Connect Power BI to any API using Basic Auth — without compromising on security

The auth gap Power BI can’t cross on its own

Power BI’s built-in Web connector and dataflow connections support Basic Authentication — a username and password sent with each request. That’s fine for legacy APIs, but most modern data sources require something more sophisticated: OAuth2 client credentials, bearer tokens from a token endpoint, or custom API keys with specific header formats.

The usual workarounds are painful. You can pre-generate a long-lived bearer token, paste it into Power BI as a password, and hope it doesn’t expire at 2 AM before a board report runs. You can embed an API key directly in a query, which means it lives in a .pbix file that gets emailed around. Or you can build a custom connector, which requires a developer, a certification process, and ongoing maintenance.

RequestRocket gives you a fourth option: put a proxy in front of the API that accepts Basic Auth from Power BI and handles all the real authentication itself.

How auth translation works

Every request through RequestRocket involves two credentials:

  • A proxy credential — what the caller (Power BI) uses to authenticate to RequestRocket.
  • A target credential — what RequestRocket uses to authenticate to the upstream API.

These are configured independently. Power BI connects with Basic Auth using a username and password you control. RequestRocket accepts that, validates it, then forwards the request to the upstream API using whichever authentication method the API actually requires — OAuth2, bearer token, API key, or anything else the platform supports.

Power BI never sees the real API credentials. The real credentials never leave RequestRocket’s encrypted vault.
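
A sketch of the translation step described above, added here as an illustration and not RequestRocket's own code: it checks the caller's Basic credential in constant time, drops the inbound Authorization header, and attaches a cached bearer token that is refreshed shortly before expiry. The names TokenCache, check_basic and translate are hypothetical, the token fetcher is supplied by the caller, and the username and password are the sample values from this page's Step 1 payload.

```python
import base64
import hmac
import time

# Assumed sample values (same as the Step 1 payload); never hard-code real secrets.
PROXY_USER = "powerbi-reports"
PROXY_PASS = "a-long-random-secret-string"


class TokenCache:
    """Caches the upstream access token and refreshes it shortly before expiry."""

    def __init__(self, fetch, skew=30):
        self._fetch = fetch      # hypothetical callable -> (token, expires_in_seconds)
        self._skew = skew        # refresh this many seconds early
        self._token, self._expires_at = None, 0.0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self._skew:
            self._token, ttl = self._fetch()
            self._expires_at = now + ttl
        return self._token


def check_basic(header):
    """Return True only for a well-formed Basic header carrying the proxy secret."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:           # covers malformed base64 and invalid UTF-8
        return False
    user, sep, pw = decoded.partition(":")
    # Compare both fields in constant time so timing does not show which one failed.
    ok_user = hmac.compare_digest(user.encode(), PROXY_USER.encode())
    ok_pw = hmac.compare_digest(pw.encode(), PROXY_PASS.encode())
    return bool(sep) and ok_user and ok_pw


def translate(headers, cache, now=None):
    """Return (status, headers). The caller's Basic credential is never forwarded."""
    inbound = {k.lower(): v for k, v in headers.items()}
    if not check_basic(inbound.get("authorization")):
        return 401, {"www-authenticate": 'Basic realm="proxy"'}
    upstream = {k: v for k, v in inbound.items() if k != "authorization"}
    upstream["authorization"] = "Bearer " + cache.get(now)
    return 200, upstream
```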

Setting it up

Step 1: Create a Basic Auth proxy credential

This is what Power BI will use. Choose a username and a strong random password — these are not your API credentials, just the shared secret between Power BI and the proxy:

POST /clients/{clientId}/credentials
{
  "credentialType": "proxy",
  "credentialAuthType": "basic",
  "credentialName": "powerbi-salesforce-connector",
  "credentialRegion": "us-east-1",
  "credentialSecret": {
    "username": "powerbi-reports",
    "password": "a-long-random-secret-string"
  }
}

Step 2: Create a target credential for the upstream API

This is the credential RequestRocket uses to call the real API. The example below uses OAuth2 client credentials — a common pattern for machine-to-machine API access. RequestRocket fetches and refreshes tokens automatically:

POST /clients/{clientId}/credentials
{
  "credentialType": "target",
  "credentialAuthType": "oauth2",
  "credentialName": "salesforce-api",
  "credentialRegion": "us-east-1",
  "credentialSecret": {
    "grantType": "client_credentials",
    "appClientId": "your-salesforce-client-id",
    "clientSecret": "your-salesforce-client-secret",
    "accessTokenURL": "https://login.salesforce.com/services/oauth2/token",
    "addToHeader": true
  }
}

If the upstream uses a static bearer token or API key instead, the target credential shape changes — but the proxy credential and Power BI configuration stay exactly the same:

{
  "credentialType": "target",
  "credentialAuthType": "bearer",
  "credentialName": "internal-api",
  "credentialRegion": "us-east-1",
  "credentialSecret": {
    "token": "sk-xxxxxxxxxxxxxxxx",
    "addToHeader": true
  }
}

Step 3: Create a proxy

Wire the proxy credential, target, and target credential together:

POST /clients/{clientId}/proxies
{
  "proxyName": "salesforce-powerbi",
  "proxyRegion": "us-east-1",
  "proxyProxyCredentialId": "<basic-credential-id>",
  "proxyTargetId": "<target-id>",
  "proxyTargetCredentialId": "<oauth2-credential-id>",
  "proxyDefaultRuleEffect": "allow"
}

Step 4: Connect Power BI

In Power BI Desktop or the Service, use the Web connector with the proxy’s regional endpoint as the base URL. When prompted for authentication, choose Basic and enter the username and password from Step 1. That’s the only credential Power BI needs to know about.

OAuth2 APIs that Power BI couldn’t reach before

Before auth translation, connecting Power BI to an OAuth2-protected API required either a custom connector or a fragile workaround with a manually generated token. With RequestRocket, any API that uses the OAuth2 client credentials grant is now directly accessible from Power BI — the proxy fetches and refreshes tokens in the background, and Power BI sees a stable Basic Auth interface throughout.

The same applies to APIs that use custom token endpoints: RequestRocket’s customToken credential type can call any token endpoint, extract the token from any response shape, and manage expiry automatically.

What you gain beyond connecting

Auth translation solves the immediate connection problem. But the proxy gives you a set of controls that make the integration production-grade:

No credentials in code or dataset files. The only credential in Power BI is a Basic Auth username and password that you own and control. The real API key or OAuth2 client secret is never written into a query, a .pbix file, a pipeline definition, or a CI environment variable.

Rotation without reconfiguring Power BI. When an API key rotates or an OAuth2 client secret needs to be cycled, update the target credential in RequestRocket. Power BI doesn’t change. Datasets don’t need to be republished. Reports keep running.

Monitoring on every request. Every request Power BI makes through the proxy is logged. The telemetry API gives you aggregated request counts, response times, and error rates by minute or hour. If a scheduled refresh starts failing at midnight, the request log shows you exactly what status code the upstream returned — without any additional instrumentation.

Rate limiting at the proxy. If you have multiple Power BI reports or workspaces hitting the same upstream API, you can configure proxyMaxRequestsPerMinute and proxyMaxRequestsPerDay on the proxy to ensure you don’t exceed the upstream’s rate limits across concurrent scheduled refreshes.

Audit trail. The request log records which proxy credential authenticated each request, when it was received, when the upstream responded, and what status code it returned. If there’s ever a question about which report triggered a spike in API usage, the log has the answer.

Next steps

The setup described here takes a few API calls and works with any upstream API that RequestRocket supports as a target. Read the RequestRocket documentation for the full credential and proxy reference, or start for free and connect your first Power BI data source today.
