Tableau REST API Help
Authentication Methods
Using the authentication methods of the Tableau REST API you can:
- Sign in a user to Tableau Server or Tableau Cloud
- Authenticate with apersonal access token(Link opens in a new window) (PAT) for improved security with granular monitoring and revocation
- If you're any Tableau Cloud user, you can list and revoke PATs
- If you're a Tableau Cloud site admin, you can list and revoke users' PATs
- Authenticate with username and password for quick manual sign in for all users and user impersonation for administrators
- Authorize access using a Tableau connected app and a JSON Web Token (JWT)
- Impersonate a user if you are a Tableau Server administrator, using username and password or PAT
- Authenticate with apersonal access token(Link opens in a new window) (PAT) for improved security with granular monitoring and revocation
- Sign out a user from a Tableau server
- Switch the from the current site you are signed into, to another on the server without authenticating again
This functionality relates to the UI elements and concepts described at:Sign in to Tableau Server or Online(Link opens in a new window).
TheTableau Server Client library(Link opens in a new window), a Python wrapper for the REST API, offers the following related items:Auth Methods(Link opens in a new window); andSign In and Out(Link opens in a new window).
Use Postman
Postman is a free, comprehensive API platform that simplifies the entire API lifecycle, providing a collaborative environment for designing, testing, and managing APIs. Postman allows you to construct, send, and examine HTTP requests to the Tableau Server or Tableau Cloud API without writing initial code.
Postman: Authenticate(Link opens in a new window)
List Personal Access Tokens
List all personal access tokens (PATs). If you're a site admin, list PATs of a user when you are the site admin on all sites that the PAT owner is a member of.
This method is not available for Tableau Server.
Version: Available in API 3.21 (Tableau Cloud October 2023) and later.Version Overview(Link opens in a new window)
License: No additional license required.
Permissions: Any Tableau Cloud user. If you're a Tableau Cloud site admin, you can list the PATs of a user when you are the site admin on all sites that the PAT owner is a member of. Permissions Overview(Link opens in a new window)
JWT Access Scope: Not available.
URI
GET /api/api-version/sites/site-luid/users/user-luid/personal-access-tokens
URI Parameter Values
| api-version | The version of the API to use, such as3.27. For more information, seeREST API and Resource Versions. |
| site-luid | The LUID for the site. |
| user-luid | The LUID of the user. The user LUID is returned after you successfully authenticate to the Tableau REST API. |
Request Body
None
cURL Request Example
curl "http://myco/api/3.27/sites/9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d/users/d5704762-603a-42b2-a9a7-f9cd2b2c4253/personal-access-tokens" -X GET -H "X-Tableau-Auth:12ab34cd56ef78ab90cd12ef34ab56cd"
Response Code
200
Response Body
<tsResponse>
<personalAccessTokens>
<personalAccessToken tokenName="user_pat1" tokenGuid="011b6267-a067-473a-9d16-b34cc58f90df" lastUsedAt="2023-06-13T16:55:46Z" expiresAt="2024-06-12T16:55:46Z"/>
<personalAccessToken tokenName="user_pat4" tokenGuid="0fb30637-b638-4ce2-bbac-ac6611104ed9" lastUsedAt="2023-06-13T16:55:51Z" expiresAt="2024-06-12T16:55:51Z"/>
<personalAccessToken tokenName="user_pat5" tokenGuid="db8c0b5d-5946-4f7c-a966-af334a3d10a5" lastUsedAt="2023-06-13T16:55:56Z" expiresAt="2024-06-12T16:55:56Z"/>
</personalAccessTokens>
</tsResponse>{
"personalAccessTokens": [
{
"tokenName": "user_pat1",
"tokenGuid": "011b6267-a067-473a-9d16-b34cc58f90df",
"lastUsedAt": "2023-06-13T16:55:46Z",
"expiresAt": "2024-06-12T16:55:46Z"
},
{
"tokenName": "user_pat4",
"tokenGuid": "0fb30637-b638-4ce2-bbac-ac6611104ed9",
"lastUsedAt": "2023-06-13T16:55:51Z",
"expiresAt": "2024-06-12T16:55:51Z"
},
{
"tokenName": "user_pat5",
"tokenGuid": "db8c0b5d-5946-4f7c-a966-af334a3d10a5",
"lastUsedAt": "2023-06-13T16:55:56Z",
"expiresAt": "2024-06-12T16:55:56Z"
}
]
}Errors
| HTTP status | error Code | Condition | Details |
|---|---|---|---|
| 400 | 400000 | Bad Request | The content of the request body is missing or incomplete, or contains malformed XML. |
| 401 | 401002 | Unauthorized Access | The authentication token provided in the request header was invalid or has expired. |
| 403 | 403004 | Forbidden | You can only list PATs that are yours. |
| 403 | 403010 | Cross-site access is forbidden | You're a site admin and can't list PATs when you're not the site admin for all sites the PAT owner is a member of. |
For more information, seeHandling Errors.
