Access Scopes for Connected Apps

Starting with Tableau Server version 2022.3 , using Tableau-connected apps, you can programmatically call and access the Tableau REST API through your custom application on behalf of Tableau Server users. Access to the REST API is enabled by a JSON Web Token (JWT) defined as part of the initial Sign In request. The JWT must contain scopes that define the REST API methods that are available to your custom application and its users through the connected app.

Authorise access to the REST API using connected apps to:

  • Enhance security – using a JWT as a bearer token is inherently more secure than storing and managing admin user passwords through .env files in vaults
  • Enhance efficiency – using a JWT as a bearer token enables a simplified impersonation with one request to the Sign In endpoint instead of two requests
  • Extend and automate complex Tableau integrations and backend queries – such as dynamic content retrieval and advanced filtering

Scope actions

Connected apps use scopes that grant access to content or administrative actions through the REST API methods that support JWT authorisation (below). A scope is a colon-separated string that starts with the namespace tableau, followed by the Tableau resource that access is being granted to, such as datasources, and ends with the action that is allowed on the resource, such as update.

The action a scope can take includes:

  • create
  • read
  • run
  • update
  • download
  • delete

For example, a scope that allows your custom application to call the Update Data Source(Link opens in a new window) method looks like:

tableau:datasources:update

Scope types

The type of scope you use depends on the content or administrative action that you want to enable. Scopes generally fall into one of the following types: content read, individual, wildcard and cross-category.

  • Content read scope: The content read scope, tableau:content:read, enables supported GET methods for Tableau content. When you use this scope, you enable actions across REST API categories. More specifically, using this scope you enable GET methods for data sources, metrics, views, workbooks, projects and sites. Starting in Tableau Server 2023.3, you also specify this scope in a JWT that will be used to create a credentials token for use with the Metadata API(Link opens in a new window).

    Note: To enable GET methods for administrative actions, like users and groups, you can use their individual scopes.

  • Individual scopes: To enable supported content and administrative actions, you can use their individual scopes. An individual scope is generally associated with a single method and REST API category.

    Examples:

    • To enable publish or update a data source action, you can use the individual tableau:datasources:create or tableau:datasources:update scope, respectively.
    • For administrative actions like add or remove users, you can use the individual tableau:users:create or tableau:users:delete scope, respectively.

    Note: There are some individual scopes that can enable actions across REST API categories. For example, tableau:views:download enables actions in the view data and workbooks REST API categories.

  • Wildcard (*) scopes: For certain scopes, you can replace the action with the wildcard character (*) to enable supported actions within a specific REST API category.

    Examples:

    • You can use the tableau:projects:* wildcard scope to enable the create, delete and update actions in the projects REST API category.
    • You can use the tableau:users:* wildcard scope to enable the get/list, add, delete and update actions in the users REST API category.
    • You can use the tableau:tasks:* wildcard scope to enable the get/list, add, delete, update and run actions of extract and subscriptions REST API categories. In addition, this scope enables update data source (if an extract) and update workbook.
  • Cross-category scopes: In addition to the content read scope, there are a few additional scopes that, if used, enable supported actions across different REST API categories.

    Examples:

    • If using the tableau:tasks:run scope, you enable actions in the data sources and workbooks REST API categories.
    • Again, if using the tableau:views:download scope, you enable actions in the view data and workbook REST API categories.
    • If using permissions scopes like tableau:permissions:update or tableau:permissions:delete, you enable actions in the data sources, workbooks and projects REST API categories.

Summary of how to authorise REST API access

The following list summarises the steps to request access to the REST API through a JWT:

  1. Create a connected app using one of the following methods:
  2. Generate a valid JWT – at runtime your custom application will generate a valid JWT, configured with the scopes you have included
  3. Make a Sign In(Link opens in a new window) request – your custom application will make a Sign In request using the JWT to return a Tableau credentials token and site ID (LUID)
  4. Use the Tableau access token in subsequent requests – in subsequent REST API calls, use 1) the Tableau credentials token as the X-Tableau-Auth(Link opens in a new window) header value and 2) the site ID (LUID) in the request URI

Example

For example, suppose you create a connected app using direct trust. Using direct trust, your custom application that calls the REST API generates a valid JWT using the client ID and client secret generated by the connected app.

Scopes in the JWT

To successfully authorise access to the REST API, the JWT must also contain the scopes that define the REST API capabilities. For example, to enable various data source-related methods, you might include the following scopes in the JWT:

"tableau:content:read","tableau:datasources:create","tableau:datasources:update","tableau:datasources:download","tableau:tasks:run"

Or

"tableau:content:read","tableau:datasources:*","tableau:tasks:run"

Note: Scope values must be passed as a list type.

