Embedportal a subproduct of atSpark
FeaturesPricingDocsCompareBlog Start free →
Start free

Home/Docs/How to embed Tableau into Embedportal

How to embed Tableau
into Embedportal.

Six-step Tableau Embedded setup for SaaS — Connected App JWT, domain allowlist, credentials, service-account. End-to-end in about thirty minutes.

Published
2026-04-17
Reading time
8 min
Level
Beginner
Works with
Tableau Cloud · Server 2021.1+

On this page

  1. 1. Why this is needed
  2. 2. Prerequisites
  3. 3. Access Connected Apps Settings
  4. 4. Create a New Connected App
  5. 5. Configure Domain Allowlist
  6. 6. Copy Connected App Credentials
  7. 7. Enter Server Details
  8. 8. Set Tableau Username
  9. 9. Security best practices
  10. 10. Troubleshooting
  11. 11. FAQ

Why this is needed

To embed Tableau views securely, you need to set up a Connected App in Tableau Cloud or Tableau Server. This enables JWT-based authentication, allowing Embedportal to generate trusted embed URLs for your Tableau content while Tableau continues to enforce your access controls and row-level security.

works with — Tableau Cloud, and Tableau Server 2021.1 or newer.

Prerequisites

  • A Tableau Cloud site or Tableau Server 2021.1+ that you administer.
  • A Tableau Site Admin account (Server Admin on Tableau Server). Connected Apps can only be created with admin permissions.
  • An Embedportal workspace. Starter includes one BI integration; Professional and Enterprise include unlimited.
  • About 30 minutes end-to-end.

Access Connected Apps Settings

Tableau Cloud — Sign in as a Site Administrator. Go to Settings → Connected Apps.

Tableau Server — Sign in as a Server or Site Administrator. Go to Settings → Connected Apps.

Create a New Connected App

  1. Click New Connected App.
  2. Name the Connected App atSpark Integration. This is the name Embedportal expects.
  3. Select Direct Trust (JWT-based authentication). Embedportal signs short-lived tokens that Tableau trusts directly.
  4. Enable Allow access to REST API. Embedportal uses the REST API to fetch the list of views and workbooks you can embed.

Configure Domain Allowlist

Add your application domain to the Connected App’s allowlist. For example:

dev.atspark.com

This ensures Tableau content can only be embedded on your domain — not on someone else’s copy-paste of the snippet.

  • Add the exact hostname you’ll embed from (no protocol, no path).
  • If you’ve set a custom domain on a Professional or Enterprise plan, add that instead.
  • Do not add wildcard domains or third-party URLs.

security — the allowlist is your line of defence against embed-jacking. Keep it strict.

Copy Connected App Credentials

After creating the Connected App, Tableau displays three values. Copy each into the matching field in Embedportal:

In TableauIn EmbedportalNotes
Client IDClient ID fieldShown on the Overview tab
Secret IDSecret ID fieldShown on the Secrets tab
Secret ValueSecret ValueShown once — save immediately or regenerate

important — the Secret Value cannot be retrieved after the first reveal. If you close the dialog without saving, generate a new secret.

Enter Server Details

Paste your Tableau instance URLs into Embedportal. The form has two fields: Slug URL (the full Tableau server URL) and Content URL (your site slug).

Tableau Cloud

  • Slug URL: https://yoursite.online.tableau.com — or your regional URL e.g. https://prod-apnortheast-a.online.tableau.com
  • Content URL: yoursite — the slug in your Tableau Cloud URL after /site/.

Tableau Server

  • Slug URL: https://tableau.yourcompany.com
  • Content URL: yoursite — or leave blank for the default site.

Set Tableau Username

Enter the Tableau username (email address) that will be used for JWT authentication. In Embedportal this field is labeled Cloud User (Email Address). The user must have appropriate permissions to view the content you want to embed.

user@example.com

tip — use a service account username, not a personal account.

  • Service accounts keep embeds working when employees leave or change roles.
  • Audit logs stay clear — every embed session is attributed to one identifiable actor.
  • Rotating a service-account password doesn’t break the embed; rotating the Connected App Secret Value does.

Security best practices

  • Use a dedicated service account with the minimum permissions required to view embedded content.
  • Rotate Connected App secrets on a schedule — every 12 months is a reasonable default.
  • Keep the domain allowlist strict. Only add domains you control.
  • Monitor Connected App usage in Tableau’s admin views for unexpected traffic patterns.
  • If a secret leaks, delete the Connected App in Tableau immediately and create a fresh one.
  • For per-viewer data isolation, follow the row-level security guide — Tableau’s USERATTRIBUTE() function plus Embedportal’s session-level rule forwarding.
  • Weighing Tableau against other embed options? See the Tableau Embedded vs Embedportal comparison or the 2026 embedded-analytics pricing breakdown for the full economics.

Troubleshooting

  • Connection test fails with 401 — the Secret Value doesn’t match. Regenerate the secret in Tableau and paste the fresh values.
  • Connection test fails with 403 — the Connected App is disabled, or the Tableau username doesn’t have permission to access the REST API.
  • Dashboard loads blank inside the portal — the View URL slug is case-sensitive. Copy it exactly from Tableau.
  • Dashboard shows all rows even though RLS is on — in Tableau, the RLS calculated field must be applied as a data source filter, not a view or dashboard filter.
  • Users see “not authorised” — the service-account username in Embedportal doesn’t have access to the view. Grant the account project-level view permission.
  • Embed works internally but not from a different domain — the domain isn’t on the Connected App’s allowlist. Add it.

11. FAQ

Does this setup work for both Tableau Cloud and Tableau Server?

Yes. The same Connected App flow works on Tableau Cloud and on Tableau Server 2021.1 and newer. The only difference is where you sign in and the shape of the Server URL you paste into Embedportal.

What should I use as the Tableau username?

Use a dedicated Tableau service account. The account needs permission to view every dashboard you plan to embed. Using a service account keeps embeds working through employee turnover and gives you cleaner audit logs.

The Secret Value is only shown once — what if I lose it?

You cannot retrieve a Tableau Connected App Secret Value after the first reveal. Regenerate the secret in Tableau, paste the fresh Client ID, Secret ID and Secret Value into Embedportal, and disable the old secret.

Can I embed Tableau without the viewer logging in?

Yes. When you register a dashboard, set the authentication mode to Anonymous. Embedportal signs a JWT with no user identity, so every viewer sees the same data.

How often do I need to rotate the Connected App secret?

Rotating every 12 months is a reasonable default. Rotate immediately if the secret is exposed — in a leaked environment file, a committed config, or an over-privileged dashboard share.

What is the domain allowlist for?

The allowlist is Tableau’s way of restricting which sites can embed content from this Connected App. Adding only your Embedportal domain prevents anyone else from using your credentials to embed your dashboards on their own site.

Ready to embed?

Start on Professional with a 14-day free trial — no credit card, unlimited dashboards and users.

Start free trial Book a walkthrough

Related

Row-level security for embedded dashboards → All documentation → Tableau Connected Apps official docs →
© 2026 atSpark Inc. Embedportal is a subproduct of atSpark. About Privacy Terms Security Cookies