Curator 101: The Ins and Outs of Tableau's PAT

Matthew Orr
Curator Engineer
September 22, 2022

Getting Personal

Tableau’s Personal Access Tokens (PAT) have been around for a while now. These are used as an alternative to your normal login credentials, especially for automation/scripting since they avoid issues with Multi-Factor Authentication (MFA) and password expiration policies. In fact, if you’re using Tableau Cloud you’ve probably already had to switch your Curator portal to use them to avoid MFA requirements.

Same but Also Different

While PATs avoid some issues related to authenticating automated process, there are some key similarities and differences that need to be understood when using them:

• Like regular credentials, PATs are tied to a user.
• A user can have multiple PATs active at the same time. Separate PATs should be generated for each automated process that connects to Tableau.
• PATs will expire after a year by default or after 15 consecutive days of inactivity.
• PATs can be revoked at any point before they expire if needed.
• As discussed previously, PATs are immune to MFA, so anyone with the token name and secret can authenticate.
• PATs are global for a Tableau Server, so one token will allow authentication to any site the user has access to.
• When authenticating to Tableau using the REST API, the site still must be specified. Tableau will respond to a successful PAT authentication with a temporary credentials token. This token will be used in subsequent API calls to that Tableau site in lieu of the PAT details.
• Credentials tokens expire after a short period. The PAT details must be used to re-authenticate after the credentials token expires and a new credentials token will be returned.
• There can only be one active credentials token at a time per PAT. Subsequent authentications to the same or even other sites using the same PAT will immediately invalidate all previous credentials tokens without notice.

Ramifications for Curator

Some of the differences discussed above mean they must be handled in a slightly different manner in Curator:

• Do not reuse the same PAT for multiple Curator instances. Generate a separate PAT for each of your Curator portals or they will trip over each other when trying to authenticate. This is true even with cloned test/staging/QA portals and production portals.
• If your Curator portal has content published from multiple sites on the same Tableau Server, avoid using PAT if possible until such a time that Curator allows specifying 1 PAT per Tableau site. Due to Tableau’s limitation of one active credentials token at a time per PAT, these will be frequently invalidated while Curator is communicating with those sites, which will affect the stability and performance of your portal.
• You still must use a PAT tied to a site or server administrator account.
• If the PAT expires (15 days inactivity, or one year by default), Curator will lose the ability to communicate with Tableau. You’ll need to regenerate a new PAT to restore the connection. It’s best to generate a new PAT and update Curator before expiration.

Tableau Documentation

To learn more about Tableau’s Personal Access Tokens, visit the following Tableau documentation:

https://help.tableau.com/current/server/en-us/security_personal_access_tokens.htm

To learn how to generate Personal Access Tokens, visit the following Tableau documentation:

https://help.tableau.com/current/pro/desktop/en-us/useracct.htm#create-and-revoke-personal-access-tokens