Tableau Embedding: Integrating Dashboards into Web Applications

Embedding Tableau analytics into web applications solves a genuine user experience problem: most decisions happen in operational systems, not in dedicated analytics portals. A sales manager makes decisions in the CRM. An operations manager works in the ERP or the scheduling system. A product manager lives in the product dashboard. When analytics lives in a separate Tableau portal, it requires users to leave their workflow context to find insights — and most do not make that switch often enough.

Embedding brings the analytics into the context where decisions get made. Done well, it looks and feels like part of the application. Done poorly, it looks like an iframe with a Tableau watermark that does not match the application's visual design.

Tableau Embedding API v3

The current embedding standard is the Tableau Embedding API v3, introduced in Tableau 2021.4. It replaces the older JavaScript API v1/v2 and the embed parameter approach. The v3 API uses Web Components — specifically a 'tableau-viz' custom HTML element that browsers render natively without requiring an explicit JavaScript initialisation call.

The minimal embed:

<script type="module" src="https://your-tableau-server/javascripts/api/tableau.embedding.3.latest.min.js"></script>

<tableau-viz

id="tableauViz"

src="https://your-tableau-server/views/WorkbookName/SheetName"

width="1200"

height="800"

toolbar="hidden">

</tableau-viz>

This renders the specified view in the page. For public content on Tableau Public, this is the complete implementation. For content requiring authentication, additional configuration is needed.

Authentication Patterns

Authentication is the central technical challenge in embedding. Users accessing the embedded analytics must be authenticated to Tableau, but they should not be prompted to log in separately — a separate Tableau login prompt in an embedded context breaks the seamless experience.

**Trusted Authentication** (Tableau Server only): The web server calls the Tableau Server REST API with a trusted IP ticket request, receives a one-time token, and passes it to the embed. The browser presents the token to Tableau Server, which exchanges it for a session. Trusted Authentication is simple to implement but requires the web server to be on Tableau Server's trusted IP list.

**Connected Apps (JWT)**: The current recommended authentication mechanism for new implementations. An administrator creates a Connected App in Tableau Cloud or Server, obtaining a client ID and secret. The web server signs a JWT containing the user's credentials and desired site/workbook, and embeds it in the 'tableau-viz' element's token attribute. Tableau validates the JWT against the Connected App configuration.

Connected Apps support two modes:

- **Default OAuth 2.0**: The signed JWT is presented in the embed; Tableau validates and creates a session for the specified user. The user must exist as a licensed user on the Tableau site.

- **EAS (External Authorization Server)**: Tableau trusts a third-party identity provider. This enables single sign-on with identity providers that are not Tableau-native.

**SAML SSO**: For organisations already using SAML-based SSO, Tableau can be configured as a SAML service provider. When the user is already authenticated via the IdP, Tableau accepts the SAML assertion and creates a session without a separate login prompt. Requires IdP-side configuration.

For Tableau Cloud embedded applications, Connected Apps with JWT is the standard path. For Tableau Server, Trusted Authentication or SAML SSO are common depending on existing infrastructure.

User Filtering and Data Security

Embedding analytics in a multi-tenant application requires ensuring each user sees only their data. Two patterns:

**User filters via URL parameters**: Pass filter values as URL parameters to the 'tableau-viz' element. The embed URL includes filter parameters that restrict the view to the relevant customer, user, or account. This is straightforward but has a security limitation: URL parameters can be manipulated client-side if the application does not validate them server-side.

**Row-level security via user attributes**: The more robust pattern. In Tableau, create a calculated field that compares the current Tableau user (USERNAME() function) against the data field that determines row access. Combined with Connected Apps JWT authentication that specifies the Tableau username as the embedded user's identifier, each user's session returns only rows matching their identity. This enforces data access at the data source level — not at the URL parameter level — so client-side manipulation cannot expose unauthorized data.

For multi-tenant SaaS applications embedding Tableau for customer analytics, row-level security via Tableau user attributes is the correct pattern. The application sets the Tableau username in the JWT to a unique customer identifier; the Tableau data source filters to that identifier. No customer can see another customer's data even with URL manipulation.

Visual Integration

The embedded Tableau view renders inside an iframe in the hosting page. The default Tableau chrome (toolbar, header, loading screen) is visible unless hidden. For a seamless embedded experience:

**Hide toolbar**: Set 'toolbar="hidden"' on the 'tableau-viz' element. Control any needed toolbar functions (download, filter, etc.) through the JavaScript API rather than the built-in toolbar.

**Hide tab navigation**: If the workbook has multiple sheets, set 'hide-tabs="true"' to remove the sheet tab navigation.

**Match visual styling**: While you cannot fully control Tableau's internal rendering, you can match the surrounding application's background colour and control the embed container styling. Transparent backgrounds on the embedded viz (set in the Tableau workbook's format settings) allow the application's background to show through.

**Responsive sizing**: Use the 'device="desktop"' attribute or responsive size mode in Tableau, and set the 'tableau-viz' element to percentage width with the container managing layout. Tableau's device layouts allow defining separate designs for desktop, tablet, and phone — the correct layout renders based on the container width.

JavaScript API Interactions

The Embedding API v3 exposes methods for programmatic interaction with the embedded view:

**Applying filters programmatically**: Rather than URL parameters, apply filters via the JavaScript API after embed load. This is more flexible and allows filter changes in response to user interaction in the host application.

**Listening to events**: The 'markselectionchanged' event fires when a user clicks a mark; the host application can respond by showing related information elsewhere in the page. This creates genuine integration rather than just embedding a static view.

**Custom buttons triggering Tableau actions**: Build filter controls, date range pickers, or navigation buttons in the host application that call Tableau API methods rather than relying on Tableau's built-in UI.

Licensing Considerations

Users accessing embedded Tableau analytics must have a valid Tableau licence unless the content is public. For customer-facing analytics embedded in a SaaS product, this means either: your customers have their own Tableau licences (uncommon), you purchase Tableau licences for each customer user (expensive at scale), or you use Tableau's embedded analytics licensing.

Tableau's embedded analytics licences (available through Salesforce sales) are designed for ISVs and SaaS applications embedding Tableau for end users. The pricing model is different from standard per-user licensing and is typically metric-based (by number of end users or by customer account). For applications embedding analytics for hundreds or thousands of end users, the embedded licence model is significantly more cost-effective than standard per-user licensing.

Our Tableau consulting practice designs and implements embedded analytics solutions including authentication, row-level security, and visual integration — contact us to discuss your embedded analytics requirements.

A former Microsoft data architect audits your data foundation, identifies your top priorities, and sends you a written plan. Free. No pitch.