cloud Manager (TCM) REST API. This initial authentication can’t be done with a UAT.

If authenticating to the TCM REST API for the first time, follow the steps described in Sign in to Tableau Cloud Manager REST API. Otherwise, authenticate using the Sign in with personal access token method.

Step 2: Create a unified access token configuration

Use the Create unified access token configuration method to configure a UAT in the TCM REST API.

Example URI

POST https://mytenant.cloudmanager.tableau.com/api/v1/uat-configurations

Note: The URI requires the tenant name. If you don’t know the tenant name, see How to Find Tenant Name.

Example request body

The request body must contain the following:

{
  "name": "UAT for FTE Admins",
  "issuer": "https://myidp.okta.com",
  "publicKey": "...",
  "jwksUri": "https://myidp.okta.com/keys",
  "usernameClaim": "email",
  "resourceIds": [
    "497f6eca-6276-4993-bfeb-53cbbbba6f08"
  ],
  "scopes": [
    "tableau:tcm_sites:read",
    "tableau:tcm_sites:update",
    "tableau:sites:read",
    "tableau:sites:update"
  ],
  "enabled": true
}

Example response body

The request produces the following response body.

{
  "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "tenantId": "f97df110-f4de-492e-8849-4a6af68026b0",
  "configId": "46ff6d11-d8b2-40d8-9197-dfa33c61cd6c",
  "name": "UAT for FTE Admins",
  "issuer": "https://myidp.okta.com",
  "publicKeyActive": "...",
  "publicKey": "...",
  "jwksUri": "https://myidp.okta.com/keys",
  "usernameClaim": "email",
  "resourceIds": [
    "497f6eca-6276-4993-bfeb-53cbbbba6f08"
  ],
  "scopes": [
    "tableau:tcm_sites:read",
    "tableau:tcm_sites:update",
    "tableau:sites:read",
    "tableau:sites:update"
  ],
  "enabled": true
}
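
A pre-flight check for the matching rules stated in the claim tables and the configuration above, as an added example (not Tableau's code or part of the original page). The function name preflight, the millisecond heuristic, and the reading of usernameClaim as the name of the claim to look up are assumptions; the sample input is constructed from the page's example values.

```python
import time

TENANT_CLAIM = "https://tableau.com/tenantId"

def preflight(header, claims, config, now=None):
    """List mismatches between a JWT (header + claims) and a UAT configuration."""
    now = int(time.time()) if now is None else now
    problems = []
    for claim, field in (("iss", "issuer"), (TENANT_CLAIM, "tenantId")):
        if claims.get(claim) != config.get(field):
            problems.append(f"{claim} does not match {field} in the configuration")
    for name in ("iat", "exp"):
        value = claims.get(name)
        if isinstance(value, bool) or not isinstance(value, int):
            problems.append(f"{name} must be an integer (seconds since epoch)")
        elif value > 10**11:  # heuristic: 13-digit values are milliseconds
            problems.append(f"{name} looks like milliseconds, not seconds")
        elif name == "exp" and value <= now:
            problems.append("exp is in the past")
    if config.get("jwksUri") and not header.get("kid"):
        problems.append("kid header is required when jwksUri is configured")
    user_claim = config.get("usernameClaim", "email")  # email is the default
    if user_claim not in claims:
        problems.append(f"username claim {user_claim!r} is missing")
    scp = claims.get("scp")
    if scp is not None and not (isinstance(scp, list)
                                and all(isinstance(s, str) for s in scp)):
        problems.append("scp must be an array of strings")
    if "scope" in claims and not isinstance(claims["scope"], str):
        problems.append("scope must be a space-delimited string")
    return problems

# Constructed sample input (values reused from the page's examples).
CONFIG = {"tenantId": "f97df110-f4de-492e-8849-4a6af68026b0", "issuer": "https://myidp.okta.com",
          "jwksUri": "https://myidp.okta.com/keys", "usernameClaim": "email"}
HEADER = {"alg": "RS256", "typ": "JWT"}  # kid deliberately missing
CLAIMS = {
    "iss": "https://myidp.okta.com",
    TENANT_CLAIM: "f97df110-f4de-492e-8849-4a6af68026b0",
    "iat": "1756848855123",  # string, in milliseconds
    "exp": 1788384855,
    "username": "user@myidp.com",  # configuration expects "email"
    "scp": "tableau:sites:read",  # should be an array
}

if __name__ == "__main__":
    for problem in preflight(HEADER, CLAIMS, CONFIG, now=1756848855):
        print("-", problem)
```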

Step 3: Make a sign in request with unified access token JWT

After the UAT is configured, you can use the JWT (generated in the prerequisite step) to sign in to either the Tableau Cloud Manager (TCM) REST API or Tableau REST API.

Sign in to TCM REST API

Use the Sign in with unified access token method to generate a TCM credentials token.

Example URI

POST https://mytenant.cloudmanager.tableau.com/api/v1/tcuJwt/login

Note: The URI requires you to include the tenant name. If you don’t know the tenant name, see How to Find Tenant Name.

Example request body

The request body must contain the JWT (as the token value) associated with the UAT configuration you created in Step 2.

{
	 "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30"
}

Example response body

The request produces the following response body. The response includes the TCM credentials token, sessionToken.

{
	"sessionToken": "bSG+6ttrRgqMLzonp5j89w==:SUOF-rjwMZZKXg-T3GcpDVFrIKAO6VIbTyZyq39bWR0",
	"userId": "306982a2-4bb0-b858-b82eeI24b857",
	"tenantId": "56978815-59b6-4a61-b9e8-ede126e23bab",
	"sessionExpiration": "2025-0706T84:53:13.688541Z"
}

Sign in to Tableau REST API

You can use the same UAT configuration to sign in to the Tableau REST API using the Sign in with JWT method to generate a Tableau credentials token.

Example URI

POST https://mypod.online.tableau.com/api/3.27/auth/signin

Note: The URI requires you to include the pod name, such as prod-ca-a, eu-west-1a, or prod-apsoutheast-a. If you don’t know the pod name, see About the pod name in the Tableau REST API Help.

Example request body

The request body must contain the following:

  1. jwt: JSON Web Token (JWT) associated with the UAT configuration you created in Step 2.
  2. isUat: Must be set to true. This attribute is required to sign in with a UAT JWT. Omit this attribute to sign in with a Tableau connected apps JWT.
  3. contentUrl: A required attribute for Tableau Cloud sign-in. For more information, see About the Site Attribute in the Tableau REST API Help.

{
  "credentials": {
    "jwt": "eyJpc3MiOiI1NmUwZGZhYi0zNDA3LTRlNWMtYWY5Ni04YzI1ZmY0NWI3ODMiLCJhbGciOiJIUzI1NiIsImtpZCI6ImJlNzFkNDc0LWMxOTctNDljNS04ZWIzLTM5YWU4MWVjNDNhYyJ9.eyJhdWQiOiJ0YWJsZWF1Iiwic3ViIjoidGVzdDEyMyIsInNjcCI6WyJ0YWJsZWF1OmNvbnRlbnQ6cmVhZCJdLCJpc3MiOiI1NmUwZGZhYi0zNDA3LTRlNWMtYWY5Ni04YzI1ZmY0NWI3ODMiLCJleHAiOjE2NDc2MjM1NzUsImp0aSI6ImY0MzdkNDFmLWM1MmMtNGE5Mi1hYTA1LWFjYTYyMGViZTgzMSJ9.pntsSpHmrxTT5XmiJi1Ls2qQdu4qMRQ5vgRuN7gtS_U",
    "isUat": true,
    "site": {
      "contentUrl": ""
    }
  }
}

Example response body

The request produces the following response body. The response includes the Tableau credentials token, token.

{
  "credentials": {
    "site": {
      "id": "9a8b7c6d5-e4f3-a2b1-c0d9-e8f7a6b5c4d",
      "contentUrl": ""
    },
    "user": {
      "id": "9f9e9d9c-8b8a-8f8e-7d7c-7b7a6f6d6e6d"
    },
    "token": "HvZMqFFfQQmOM4L-AZNIQA|5fI6T54OPK1Gn1p4w0RtHv6EkojWRTwq|a946d998-2ead-4894-bb50-1054a91dcab3"
  }
}

Step 4: Include the session header in subsequent requests

Use the credentials token you generated in Step 3 to make subsequent requests.

For Tableau Cloud Manager REST API

Add the sessionToken to the x-tableau-session-token header for all subsequent TCM REST API requests.

Example header

x-tableau-session-token:+iUzQx+s:E9T43sqund-xDGle-9trR7WPLkqCkT_7zks3_dVsV0By_Jji

The TCM credentials token is short-lived. It expires after 4 hours or when the session is idle for 30 continuous minutes with no requests. When the TCM credentials token expires, you need to sign in to Tableau Cloud Manager REST API again to get a new TCM credentials token.

For Tableau REST API

Add the token to the X-Tableau-Auth header for all subsequent Tableau REST API requests.

Example header

X-Tableau-Auth:HvZMqFFfQQmOM4L-AZNIQA|5fI6T54OPK1Gn1p4w0RtHv6EkojWRTwq|a946d998-2ead-4894-bb50-1054a91dcab3

The Tableau credentials token is short-lived. It expires after 120 minutes or when the session is idle for 30 continuous minutes with no requests. When the Tableau credentials token expires, you need to sign in to Tableau REST API again to get a new Tableau credentials token.