Revoke Administrator Personal Access Tokens
Revokes allpersonal access tokens(Link opens in a new window) (PATs) created by server administrators. This method is not available for Tableau Cloud.
URI
DELETE /api/api-version/auth/serverAdminAccessTokens
Parameter Values
| api-version | The version of the API to use, such as3.27. For more information, seeREST API and Resource Versions. |
Request Body
None
Permissions
Only Tableau Server users with server administrator permissions can use this method.
Access Scope
Scope added in API 3.27 (Tableau Cloud December 2025 / Server 2025.3).
tableau:server_admin_tokens:deleteFor more information, seeAccess scopes for UATs(Link opens in a new window) (Cloud)and access scopes for connected apps:Cloud(Link opens in a new window),Server-Windows(Link opens in a new window),orServer-Linux(Link opens in a new window).
Response Code
204
Response Body
None
Version
Version 3.11 and later. For more information, seeREST API and Resource Versions.
Errors
| HTTP status | error Code | Condition | Details |
|---|---|---|---|
| 403 | 403004 | Revoke server admin tokens forbidden, | The user does not have the server administrator permissions required to call this method. |
| 404 | 404000 | Server not found | The Tableau Server in the URI doesn't correspond to an existing server. |
| 405 | 405000 | Invalid request method | Request type was notDELETE. |
For more information, seeHandling Errors.
Revoke Personal Access Token
Revoke a personal access token (PAT). If you're a site admin, you can revoke a users PAT owhen you are the site admin on all sites that the PAT owner is a member of.
This method is not available for Tableau Server.
Version: Available in API 3.21 (Tableau Cloud October 2023) and later.Version Overview(Link opens in a new window)
License: No additional license required.
Permissions: Any Tableau Cloud user. If you're a Tableau Cloud site admin, you can revoke the PAT of a user when you are the site admin on all sites that the PAT owner is a member of. Permissions Overview(Link opens in a new window)
JWT Access Scope: Not available.
URI
DELETE /api/api-version/sites/site-luid/users/user-luid/personal-access-tokens/pat-name
URI Parameter Values
| api-version | The version of the API to use, such as3.27. For more information, seeREST API and Resource Versions. |
| site-luid | The LUID for the site. |
| user-luid | The LUID of the user. The user LUID is returned after you successfully authenticate to the Tableau REST API. |
| pat-name | The name of the PAT you want to revoke. |
Request Body
None
cURL Request Example
curl "http://myco/api/3.27/sites/9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d/users/d5704762-603a-42b2-a9a7-f9cd2b2c4253/personal-access-tokens/my_pat" -X DELETE -H "X-Tableau-Auth:12ab34cd56ef78ab90cd12ef34ab56cd"
Response Code
204
Response Body
None
Errors
| HTTP status | error Code | Condition | Details |
|---|---|---|---|
| 401 | 401002 | Unauthorized Access | The credentials token provided in the request header was invalid or has expired. |
| 403 | 403004 | Forbidden | You can only revoke PATs that are yours. |
| 403 | 403010 | Cross-site access is forbidden | You're a site admin and can't revoke a PAT when you're not the site admin for all sites the PAT owner is a member of. |
| 404 | 404051 | Personal access token not found | The PAT couldn't be revoked because it does not exist. |
| 405 | 405000 | Not supported | This error can occur for the following reasons:
|
For more information, seeHandling Errors.
Sign In
Signs you in as a user on the specified site on Tableau Server or Tableau Cloud.
This call returns a credentials token that you use in subsequent calls to Tableau Server or Tableau Cloud. For more information about authentication, seeSigning In and Signing Out (Authentication).
Notes:
SAML single sign on(Link opens in a new window) (SSO) authentication does not validate REST API requests. For a scenario where you want to integrate Tableau authentication into a SSO environment you will need to incorporate a REST sign in request, and then use the credentials token from its response in the header of subsequent requests.
The credentials token is valid for REST API calls and Tableau Metadata API (GraphQL) queries. You cannot use the credentials token as authentication for other operations with Tableau Server. In addition, the credentials token is good only for operations in the site that you're signed in to. You cannot sign in to one site and then use the credentials token you get back to send requests to a different site. If you do, the server returns an HTTP403 (Forbidden) error.
