Troubleshoot Connected Apps - Direct Trust
When embedded content fails to display in your custom application or Tableau REST API authorisation fails, you can use a browser’s developer tools to inspect and identify error codes that might be associated with the Tableau connected app
Note: In order for the session token to be valid, the clocks of the external application and the server that hosts the external application must be set to Coordinated Universal Time (UTC). If either clock uses a different standard, the connected app will not be trusted.
Refer to the table below to review the description of the error code and potential resolution.
| Error code | Summary | Description | Potential resolution or explanation |
| 5 | SYSTEM_USER_NOT_FOUND | Tableau user could not be found | sub' (Subject) claim value in the JWT is the username (email address) of the authenticated Tableau Cloud user. This value is case sensitive. |
| 16 | LOGIN_FAILED | Login failed | This error is typically caused by one of the following claim issues in the JWT:
|
| 67 | FEATURE_NOT_ENABLED | On-demand access is not supported | On-demand access is available through licensed Tableau Cloud sites only. |
| 126 | CONNECTED_APP_NOT_FOUND | The connected app could not be found | To resolve this issue, verify that the connected app is enabled and the correct client ID (also known as the connect app ID) is referenced in the JWT. |
| 127 | CONNECTED_APP_SECRET_NOT_FOUND | The connected app's secret could not be found | To resolve this issue, verify that the correct connected app's secret ID and secret value are referenced in the JWT. |
| 128 | CONNECTED_APP_SECRET_LIMIT_EXCEEDED | Maximum limit for secrets has been reached | A maximum of two secrets are allowed for a connected app. This error can occur when there's an attempt to create a third secret. To resolve this issue, delete a secret from the connected app before creating a new one. |
| 133 | INVALID_CONNECTED_APP_DOMAIN_SAFELIST | Domain allowlist contains one or more invalid characters | This error can occur when the domain allowlist contains one or more invalid characters. |
| 10083 | BAD_JWT | JWT header contains issues | The 'kid' (Secret ID) or 'clientId' (Issuer) claims are missing from the JWT header. To resolve this issue, ensure this information is included. |
| 10084 | JWT_PARSE_ERROR | JWT contains issues | To resolve this issue, verify the following:
|
| 10085 | COULD_NOT_FETCH_JWT_KEYS | JWT could not find keys | Could not find the secret. To resolve this issue, verify the correct 'kid' (Secret ID) is used in the JWT header. |
| 10089 | CONNECTED_APP_NOT_FOUND | Could not find connected app | To resolve this issue, ensure the issuer is calling the correct connected app ID (also known as the client ID). |
| 10090 | CONNECTED_APP_DISABLED | Connected app is disabled | The connected app used to verify trust is disabled. To resolve this issue, enable the connected app. |
| 10091 | JTI_ALREADY_USED | Unique JWT required | The JWT has already been used in the authentication process. To resolve this issue, a new JWT must be generated. |
| 10092 | NOT_IN_DOMAIN_ALLOW_LIST | Domain of the embedded content is not specified | To resolve this issue, ensure the unrestrictedEmbedding setting is set to true or domainAllowlist parameter includes the domains where Tableau content is embedded using the Update Embedding Settings for Site(Link opens in a new window) method in the Tableau REST API. |
| 10094 | MISSING_REQUIRED_JTI | Missing JWT ID | To resolve this issue, verify the 'jti' (JWT ID) is included in the JWT. |
| 10096 | JWT_EXPIRATION_EXCEEDS_CONFIGURED_EXPIRATION_PERIOD | Issue with expiry time | exp' (Expiry Time) exceeds the default maximum validity period. To resolve this issue, review registered claims(Link opens in a new window) required for a valid JWT and ensure the correct value does not exceed 10 minutes. |
| 10097 | SCOPES_MALFORMED | Issues with scopes claim | This error can occur when the 'scp' (Scope) claim is either missing from the JWT or not passed as a list type. To resolve this issue, verify 'scp' is included in the JWT and passed as a list type. For troubleshooting help with a JWT, see Debugger(Link opens in a new window) on the auth0 site. |
| 10098 | JWT_UNSIGNED_OR_ENCRYPTED | JWT is unsigned or encrypted | Tableau does not support an unsigned or encrypted JWT. |
| 10099 | SCOPES_MISSING_IN_JWT | Missing scopes claim | The JWT is missing the required 'scp' (scope) claim. To resolve this issue, verify 'scp' is included in the JWT. For troubleshooting help with a JWT, see Debugger(Link opens in a new window) on the auth0 site. |
| 10100 | JTI_PERSISTENCE_FAILED | Unexpected JWT ID error | There was an unexpected 'jti' (JWT ID) error. To resolve this issue, a new JWT with a new 'jti' must be generated. |
| 10101 | EPHEMERAL_USER_LOGIN_FAILED_SITE_NOT_UBP_ENABLED | On-demand access is not supported | The site is not licensed with the Embedded Analytics usage-based model that is required to enable on-demand access. For more information, see Understanding Licence Models. |
| 10102 | EPHEMERAL_USER_NOT_SUPPORTED | On-demand access is not supported when iframe-auth attribute is enabled | This error can occur when the iframe-auth attribute is enabled. To resolve this issue, verify that the Tableau Embedding API version 3.6 or later is being used. |
| 10103 | JWT_MAX_SIZE_EXCEEDED | JWT exceeds maximum size | This error can occur when JWT size exceeds 8000 bytes. To resolve this issue, make sure that only the necessary claims are being passed to Tableau Cloud. |
| 10105 | ORIGIN_HEADER_NOT_A_VALID_URI | Invalid Origin header | This error can occur because 1) a URL is specified in the domain allowlist and 2) the Origin header does not contain a valid URL. |
| 10106 | ORIGIN_HEADER_NOT_SET | Missing Origin header | This error can occur because 1) a URL is specified in the domain allowlist and 2) the Origin header is not set. |