Sign In Request URI

To make a call to the REST API, your custom application must first make a Sign In request to generate a Tableau credentials token.

POST https://myco/api/3.17/auth/signin

Request body

To authorise REST API access using a JWT, the Sign In request body must contain the valid JWT like the example below.

<tsRequest>
   <credentials jwt="eyJpc3MiOiI4ZTFiNzE3Mi0zOWMzLTRhMzItODg3ZS1mYzJiNDExOWY1NmQiLCJhbGciOiJIUzI1NiIsImtpZCI6ImIwMTE1YmY5LTNhNGItNGM5MS1iMDA5LWNmMGMxNzBiMWE1NiJ9.eyJhdWQiOiJ0YWJsZWF1Iiwic3ViIjoicm1vaGFuQHRhYmxlYXUuY29tIiwic2NwIjpbInRhYmxlYXU6c2l0ZXM6cmVhZCJdLCJpc3MiOiI4ZTFiNzE3Mi0zOWMzLTRhMzItODg3ZS1mYzJiNDExOWY1NmQiLCJleHAiOjE2NDg2Njg0MzksImp0aSI6IjY1ZWFmMmYxLTNmZTgtNDc5Ny1hZmRiLTMyODMzZDVmZGJkYSJ9.mUv2o4gtBTrMVLEXY5XTpzDQTGvfE2LGi-3O2vdGfT8">
    <site contentUrl="mycodotcom"/>
   </credentials>
</tsRequest>

Response body

The Sign In request produces the following response body, which includes the Tableau credentials token.

<tsResponse>
   <credentials token="12ab34cd56ef78ab90cd12ef34ab56cd">
    <site id="9a8b7c6d5-e4f3-a2b1-c0d9-e8f7a6b5c4d" contentUrl=""/>
    <user id="9f9e9d9c-8b8a-8f8e-7d7c-7b7a6f6d6e6d" />
   </credentials>
</tsResponse>

After the Tableau access token is generated, add the Tableau credentials token to the header of all subsequent REST API requests.

Header

X-Tableau-Auth:12ab34cd56ef78ab90cd12ef34ab56cd

All subsequent REST API requests using the Tableau access token are then bounded by the scopes in the JWT.

REST API methods that support JWT authorisation

The following scopes can be associated with the connected app to define access and methods your custom application can have to the REST API(Link opens in a new window) on users' behalf.

Notes:

Wildcard (*) scopes

Wildcard scopes use the wildcard character (*) instead of a specific action, to enable multiple supported actions within a specific REST API category. These include:

ScopeMethods enabled
tableau:datasources:*Enables create, update and update connection data source methods.
tableau:metrics:*Enables query, update and delete metrics actions.
tableau:workbooks:*Enables publish, update, download and preview image workbook actions.
tableau:groups:*Enables create, query, update and delete groups actions.
tableau:projects:*Enables create, delete and update projects methods.
tableau:users:*Enables get/list, add, delete and update users methods.
tableau:tasks:*

Note: This scope is also cross-category.

Enables get/list, add, delete update and run methods for extracts and subscription tasks.

Enables update methods for data sources for workbooks.

Cross-category scopes

Cross-category scopes enable multiple supported actions across multiple REST API categories. These include:

ScopeMethods enabled
tableau:content:readEnables read/list methods for Tableau content, including data sources, metrics, views, workbooks, projects and sites.
tableau:tasks:runEnables run methods for data sources, workbooks and extracts.
tableau:views:downloadEnables download methods for view data and workbooks.
tableau:tasks:*

Note: This scope is also wildcard.

Enables get/list, add, delete, update and run methods for extracts and subscription tasks.

Enables update methods for data sources for workbooks.

Individual scopes

MethodScopeDescription
(Methods without scopes)(None)When no scopes are defined in the JWT, access to the REST API is denied.
Sign in(No scope needed)Signs you in as a user on the specified site on Tableau Server.
Sign out(No scope needed)Signs you out of the current session.
(Content read scope)tableau:content:readEnables read/list actions for Tableau content: data sources, metrics, views, workbooks and projects.

Data sources

  
(All tableau:datasources: methods)tableau:datasources:*Enables create data source, update data source and update data source connection methods.
Publish data sourcetableau:datasources:createPublish a data source to a site or append data to an existing published data source.
Query data sourcetableau:content:readGet information about a published data source.
Query data sourcestableau:content:readGet information about all published data sources on a site.
Query data source connectionstableau:content:readGet server address, port, username or password information about a published data source.
Update data sourcetableau:datasources:updateUpdate owner, project or certification status of the data source.
Update data source connectiontableau:datasources:updateUpdate server address, port, username or password of the data source connection.
Update data source nowtableau:tasks:runRun extract refresh.