(Tableau Cloud only) If multi-factor authentication (MFA) is enabled with Tableau authentication, PATs are required. You must use a PAT, instead of user name and password, to make a REST API sign in request to Tableau Cloud.
Tableau Server
Typically, a credentials token is valid for 240 minutes. With administrator permissions on Tableau Server, you can change this timeout by using thetsm configuration set(Link opens in a new window)command and setting thewgserver.session.idle_limit option.
In addition, if you are a Tableau Server administrator, you can use your username and password to sign in and impersonate a specific user. You might use impersonation in order to double check or troubleshoot the impact of permissions settings for that user.
Tableau Cloud
A credentials token is valid for 120 minutes on Tableau Cloud.
URI
POST /api/api-version/auth/signin
Note: For Tableau Cloud, the server address in the URI must contain the pod name, such as prod-ca-a or us-east-1. For example, the URI to sign in to a site in the 10ay pod would be:https://prod-ca-a.online.tableau.com/api/api-version/auth/signin. For more information, seeAbout the pod name.
Parameter Values
| api-version | The version of the API to use, such as3.27. For more information, seeREST API and Resource Versions. |
Request Body
PAT
Signing in with a user's personal access token (PAT):
- For Tableau Server, seepersonal access token(Link opens in a new window).
- For Tableau Cloud, seepersonal access token(Link opens in a new window).
<tsRequest> <credentials personalAccessTokenName="personal-access-token-name" personalAccessTokenSecret="personal-access-token-secret" > <site contentUrl="content-url" /> </credentials></tsRequest>User name and password
Signing in with a user's user name and password:
<tsRequest> <credentials name="username" password="password" > <site contentUrl="content-url" /> </credentials></tsRequest>Impersonating user using username and password
Signing in with server administrator's username and password to impersonate a user (Tableau Server only):
<tsRequest> <credentials name="username" password="password" ><site contentUrl="content-url" /><userapi-placeholder">user-to-impersonate" /> </credentials></tsRequest>Impersonating user using PAT
Signing in with server administrator'spersonal access token(Link opens in a new window) (PAT) to impersonate a user (Tableau Server only):
<tsRequest> <credentials personalAccessTokenName="personal-access-token-name" personalAccessTokenSecret="personal-access-token-secret" > <site contentUrl="content-url" /> <userapi-placeholder">user-to-impersonate" /> </credentials></tsRequest>Connected apps JWT
Signing in with a JSON Web Token (JWT), from aconnected app(Link opens in a new window) (added in Tableau Cloud June 2022 (API 3.16); Tableau Server 2022.3 (API 3.17)):
<tsRequest> <credentials jwt="json-web-token" <site contentUrl="content-url" /> </credentials></tsRequest>When a JWT sign-in is used, the JWT must be configured with the scopes of the REST API methodsthe connected app can access. You can find the scope for a JWT-supported method in a method's properties block or references details under theAccess scope section. These sections show the scope declaration to use in the JWT that calls that method. You can also see a full list of JWT-supported scopes inREST API methods that support JWT authorization(Link opens in a new window) (Tableau Cloud Help) orREST API methods that support JWT authorization(Link opens in a new window) (Tableau Server Help).
Note: Beginning in API 3.20 (June 2023) for Tableau Cloud and API 3.21 (Tableau 2023.3) for Tableau Server, the Sign In (and Sign Out) method is supported by JWT authorization but does not require a scope to use.
About connected app errors
If you encounter issues with signing in with a JWT, the response body is appended with an additional error code that you can reference inTroubleshoot scopes(Link opens in a new window) (Tableau Cloud Help) orTroubleshoot scopes(Link opens in a new window) (Tableau Server Help). For example, in the following response body, you can reference “10084” to help troubleshoot issues with signing in to Tableau Cloud or Tableau Server using a JWT for REST API authorization.
<error code="401001"> "summary": "Signin Error", "detail": "Error signing in to Tableau Cloud (10084)"</error>
Unified access tokens JWT
Signing in with a JSON Web Token (JWT) using a unified access token (added in Tableau Cloud December 2025 (API 3.27)):
XML
<tsRequest> <credentials jwt="json-web-token"isUat="true" <site contentUrl="content-url" /> </credentials></tsRequest>JSON
{"credentials": {"jwt": "json-web-token","isUat": is-uat,"site": {"contentUrl": ""}}}When a JWT sign-in is used, the JWT must be configured with the scopes for the REST API capabilities that should be available to the unified access token (UAT). You can find the scope for a JWT-supported method in a method's properties block. The properties block shows the scope declaration to use in the JWT that calls that method. If a scope is not listed in the method's properties block, access to that method can't be limited by a JWT.
