Direct Trust

When AUTH is direct-trust, the MCP server will use the provided Tableau Direct Trust Connected App info to generate a scoped JSON Web Token (JWT) and use it to authenticate to the Tableau REST APIs.

For general multi-user HTTP deployments, prefer OAuth. Direct Trust with OAuth disabled is intended for testing/prototyping or deployments that are licensed and approved for user-based licensing (UBL), not as the default shared-account end-user deployment path. Confirm non-OAuth HTTP usage with your Tableau licensing and security guidance.

The generated JWT will have the minimum set of scopes necessary to invoke the methods called by the tool being executed.

For example, for the query-datasource tool, since it internally calls into VizQL Data Service, the JWT will only have the tableau:viz_data_service:read scope.

Required Variables

`JWT_SUB_CLAIM`

The username for the sub claim of the JWT.

For OAuth-backed per-user access, set this to {OAUTH_USERNAME} so the generated JWT uses the signed-in Tableau user.
A hard-coded username should only be used for deployments that are licensed and approved for that user-based licensing (UBL) pattern.

`CONNECTED_APP_CLIENT_ID`

The client ID of the Tableau Connected App.

`CONNECTED_APP_SECRET_ID`

The secret ID of the Tableau Connected App.

`CONNECTED_APP_SECRET_VALUE`

The secret value of the Tableau Connected App.

warning

Treat your Connected App secret value securely and do not share it with anyone or in any client-side code where it could accidentally be revealed.

Optional Variables

`JWT_ADDITIONAL_PAYLOAD`

A JSON string that includes any additional user attributes to include on the JWT. It also supports dynamically including the OAuth username.

Example:

{ "username": "{OAUTH_USERNAME}", "region": "West" }

Required Variables​

JWT_SUB_CLAIM​

CONNECTED_APP_CLIENT_ID​

CONNECTED_APP_SECRET_ID​

CONNECTED_APP_SECRET_VALUE​

Optional Variables​

JWT_ADDITIONAL_PAYLOAD​