Better Tableau REST API Security with Personal Access Tokens

Tableau Server has an application programming interface (API) that gives you programmatic access to manage workbooks, users, data sources and many other resources on your server. With this API you can, for example, import a list of users from an Active Directory group, generate thumbnails of your workbooks, or delete views and data sources. There are lots and lots of possibilities with this RESTful API. It uses standard web requests over HTTP to communicate between client and server. For each resource you want to access through the REST API you need to authenticate yourself; currently this is done by acquiring an authentication token. You get this token by sending a POST request to the Sign In URI containing your username and password. However, with Tableau version 2019.4 we can authenticate in a new way, by using Personal Access Tokens. In this blog post I will explain how you can use Personal Access Tokens (PAT) and what the benefits of this type of authentication are.

Background

Pre-2019.4 you can authenticate yourself by sending the following body to the Sign In URI:

    {
        "credentials": {
            "name": "myName",
            "password": "mySuperSecretPassW0rd",
            "site": {
                "contentUrl": "myAmazingSite"
            }
        }
    }

But you probably already see a few problems with this payload. First of all, you have to put your name and password into the body. This means your credentials can potentially be exposed. Secondly, you have to use this type of login for each application you are building. There is no clear oversight of which credentials are being used by which application. Thirdly, you can't revoke these credentials for one application, because revoking them means all of your applications stop working. On top of that, many companies have security policies that force you to change your password every so often. This means you also have to update all of your custom-built applications. A very common one we face internally is the Publish to Tableau Server tool in Alteryx. When credentials change you need to update this tool.

2019.4

With Personal Access Tokens these problems are all addressed. A token consists of a name and the actual secret token value. The name is decided by you; the token is generated by Tableau. You can generate as many as you want and you can easily revoke them individually, which gives you much better management of these keys. That means you can create a token for each script you write. Changing your Tableau Server password or login details does not affect the tokens you have generated.

The new login body looks like so:

    {
        "credentials": {
            "clientId": "MY_TOKEN_NAME_WHICH_I_CAN_REVOKE",
            "personalAccessToken": "1234567890qwertyuiop",
            "site": {
                "contentUrl": "myAmazingSite"
            }
        }
    }

As you can see, no username or password.
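An added example, not from this post or from Tableau, of what a PAT-based script looks like in Python: the token name and secret come from environment variables instead of the script body, the secret is masked before anything is logged, and the session is signed out when the script finishes. It assumes REST API version 3.6 (the version that ships with 2019.4) and the key names personalAccessTokenName and personalAccessTokenSecret from the released API documentation (the beta body above uses clientId and personalAccessToken); the environment variable names and server URL are this example's own choices.

```python
import json
import os
import urllib.request

API_VERSION = "3.6"  # REST API version that ships with Tableau 2019.4

def signin_payload(token_name, token_secret, site_content_url):
    """PAT sign-in body using the key names in the released 2019.4 docs
    (personalAccessTokenName/Secret); the beta body above uses clientId/personalAccessToken."""
    return {"credentials": {
        "personalAccessTokenName": token_name,
        "personalAccessTokenSecret": token_secret,
        "site": {"contentUrl": site_content_url},
    }}

def redact_for_log(payload):
    """Deep copy with the PAT secret masked, so request logging never leaks it."""
    safe = json.loads(json.dumps(payload))
    safe["credentials"]["personalAccessTokenSecret"] = "***"
    return safe

def parse_signin_response(body):
    """Return (session token, site id) from the JSON Sign In response."""
    creds = json.loads(body)["credentials"]
    return creds["token"], creds["site"]["id"]

def _post(url, data=None, headers=None):
    req = urllib.request.Request(url, data=data, method="POST", headers=headers or {})
    with urllib.request.urlopen(req) as resp:
        return resp.read()

def sign_in(server, token_name, token_secret, site=""):
    """POST the PAT body to the Sign In URI; the secret is sent once, not kept."""
    body = json.dumps(signin_payload(token_name, token_secret, site)).encode()
    hdrs = {"Content-Type": "application/json", "Accept": "application/json"}
    return parse_signin_response(_post(f"{server}/api/{API_VERSION}/auth/signin", body, hdrs))

def sign_out(server, token):
    """Invalidate the session token when the script finishes."""
    _post(f"{server}/api/{API_VERSION}/auth/signout", headers={"X-Tableau-Auth": token})

if __name__ == "__main__":
    # One PAT per script, read from environment variables (names are this example's choice).
    server = os.environ["TABLEAU_SERVER"]  # e.g. https://tableau.example.com
    token, site_id = sign_in(server, os.environ["TABLEAU_PAT_NAME"],
                             os.environ["TABLEAU_PAT_SECRET"], os.environ.get("TABLEAU_SITE", ""))
    try:
        print("signed in to site", site_id)  # use {"X-Tableau-Auth": token} on further requests
    finally:
        sign_out(server, token)
```

An empty contentUrl selects the Default site; revoking the PAT on the server invalidates only this script, leaving your other tokens untouched.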

Create a Personal Access Token

Tableau made it really easy to create and generate a PAT. Log in to your 2019.4 Tableau Server or Tableau Online instance (at the time of writing, 2019.4 is in beta). Click on the 'Users' tab on the left-hand side of your server. Then in the settings pane you set a Personal Access Token. Give your token a name and hit 'Create new token'. Make sure you copy the token out of the popup modal, because it will only be shown to you once.

Super simple, right? I'm quite happy with this new feature because it really takes away the pain of having to manage and update your scripts. If this also gets added to the Alteryx tools for Tableau, it will make my Alteryx life a lot easier.

You can read more about these PATs in the official documentation.

© 2023 Andre de Vries