Embed Token - Generate Token
Generates an embed token for multiple reports, datasets, and target workspaces.
- Reports and datasets don't have to be related.
- You can bind a report to a dataset during embedding.
- You can only create a report in workspaces specified by the targetWorkspaces parameter.
Important
This API call is only relevant to the embed for your customers scenario. To learn more about using this API, see Considerations when generating an embed token.
- When using a service principal for authentication, refer to Embed Power BI content with service principal and Considerations and limitations.
- For Power BI reports with a paginated visual, include the paginated report ID in the API call. For more information, see example.
- This API call can be called by a service principal profile. For more information see: Service principal profiles in Power BI Embedded.
All of the following, unless a requirement doesn't apply:
- Content.Create, required if a target workspace is specified in GenerateTokenRequestV2.
- Report.ReadWrite.All or Report.Read.All, required if a report is specified in GenerateTokenRequestV2.
- Report.ReadWrite.All, required if the allowEdit flag is specified for at least one report in GenerateTokenRequestV2.
- Dataset.ReadWrite.All or Dataset.Read.All
- You can only create a report in workspaces specified by the targetWorkspaces parameter.
- All reports and datasets must reside in a V2 workspace.
- All target workspaces must be V2 workspaces.
- Maximum 50 reports.
- Maximum 50 datasets.
- Maximum 50 target workspaces.
- For Azure Analysis Services or Analysis Services on-premises live connection reports, generating an embed token with row-level security (RLS) might not work for several minutes after a rebind.
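The scope and limit rules listed above can be checked against a GenerateTokenRequestV2 body before the call is made. The following is an added example, not Microsoft's code; the function names are hypothetical, and reading "allowEdit is specified" as allowEdit set to true is an assumption.

```python
# Added example: pre-flight checks for a GenerateTokenRequestV2 body.
MAX_ITEMS = 50  # page limits: 50 reports, 50 datasets, 50 target workspaces
MAX_ROLES = 50  # page limit: an identity can contain up to 50 roles

def required_scopes(body):
    """Return a list of scope groups; the caller needs one scope from each group."""
    # The page lists the dataset scope without a condition, so it is always included.
    groups = [{"Dataset.ReadWrite.All", "Dataset.Read.All"}]
    reports = body.get("reports", [])
    if body.get("targetWorkspaces"):
        groups.append({"Content.Create"})
    # Assumption: "allowEdit is specified" is read as allowEdit set to true.
    if any(r.get("allowEdit") for r in reports):
        groups.append({"Report.ReadWrite.All"})
    elif reports:
        groups.append({"Report.ReadWrite.All", "Report.Read.All"})
    return groups

def missing_scopes(body, granted):
    """Scope groups that none of the granted scopes satisfies."""
    return [g for g in required_scopes(body) if not g & set(granted)]

def limit_violations(body):
    """List the documented limits that the request body exceeds."""
    problems = []
    for key in ("reports", "datasets", "targetWorkspaces"):
        if len(body.get(key, [])) > MAX_ITEMS:
            problems.append(f"{key}: more than {MAX_ITEMS} entries")
    for ident in body.get("identities", []):
        if len(ident.get("roles", [])) > MAX_ROLES:
            problems.append(f"{ident.get('username')}: more than {MAX_ROLES} roles")
    life = body.get("lifetimeInMinutes")
    # The page's note on zero is cut off, so only negatives and non-integers are flagged.
    if life is not None and (isinstance(life, bool) or not isinstance(life, int) or life < 0):
        problems.append("lifetimeInMinutes: must be a positive integer")
    return problems

# First sample request from this page: one dataset, two reports, one editable.
SAMPLE = {
    "datasets": [{"id": "cfafbeb1-8037-4d0c-896e-a46fb27ff229"}],
    "reports": [
        {"allowEdit": True, "id": "b2e49b01-2356-4456-bfb9-3f4c2bc4ddbd"},
        {"id": "759908bb-ead8-4a43-9645-7ffbf921c68d"},
    ],
}

if __name__ == "__main__":
    print(missing_scopes(SAMPLE, {"Dataset.Read.All", "Report.Read.All"}))
    print(limit_violations(SAMPLE))
```

A caller holding only read scopes fails the check for the sample body because one report sets allowEdit, which is the case where a service principal would otherwise need a broader grant than a view-only embed requires.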
POST https://api.powerbi.com/v1.0/myorg/GenerateToken
Name | Type | Description |
---|---|---|
datasets | | A list of datasets |
datasourceIdentities | | List of identities to use when connecting to data sources with Single Sign-On (SSO) enabled. |
identities | | The list of identities to use for row-level security rules |
lifetimeInMinutes | integer | The maximum lifetime of the token in minutes, starting from the time it was generated. Can be used to shorten the token's expiration time, but not to extend it. The value must be a positive integer. Zero ( |
reports | | A list of reports |
targetWorkspaces | | The list of workspaces that the embed token will allow saving to |
Name | Type | Description |
---|---|---|
200 OK | | OK |
Example of generating an embed token for a dataset and two reports. Only one of the reports can be edited.
Sample request
POST https://api.powerbi.com/v1.0/myorg/GenerateToken
{
"datasets": [
{
"id": "cfafbeb1-8037-4d0c-896e-a46fb27ff229"
}
],
"reports": [
{
"allowEdit": true,
"id": "b2e49b01-2356-4456-bfb9-3f4c2bc4ddbd"
},
{
"id": "759908bb-ead8-4a43-9645-7ffbf921c68d"
}
]
}
Sample response
{
"token": "H4sI....AAA=",
"tokenId": "49ae3742-54c0-4c29-af52-619ff93b5c80",
"expiration": "2018-07-29T17:58:19Z"
}
Example of generating an embed token for a paginated report that has a Power BI dataset as a data source. The ID of the dataset must be specified in the request. The report and dataset can each have their own identity.
Sample request
POST https://api.powerbi.com/v1.0/myorg/GenerateToken
{
"datasets": [
{
"id": "cfafbeb1-8037-4d0c-896e-a46fb27ff229",
"xmlaPermissions": "ReadOnly"
}
],
"reports": [
{
"id": "b2e49b01-2356-4456-bfb9-3f4c2bc4ddbd"
}
],
"identities": [
{
"username": "john@contoso.com",
"roles": [
"sales"
],
"datasets": [
"cfafbeb1-8037-4d0c-896e-a46fb27ff229"
]
},
{
"username": "john@contoso.com",
"reports": [
"b2e49b01-2356-4456-bfb9-3f4c2bc4ddbd"
]
}
]
}
Sample response
{
"token": "H4sI....AAA=",
"tokenId": "49ae3742-54c0-4c29-af52-619ff93b5c80",
"expiration": "2028-07-29T17:58:19Z"
}
Sample request
POST https://api.powerbi.com/v1.0/myorg/GenerateToken
{
"reports": [
{
"id": "b2e49b01-2356-4456-bfb9-3f4c2bc4ddbd"
}
],
"datasourceIdentities": [
{
"datasources": [
{
"datasourceType": "Sql",
"connectionDetails": {
"server": "New-Sql-Server",
"database": "New-Sql-Database"
}
}
],
"identityBlob": "eyJ0eX....AAA="
}
]
}
Sample response
{
"token": "H4sI....AAA=",
"tokenId": "49ae3742-54c0-4c29-af52-619ff93b5c80",
"expiration": "2028-07-29T17:58:19Z"
}
Example of generating an embed token for a paginated report with multiple data source identities and a single identity blob
Sample request
POST https://api.powerbi.com/v1.0/myorg/GenerateToken
{
"reports": [
{
"id": "b2e49b01-2356-4456-bfb9-3f4c2bc4ddbd"
}
],
"datasourceIdentities": [
{
"datasources": [
{
"datasourceType": "Sql",
"connectionDetails": {
"server": "New-Sql-Server",
"database": "New-Sql-Database"
}
},
{
"datasourceType": "MySql",
"connectionDetails": {
"server": "New-MySql-Server",
"database": "New-MySql-Database"
}
}
],
"identityBlob": "eyJ0eX....AAA="
}
]
}
Sample response
{
"token": "H4sI....AAA=",
"tokenId": "49ae3742-54c0-4c29-af52-619ff93b5c80",
"expiration": "2028-07-29T17:58:19Z"
}
Example of generating an embed token for a paginated report with multiple data source identities and multiple identity blobs
Sample request
POST https://api.powerbi.com/v1.0/myorg/GenerateToken
{
"reports": [
{
"id": "b2e49b01-2356-4456-bfb9-3f4c2bc4ddbd"
}
],
"datasourceIdentities": [
{
"datasources": [
{
"datasourceType": "Sql",
"connectionDetails": {
"server": "New-Sql-Server",
"database": "New-Sql-Database"
}
}
],
"identityBlob": "eyJ0eX....AAA="
},
{
"datasources": [
{
"datasourceType": "MySql",
"connectionDetails": {
"server": "New-MySql-Server",
"database": "New-MySql-Database"
}
}
],
"identityBlob": "eyJ0dW....AAA="
}
]
}
Sample response
{
"token": "H4sI....AAA=",
"tokenId": "49ae3742-54c0-4c29-af52-619ff93b5c80",
"expiration": "2028-07-29T17:58:19Z"
}
Example of generating an embed token for a Power BI report with a dataset that is connected with DirectQuery to another Power BI dataset. All related dataset IDs must be specified in the request with 'xmlaPermissions' set to 'ReadOnly'. Identity blobs for all SSO-enabled data sources must be provided in the 'datasourceIdentities' array.
Sample request
POST https://api.powerbi.com/v1.0/myorg/GenerateToken
{
"datasets": [
{
"id": "b2e49b01-2356-4456-bfb9-3f4c2bc4ddbd",
"xmlaPermissions": "ReadOnly"
},
{
"id": "cfafbeb1-8037-4d0c-896e-a46fb27ff229",
"xmlaPermissions": "ReadOnly"
}
],
"reports": [
{
"id": "f904e89a-7ebe-4aa0-8647-e409063b4850"
}
],
"datasourceIdentities": [
{
"datasources": [
{
"datasourceType": "Sql",
"connectionDetails": {
"server": "Best-Sql-Server",
"database": "Database3"
}
}
],
"identityBlob": "eyJ0eX....AAA="
}
]
}
Sample response
{
"token": "H4sI....AAA=",
"tokenId": "ab4d49ae-c054-4c29-af52-93b5c80619ff",
"expiration": "2022-06-10T12:41:11Z"
}
Example of generating an embed token for a Power BI report with a paginated visual. The paginated report ID ('...4850') of the paginated visual must be included in the 'reports' section of the request.
Sample request
POST https://api.powerbi.com/v1.0/myorg/GenerateToken
{
"datasets": [
{
"id": "cfafbeb1-8037-4d0c-896e-a46fb27ff229"
}
],
"reports": [
{
"id": "b2e49b01-2356-4456-bfb9-3f4c2bc4ddbd"
},
{
"id": "f904e89a-7ebe-4aa0-8647-e409063b4850"
}
]
}
Sample response
{
"token": "H4sI....AAA=",
"tokenId": "49ae3742-54c0-4c29-af52-619ff93b5c80",
"expiration": "2018-07-29T17:58:19Z"
}
Example of generating an embed token for two datasets with RLS identities and a single report with read-only permissions. The embed token lets you view the report, which is dynamically bound to two different datasets.
Sample request
POST https://api.powerbi.com/v1.0/myorg/GenerateToken
{
"datasets": [
{
"id": "cfafbeb1-8037-4d0c-896e-a46fb27ff229"
},
{
"id": "e75afc47-1150-45e0-aba7-4eb04e4876e5"
}
],
"reports": [
{
"id": "b2e49b01-2356-4456-bfb9-3f4c2bc4ddbd"
}
],
"identities": [
{
"username": "john@contoso.com",
"roles": [
"sales"
],
"datasets": [
"cfafbeb1-8037-4d0c-896e-a46fb27ff229"
]
},
{
"username": "iris@contoso.com",
"roles": [
"executive"
],
"datasets": [
"e75afc47-1150-45e0-aba7-4eb04e4876e5"
]
}
]
}
Sample response
{
"token": "H4sI....AAA=",
"tokenId": "4b76f5ed-5a06-4150-8d1b-60f8e4c186f4",
"expiration": "2028-07-29T17:58:19Z"
}
Sample request
POST https://api.powerbi.com/v1.0/myorg/GenerateToken
{
"datasets": [
{
"id": "cfafbeb1-8037-4d0c-896e-a46fb27ff229"
}
],
"reports": [
{
"id": "b2e49b01-2356-4456-bfb9-3f4c2bc4ddbd"
}
],
"identities": [
{
"username": "john@contoso.com",
"roles": [
"sales"
],
"datasets": [
"cfafbeb1-8037-4d0c-896e-a46fb27ff229"
]
}
],
"lifetimeInMinutes": 10
}
Sample response
{
"token": "H4sI....AAA=",
"tokenId": "4b76f5ed-5a06-4150-8d1b-60f8e4c186f4",
"expiration": "2028-07-29T17:58:19Z"
}
Name | Description |
---|---|
Datasource | The Power BI data source connection details. See examples in Get Datasources or Get Datasources In Group. |
Datasource | Effective identity for connecting DirectQuery data sources with single sign-on (SSO) enabled. |
Datasource | An object that uniquely identifies a single data source by its connection details. |
Effective | Defines the user identity and roles. For more information, see Row-level security with Power BI Embedded. |
Embed | A Power BI embed token |
Generate | Power BI Generate Token Request V2 |
Generate | A dataset object in GenerateTokenRequestV2 |
Generate | A report object in GenerateTokenRequestV2 |
Generate | A workspace object in GenerateTokenRequestV2 |
Identity | A blob for specifying an identity. Only supported for datasets with a DirectQuery connection to Azure SQL |
Xmla | XMLA Permissions |
The Power BI data source connection details. See examples in Get Datasources or Get Datasources In Group.
Name | Type | Description |
---|---|---|
account | string | The connection account |
classInfo | string | The connection class information |
database | string | The connection database |
domain | string | The connection domain |
emailAddress | string | The connection email address |
kind | string | The connection kind |
loginServer | string | The connection login server |
path | string | The connection path |
server | string | The connection server |
url | string | The connection URL |
Effective identity for connecting DirectQuery data sources with single sign-on (SSO) enabled.
Name | Type | Description |
---|---|---|
datasources | | An array of data sources that this identity applies to. |
identityBlob | string | A blob for specifying the identity. |
An object that uniquely identifies a single data source by its connection details.
Name | Type | Description |
---|---|---|
connectionDetails | | The data source connection details. You can obtain the connection details using Get Datasources for paginated reports and Get Datasources for powerbi reports APIs. |
datasourceType | string | The type of the data source. |
Defines the user identity and roles. For more information, see Row-level security with Power BI Embedded.
Name | Type | Description |
---|---|---|
auditableContext | string | The EffectiveIdentity auditable context. If this parameter is provided and isn't empty, it will enable auditing of the EffectiveIdentity and its value will be set to the username in the audit record. Otherwise, the EffectiveIdentity context will be omitted from the GenerateToken audit record. |
customData | string | Custom data that's used to apply row-level security rules. Supported for live connection to Azure Analysis Services models and cloud models only. |
datasets | string[] | An array of datasets for which this identity applies |
identityBlob | | A blob that specifies an identity. Only supported for datasets with a DirectQuery connection to Azure SQL. |
reports | string[] | An array of reports for which this identity applies. Only supported for paginated reports. |
roles | string[] | An array of row-level security (RLS) roles within a token that applies RLS rules. An identity can contain up to 50 roles. A role can contain any character except |
username | string | The effective username within a token that applies row-level security rules. For an on-premises model, the username can contain alphanumeric or any of the following characters |
A Power BI embed token
Name | Type | Description |
---|---|---|
expiration | string | The date and time (UTC) of token expiration |
token | string | The embed token |
tokenId | string | The unique token ID. Through audit logs, the token ID can be used to correlate operations that use the token with the generate operation. |
Power BI Generate Token Request V2
Name | Type | Description |
---|---|---|
datasets | | A list of datasets |
datasourceIdentities | | List of identities to use when connecting to data sources with Single Sign-On (SSO) enabled. |
identities | | The list of identities to use for row-level security rules |
lifetimeInMinutes | integer | The maximum lifetime of the token in minutes, starting from the time it was generated. Can be used to shorten the token's expiration time, but not to extend it. The value must be a positive integer. Zero ( |
reports | | A list of reports |
targetWorkspaces | | The list of workspaces that the embed token will allow saving to |
A dataset object in GenerateTokenRequestV2
Name | Type | Description |
---|---|---|
id | string | The dataset ID |
xmlaPermissions | | XMLA Permissions |
A report object in GenerateTokenRequestV2
Name | Type | Description |
---|---|---|
allowEdit | boolean | Whether the generated embed token supports report editing |
id | string | The report ID |
A workspace object in GenerateTokenRequestV2
Name | Type | Description |
---|---|---|
id | string | The workspace ID |
A blob for specifying an identity. Only supported for datasets with a DirectQuery connection to Azure SQL
Name | Type | Description |
---|---|---|
value | string | An OAuth 2.0 access token for Azure SQL |
XMLA Permissions
Name | Type | Description |
---|---|---|
Off | string | Indicates that the generated embed token doesn't grant access permissions to the dataset's XMLA endpoint. |
ReadOnly | string | Indicates that the generated embed token grants Read access permissions to the dataset's XMLA endpoint. |