Share via


Embed Token - Dashboards GenerateTokenInGroup

Generates an embed token to view the specified dashboard from the specified workspace.

Important

This API call is only relevant to the embed for your customers scenario. To learn more about using this API, see Considerations when generating an embed token.

Permissions

Required Scope

All of the following:

  • Dashboard.ReadWrite.All or Dashboard.Read.All
  • Report.ReadWrite.All or Report.Read.All
  • Dataset.ReadWrite.All or Dataset.Read.All

POST https://api.powerbi.com/v1.0/myorg/groups/{groupId}/dashboards/{dashboardId}/GenerateToken

URI Parameters

Name In Required Type Description
dashboardId
path True

string (uuid)

The dashboard ID

groupId
path True

string (uuid)

The workspace ID

Request Body

Name Type Description
accessLevel

TokenAccessLevel

The required access level for embed token generation

allowSaveAs

boolean

Whether an embedded report can be saved as a new report. The default value is false. Only applies when you generate an embed token for report embedding.

datasetId

string

The dataset ID used for report creation. Only applies when you generate an embed token for report creation.

identities

EffectiveIdentity[]

A list of identities to use for row-level security rules

lifetimeInMinutes

integer

The maximum lifetime of the token in minutes, starting from the time it was generated. Can be used to shorten the expiration time of a token, but not to extend it. The value must be a positive integer. Zero (0) is equivalent to null and will be ignored, resulting in the default expiration time.

Responses

Name Type Description
200 OK

EmbedToken

OK

Examples

Generate a dashboard embed token using an effective identity with an identity blob example
Generate a dashboard embed token with multiple identities example

Generate a dashboard embed token using an effective identity with an identity blob example

Sample request

POST https://api.powerbi.com/v1.0/myorg/groups/f089354e-8366-4e18-aea3-4cb4a3a50b48/dashboards/69ffaa6c-b36d-4d01-96f5-1ed67c64d4af/GenerateToken
{
  "accessLevel": "View",
  "identities": [
    {
      "datasets": [
        "cfafbeb1-8037-4d0c-896e-a46fb27ff229"
      ],
      "identityBlob": {
        "value": "eyJ0eX....AAA="
      }
    }
  ]
}

Sample response

{
  "token": "H4sI....AAA=",
  "tokenId": "49ae3742-54c0-4c29-af52-619ff93b5c80",
  "expiration": "2018-07-29T17:58:19Z"
}

Generate a dashboard embed token with multiple identities example

Sample request

POST https://api.powerbi.com/v1.0/myorg/groups/f089354e-8366-4e18-aea3-4cb4a3a50b48/dashboards/69ffaa6c-b36d-4d01-96f5-1ed67c64d4af/GenerateToken
{
  "accessLevel": "View",
  "identities": [
    {
      "username": "john@contoso.com",
      "roles": [
        "sales"
      ],
      "datasets": [
        "cfafbeb1-8037-4d0c-896e-a46fb27ff229"
      ]
    },
    {
      "username": "john_contoso",
      "roles": [
        "product"
      ],
      "datasets": [
        "a8b062ca-5730-468f-9df7-43c2ba76bf5e"
      ]
    }
  ]
}

Sample response

{
  "token": "H4sI....AAA=",
  "tokenId": "49ae3742-54c0-4c29-af52-619ff93b5c80",
  "expiration": "2018-07-29T17:58:19Z"
}

Definitions

Name Description
EffectiveIdentity

Defines the user identity and roles. For more information, see Row-level security with Power BI Embedded.

EmbedToken

A Power BI embed token

GenerateTokenRequest

Power BI Generate Token Request

IdentityBlob

A blob for specifying an identity. Only supported for datasets with a DirectQuery connection to Azure SQL

TokenAccessLevel

The required access level for embed token generation

EffectiveIdentity

Defines the user identity and roles. For more information, see Row-level security with Power BI Embedded.

Name Type Description
auditableContext

string

The EffectiveIdentity auditable context. If this parameter is provided and isn't empty, it will enable auditing of the EffectiveIdentity and its value will be set to the username in the audit record. Otherwise, the EffectiveIdentity context will be omitted from the GenerateToken audit record.

customData

string

Custom data that's used to apply row-level security rules. Supported for live connection to Azure Analysis Services models and cloud models only.

datasets

string[]

An array of datasets for which this identity applies

identityBlob

IdentityBlob

A blob that specifies an identity. Only supported for datasets with a DirectQuery connection to Azure SQL.

reports

string[]

An array of reports for which this identity applies. Only supported for paginated reports.

roles

string[]

An array of row-level security (RLS) roles within a token that applies RLS rules. An identity can contain up to 50 roles. A role can contain any character except ,, and its length must not exceed 50 characters.

username

string

The effective username within a token that applies row-level security rules. For an on-premises model, the username can contain alphanumeric or any of the following characters ., -, _, !, #, ^, ~, \\, @. For cloud models, the username can contain any ASCII character. For either model, the username length must not exceed 256 characters, and the username shouldn't contain spaces.

EmbedToken

A Power BI embed token

Name Type Description
expiration

string (date-time)

The date and time (UTC) of token expiration

token

string

The embed token

tokenId

string (uuid)

The unique token ID. Through audit logs, the token ID can be used to correlate operations that use the token with the generate operation.

GenerateTokenRequest

Power BI Generate Token Request

Name Type Description
accessLevel

TokenAccessLevel

The required access level for embed token generation

allowSaveAs

boolean

Whether an embedded report can be saved as a new report. The default value is false. Only applies when you generate an embed token for report embedding.

datasetId

string

The dataset ID used for report creation. Only applies when you generate an embed token for report creation.

identities

EffectiveIdentity[]

A list of identities to use for row-level security rules

lifetimeInMinutes

integer

The maximum lifetime of the token in minutes, starting from the time it was generated. Can be used to shorten the expiration time of a token, but not to extend it. The value must be a positive integer. Zero (0) is equivalent to null and will be ignored, resulting in the default expiration time.

IdentityBlob

A blob for specifying an identity. Only supported for datasets with a DirectQuery connection to Azure SQL

Name Type Description
value

string

An OAuth 2.0 access token for Azure SQL

TokenAccessLevel

The required access level for embed token generation

Value Description
View

Indicates that the generated embed token grants view-only permission

Edit

Indicates that the generated embed token grants view and edit permissions. Only applies when you generate an embed token for report embedding.

Create

Indicates that the generated embed token grants create permission. Only applies when you generate an embed token for report creation.