For more information about UATs, seeUnified Access Tokens(Link opens in a new window) in the Tableau Cloud Manager REST API Help.
Attribute Values
| personal-access-token-name | The name of the personal access token when signing in with a personal access token. The token name is available on a user’s account page on Tableau server or online. |
| personal-access-token-secret | The secret value of the personal access token when signing in with a personal access token. The value of the secret is available only in the dialog that appears when a usercreates a personal access token(Link opens in a new window) as described in the Tableau Help. |
| username | The name of the user when signing in with username and password. The name and password in the<credentials> element can represent any user in the specified site. If the user is not an administrator, they might have limited permissions to perform subsequent operations. Note: If the server is configured to use Active Directory authentication, and if the user name is not unique across domains, you must include the domain as part of the user name (for example,domain_name\Adam). |
| password | The password when signing in with username and password. |
| json-web-token | A JSON Web Token (JWT) associated with a Tableau connected app or unified access token (Tableau Cloud only). Tableau connected apps JWT: If using Tableau connected apps, the JWT uses a shared secret provided by the Tableauconnected app(Link opens in a new window) and signed by your external application. Depending on the method used to create the connected app, a JWT can be generated by the connected app as part of the external app's call to sign in to Tableau. The JWT must includeaccess scopes(Link opens in a new window)that determine which REST methods the external app can call. Unified access tokens: Starting in December 2025, if using unified access tokens (UATs), the JWT uses a shared secret as part of the UAT configuration. Added in API 3.27, Tableau Cloud only. |
| is-uat | Enables JWT authorization using a unified access token (UAT) when set totrue. Added in API 3.27, Tableau Cloud only. |
| content-url | The permanent name of the site to sign in to. The content URL appears in the URL path of Tableau content in your browser address bar after the Tableau Server URL.
For Tableau Server, to specify the default site, omit For Tableau Cloud, a sign-in request must have a |
| user-to-impersonate | The LUID of a user to sign in as. For impersonation when a system administrator signs in with user name and password. |
Permissions
Any Tableau user can sign in through the REST API. A user that does not have administrator permissions will have limited permissions to perform subsequent operations. Only server administrators can sign in with username and password in order to impersonate other Tableau Server users.
Response Code
200
Response Body
<tsResponse> <credentials token="authentication-token" estimatedTimeToExpiration="time-to-expiration" > <siteapi-placeholder">site-id" contentUrl="content-url" /> <userapi-placeholder">user-id-of-signed-in-user" </credentials></tsResponse>AnestimatedTimeToExpiration value is returned when you sign in using a PAT. The value represents the approximate timeuntil the token returned from the PAT sign in will expire and need to be refreshed. The estimated time is based on regular usage of thetoken for authenticating calls, but actual time may be shorter if the token is unused for an extended length of time.
Version
Version 1.0 and later. For more information, seeREST API and Resource Versions.
Errors
| HTTP status | error Code | Condition | Details |
|---|---|---|---|
| 400 | 400000 | Bad request | The content of the request body is missing or incomplete, or contains both username/password and a personal access token, or contains malformed XML. |
| 401 | 401001 | Login error | The credentials (name or password, or personal access token name or secret) are invalid for the specified site, or the site contentURL is invalid. |
| 401 | 401001 | Login error | Login is blocked because several requests with invalid credentials were made. |
| 401 | 401001 | Login error | The Administrator requires the user to update their password. |
| 401 | 401001 | Login error | The password has expired. |
| 401 | 401009 | Login error | The request body is missing or empty. |
| 405 | 405000 | Invalid request method | Request type was notPOST. If you are signing in to a Tableau Cloud site, this error may be caused by leaving the pod name out of the server address in the URI. The error can also be caused by attempting to make a request to a SSL-protected server using HTTP, rather than HTTPS. |
For more information, seeHandling Errors.
Example
curl "https://MY-SERVER/api/3.27/auth/signin" -X POST -d @signin.xml
Content of signin.xml:
<tsRequest> <credentials personalAccessTokenName="MY_PAT_NAME"personalAccessTokenSecret="vFel4qtGTZ2+Po0ZWT7YWg==:nMmSHnQ5kJBP17ZtsBgPtuVWdYJFAbBG" > <site contentUrl="MarketingSite" /> </credentials></tsRequest>Example response:
<tsResponseversion-and-namespace-settings> <credentials token="HvZMqFFfQQmOM4L-AZNIQA|5fI6T54OPK1Gn1p4w0RtHv6EkojWRTwq|a946d998-2ead-4894-bb50-1054a91dcab3"> <site contentUrl="MarketingSite"/> </credentials></tsResponse>Sign Out
Signs you out of the current session. This call invalidates the authentication token that is created by a call toSign In.
