
How to Securely Connect Power BI to Employment Hero with RequestRocket

  • Writer: RequestRocket
  • Oct 5

Introduction to Power BI and Employment Hero Integration


Power BI’s out-of-the-box “Web” connector accepts Basic credentials. However, connecting to payroll platforms like Employment Hero (KeyPay) is problematic because the API key their service issues is overly permissive: anyone holding the key has full access to read and write data in your payroll system.


In an ideal world we want to give people access to certain parts of our payroll system, not carte blanche "we trust you with everything" access, especially if you manage multiple payrolls and only need analytics across one of them.


Fortunately, RequestRocket provides a solution. Our service allows you to implement fine-grained control over access to payroll data.


Follow the workflow below, and you will have a live Employment Hero dataset refreshing in Power BI in about 10 minutes without exposing every business you work with to excessive risks.


Prerequisites


Before you begin, ensure you have the following:


| Item | Notes |
|------|-------|
| One or more Employment Hero organisations | You will need to obtain an API key from Employment Hero |
| RequestRocket | Gives you custom authentication and proxy routing. |
| Power BI Desktop | Any edition works; a Power BI Pro licence is required to schedule refreshes. |


Step 1: Obtain an API Key from Employment Hero


To obtain an API Key from Employment Hero, follow these steps:

  • Log in to Employment Hero Payroll: Access your Employment Hero Payroll account.

  • Navigate to Account Settings: Click on your name in the top right corner of the interface, then select "My Account."

  • Access API Key Generation: On the "Account Details" or "Security" page (depending on the platform version), locate the section for API Key.

  • Generate/Copy the API Key: If an API key has not been generated, click "Generate API Key." A key will be created.

    • If a key already exists, it will be displayed in the "API Key" field. Double-click to select the text and copy it or click the "Copy" icon if available.

  • Store the API Key Securely: Keep the generated or copied API key in a safe and secure location, as it grants access to your account's data via the API.


Step 2: Create a Basic Auth Target Credential in RequestRocket


  1. Go to Credentials → New → Name: Target Credentials.

  2. Set Type: target | Auth type: Basic.

  3. Populate the Secret section as follows:

    1. Username: (your API Key)

    2. Password: (any password you like)

  4. Click Create, then choose Authenticate. Xero will open, ask for consent, and redirect back. You should see Authentication Successful.


Step 3: Create a Target for the API



Step 4: Create a Basic Credential for Power BI


  • Go to Proxy Credentials → New → Name: API Credential

  • Auth type: Basic.

  • Enter any username you like and let RequestRocket generate a secure password.


Make sure to copy these values somewhere safe. Power BI and the on-prem gateway will use them.


Step 5: Build the Proxy that Ties Everything Together


  1. Go to Proxies → New →

    1. Name: Payroll Proxy

    2. Enable toggle Active.

    3. Set Proxy Credential: API Credential

    4. Set Target: API Target

    5. Set Target Credential: Target Credential

    6. Leave everything else as default for now

  2. Click Create. Note the Base URL that appears, for example, https://ap-southeast-2.requestrocket.com/api/e910b056-bb22-4e34-a1fe-c1234567899s.


Step 6: List Your Businesses (First Request)


Let's add some security to our proxy by limiting API requests to a specific business.


  1. In Power BI (or Postman), set up a GET request to `{proxyBaseUrl}/business`.

  2. Choose Basic Auth and enter the username and password from Step 4.

  3. Send the call and find the business ID for the business you want to limit our API to.


Step 7: Pin the Business via the Proxy Target


It's crucial not to skip this step, as it manages the security of your connections. On the target Edit page, update the target Base URL to be:

Now all of our requests to the proxy will be forced to interact with a single business. But we can go one step further.


Step 8: Restrict usage to GET requests


To ensure your developer can't make breaking changes to your payroll data, let's navigate back to the proxy Edit page and create a rule. You'll need to hit the edit button first.


In the Authorization Rules section, create a new rule which denies all HTTP methods except for "GET".


Create a rule that denies anything other than a GET request.


Your Authorization Rules should look like this.

At this point, we have everything we need to make authenticated calls from Power BI → via RequestRocket → to Payroll.
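
Before handing the credential to anyone, it is worth confirming that the proxy really enforces what Steps 4 and 8 set up. The script below is an added example, not RequestRocket's own code: it probes the proxy and reports any expectation that fails. Assumptions: the proxy answers a rule denial with HTTP 403 (`DENY_STATUS`; confirm against your own proxy's response), the non-GET probes target a constructed path that does not exist so they cannot change payroll data, and the two stub functions are constructed stand-ins that let the check run offline.

```python
import base64
import urllib.error
import urllib.request

DENY_STATUS = 403                            # assumption: status returned when a rule denies
READ_PATH = "/employee/unstructured"         # endpoint used in Step 9
NO_SUCH_PATH = "/policy-check-no-such-path"  # constructed path; cannot touch payroll data

def http_sender(base_url, username, password):
    """Return send(method, path, with_auth) -> HTTP status, sent through the proxy."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    def send(method, path, with_auth=True):
        req = urllib.request.Request(base_url.rstrip("/") + path, method=method)
        if with_auth:
            req.add_header("Authorization", "Basic " + token)
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status
        except urllib.error.HTTPError as err:   # 4xx/5xx still carry the status we need
            return err.code
    return send

def check_policy(send):
    """Run the probes; return a list of findings (empty list means the policy holds)."""
    findings = []
    if not 200 <= send("GET", READ_PATH) < 300:
        findings.append("GET with the proxy credential did not succeed")
    if 200 <= send("GET", READ_PATH, with_auth=False) < 300:
        findings.append("GET without credentials was served")
    for method in ("POST", "PUT", "PATCH", "DELETE"):
        status = send(method, NO_SUCH_PATH)
        if status != DENY_STATUS:
            findings.append(f"{method} was not denied by the proxy (status {status})")
    return findings

# Constructed stand-ins for two proxy configurations, so the check runs offline.
def configured_proxy(method, path, with_auth=True):
    if not with_auth:
        return 401
    if method != "GET":
        return DENY_STATUS                   # Step 8 rule in place
    return 200 if path == READ_PATH else 404

def proxy_without_rule(method, path, with_auth=True):
    if not with_auth:
        return 401
    return 200 if path == READ_PATH else 404  # non-GET passes through to the API

# Real run: check_policy(http_sender(proxy_base_url, username, password))
```

Run it with the Base URL from Step 5 and the credential from Step 4; an empty list means every probe behaved as expected.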


Step 9: Bring Any Data into Power BI


You can query any endpoint, such as the Accounts list.


  1. Go to Get data → Web again, this time using:

    {proxyBaseUrl}/employee/unstructured

  2. Authenticate with your Basic credentials (i.e., Username and Password).

  3. Power Query will display your results.


You can repeat this process with other endpoints by simply changing the path.


Conclusion


RequestRocket allows you to replace the authentication of any target system with the authentication method you prefer, in addition to adding a layer of security that the target system doesn't offer. In this tutorial, we've demonstrated how to directly consume the Employment Hero API into Power BI without the need for expensive middleware. This approach is not limited to Employment Hero; it applies to any system where you want to secure your credentials instead of exposing them in code.
