• TCM REST API
• Overview
• Authentication
• Unified Access Tokens
• Release Notes
• TCM Operation Error Codes
• How to Find Tenant Name
• API Reference
• • Methods Overview
  • Administrative Methods
  • Authentication Methods
  • Single Sign-on Methods
  • Site Methods
  • Tenant Methods
  • User Methods
    

Unified Access Tokens

Unified access tokens are configurations that enable JSON Web Token (JWT)-based authentication for both Tableau Cloud Manager REST API and Tableau REST API. Starting in December 2025, UATs provide an enterprise-level token solution for managing Tableau Cloud at scale.

Benefits of UATs

UATs offer the following benefits:

• Unified authentication: UATs enable JWT-based authentication for cloud administrators with the TCM REST API; and for users with both the TCM REST API and Tableau REST API.
• Concurrent sessions: UATs support multiple concurrent sessions.
• Least privileged access: Using access scopes, the JWT that is passed during sign-in and can offer the minimum permissions required to perform a task.
• Centralized control and management of tokens: Through centralization of sites under a tenant, cloud administrators gain control over the management and revocation of UATs.
• Improved auditing: You can see logs associated with a UAT to monitor activity, investigate issues, and meet compliance requirements.

Note: JWT authentication using UATs and JWT authentication using Tableau connected apps are distinct authentication and authorization capabilities. Tableau connected apps are not supported in Tableau Cloud Manager.

Table of Contents

• Benefits of UATs
• About least privileged access and access scopes
  • Access scopes
  • Wildcard access scopes
• JWT authentication using unified access tokens
  • Prerequisite: Generate JWT
    • Example JWT
  • Step 1: Sign in to Tableau Cloud Manager REST API
  • Step 2: Create a unified access token configuration
  • Step 3: Make a sign in request with unified access token JWT
    • Sign in to TCM REST API
    • Sign in to Tableau REST API
  • Step 4: Include the session header in subsequent requests
    • For Tableau Cloud Manager REST API
    • For Tableau REST API
• Monitor unified access token activity
  • Tenant-level monitoring
  • Site-level monitoring

About least privileged access and access scopes

Using UATs, you can access both the Tableau Cloud Manager (TCM) REST API and Tableau REST API. Access to these APIs are enabled by a JSON Web Token (JWT) as part of the initial sign in request.

To enable least-privileged access, the JWT must containaccess scopes that define the API methods that are available to the UAT. You can also specify a subset of those scopes in the UAT configuration itself to further restrict the access available to the JWT.

Access scopes

Scopes for UATs grant access to TCM REST API and Tableau REST API capabilities. Scopes are declared in the JWT (or in both the JWT and UAT configuration).

A scope is a colon-separated string with the following format:tableau:<resource>:<action>. The scope starts with the Tableau namespace,tableau, followed by the resource, such astcm_sites orsites, and ends with an action allowed on the resource, such asread.

You can find the required scope for a JWT-supported method in its properties block in theTCM REST API Help andTableau REST API Help. If a scope is not listed in the method’s properties block, access to that method can’t be controlled by a JWT.

Note: Access scopes listed in the Tableau REST API are shared and also used to grant access to REST API capabilities through Tableau connected apps.

Note: Access scopes listed in the Tableau REST API are shared and also used to grant access to REST API capabilities using Tableau connected apps.

Examples:

• A scope that allows you to call theGet site method in the TCM REST API istableau:tcm_sites:read.
• A scope that allows you to call theQuery site method in the Tableau REST API istableau:sites:read.

Wildcard access scopes

Instead of using the named access scope, you can replace the action in the scope string with the wildcard character (*). Doing this can enable multiple supported actions for the given resource.

Examples:

• A wildcard scope that allows you to call certainUsers Methods in the TCM REST API istableau:tcm_users:*.
• A wildcard scope that allows you to call get/list, add, delete, and update users methods inUsers and Groups Methods in the Tableau REST API istableau:users:*.

JWT authentication using unified access tokens

This section outlines the required steps for authenticating with both the TCM REST API and Tableau REST API using unified access tokens (UAT) JWT.

1. Generate a valid JWT: Configure the JWT with the required header, claims, and optional scopes.
2. Sign in to TCM REST API: Start an initial session to configure the UAT (using a personal access token).
3. Create a UAT configuration: Use the TCM REST API to create a UAT configuration, providing the JWT public key or JWKS URI.
4. Sign in with the UAT JWT: Make a sign-in request to either the TCM REST API or Tableau REST API using the JWT associated with the UAT configuration.
5. Use the credentials token in subsequent requests: Use the returned credentials token in the header of all subsequent API requests.