Note: Beginning in API 3.20 (June 2023) for Tableau Cloud and API 3.21 (Tableau 2023.3) for Tableau Server, the Sign Out (and Sign In) method is supported by JWT authorization but does not require a scope to use. For more information, seeJWT.
URI
POST /api/api-version/auth/signout
Parameter Values
| api-version | The version of the API to use, such as3.27. For more information, seeREST API and Resource Versions. |
Request Body
None
Permissions
Any user can call this method.
Access Scope
Scope added in API 3.27 (Tableau Cloud December 2025 / Server 2025.3).
tableau:*:*For more information, seeAccess scopes for UATs(Link opens in a new window) (Cloud)and access scopes for connected apps:Cloud(Link opens in a new window),Server-Windows(Link opens in a new window),orServer-Linux(Link opens in a new window).
Response Code
204
Response Body
None
Version
Version 1.0 and later. For more information, seeREST API and Resource Versions.
Errors
| HTTP status | error Code | Condition | Details |
|---|---|---|---|
| 405 | 405000 | Invalid request method | Request type was notPOST. |
For more information, seeHandling Errors.
Example
curl "http://MY-SERVER/api/3.27/auth/signout" -X POST -H "X-Tableau-Auth:12ab34cd56ef78ab90cd12ef34ab56cd"
Switch Site
Switches you onto another site without having to provide a user name and password again.
This method allows an authenticated user to switch sites that they have access to. When you call this method, you must provide the current authorization token as the value of the X-Tableau-Auth header. Using the current authentication token, the method signs you in as a user on the site specified in the request payload. The method returns a new authentication token and invalidates the old one. You have the permissions of the user associated with the authorization token. By default, the token is good for 240 minutes. (You can specify a different timeout value for the token by calling thetsm configuration set command to change the wgserver.session.idle_limit setting.)
Note This method is not available on Tableau Cloud.
URI
POST /api/api-version/auth/switchSite
Parameter Values
| api-version | The version of the API to use, such as3.27. For more information, seeREST API and Resource Versions. |
Request Body
<tsRequest> <site contentUrl="content-url" /></tsRequest>Attribute Values
| content-url | The permanent name of the site to sign in to. The content URL appears in the URL path of Tableau content in your browser address bar after the Tableau Server URL.
For Tableau Server, to specify the default site, omit For Tableau Cloud, a sign-in request must have a |
Permissions
Tableau Server users who are not server administrators can switch sites, provided that they have access to the destination site.
Access Scope
Scope added in API 3.27 (Tableau Cloud December 2025 / Server 2025.3).
tableau:sites:switchFor more information, seeAccess scopes for UATs(Link opens in a new window) (Cloud)and access scopes for connected apps:Cloud(Link opens in a new window),Server-Windows(Link opens in a new window),orServer-Linux(Link opens in a new window).
Response Code
200
Response Body
<tsResponse> <credentials token="authentication-token" > <siteapi-placeholder">site-id" contentUrl="content-url" /> <userapi-placeholder">user-id-of-signed-in-user" /> </credentials></tsResponse>Version
Version 2.6 and later. For more information, seeREST API and Resource Versions.
Errors
| HTTP status | error Code | Condition | Details |
|---|---|---|---|
| 400 | 400000 | Bad request | The content of the request body is missing or incomplete, or contains malformed XML. |
| 401 | 401000 | Unauthorized access | No authentication credentials were provided. |
| 401 | 401002 | Unauthorized access | Invalid authentication credentials were provided. |
| 401 | 401003 | Switch site error | There was a problem switching sites. The site might be unavailable or is not found. |
| 403 | 403070 | Cannot switch to the same site | The site specified as the destination site is also the current site. |
| 405 | 405000 | Invalid request method | Request type was notPOST. |
For more information, seeHandling Errors.
Example
curl "https://MY-SERVER/api/3.27/auth/switchSite" -X POST -H "X-Tableau-Auth:12ab34cd56ef78ab90cd12ef34ab56cd"-d @switch_site.xml
Content of switch_site.xml:
<tsRequest> <site contentUrl="MarketingSite" /></tsRequest>Example response:
<tsResponseversion-and-namespace-settings> <credentials token="HvZMqFFfQQmOM4L-AZNIQA|5fI6T54OPK1Gn1p4w0RtHv6EkojWRTwq|a946d998-2ead-4894-bb50-1054a91dcab3"> <site contentUrl="MarketingSite"/> </credentials></tsResponse>