tableau · mattcfilbert · May 21, 2026 · May 6, 2026 · May 8, 2026 · May 20, 2026
diff --git a/docs/docs/configuration/mcp-config/oauth.md b/docs/docs/configuration/mcp-config/oauth.md
@@ -511,3 +511,8 @@ The MCP server supports three OAuth 2.1 grant types:
 - `/Callback`: OAuth callback handler (authorization code only)
 - `/oauth2/token`: Token exchange and refresh (all grant types)
 - `/oauth2/revoke`: Token revocation
+
+For MCP client-facing token and consent cleanup, see the
+[`reset-consent`](../../tools/token-management/reset-consent.md) and
+[`revoke-access-token`](../../tools/token-management/revoke-access-token.md) tools. For full cleanup,
+call `reset-consent` before `revoke-access-token`.
diff --git a/docs/docs/tools/token-management/_category_.json b/docs/docs/tools/token-management/_category_.json
@@ -0,0 +1,8 @@
+{
+  "label": "Token Management",
+  "position": 7,
+  "link": {
+    "type": "generated-index",
+    "description": "Tools for managing OAuth token and consent state for the current MCP session."
+  }
+}
diff --git a/docs/docs/tools/token-management/reset-consent.md b/docs/docs/tools/token-management/reset-consent.md
@@ -0,0 +1,38 @@
+---
+sidebar_position: 1
+---
+
+# Reset Consent
+
+Resets saved OAuth consent for the current user on the Tableau authorization server.
+
+Use `reset-consent` when you need to clear previously granted OAuth consent so the next OAuth
+authorization flow prompts the user for consent again. This is the canonical documentation page to
+link to when a consent experience needs to tell users how to reset previously granted access for MCP.
+
+For full OAuth cleanup, call `reset-consent` before
+[`revoke-access-token`](revoke-access-token.md). `reset-consent` needs the current valid bearer token;
+revoking the token first invalidates the credential needed to reset consent.
+
+## Arguments
+
+This tool requires no input. It operates on the authentication context already associated with the
+MCP request. Raw access tokens, refresh tokens, JWE tokens, and bearer values are never exposed to
+the model.
+
+## Supported Auth Modes
+
+- **Bearer authentication with Tableau authorization server mode**: supported. The tool calls
+  `/oauth2/resetConsent` on the configured OAuth issuer using the current bearer token.
+
+## Unsupported Modes And Limitations
+
+- **Embedded authorization server mode**: disabled. The embedded authorization server does not use
+  the same consent model.
+- **Passthrough authentication and other non-Bearer auth modes**: not supported. Session credentials
+  are managed externally.
+
+## Side Effects
+
+The current session remains valid, but the next OAuth authorization flow re-prompts the user for
+consent.
diff --git a/docs/docs/tools/token-management/revoke-access-token.md b/docs/docs/tools/token-management/revoke-access-token.md
@@ -0,0 +1,39 @@
+---
+sidebar_position: 2
+---
+
+# Revoke Access Token
+
+Revokes the access token used to authenticate the current MCP session.
+
+Use `revoke-access-token` when signing a user out of the MCP session, revoking access after
+suspicious activity, or performing clean session teardown from an MCP client or orchestration layer.
+
+For full OAuth cleanup, call [`reset-consent`](reset-consent.md) before `revoke-access-token`.
+Revocation invalidates the token required to authenticate the consent reset request.
+
+## Arguments
+
+This tool requires no input. It operates on the authentication context already associated with the
+MCP request. Raw access tokens, refresh tokens, JWE tokens, and bearer values are never exposed to
+the model.
+
+## Supported Auth Modes
+
+- **Bearer authentication with Tableau authorization server mode**: supported. The tool submits the
+  current Tableau access token to the issuer's `/oauth2/revoke` endpoint.
+- **X-Tableau-Auth in embedded authorization server mode**: supported. The tool submits the current
+  MCP JWE access token to the embedded revocation endpoint, which handles Tableau signout and refresh
+  token cleanup.
+
+## Unsupported Modes And Limitations
+
+- **Passthrough authentication**: not supported. Session credentials are managed externally.
+- Revocation can fail if the authorization server rejects the request, or if the token is already
+  expired or invalid.
+
+## Side Effects
+
+The current session or token is revoked. Subsequent Tableau API calls in the same session may fail.
+After calling this tool, clients should disconnect from the MCP server and reconnect if they need a
+new authenticated session.