Prerequisite: Generate JWT

Before you can create a unified access token (UAT) configuration, you must be able to generate a valid JSON Web Token (JWT). This allows cloud administrators to interact with the tenant and its resources; and users to interact with the site and its resources.

Required claims

Optional claims

Example JWT

Here is an example JWT in Python that demonstrates required and optional claims. The Python example uses the PyJWT library.

import jwtimport datetime#This secret key must be known by the UAT configurationsecret_key = "my_secret_key"payload = {{"iss": "https://myidp.okta.com","exp": 1788384855,    "https://tableau.com/tenantId: "f97df110-f4de-492e-8849-4a6af68026b0"    "iat'": "1756848855123","jti": "https://myidp.okta.com:1756848855123",    "username": "user@myidp.com","scp": ["tableau:tcm_sites:read", "tableau:tcm_sites:update", "tableau:sites:read", "tableau:sites:update"],    "https://tableau.com/oda":"true",    "https://tableau.com/groups": ["Contractors", "Team C", "Group1", "Group2"], #Example groups    "Region": "East" #Example user attribute},headers = {"kid": "kid",    "typ": "JWT"  }}#Encode tokentoken = jwt.encode(    payload,    key=secret_key,    alg = "RS256",    headers=headers)

Step 1: Sign in to Tableau Cloud Manager REST API

To create your first unified access token (UAT) configuration, you must authenticate to the Tableau Cloud Manager (TCM) REST API. This initial authentication can’t be done with a UAT.

If authenticating to the TCM REST API for the first time, follow the steps described inSign in to Tableau Cloud Manager REST API. Otherwise, authenticate using theSign in with personal access token method.

Step 2: Create a unified access token configuration

Use theCreate unified access token configuration method to configure a UAT in the TCM REST API.

Example URI

POST https://cloudmanager.tableau.com/api/v1/uat-configurations

Note: The URI requires the tenant name. If you don’t know the tenant name, seeHow to Find Tenant Name.

Example request body

The request body must contain the following:

• Issuer: Theissuer in the UAT configuration must match theiss specified in the JWT.
• JWT public key orJWKS URI.
• Resource IDs: An array of IDs. This can include the tenant ID, the tenant ID and the site IDs associated with the tenant, or just the site IDs on the same tenant.Note: Specifying the tenant ID alone does not enable the UAT for all sites in the tenant. You must specify the site ID for each site you want to enable.

{  "name": "UAT for FTE Admins",  "issuer": "https://myidp.okta.com",  "publicKey": "...",  "jwksUri": "https://myidp.okta.com/keys",  "usernameClaim": "email",  "resourceIds": [    "497f6eca-6276-4993-bfeb-53cbbbba6f08"  ],  "scopes": [    "tableau:tcm_sites:read",    "tableau:tcm_sites:update",    "tableau:sites:read",    "tableau:sites:update"  ]  "enabled": true,}

Example response body

The request produces the following response body.

{  "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",  "tenantId": "f97df110-f4de-492e-8849-4a6af68026b0",  "configId": "46ff6d11-d8b2-40d8-9197-dfa33c61cd6c",  "name": "UAT for FTE Admins",  "issuer": "https://myidp.okta.com",  "publicKeyActive": "...",  "publicKey": "...",  "jwksUri": "https://myidp.okta.com/keys",  "usernameClaim": "email",  "resourceIds": [    "497f6eca-6276-4993-bfeb-53cbbbba6f08"  ],  "scopes": [    "tableau:tcm_sites:read",    "tableau:tcm_sites:update",    "tableau:sites:read",    "tableau:sites:update"  ]  "enabled": true}

Step 3: Make a sign in request with unified access token JWT

After the UAT is configured, you can use the JWT (generated in the prerequisite step) to sign in to either the Tableau Cloud Manager (TCM) REST API or Tableau REST API.

Sign in to TCM REST API

Use theSign in with unified access token JWT method to generate a TCM credentials token.

Example URI

POST https://cloudmanager.tableau.com/api/v1/jwt/login

Note: The URI requires you to include the tenant name. If you don’t know the tenant name, seeHow to Find Tenant Name.

Example request body

The request body must contain the JWT (as thetoken value) associated with the UAT configuration you created in theStep 2.

{ "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30"}

Example response body

The request produces the following response body. The response includes the TCM credentials token,sessionToken.

{"sessionToken": "bSG+6ttrRgqMLzonp5j89w==:SUOF-rjwMZZKXg-T3GcpDVFrIKAO6VIbTyZyq39bWR0","userId": "306982a2-4bb0-b858-b82eeI24b857","tenantId": "56978815-59b6-4a61-b9e8-ede126e23bab","sessionExpiration": "2025-0706T84:53:13.688541Z"}

Sign in to Tableau REST API

You can use the same UAT configuration to sign in to the Tableau REST API using theSign in with JWT method to generate a Tableau credentials token.

