# Access Tokens

In order to access any Power BI content from an external application (sometimes referred to as *embedding*), an access token must be requested from Azure.  The details for requesting a token depend on the security configuration for the Azure tenant as well as the way in which users are to be accessing content in Power BI.

For details, visit the following link.

{% embed url="<https://docs.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow>" %}

## Application

In order to make calls to Power BI from outside Power BI, an application must be registered with Azure.  Permissions and scopes can be defined for the external application as well as the API client id and client secrets needed to access Power BI.

For details, visit the following link.

{% embed url="<https://docs.microsoft.com/en-us/power-bi/developer/embedded/register-app?tabs=customers%2CAzure>" %}

## Endpoint

To create an access token, a post request is sent to the following end point requesting access to a resource where `tenantId` is the id of the Azure tenant.

```
https://login.microsoftonline.com/{tenantId}/oauth2/token
```

One or more of the following data is posted in the request based on application requirements.

| Property       | Description                                                                                |
| -------------- | ------------------------------------------------------------------------------------------ |
| resource       | This is the Power BI API resource.  See [Resource](#resource).                             |
| client\_id     | The application's unique identifier                                                        |
| client\_secret | The secret for the API registered in the application with permission to access Power BI    |
| username       | Optional.  Used only with the `password` grant type.                                       |
| password       | Optional.  Used only with the `password` grant type.                                       |
| grant\_type    | The authentication flow used to generate the access token.  See [Grant type](#grant-type). |

### Resource

This value is always `https://analysis.windows.net/powerbi/api`

### Grant type

When using Power BI in external applications, the user accessing content is either a customer or a member of your organization.  To put this in other Power BI terms, either the *app owns the data* or the *user owns the data*. &#x20;

For more on these two different options, visit the following link.

{% embed url="<https://docs.microsoft.com/en-us/power-bi/developer/embedded/embedded-analytics-power-bi>" %}

When Power BI is accessed by customers, a service principal is given access to content.  That "user" is then authenticated and given an access token using the `client_credentials` grant type.

When using Power BI with internal employees, users can use their own credentials to request an access token.  Here, the `password` grant type is used.

## Sample

All the material discussed in this section has been implemented in the [sample application](/powerbi/installation.md) that comes with the WireBootstrap for Power BI.   This sample is a good example of how to generate tokens in order to use Power BI in external applications.

### Request a Token

In the project, the `TokensController` class at `\Controllers\TokensController.cs` contains a method called `GetAccessToken` that can be called by clients to retrieve a token from Power BI.  &#x20;

The following in an excerpt from the call to this method from `\index.js` in the sample.

```javascript
const accessToken = await fetch("/tokens/GetAccessToken");
const response = await accessToken.json();
const token = response.access_token;
```

### Create a Token

On the server, `GetAccessToken` reads the values for the token request from `appsettings.json`, makes the call to Power BI, and returns the token to the client.

Below is an excerpt from `appsettings.json` with the variables needed for the call to generate a token.  Replace the brackets `[]` with the actual values needed to connect to your Azure AD application.

```json
{
  "AppTenantId": "[Your Azure Tenant ID]",
  "AuthTokenUrl": "https://login.microsoftonline.com/{AppTenantId}/oauth2/token",
  "Resource": "https://analysis.windows.net/powerbi/api",
  "ClientId": "[Client ID the Azure AD app]",
  "ClientSecret": "[Client Secret for the Azure AD app]",
  "User": "[Optional - User name if using 'password' grant type]",
  "Password": "[Optional - Password if using 'password' grant type]"
}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.wirebootstrap.com/powerbi/access-tokens.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.