How secure are credentials stored in Power Query for API requests?


We are using an API as a data source for PBI. The API uses the POST method to authenticate with a username and password in the body of the initial request, which retrieves a token. The token is then used in the header of subsequent API calls to get data (using GET).

How secure is this approach, as the credentials are hardcoded?

Could you recommend any solutions on how to better handle these credentials?

Any ideas on this topic are much appreciated.


Have a look here:

Thanks. This post was raised by me.

However, I didn't understand "if you load it as an expression (rather than a partition) it will not be stored in the Power BI model."

Could you please explain in a bit more detail?

How do I load data as an expression? As per my understanding, once we load the data in Power Query, we could convert it into a function or expression and disable data load. But still, if anyone has got access to the Power BI model, they will be able to get the credentials, which are in the file and not encrypted. Thanks.

Well, I interpret the response from lbendlin as follows:

  1. Store the credentials in a file on SharePoint with very limited access.
  2. Create a zero-parameter custom function that retrieves those values.
  3. Invoke the custom function in the place requiring these values.

The custom function itself returns a function value. When invoked from the query that needs these inputs, the function’s logic runs inside that same partition. At that time, it requires access to the source file.

Be sure to test that though and report back so others can learn from it.
I hope this is helpful.
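
The three steps in the reply above, sketched in Power Query M as an added example (not code from the thread). The SharePoint site URL, the file name `api-credentials.json`, the API base URL and endpoint paths, the `token` field and the `Bearer` header scheme are all placeholders or assumptions.

```powerquery
// Added example. Every URL, file name and field name here is a placeholder.
let
    // Step 2: zero-parameter function. The credentials are read at refresh
    // time from a JSON file in a SharePoint library with very limited access
    // (step 1), so no username or password literal appears in the query text.
    GetCredentials = () as record =>
        let
            Files   = SharePoint.Files("https://contoso.sharepoint.com/sites/restricted", [ApiVersion = 15]),
            Match   = Table.SelectRows(Files, each [Name] = "api-credentials.json"),
            // Fail closed if the file is missing or ambiguous.
            Content = if Table.RowCount(Match) = 1
                      then Match{0}[Content]
                      else error Error.Record("Credentials.NotFound",
                                              "Expected exactly one credentials file"),
            // Constructed file shape: { "username": "...", "password": "..." }
            Parsed  = Json.Document(Content)
        in
            [username = Parsed[username], password = Parsed[password]],

    BaseUrl = "https://api.example.com",

    // Step 3: invoke the function inside the query that needs the values.
    // Supplying Content turns the Web.Contents call into a POST.
    TokenResponse = Json.Document(
        Web.Contents(BaseUrl, [
            RelativePath = "auth/token",
            Headers      = [#"Content-Type" = "application/json"],
            Content      = Json.FromValue(GetCredentials())
        ])
    ),
    Token = TokenResponse[token],

    // Subsequent GET with the token in the request header.
    Data = Json.Document(
        Web.Contents(BaseUrl, [
            RelativePath = "data",
            Headers      = [Authorization = "Bearer " & Token]
        ])
    )
in
    // Return only the API data; never surface the credentials or the token
    // as columns, since loaded query output is stored in the model.
    Data
```

Whether this keeps the credentials out of the stored model is exactly what the reply asks to be tested; the sketch only shows the wiring of the three steps.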