Troubleshoot Connected Apps - Direct Trust

When embedded content fails to display in your custom application or Tableau REST API authorization fails, you can use a browser’s developer tools to inspect and identify error codes that might be associated with the Tableau connected app (direct trust) that’s used to display the embedded content.

Note: In order for the session token to be valid, the clocks of the external application and the server that hosts the external application must be set to Coordinated Universal Time (UTC). If either clock uses a different standard, the connected app will not be trusted.

Refer to the table below to review the description of the error code and potential resolution.

Error code Summary Description Potential resolution or explanation
5 SYSTEM_USER_NOT_FOUND Tableau user could not be found To resolve this issue, verify the 'sub' (Subject) claim value in the JWT is the user name (email address) of the authenticated Tableau Cloud user. This value is case sensitive.
16 LOGIN_FAILED Login failed This error is typically caused by one of the following claim issues in the JWT:
  • The 'exp' (Expiration Time) exceeds the default maximum validity period. To resolve this issue, review registered claims(Link opens in a new window) required for a valid JWT and ensure the correct value does not exceed 10 minutes.
  • The 'sub' (Subject) is calling an unknown user. To resolve this issue, verify the 'sub' value is the user name (email address) of the authenticated Tableau Cloud user.
67 FEATURE_NOT_ENABLED On-demand access is not supported On-demand access is available through licensed Tableau Cloud sites only.
126 CONNECTED_APP_NOT_FOUND The connected app could not be found To resolve this issue, verify the connected app is enabled and the correct client ID (also known as the connect app ID) is referenced in the JWT.
127 CONNECTED_APP_SECRET_NOT_FOUND The connected app's secret could not be found To resolve this issue, verify the correct connected app's secret ID and secret value are referenced in the JWT.
128 CONNECTED_APP_SECRET_LIMIT_EXCEEDED Maximum limit for secrets has been reached A maximum of two secrets are allowed for a connected app. This error can occur when there's an attempt to create a third secret.

To resolve this issue, delete a secret from the connected app before creating a new one.

133 INVALID_CONNECTED_APP_DOMAIN_SAFELIST Domain allowlist contains one or more invalid characters This error can occur when the domain allowlist contains one or more invalid characters.
10083 BAD_JWT JWT header contains issues The 'kid' (Secret ID) or 'clientId' (Issuer) claims are missing from the JWT header. To resolve this issue, ensure this information is included.
10084 JWT_PARSE_ERROR JWT contains issues To resolve this issue, verify the following:
  • The 'aud' (Audience) value referenced in the JWT uses the "tableau" value. This value is case sensitive.
  • The 'aud' (Audience) and 'sub' (Subject) are included in the JWT.
  • Review IssueTime or ensure there's no clock mismatch between the machine hosting the connected app and Tableau Cloud.
10085 COULD_NOT_FETCH_JWT_KEYS JWT could not find keys Could not find the secret.

To resolve this issue, verify the correct 'kid' (Secret ID) is used in the JWT header.

10089 CONNECTED_APP_NOT_FOUND Could not find connected app To resolve this issue, ensure the issuer is calling the correct connected app ID (also known as the client ID).
10090 CONNECTED_APP_DISABLED Connected app is disabled The connected app used to verify trust is disabled. To resolve this issue, enable the connected app.
10091 JTI_ALREADY_USED Unique JWT required The JWT has already been used in the authentication process. To resolve this issue, a new JWT must be generated.
10092 NOT_IN_DOMAIN_ALLOW_LIST Domain of the embedded content is not specified To resolve this issue, ensure the unrestrictedEmbedding setting is set to true or domainAllowlist parameter includes the domains where Tableau content is embedded using the Update Embedding Settings for Site(Link opens in a new window) method in the Tableau REST API.
10094 MISSING_REQUIRED_JTI Missing JWT ID To resolve this issue, verify the 'jti' (JWT ID) is included in the JWT.
10096 JWT_EXPIRATION_EXCEEDS_CONFIGURED_EXPIRATION_PERIOD Issue with expiration time The 'exp' (Expiration Time) exceeds the default maximum validity period. To resolve this issue, review registered claims(Link opens in a new window) required for a valid JWT and ensure the correct value does not exceed 10 minutes.
10097 SCOPES_MALFORMED Issues with scopes claim This error can occur when the 'scp' (Scope) claim is either missing from the JWT or not passed as a list type. To resolve this issue, verify 'scp' is included in the JWT and passed as a list type. For troubleshooting help with a JWT, see Debugger(Link opens in a new window) on the auth0 site.
10098 JWT_UNSIGNED_OR_ENCRYPTED JWT is unsigned or encrypted Tableau does not support an unsigned or encrypted JWT.
10099 SCOPES_MISSING_IN_JWT Missing scopes claim The JWT is missing the required 'scp' (scope) claim. To resolve this issue, verify 'scp' is included in the JWT. For troubleshooting help with a JWT, see Debugger(Link opens in a new window) on the auth0 site.
10100 JTI_PERSISTENCE_FAILED Unexpected JWT ID error There was an unexpected 'jti' (JWT ID) error. To resolve this issue, a new JWT with a new 'jti' must be generated.
10101 EPHEMERAL_USER_LOGIN_FAILED_SITE_NOT_UBP_ENABLED On-demand access is not supported The site is not licensed with the Embedded Analytics usage-based model that is required to enable on-demand access. For more information, see Understanding License Models.
10102 EPHEMERAL_USER_NOT_SUPPORTED On-demand access is not supported when iframe-auth attribute is enabled This error can occur when the iframe-auth attribute is enabled. To resolve this issue, verify that the Tableau Embedding API version 3.6 or later is being used.
10103 JWT_MAX_SIZE_EXCEEDED JWT exceeds maximum size This error can occur when JWT size exceeds 8000 bytes. To resolve this issue, make sure that only the necessary claims are being passed to Tableau Cloud.
10105 ORIGIN_HEADER_NOT_A_VALID_URI Invalid Origin header This error can occur because 1) a URL is specified in the domain allowlist and 2) the Origin header does not contain a valid URL.
10106 ORIGIN_HEADER_NOT_SET Missing Origin header This error can occur because 1) a URL is specified in the domain allowlist and 2) the Origin header is not set.
Thanks for your feedback!Your feedback has been successfully submitted. Thank you!