Skip to main content

HTTP Server

The Tableau MCP server can be configured to run as an HTTP server, leveraging the Streaming HTTP MCP transport. This is useful for deploying the server remotely and exposing it to multiple clients.

warning

When TRANSPORT is http, the default behavior changes to require protecting your MCP server with OAuth as a security best practice.

To opt out of this behavior at your own risk, please see the entry on DANGEROUSLY_DISABLE_OAUTH.

When TRANSPORT is http, the following environment variables can be used to configure the HTTP server. They are all optional.

AUTH

The method the MCP server uses to authenticate to the Tableau REST APIs.

danger

Do not use a PAT when TRANSPORT is http if you expect simultaneous requests from multiple clients since PATs cannot be used concurrently. Signing in multiple times with the same PAT at the same time will terminate any prior session and will result in an authentication error. See Understand personal access tokens for more details.

OAuth is recommended but Direct Trust can also be used.

HTTP_PORT_ENV_VAR_NAME

The environment variable name to use for the HTTP server port.

  • Default: PORT

[Value of HTTP_PORT_ENV_VAR_NAME]

The port to use for the HTTP server.

  • Default: 3927

SSL_KEY

The path to the SSL key file to use for the HTTP server.

SSL_CERT

The path to the SSL certificate file to use for the HTTP server.

CORS_ORIGIN_CONFIG

The origin or origins to allow CORS requests from.

  • Default: true
  • Acceptable values include true, false, *, or a URL or array of URLs. See cors config options for details.

TRUST_PROXY_CONFIG

The value to provide to the trust proxy setting in the Express application.

  • Default: None (no trust proxy config)
  • Acceptable values include true, false, number, or string. See Express trust proxy for details.
  • Example: Set this to 1 to use the address that is at most 1 hop away from the Express application.
  • This is useful to configure Express in your hosting environment (e.g. Heroku) in order to access client IP addresses while preventing IP spoofing.