1. Why this is needed
To embed Tableau views securely, you need to set up a Connected App in Tableau Cloud or Tableau Server. This enables JWT-based authentication, allowing Embedportal to generate trusted embed URLs for your Tableau content while Tableau continues to enforce your access controls and row-level security.
Works with: Tableau Cloud, and Tableau Server 2021.1 or newer.
2. Prerequisites
- A Tableau Cloud site or Tableau Server 2021.1+ that you administer.
- A Tableau Site Admin account (Server Admin on Tableau Server). Connected Apps can only be created with admin permissions.
- An Embedportal workspace. Starter includes one BI integration; Professional and Enterprise include unlimited.
- About 30 minutes end-to-end.
3. Access Connected Apps Settings
- 01. Tableau Cloud: Sign in as a Site Administrator. Go to Settings → Connected Apps.
- 02. Tableau Server: Sign in as a Server or Site Administrator. Go to Settings → Connected Apps.
4. Create a New Connected App
- 01. Click New Connected App: Open the button at the top of the Connected Apps list.
- 02. Connected app name: Enter atSpark Integration as the Connected App name. This is the name Embedportal expects and it will appear in Tableau’s admin views.
- 03. Select Direct Trust: This is the JWT-based authentication option. Embedportal signs short-lived tokens that Tableau trusts directly — no OAuth round-trip required.
- 04. Enable Allow access to REST API: Turn on the toggle. Embedportal uses the REST API to fetch the list of views and workbooks you can embed.
5. Configure Domain Allowlist
Add your application domain to the Connected App’s allowlist. For example:
dev.atspark.com
This ensures Tableau content can only be embedded on your domain — not on someone else’s copy-paste of the snippet.
- Add the exact hostname you’ll embed from (no protocol, no path).
- If you’ve set a custom domain on a Professional or Enterprise plan, add that instead.
- Do not add wildcard domains or third-party URLs.
Security: the allowlist is your line of defence against embed-jacking. Keep it strict.
6. Copy Connected App Credentials
After creating the Connected App, Tableau displays three values. Copy each one and paste it into the matching field in Embedportal’s Tableau connection form.
Important: the Secret Value cannot be retrieved after the first reveal. If you close the dialog without saving, generate a new secret.
7. Enter Server Details
Provide your Tableau instance URLs. Embedportal collects them in two fields: Slug URL (the full Tableau server URL) and Content URL (your site slug).
Tableau Cloud
- Slug URL: https://yoursite.online.tableau.com — or your regional URL, for example https://prod-apnortheast-a.online.tableau.com.
- Content URL: yoursite — the slug that appears in your Tableau Cloud URL after /site/.
Tableau Server
- Slug URL: https://tableau.yourcompany.com — your internal Tableau Server domain.
- Content URL: yoursite — or leave blank for the default site.
8. Set Tableau Username
Enter the Tableau username (email address) that will be used for JWT authentication. In Embedportal this field is labeled Cloud User (Email Address). The user must have appropriate permissions to view the content you want to embed.
user@example.com
Tip: use a service account username, not a personal account.
- Service accounts keep embeds working when employees leave or change roles.
- Audit logs stay clear — every embed session is attributed to one identifiable actor.
- Rotating a service-account password doesn’t break the embed; rotating the Connected App Secret Value does.
9. Fields you’ll fill in Embedportal
Bringing the whole setup together, the Embedportal connection form expects these six values:
user@example.com
Yes
https://prod-apnortheast-a.online.tableau.com
Yes — your Tableau server URL
yoursite (or blank for default)
Yes
Click Save & Test Connection. Embedportal will sign a test JWT, hit Tableau’s REST API, and show a green confirmation. You’re connected.
10. Register a dashboard
Each dashboard you want to surface is added as a navigation item in Embedportal. Open Navigation → Add dashboard and fill in:
- Dashboard name — the label viewers see in the sidebar of your portal.
- Description — optional note for your team.
- Tableau View URL — paste the view URL from Tableau; Embedportal parses the workbook and view name.
- Category — optional grouping, e.g. Revenue, Operations, Customers.
- Authentication mode — Authenticated or Anonymous.
- Enable RLS — available on Authenticated mode only.
- Status — toggle off to hide the dashboard without deleting the configuration.
Save. The dashboard is now embedded in your portal behind Embedportal’s auth and branding.
11. Authenticated vs Anonymous mode
Every dashboard is registered in one of two modes.
Authenticated
Viewers must be signed in to your portal. Embedportal signs the JWT with the viewer’s identity and any RLS claims they’re entitled to. Tableau filters the rows at query time.
Anonymous
No sign-in required. Embedportal still signs a JWT, but with no user identity and no RLS claims. Every viewer sees the same data. Use this for public product status pages, pitch decks, or aggregate marketing dashboards.
You can mix modes within the same portal — some dashboards authenticated, others public.
12. Row-level security
Turn one dashboard into per-viewer data.
Embedportal forwards the viewer’s tenant, region, role or custom attributes as JWT claims; Tableau reads them via USERATTRIBUTE() on a data source filter and scopes the query automatically.
For the full setup with calculated-field formulas, see our dedicated guide: Row-level security for embedded dashboards.
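An added example (not Embedportal's or Tableau's own code) of the Direct Trust token described in sections 4 and 12: an HS256 JWT keyed with the Secret Value, carrying the Secret ID as kid, the Client ID as iss, and a viewer attribute that USERATTRIBUTE() can read. The claim layout follows Tableau's connected-app documentation; the function names, the Region attribute and every credential value are constructed placeholders.

```python
import base64, hashlib, hmac, json, time, uuid

RESERVED = {"iss", "sub", "aud", "exp", "jti", "scp"}
MAX_TTL = 600  # seconds; Tableau's documented maximum token validity is 10 minutes

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_embed_jwt(client_id, secret_id, secret_value, username,
                   user_attributes=None, ttl=300, now=None):
    """Build a short-lived HS256 token for one viewer session (hypothetical helper)."""
    if not 0 < ttl <= MAX_TTL:
        raise ValueError("ttl must be between 1 and 600 seconds")
    attrs = dict(user_attributes or {})
    clash = RESERVED.intersection(attrs)
    if clash:
        # Viewer-derived attributes must never replace sub, scp or exp.
        raise ValueError(f"attribute overrides reserved claim: {sorted(clash)}")
    issued = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT", "kid": secret_id, "iss": client_id}
    claims = {"iss": client_id, "sub": username, "aud": "tableau",
              "exp": issued + ttl, "jti": str(uuid.uuid4()),  # jti: unique per token
              "scp": ["tableau:views:embed"], **attrs}        # embed scope only
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    mac = hmac.new(secret_value.encode(), signing_input.encode(), hashlib.sha256)
    return signing_input + "." + _b64url(mac.digest())

def verify_embed_jwt(token, secret_value, now=None):
    """Check signature, then expiry, as the receiving side would; return the claims."""
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(secret_value.encode(), signing_input.encode(), hashlib.sha256)
    if not hmac.compare_digest(_unb64url(sig), expected.digest()):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(signing_input.split(".")[1]))
    if claims["exp"] <= int(time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    # Constructed placeholder credentials, not real Connected App values.
    token = sign_embed_jwt("CLIENT-ID-PLACEHOLDER", "SECRET-ID-PLACEHOLDER",
                           "constructed-secret-value", "user@example.com",
                           {"Region": "East"})
    print(verify_embed_jwt(token, "constructed-secret-value"))
```

A token signed with a stale or mismatched Secret Value fails at the signature check, which corresponds to the 401 case in the troubleshooting list.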
13. Security best practices
- Use a dedicated service account with the minimum permissions required to view embedded content.
- Rotate Connected App secrets on a schedule — every 12 months is a reasonable default.
- Keep the domain allowlist strict. Only add domains you control.
- Monitor Connected App usage in Tableau’s admin views for unexpected traffic patterns.
- If a secret leaks, delete the Connected App in Tableau immediately and create a fresh one.
14. Troubleshooting
- Connection test fails with 401 — the Secret Value doesn’t match. Regenerate the secret in Tableau and paste the fresh values.
- Connection test fails with 403 — the Connected App is disabled, or the Tableau username doesn’t have permission to access the REST API.
- Dashboard loads blank inside the portal — the View URL slug is case-sensitive. Copy it exactly from Tableau.
- Dashboard shows all rows even though RLS is on — in Tableau, the RLS calculated field must be applied as a data source filter, not a view or dashboard filter.
- Users see “not authorised” — the service-account username in Embedportal doesn’t have access to the view. Grant the account project-level view permission.
- Embed works internally but not from a different domain — the domain isn’t on the Connected App’s allowlist. Add it.
15. FAQ
Does this setup work for both Tableau Cloud and Tableau Server?
Yes. The same Connected App flow works on Tableau Cloud and on Tableau Server 2021.1 and newer. The only difference is where you sign in and the shape of the Server URL you paste into Embedportal.
What should I use as the Tableau username?
Use a dedicated Tableau service account. The account needs permission to view every dashboard you plan to embed. Using a service account keeps embeds working through employee turnover and gives you cleaner audit logs.
The Secret Value is only shown once — what if I lose it?
You cannot retrieve a Tableau Connected App Secret Value after the first reveal. Regenerate the secret in Tableau, paste the fresh Client ID, Secret ID and Secret Value into Embedportal, and disable the old secret.
Can I embed Tableau without the viewer logging in?
Yes. When you register a dashboard, set the authentication mode to Anonymous. Embedportal signs a JWT with no user identity, so every viewer sees the same data.
How often do I need to rotate the Connected App secret?
Rotating every 12 months is a reasonable default. Rotate immediately if the secret is exposed — in a leaked environment file, a committed config, or an over-privileged dashboard share.
What is the domain allowlist for?
The allowlist is Tableau’s way of restricting which sites can embed content from this Connected App. Adding only your Embedportal domain prevents anyone else from using your credentials to embed your dashboards on their own site.