The Tableau MCP server ships with its own “embedded” authorization server, responsible for issuing access and refresh tokens to MCP clients. It leverages the authentication mechanisms provided by Tableau server and configured at the Tableau site level to ensure access is limited to users who can already access the Tableau sites. When OAuth is enabled on the MCP server, the Tableau user context is securely stored within the access token issued to MCP clients so user capabilities and privileges persist end-to-end.
The embedded authorization server is currently the only supported authorization server for use when self-hosting the Tableau MCP server for Tableau Server customers. This has no impact on the authentication configuration of the Tableau Server itself. If your Tableau Server is configured to require OpenID Connect via an external identity provider, this doesn’t change. The embedded authorization server only protects the deployment of Tableau MCP, not Tableau Server.
This issue exists to resolve one particular limitation of the embedded authorization server that is worth mentioning. The refresh tokens issued to MCP clients are currently stored in the memory of the Tableau MCP server process. In the event the process is stopped or restarted, all refresh tokens are effectively forgotten so if a client later attempts to exchange a refresh token for a new access token, it will fail and the user will need to reconnect their client.
More resources:
The Tableau MCP server ships with its own “embedded” authorization server, responsible for issuing access and refresh tokens to MCP clients. It leverages the authentication mechanisms provided by Tableau server and configured at the Tableau site level to ensure access is limited to users who can already access the Tableau sites. When OAuth is enabled on the MCP server, the Tableau user context is securely stored within the access token issued to MCP clients so user capabilities and privileges persist end-to-end.
The embedded authorization server is currently the only supported authorization server for use when self-hosting the Tableau MCP server for Tableau Server customers. This has no impact on the authentication configuration of the Tableau Server itself. If your Tableau Server is configured to require OpenID Connect via an external identity provider, this doesn’t change. The embedded authorization server only protects the deployment of Tableau MCP, not Tableau Server.
This issue exists to resolve one particular limitation of the embedded authorization server that is worth mentioning. The refresh tokens issued to MCP clients are currently stored in the memory of the Tableau MCP server process. In the event the process is stopped or restarted, all refresh tokens are effectively forgotten so if a client later attempts to exchange a refresh token for a new access token, it will fail and the user will need to reconnect their client.
More resources: