We have embedded Power BI reports in a new browser window using Power BI Client library at https://www.npmjs.com/package/powerbi-client using Javascript and following the tutorial referece (https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-sample-for-your-organization?tabs=net-core)

After user logs out of application, PowerBI URL was still returning the FABRIC data with valid access token

URL : https://wabi-us-north-central-g-primary-redirect.analysis.windows.net/explore/reports/131f8072-f66d-48bb-b66f-904b2d147e20/conceptualschema?userPreferredLocale=en-US

After logout, the embed token was still valid and allowed users to make calls to above URL, which is recorded as an issue after our Applicaiton Penetration testing.

It would be useful to have a Power BI API which can invalidate Embed Token