Extracts

  
(All tableau:tasks: methods)tableau:tasks:*Enables create, delete, get, list, run and update refresh actions for extracts, subscriptions, update data source (for data sources with extracts), and update workbook methods.
List extract refresh tasks in sitetableau:tasks:readList the extract refreshes tasks configured for in a site.
Run extract refresh tasktableau:tasks:runRuns an extract refresh task.

Flows

  
Publish flowtableau:flows:createPublish a flow.

Metrics

Retirement of the legacy metrics feature

Tableau's legacy metrics feature will be retired in Tableau Cloud in February 2024 and in Tableau Server version 2024.2. In October 2023, Tableau retired the ability to embed legacy metrics in Tableau Cloud and Tableau Server version 2023.3. With Tableau Pulse, we've developed an improved experience to track metrics and ask questions of your data. For more information, see Create Metrics with Tableau Pulse to learn about the new experience and Create and Troubleshoot Metrics (Retired) for the retired feature.

(All tableau:metrics: methods)tableau:metrics:*Enables query, update and delete metrics actions.
Get metrictableau:content:readGet a metric.
Delete metrictableau:metrics:deleteDelete a metric.
List metricstableau:content:readGet list of metrics for a site.
Query metrics datatableau:metrics:downloadGet underlying data of a metric in comma-separated value (.csv) format.
Update metrictableau:metrics:updateUpdate owner, project, suspend status and name of the metric.

Subscriptions

  
(All tableau:tasks: methods)tableau:tasks:*Enables create, delete, get, list, run and update refresh actions for extracts, subscriptions, update data source (for data sources with extracts), and update workbook methods.
Create subscriptiontableau:tasks:createCreate a subscription.
Delete subscriptiontableau:tasks:deleteDelete a subscription.
Get subscriptiontableau:tasks:readGets the details of a subscription.
List subscriptionstableau:tasks:readLists subscriptions in a site.
Update subscriptiontableau:tasks:updateUpdates a subscription.

Views

  
Delete custom viewtableau:views:updateDelete the specified custom view.
Get custom viewtableau:content:readGet the details of a specified custom view.
Get custom view imagetableau:views:downloadDownload a .png format image file of a specified custom view.
Get viewtableau:content:readGet details about a view.
Get view by pathtableau:content:readGet details for all views on a site using the specified name.
List custom viewstableau:content:readGet a list of custom views on a site.
Query view datatableau:views:downloadGet a view rendered in comma-separated value (.csv) format.
Query view PDFtableau:views:downloadGet a view as a PDF (.pdf) file.
Query view imagetableau:views:downloadGet a view as an image (.png) file.
Query views for sitetableau:content:readGet all views for a site.
Query views for workbooktableau:content:readGet all views for the specified workbook.
Query view preview imagetableau:views:downloadGet the thumbnail image (.png) of the view.
Update custom viewtableau:views:updateChange the owner or name of an existing custom view.

Workbooks

  
(All tableau:workbooks: methods)tableau:workbooks:*Enables publish, update, download and preview image workbook actions.
Publish workbooktableau:workbooks:createPublish a workbook (.twb or .twbx).
Query workbooktableau:content:readGet a specified workbook and its details.
Query workbook for sitetableau:content:readGet a list of workbooks published to a site.
Query workbook preview imagetableau:workbooks:downloadGet the thumbnail image (.png) of the workbook.
Update workbooktableau:workbooks:updateModify an existing workbook.
Update workbook connectiontableau:workbooks:updateUpdate the connection information.
Update workbook nowtableau:tasks:runInitiate a workbook refresh outside of a scheduled task.

Publish

  
Append to file uploadtableau:file_uploads:createUpload a block of data and append it to the data that is already uploaded – to be used after an upload has been initiated using the "initiate file upload" method.
Initiate file uploadtableau:file_uploads:createInitiate the upload process of a file.

Download

  
Download data sourcetableau:datasources:downloadDownload the data source (.tdsx).
Download view crosstab Exceltableau:views:downloadDownload an Excel (.xlsx) file containing crosstab data from the view.
Download workbooktableau:workbooks:downloadDownload a workbook (.twb or .twbx).
Download workbook revisiontableau:workbooks:downloadDownload a specific version of the workbook (.twb or .twbx).
Download workbook PDFtableau:views:downloadDownload a PDF (.pdf) file containing images of the sheets in the workbook.
Download workbook PowerPointtableau:views:downloadDownload a PowerPoint (.pptx) file containing slides of the sheets in the workbook.

