Passthrough Authentication

With passthrough authentication enabled, authentication to the MCP server acts similarly to the Tableau REST APIs. The same X-Tableau-Auth header used to authenticate to the Tableau REST APIs can also be used to authenticate to the MCP server.

When a request is made to the MCP server, the X-Tableau-Auth header is read.

  • When the header is present, the value will be "passed through" and re-used during MCP tool calls when they authenticate to the Tableau REST APIs.
  • When absent, normal authentication will resume as defined by the AUTH environment variable. This allows clients that do not provide the X-Tableau-Auth header to still authenticate to the MCP server.

Warning

When using passthrough authentication, the calling application is responsible for creating the credential for the X-Tableau-Auth header and managing its lifecycle. The MCP server will not automatically terminate the Tableau session associated with the credential after use, nor will it refresh the credential after it expires. Providing an invalid or expired credential will result in downstream authentication failures.

Additionally, if OAuth is enabled, all requests to the MCP server must include the X-Tableau-Auth header; otherwise the client will be considered unauthorized and will be forced to authenticate using OAuth. This includes MCP lifecycle requests such as the Initialization request, even though it does not make any downstream Tableau REST API calls.

Danger

Do not use a Personal Access Token (PAT) to generate the X-Tableau-Auth credential when using passthrough authentication since PATs cannot be used concurrently. Signing in multiple times with the same PAT at the same time will terminate any prior session and will result in an authentication error. See Understand personal access tokens for more details.

ENABLE_PASSTHROUGH_AUTH

  • Default: false
  • When true, passthrough authentication is enabled.
  • Only applies when TRANSPORT is http.

PASSTHROUGH_AUTH_USER_SESSION_CHECK_INTERVAL_IN_MINUTES

  • Default: 10 minutes
  • How often the server re-checks that a passthrough auth token is still valid. Between checks, recently validated tokens are trusted without re-verification. Downstream requests to the Tableau REST APIs could potentially fail if the token was invalidated during this interval.
  • Valid range: 0 to 1440 (24 hours). Use 0 to verify the token on every request.
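
The trade-off behind the check interval, shown as an added example: this is a simplified model of interval-based re-checking, not Tableau MCP source code. `PassthroughTokenCache`, `verifyWithTableau` and `simulate` are hypothetical names, and the token and timeline are constructed.

```javascript
// Added illustration: a model of interval-based token re-checking, not Tableau MCP source.
// `verifyWithTableau` is a hypothetical callback standing in for a real session check.
class PassthroughTokenCache {
  constructor(intervalMinutes, verifyWithTableau) {
    if (!(intervalMinutes >= 0 && intervalMinutes <= 1440)) {
      throw new RangeError('interval must be between 0 and 1440 minutes');
    }
    this.intervalMs = intervalMinutes * 60_000;
    this.verify = verifyWithTableau;
    this.lastValidated = new Map(); // token -> time (ms) of last successful check
  }

  // Returns true if a request carrying `token` at time `nowMs` is accepted.
  isTrusted(token, nowMs) {
    const last = this.lastValidated.get(token);
    if (last !== undefined && this.intervalMs > 0 && nowMs - last < this.intervalMs) {
      return true; // recently validated: trusted without re-verification
    }
    if (this.verify(token)) {
      this.lastValidated.set(token, nowMs);
      return true;
    }
    this.lastValidated.delete(token); // forget tokens that failed the check
    return false;
  }
}

// Constructed scenario: the Tableau session ends 3 minutes after its first use.
function simulate(intervalMinutes) {
  const live = new Set(['constructed-token']);
  let checks = 0;
  const cache = new PassthroughTokenCache(intervalMinutes, (t) => { checks++; return live.has(t); });
  const at = (min) => cache.isTrusted('constructed-token', min * 60_000);
  const results = { t0: at(0) };      // first request: always verified
  live.delete('constructed-token');   // session is signed out at minute 3
  results.t5 = at(5);                 // inside the window when the interval is 10
  results.t11 = at(11);               // past the window: re-checked
  results.checks = checks;            // number of verification calls made
  return results;
}

console.log(simulate(10)); // { t0: true, t5: true, t11: false, checks: 2 }
console.log(simulate(0));  // { t0: true, t5: false, t11: false, checks: 3 }
```

With the default interval, the request at minute 5 is still accepted by the model even though the session has ended, which is the case where the downstream Tableau REST API call fails; with 0, every request pays for a verification call.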