Environment Variables

Values for the following environment variables can be provided to configure the Tableau MCP server.

`SERVER`

The URL of the Tableau server.

For Tableau Cloud, specify your site's specific pod e.g. https://prod-useast-c.online.tableau.com
Required unless AUTH is oauth.

`SITE_NAME`

The name of the Tableau site to use.

For Tableau Cloud, specify your site name.
For Tableau Server, you may leave this value blank to use the default site.
Required unless AUTH is oauth.

`TRANSPORT`

The MCP transport type to use for the server.

Default: stdio
Possible values: stdio or http
For http, see HTTP Server Configuration for additional variables.
See MCP Transports for details.

`AUTH`

The method the MCP server uses to authenticate to the Tableau REST APIs.

Default: pat
Possible values: pat, direct-trust, or oauth
See Authentication for additional required variables depending on the desired method.

`ENABLE_SERVER_LOGGING`

When true, the server will continue sending notifications to MCP clients, but will now also write them to local files in the directory specified in the SERVER_LOG_DIRECTORY environment variable. Notifications include tool calls and their arguments as well as HTTP traces for the requests and responses to the Tableau REST APIs.

Default: false
The log file names are in the format YYYY-MM-DDTHH-00-00-000Z.log e.g. 2025-10-15T22-00-00-000Z.log meaning this log file contains all log messages for hour 22 of 2025-10-15 in UTC time. All log entries for a given hour of the day are appended to the same file.
Each line in the log file is a JSON object with the following properties:
- timestamp: The timestamp of the log message in UTC time.
- username: For tool calls, the username of the user who made the call. This is only present when OAuth is enabled and has the user context.
- level: The logging level of the log message.
- logger: The logger of the log message. This is typically rest-api for HTTP traces or tableau-mcp for tool calls.
- message: The log message itself. This may be a string or a JSON object.
All notifications are written to the local log files regardless of the server's currently configured minimum logging level, since that only applies to notifications sent to MCP clients. See DEFAULT_LOG_LEVEL for more information.
Secrets are masked by default in the log files. To reveal them for debugging purposes, set the DISABLE_LOG_MASKING environment variable to true.

`SERVER_LOG_DIRECTORY`

The directory server logs are written to when ENABLE_SERVER_LOGGING is true.

Default: [build directory]/logs i.e. build/logs.
The server will attempt to create the directory if it does not exist.
There is no cleanup of old log files. The server will continue to create log files indefinitely.

`DEFAULT_LOG_LEVEL`

The default logging level of the server.

Default: debug
Possible values:
- debug
- info
- notice
- warning
- error
- critical
- alert
- emergency

This value determines the minimum log level in which to send notifications to MCP clients. That is, if the server's currently configured minimum logging level is debug, all log messages will be sent to MCP clients. If the level is set to error, only log messages with a level of error or higher will be sent. Note that MCP clients can change the minimum log level any time they want.

`DISABLE_LOG_MASKING`

Disable masking of credentials in MCP client notifications and server logs. For debug purposes only.

Default: false

`DATASOURCE_CREDENTIALS`

A JSON string that includes usernames and passwords for any datasources that require them.

The format is:

{"ds-luid1":[{"luid":"ds1-connection-luid1","u":"username1","p":"password1"},{"luid":"ds1-connection-luid2","u":"username2","p":"password2"}],"ds-luid2":[{"luid":"ds2-connection-luid1","u":"username3","p":"password3"}]}

This is a JSON-stringified version of the following object:

{
  "ds-luid1": [
    { luid: "ds1-connection-luid1", u: "username1", p: "password1" },
    { luid: "ds1-connection-luid2", u: "username2", p: "password2" }
  ],
  "ds-luid2": [
    { luid: "ds2-connection-luid1", u: "username3", p: "password3" }
  ]
}

The connection LUIDs can be determined using the Query Data Source Connections REST API.

Future work will include a tool to automate this process. For more information, see Connect to your data source.

`INCLUDE_TOOLS`

A comma-separated list of tool or tool group names to include in the server. Only these tools will be available.

Default: Empty string (all are included)
For a list of available tools and groups, see toolName.ts.
Mixing tool names and group names is allowed.

`EXCLUDE_TOOLS`

A comma-separated list of tool or tool group names to exclude from the server. All other tools will be available.

Default: Empty string (none are excluded)
Cannot be provided with INCLUDE_TOOLS.

`MAX_RESULT_LIMIT`

If a tool has a limit parameter and returns an array of items, the maximum length of that array.

Default: Empty string (no limit)
Must be a positive number.

`DISABLE_QUERY_DATASOURCE_VALIDATION_REQUESTS`

Disables requests that are made to the VizQl Data Service for validating queries in the query-datasource tool. Does not disable the ability to query the datasource.

Default: false
When true, skips validation of queries against metadata results and validation of SET and MATCH filters.

`DISABLE_QUERY_DATASOURCE_FILTER_VALIDATION`

Note: This environment variable was deprecated in Tableau MCP v1.13.0 and replaced by DISABLE_QUERY_DATASOURCE_VALIDATION_REQUESTS.

Disable validation of SET and MATCH filter values in the query-datasource tool.

Default: false
When true, skips the validation that checks if filter values exist in the target field.

`DISABLE_METADATA_API_REQUESTS`

Disables graphql requests to the Tableau Metadata API in the get-datasource-metadata tool.

Default: false
When true, skips requests to the graphql endpoint that provides additional context to field metadata.
Set this to true if you are using the get-datasource-metadata tool and the Tableau Metadata API is not enabled on your Tableau Server.

`DISABLE_SESSION_MANAGEMENT`

When false (the default) and using the Streamable HTTP transport, the MCP server will create and manage sessions as per the Session Management section of the MCP spec. The only state persisted in the session from one request to another is information about the client's identity, capabilities, and protocol version compatibility.

Default: false
Does not apply to the stdio transport.
When true, the MCP server will no longer assign a session ID at initialization time nor require clients to provide that session ID in the mcp-session-id header for subsequent requests.
Set this to true if you are using the HTTP transport and your client does not support or need session management.

`TABLEAU_SERVER_VERSION_CHECK_INTERVAL_IN_HOURS`

Some tools may have behavior or arguments that depend on the Tableau Server or Cloud version the MCP server is connected to. Rather than checking the Tableau version with every request, the MCP server will cache the version and only check it again after the interval specified by this environment variable.

Default: 1 hour
Must be a positive number between 1 and 168 (7 days).

SERVER​

SITE_NAME​

TRANSPORT​

AUTH​

ENABLE_SERVER_LOGGING​

SERVER_LOG_DIRECTORY​

DEFAULT_LOG_LEVEL​

DISABLE_LOG_MASKING​

DATASOURCE_CREDENTIALS​

INCLUDE_TOOLS​

EXCLUDE_TOOLS​

MAX_RESULT_LIMIT​

DISABLE_QUERY_DATASOURCE_VALIDATION_REQUESTS​

DISABLE_QUERY_DATASOURCE_FILTER_VALIDATION​

DISABLE_METADATA_API_REQUESTS​

DISABLE_SESSION_MANAGEMENT​

TABLEAU_SERVER_VERSION_CHECK_INTERVAL_IN_HOURS​