Example URI

POST https://mypod.online.tableau.com/api/3.27/auth/signin

Note: The URI requires you to include the pod name, such as prod-ca-a, eu-west-1a, or pro-apsoutheast-a. If you don’t know the pod name, seeAbout the pod name in the Tableau REST API Help.

Example request body

The request body must contain the following:

1. JWT: JSON Web Token (JWT) associated with the UAT configuration you created inStep 2.
2. isUAT: Must be set totrue. This attribute is required to sign in with UAT JWT. Ignore this attribute to sign in with a Tableau connected apps JWT.
3. contentUrl: A required attribute for Tableau Cloud sign-in. For more information, seeAbout the Site Attribute in the Tableau REST API Help.

{  "credentials": {    "jwt": "eyJpc3MiOiI1NmUwZGZhYi0zNDA3LTRlNWMtYWY5Ni04YzI1ZmY0NWI3ODMiLCJhbGciOiJIUzI1NiIsImtpZCI6ImJlNzFkNDc0LWMxOTctNDljNS04ZWIzLTM5YWU4MWVjNDNhYyJ9.eyJhdWQiOiJ0YWJsZWF1Iiwic3ViIjoidGVzdDEyMyIsInNjcCI6WyJ0YWJsZWF1OmNvbnRlbnQ6cmVhZCJdLCJpc3MiOiI1NmUwZGZhYi0zNDA3LTRlNWMtYWY5Ni04YzI1ZmY0NWI3ODMiLCJleHAiOjE2NDc2MjM1NzUsImp0aSI6ImY0MzdkNDFmLWM1MmMtNGE5Mi1hYTA1LWFjYTYyMGViZTgzMSJ9.pntsSpHmrxTT5XmiJi1Ls2qQdu4qMRQ5vgRuN7gtS_U",    "isUat": true,    "site": {      "contentUrl": ""    }  }}

Example response body

The request produces the following response body. The response includes the Tableau credentials token,token.

{  "credentials": {    "site": {      "id": "9a8b7c6d5-e4f3-a2b1-c0d9-e8f7a6b5c4d",      "contentUrl": ""    },    "user": {      "id": "9f9e9d9c-8b8a-8f8e-7d7c-7b7a6f6d6e6d"      },    "token": "HvZMqFFfQQmOM4L-AZNIQA|5fI6T54OPK1Gn1p4w0RtHv6EkojWRTwq|a946d998-2ead-4894-bb50-1054a91dcab3"    }}

Step 4: Include the session header in subsequent requests

Use the credentials token you generated inStep 3 to make subsequent requests.

For Tableau Cloud Manager REST API

Add thesessionToken to thex-tableau-session-token header for all subsequent TCM REST API requests.

Example header

x-tableau-session-token:+iUzQx+s:E9T43sqund-xDGle-9trR7WPLkqCkT_7zks3_dVsV0By_Jji

The TCM credentials token is short-lived. It expires after 4 hours or when the session is idle for 30 continuous minutes with no requests. When the TCM credentials token expires, you need to sign in to Tableau Cloud Manager REST API again to get a new TCM credentials token.

For Tableau REST API

Add thetoken to theX-Tableau-Auth header for all subsequent Tableau REST API requests.

Example header

X-Tableau-Auth:HvZMqFFfQQmOM4L-AZNIQA|5fI6T54OPK1Gn1p4w0RtHv6EkojWRTwq|a946d998-2ead-4894-bb50-1054a91dcab3

The Tableau credentials token is short-lived. It expires after 120 minutes or when the sessions is idle for 30 continuous minutes with no requests. When the Tableau credentials token expires, you need to sign in to Tableau REST API again to get a new Tableau credentials token.

Monitor unified access token activity

You can monitor unified access token (UAT) activity through the activity log methods. The methods can retrieve up to 14 days of activity data or additional days of data if you have Enterprise or the Advanced Management add-on.

Tenant-level monitoring

You can use theGet activity logs for tenant andList activity logs for tenant to monitor UAT configuration changes and TCM REST API sign-in with a UAT JWT.

For example, you can query the following event types (eventType) in theList activity logs for tenant method:

• create_or_update_uat_configuration
• delete_uat_configuration
• create_uat_revocation
• delete_uat_revocation
• validate_uat_jwt

For more information about each event, seeActivity Log Tenant Event Type Reference in the Tableau Cloud Help.

Site-level monitoring

You can use theGet activity logs for site andList activity logs for site to monitor Tableau REST API sign-in with a UAT JWT.

For example, you can query the following event type (eventType) using theList activity logs for site method:

• login_with_jwt.

For more information about the event, seeActivity Log Site Event Type References in the Tableau Cloud Help.