Skip to main content
Activation required. AI access management must be enabled for your tenant before you can use it. To get started, contact the C1 support team for a walkthrough.
The Tableau MCP server lets you govern access to Tableau Cloud and Tableau Server — workbooks, data sources, projects, users, groups, sites, schedules, and subscriptions — as tools your AI clients can call through C1. Tableau authenticates with a session token that C1 sends in the X-Tableau-Auth header. You generate the session token from a Tableau personal access token (PAT). A single token authenticates everyone, so all tool calls reach Tableau as one shared identity.

How C1 connects to Tableau

C1 hosts the Tableau MCP server, so your users’ AI clients only ever see MCP tools — they never call Tableau directly. When an AI client calls one of these tools, C1 makes the matching request to the Tableau API using the credentials you configure here, then returns the result to the AI client. The credentials you set up below are what C1 uses to call Tableau on your users’ behalf.

Before you begin

  • AI access management must be enabled for your tenant. See Enable AI access management.
  • A Tableau user with the site role needed for the operations C1 should perform. Use a Site Administrator Creator for full admin coverage, or a narrower Explorer or Viewer role for reads only. For a shared production setup, create a dedicated Tableau service-account user and generate the PAT from that account.
If you don’t see Tableau in your MCP server catalog, contact the C1 support team to enable it for your tenant.

Generate a Tableau personal access token

Create a personal access token for the Tableau user C1 should run as. For Tableau’s own walkthrough, see Manage Your Account Settings and Personal Access Tokens.
1
Sign in to Tableau Cloud or Tableau Server as the user C1 should run as.
2
Select your profile picture, then My Account Settings, and scroll to Personal Access Tokens.
3
Enter a Token Name such as C1, then select Create Token.
4
Copy the Token Secret immediately. Tableau shows it only once and you cannot view it again after you dismiss the dialog.

Find your instance URL and site

C1 needs your Tableau instance URL and site to scope its requests. Find both while you’re signed in to Tableau.
1
Your instance URL is your Tableau Cloud pod host, such as https://10ay.online.tableau.com, or your Tableau Server URL. Use the host without a trailing slash. Look at the URL while you’re signed in: the host before .online.tableau.com is your pod.
2
Your site content URL is the path segment after /#/site/ in the browser, such as MarketingTeam. For a default site, the content URL is an empty string.

Create a session token

Tableau’s REST API uses a two-step flow: you exchange a personal access token for a short-lived session token, then send that session token on every request. The value C1 stores in the X-Tableau-Auth header is the session token, not the raw PAT.
1
Sign in to the Tableau REST API by sending a POST request to https://<your-pod>.online.tableau.com/api/3.21/auth/signin with your personal access token name, token secret, and site content URL in the JSON body.
2
Copy the credentials.token value from the response. This is your session token.
3
Copy the credentials.site.id value from the response. This is your site LUID, which C1 needs to scope requests to your site.
A session token expires after about 4 hours, or 15 days of inactivity. The PAT itself expires after 15 days of inactivity or 1 year of active use, whichever comes first. When the session token expires, sign in again to mint a new one and update it in C1.

How Tableau credentials are shared

Every user’s tool calls use the one session token you provided, so Tableau sees a single shared identity, scoped to the site role of the user whose PAT produced the token. C1 still attributes each call to the individual user in the AI tool usage audit log. For a shared production setup, generate the PAT from a dedicated service-account user so Tableau activity is attributable to C1 rather than a person. For how shared and per-user credentials work across MCP servers, see Configure authentication.

Register the Tableau MCP server in C1

With your session token and site details ready, register the server and provide your credentials.
1
Follow Register an MCP server and select Tableau from the catalog.
2
Enter your instance URL, such as https://10ay.online.tableau.com, and your site LUID from the sign-in response.
3
When you configure authentication, choose Custom header, set the header name to X-Tableau-Auth, and paste your session token as the value.
4
Save your changes. C1 starts a sync that discovers the tools the Tableau server exposes.

Discover and govern tools

After you register the server, C1 runs tool discovery against Tableau. Discovered tools appear on the server’s Tools tab. Each tool starts as either Pending review or automatically Approved, depending on the option chosen when the server was set up or your tenant’s default tool settings in Settings > AI Connections. See Require tool approval and Default tool classification. Before anyone can call a Tableau tool, it must be approved, added to a toolset, and bound to an access profile. Continue to Govern tools and toolsets to set this up.
Tool discovery runs even if your credentials are incorrect, so seeing discovered tools doesn’t confirm that authentication is working. You confirm your Tableau credentials when an approved user successfully calls a Tableau tool from their AI client.

Manage your Tableau credentials

  • Refresh the session token by signing in to the Tableau REST API again before the token expires, then updating the X-Tableau-Auth value in C1. Because the session token is short-lived, plan to refresh it on a schedule.
  • Rotate the personal access token by generating a new PAT in My Account Settings before the old one expires, using it to mint a fresh session token, then updating C1. Each user can have up to 10 active PATs.
  • Adjust access by changing the site role of the user whose PAT you use, or by switching to a PAT from a user with the role you need.