Personal access tokens (PATs) provide Tableau Cloud users the ability to create long-lived authentication tokens. The tokens allow users to run automation with Tableau REST APIs without requiring hard-coded credentials or interactive sign in. More information about using personal access tokens with Tableau REST APIs is at Signing In and Out (Authentication)(Link opens in a new window).
Personal access tokens are not used for generic client access to Tableau Cloud. To use personal access tokens with tabcmd, install the new version of tabcmd from https://tableau.github.io/tabcmd/.
Note: You must use a PAT, instead of user name and password, to make a REST API sign in request to Tableau Cloud with multi-factor authentication (MFA) enabled with Tableau authentication.
We recommend creating personal access tokens for automated scripts and tasks that are created with Tableau REST API:
Improve security: Personal access tokens reduce risk in the event credentials are compromised. In the case where Tableau Server uses Active Directory as an identity store, you can reduce the scope of credential compromise by using a personal access token for automated tasks. In this case, using an application-specific token doesn't expose the broader system in the event that automation or script files are compromised. If a token gets compromised or is used in automation that is failing or posing a risk, you can just revoke the token. You do not need to rotate or revoke the user's credentials.
Manage automation: A token can be created for each script or task that is run. This allows you to silo and review automation tasks across your organization. Additionally, by using tokens then password resets or metadata changes (username, email, etc.) on user accounts will not disrupt automation as it would when credentials are hard-coded into the scripts.
Understand personal access tokens
When a token is created, it is hashed then stored in the repository. After the token is hashed and stored, the original token is deleted. Users are instructed to copy the token to a safe place and to handle it as they would a password. When the token is used at run-time, Tableau Cloud hashes the token presented by the user and compares it to the hashed value stored in the repository. If a match is made, then an authenticated session is started.
Note: One personal access token is required per concurrent request. Signing in again with the same access token, whether at the same site or a different site, will terminate the previous session and result in an authentication error.
In the context of authorization, Tableau Cloud handles the authenticated session with same permissions and rights that the user has as an interactive user.
Users with accounts on Tableau Cloud can create, manage, and revoke personal access tokens on the My Account Settings page. For more information, see ManageYour Account Settings(Link opens in a new window) in the Tableau Help.
Users must create their own personal access tokens. Site admins can't create tokens on behalf of their users.
Personal access tokens will expire if they are not used after 15 consecutive days. If they are used more frequently than every 15 days, an access token will expire after 1 year. After a year, you must create a new token. These expiration values are not configurable. Expired personal access tokens will not display on the My Account Settings page.
Revoke users' tokens
Users are able to revoke their own tokens on the My Account Settings page. As an administrator, you can also revoke personal access tokens.
- Sign in to Tableau Cloud using your site admin credentials and navigate to the Users page.
- Locate the user whose token you want to revoke. For more information about navigating Server Admin pages and locating users, see View, Manage, or Remove Users.
- Click the user's name to open their profile page.
- On the user's profile page, click the Settings tab.
- In the Personal Access Tokens section, identify the token that you want to revoke and then click Revoke.
- On the verification pop-up, click Delete.