Users

  
(All tableau:users methods)tableau:users:*Enables add, query, update and remove users actions.
Add user to grouptableau:groups:updateAdd a user to a group.
Add user to sitetableau:users:createAdd a user and assign the user to a site.
Get users in grouptableau:groups:readGet a list of users in a group.
Get users on sitetableau:users:readGet all users on a site.
Query user on sitetableau:users:readGet a user on a site.
Remove users from grouptableau:groups:updateRemove a user from a group.
Remove user from sitetableau:users:deleteRemove the user from a site.

Groups

  
(All tableau:groups: methods)tableau:groups:*Enables create, query, update and delete groups actions.
Create grouptableau:groups:createCreate a group.
Delete grouptableau:groups:deleteDelete a group.
Get groups for usertableau:users:readGet a list of groups that a user belongs to.
Query groupstableau:groups:readGet a list of groups on a site.
Update grouptableau:groups:updateUpdate a group.

Projects

  
(All tableau:projects: methods)tableau:projects:*Enables create, update and delete projects actions.
Create projecttableau:projects:createCreate a project.
Delete projecttableau:projects:deleteDelete a project.
Query projecttableau:content:readGet a list of projects.
Update projecttableau:projects:updateUpdate the name, description or project hierarchy of the project.

Permissions

  
(All tableau:permissions: methods)tableau:permissions:*Enables add, query, update and delete permissions actions.
Add data source permissionstableau:permissions:updateAdd permissions to a data source for a Tableau Server user or group.
Add default permissionstableau:permissions:updateAdd default permission capabilities to a user or group, for metric, flow, workbook, data source, data role or lens resources in a project.
Add project permissionstableau:permissions:updateAdd permissions to a project for a user or group
Add view permissionstableau:permissions:updateAdd permissions to a view for a user or group.
Add workbook permissionstableau:permissions:updateAdd permissions to a specified workbook for a user or group.
Delete data source permissionstableau:permissions:deleteDelete default permission capabilities of a user or group, for metric, flow, workbook, data source, data role or lens resources in a project.
Delete default permissionstableau:permissions:deleteDelete default permission capabilities of a user or group, for metric, flow, workbook, data source, data role or lens resources in a project.
Delete project permissionstableau:permissions:deleteDelete the project permission for a user or group.
Delete view permissionstableau:permissions:deleteDelete the view permission for a user or group.
Delete workbook permissionstableau:permissions:deleteDelete the workbook permission for a user or group.
Query data source permissionstableau:permissions:readGet a list of permissions for the data source.
Query default permissionstableau:permissions:readGet default permission capabilities of users and groups for metrics, workbooks and data sources.
Query project permissionstableau:permissions:readGet a list of permissions for the project.
Query view permissionstableau:permissions:readGet a list of permissions for the view.
Query workbook permissionstableau:permissions:readGet a list of permissions for the workbook.

Site

  
(All tableau:sites: methods)tableau:sites:*Enables create, query, update and delete sites actions.
Create sitetableau:sites:createCreate a site on Tableau Server.
Delete sitetableau:sites:deleteDelete a site on Tableau Server.
Get recently viewed sitetableau:content:readGet views and workbook details on the most recently created, updated or accessed by the signed in user.
Query sitestableau:sites:readList all sites on Tableau Server.
Query views for sitetableau:content:readList all views on a site.
Update sitetableau:sites:updateUpdate a site.

Troubleshoot scopes

401001 - signin error

If you encounter error 401001, the Sign In response body is appended with one of the following additional connected apps-specific error codes: 16, 10084, or 10085.

For example, in the following response body, "10084” is the connected apps error code you can use to help troubleshoot issues with signing in to Tableau Server using a JWT for REST API authorisation.

<error code="401001">  
  "summary": "Signin Error",
  "detail": "Error signing in to Tableau Cloud (10084)"
</error>

To help resolve the issue, refer to the description of the applicable error code and its potential causes.

  • 16: Could not find user – this error can occur because the incorrect "sub" (user name) was specified

  • 10084: Could not parse access token – this error can occur for the following reasons:

    • JWT is invalid or there was an unexpected problem
    • Incorrect "aud" (audience) was specified
    • For direct trust, there was a problem with signing the secret
  • 10085: Could not fetch secret to verify signature for client ID – this error can occur for the following reasons:

    • Incorrect client ID in "iss" specified
    • For direct trust, incorrect "kid" (secret ID) was specified
    • For EAS, unable to fetch keys from the JWKSource

401002 – unauthorised access error

If you encounter error 401002 and have confirmed that you have the appropriate permissions to make the request, ensure the scope included in the JWT is correct and matches the request you're trying to make. For a list of endpoints and supported scopes, see the REST API methods that support JWT authorisation section above.

Thanks for your feedback!Your feedback has been successfully submitted. Thank you!