Tokens Data Source
Tokens contains information about active, unexpired user tokens on the site, including personal access tokens (PATs), refresh tokens, and OAuth tokens. Site administrators can monitor token usage and expiration through the data source, rotating essential tokens as needed.
The following tokens are included in the data source:
-
OAuth Database - Manage the access tokens used for OAuth connections. The tokens are valid until a Tableau Cloud user deletes it, or the data provider revokes it. For more information, see OAuth Connections.
-
OAuth Client - Manage refresh tokens used by connected clients, such as Tableau Desktop and Tableau Prep. For more information, see Access Sites from Connected Clients.
-
Personal access tokens (PATs) - Manage long-lived authentication tokens used to sign in to Tableau Cloud, such as automated scripts and tasks that are created with the Tableau REST API. For more information, see Personal Access Tokens.
At any time, site administrators can quickly revoke a token by unlicensing a user with the undesired token. With the caveat that new tokens have to be created when the user is relicensed. For steps on removing or revoking specific types of tokens, follow the links in the previous section.
Create custom views
If you're a site admin or someone who has been granted access to the Admin Insights project, you can access the Admin Insights data sources directly from Tableau Cloud using Web Authoring or through Tableau Desktop to build custom views. For more information about connecting to Admin Insights data sources, see Use Admin Insights to Create Custom Views.
Example: When were OAuth Database tokens last updated?
Use the following steps to create a view that measures when OAuth database tokens were last update and token rotation compliance within an organization.
-
Connect to the Tokens data source.
-
From the Data pane, drag Token Type to the Filter shelf. Select the OAuth Database checkbox, and click OK.
-
Drag Database Type, Database User Name, and Last Updated to the Rows shelf.
-
On the Rows shelf, right-click Last Updated and select Exact Date from the context menu. Change the field from continuous to discrete.
-
From the menu, click Analysis > Create Calculated Field.
-
Name: Days Since Last Update
-
Calculation:
ROUND(TODAY()-[Last Updated])
-
-
Click OK.
-
From the Data pane, drag Days Since Last Update to the Rows shelf. Change the field from continuous to discrete.
Example: When do embedded OAuth database tokens expire?
To prevent disruptions such as view load errors and failed extract refreshes, it's important to monitor the expiration of embedded OAuth database tokens. Use the following steps to create a view that identifies tokens nearing expiration, enabling users to refresh their credentials proactively.
Note: Tableau doesn't store expiration times for OAuth database tokens. To obtain this information, contact your database administrator to verify expiration details for each database type.
-
Connect to the Tokens data source.
-
From the Data pane, drag Token Type to the Filter shelf. Select the OAuth Database checkbox, and click OK.
-
Drag Database Type and Owner Email to the Rows shelf.
-
From the menu, click Analysis > Create Calculated Field. In this example, we use a Snowflake database with a 90-day expiration period.
-
Name:
Expires At (all tokens)
-
Calculation:
IF [Token Type] = 'OAuth Database'
THEN
IF [Database Type] = 'snowflake'
THEN DATEADD('day', 90, [Last Updated])
// add conditions for other database types here //
ELSE NULL
END
ELSE [Expires At]
END
-
-
From the menu, click Analysis > Create Calculated Field.
-
Name:
Days Until Expiration
-
Calculation:
DATEDIFF('day', TODAY(), [Expires At (all tokens)])
-
-
Drag Days Until Expiration to the Rows shelf. Change the field from continuous to discrete.
-
Drag Days Until Expiration to the Filters shelf. Select All Values, setting the Maximum to 14. This filters tokens expiring in the next 14 days or those already expired. Adjust as needed.
-
Use the resulting values to contact users whose tokens are set to expire soon.
Example: Which users own PATs on the site?
The following example displays the names and site roles of users who own PATs on the site. You can adjust the filter for other token types.
-
Connect to the Tokens and TS Users data sources.
-
Select Data > Edit Blend Relationships.
-
In the Blend Relationships dialog, set the primary data source to Tokens, and select the Custom radio button.
-
Click Add.
-
In the Add/Edit Field Mapping dialog, map Owner Email to User Email, and click OK > OK.
-
From the Data pane, drag Token Type to the Filter shelf. Select the PAT checkbox, and click OK.
-
From the Data pane, drag User Name, User Site Role, Expires At, and Last Used At At to the Rows shelf.
- Verify that User Email is the linking field in the Data pane. If there is a broken link, click the icon next to the field name to link the two data sources.
-
On the Rows shelf, right-click Expires At and select Exact Date from the context menu. Change the field from continuous to discrete.
-
Repeat step 7 for Last Used At.
Do more with your data
Using Tableau Prep, you can join Tokens with other Admin Insights data sources on the following fields to get more visibility into your site. If you're analyzing data from multiple Tableau Cloud sites, you must also join on "Site LUID = Site LUID".
-
To see the site role of the token owner, join Tokens to TS Users on “Owner Email” = “User Email”
-
To see group membership of the token owner, join Tokens to Groups on “Owner Email” = “User Email”
For more information, see Aggregate, Join, or Union Data(Link opens in a new window) in Tableau Prep Help.
Data schema
The following table lists the fields included in the Tokens data source. Each row of data corresponds to a combination of Token ID and Owner Email.
Folder | Field Name | Type | Description |
---|---|---|---|
Database | Asset Key ID | Numeric | ID of the database entry. Applies to OAuth Database tokens. |
Database Type | String | The type of database, for example, Salesforce, Snowflake, etc. Applies to OAuth Database tokens. | |
Database User Name | String | Name of the user connecting to the database. Applies to OAuth Database tokens. | |
Instance URL | String | The instance URL for the data provider, for example, https://login.salesforce.com. Applies to OAuth Database tokens. | |
Last Updated | Date-time | Date and time the data source credentials were last changed in UTC. Applies to OAuth Database tokens. | |
Devices | Device ID | String | ID of the connected client associated with the token. Applies to OAuth Client tokens. |
Device Name | String | Name of the connected client associated with the token. Applies to OAuth Client tokens. | |
Site | Site LUID | String | The LUID of the Tableau Cloud site. Primarily used to reference content via the REST API. |
Site Name | String | Name of the Tableau Cloud site. | |
Token | Expires At | Date-time | Date and time the token expires in UTC. Applies to PAT and OAuth Client tokens. |
GUID | String | Unique ID of the token. Applies to PAT and OAuth Client tokens. | |
Issued At | Date-time | Date and time the token was issued in UTC. | |
Last Used At | Date-time | Date and time the token was last used in UTC. Applies to PAT and OAuth Client tokens. | |
Owner Email | String | Email address of the token owner. | |
PAT Name | String | Name of the personal access token. Applies to PATs. | |
Token Identifier | String | Uniquely identifies a row of data using the GUID for PAT and OAuth Client tokens and Asset Key ID for OAuth Database tokens. | |
Token Type | String | An enumerated value for the token type. Either personal access token (PAT), OAuth Client, or OAuth Database. | |
- | Admin Insights Published At | Date-time | Date and time the Admin Insights data source was last published in UTC. |