ranbeermakin
Resolver III

Calling Power BI Embedded token service securely from another application

Hi there,

 

I'm able to generate my Power BI embed tokens successfully. But I'm worried about its security, let me explain my scenario.

 

I have an application hosted on app.com, and my service to get the token is hosted on abc.com. When a user logs in to app.com, I call my service (hosted on abc.com) to get a token and then render my Power BI report.

 

I see one major issue here. The code to get the token is in JavaScript in app.com. So the user can see what code I'm calling, copy the ajax request URL and say bye bye to my app.

And behind the back the user might be pinging my service URL to get tokens and rendering report without even entering my application.

 

Can we avoid this scenario?

How to ensure only authenticated users can access my service hosted on abc.com? 

How to use my app.com authentication for authenticating my service?

In the above scenario, calls to service hosted on abc.com should fail if the user is not logged in to app.com

 

In my case app.com is shopify.com.

 

Sorry to ask a basic question.

 

@Eric_Zhang?

 

Thanks,

Ranbeer 

1 ACCEPTED SOLUTION
v-chuncz-msft
Community Support

@ranbeermakin,

 

You may take a look at link below.

https://stackoverflow.com/questions/31611072/how-to-secure-the-javascript-api-access-token

Community Support Team _ Sam Zha
If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.


3 REPLIES

Thanks,

CORS I have set up. I'm evaluating proxying the request.

 

Thanks.

Did you ever get a solution to this that avoids putting tokens in JavaScript?
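
One way to make calls to the token service fail unless the user is logged in to app.com, as the thread asks, is to have app.com's server side (or a proxy in front of the service) attach a short-lived signed assertion that abc.com verifies before it issues an embed token. The following is an added example, not code from any poster or from Power BI or Shopify; the shared secret, claim names and function names are assumptions, and Python stands in for whatever language the service is written in.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: app.com's server side (or its proxy) and the abc.com token
# service share this secret; it never appears in browser JavaScript.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
MAX_LIFETIME = 120  # seconds an assertion stays valid


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_assertion(user_id, report_id, now=None, secret=SHARED_SECRET):
    """Runs on app.com's server after it has authenticated the user."""
    now = int(time.time() if now is None else now)
    claims = {"sub": user_id, "report": report_id, "exp": now + MAX_LIFETIME}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_assertion(token, report_id, now=None, secret=SHARED_SECRET):
    """Runs on abc.com before any embed token is generated.

    Returns the authenticated user id, or None if the call must be refused.
    """
    now = int(time.time() if now is None else now)
    try:
        body, tag = token.split(".")
        expected = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return None  # forged or tampered assertion
        padded = body + "=" * (-len(body) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, AttributeError, TypeError):
        return None  # malformed or missing assertion
    if claims.get("exp", 0) < now:
        return None  # expired: a copied request URL stops working
    if claims.get("report") != report_id:
        return None  # assertion was issued for a different report
    return claims.get("sub")
```

CORS only restricts which browser origins may read a response; a check of this kind is what refuses a request replayed outside the application.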
