Direct Trust

When AUTH is direct-trust, the MCP server will use the provided Tableau Direct Trust Connected App info to generate a scoped JSON Web Token (JWT) and use it to authenticate to the Tableau REST APIs.

The generated JWT will have the minimum set of scopes necessary to invoke the methods called by the tool being executed.

For example, for the query-datasource tool, since it internally calls into VizQL Data Service, the JWT will only have the tableau:viz_data_service:read scope.

Required Variables

`JWT_SUB_CLAIM`

The username for the sub claim of the JWT.

Can either be a hard-coded username, or the OAuth username by setting it to {OAUTH_USERNAME}.

`CONNECTED_APP_CLIENT_ID`

The client ID of the Tableau Connected App.

`CONNECTED_APP_SECRET_ID`

The secret ID of the Tableau Connected App.

`CONNECTED_APP_SECRET_VALUE`

The secret value of the Tableau Connected App.

warning

Treat your Connected App secret value securely and do not share it with anyone or in any client-side code where it could accidentally be revealed.

Optional Variables

`JWT_ADDITIONAL_PAYLOAD`

A JSON string that includes any additional user attributes to include on the JWT. It also supports dynamically including the OAuth username.

Example:

{ "username": "{OAUTH_USERNAME}", "region": "West" }

Required Variables​

JWT_SUB_CLAIM​

CONNECTED_APP_CLIENT_ID​

CONNECTED_APP_SECRET_ID​

CONNECTED_APP_SECRET_VALUE​

Optional Variables​

JWT_ADDITIONAL_PAYLOAD​