Power Query: Access REST APIs Secured by Basic Auth and API Key
Many REST APIs have security layers requiring either a unique API key, username/password authentication, or both to grant access.
Using Power Query to access a secure REST API may be confusing if a username and password are required in combination with an API key. When accessing web content, a prompt is displayed with various authentication options including Anonymous, Windows, Basic, Web API, and Organizational Account. The obvious choice is not necessarily the correct choice.
Use Anonymous Access, Not Basic
Instead of Basic authentication, use Anonymous access with an authorization header.
The Basic authentication option is a common first choice because of its name, but it results in an Expression.Error when used with a custom Authorization header.
Expression.Error: The 'Authorization' header is only supported when connecting anonymously.
These headers can be used with all authentication types: Accept, Accept-Charset, Accept-Encoding,
Accept-Language, Cache-Control, Content-Type, If-Modified-Since, Prefer, Range, Referer
Power Query’s authentication dialog and HTTP Authorization headers are separate mechanisms. When Basic authentication is selected in the credential dialog, Power Query appears to generate and manage the Authorization header internally, which would explain why a custom Authorization header cannot be supplied. Using Anonymous credentials avoids this conflict, allowing the query to specify the Authorization header explicitly, along with any other required request headers, such as API key headers.
Establish Anonymous Access
The following steps switch an existing data source to Anonymous access. If the data source does not yet exist, similar steps apply during its creation.
- From the Power Query
Homeribbon, selectData source settings. - The Data source settings screen is displayed. Select the relevant data source and click the
Edit Permissionsbutton. - The Edit Permissions screen is displayed. Under the
Credentialsheading, click theEdit…button. - The Access Web content screen is displayed. Click
Anonymousfollowed by theSavebutton. - Returning to the Edit Permissions screen, the Credentials section now displays
Type: Anonymous. Click theOKbutton to close the Edit Permissions window. - On the Data source settings screen, click the
Closebutton to return to the main Power Query screen.
Create Authorization and API Key Headers
With anonymous access configured, the Authorization and API key headers can be added to the query connection.
Create a few custom parameters to store common data for multiple API queries. This makes future maintenance easier if these values change.
PARAM_API_BASE_URLcontains the base URL of the REST API endpoints.PARAM_API_USERNAMEcontains the username or alias for authentication.PARAM_API_USER_PASSWORDcontains the password for the associated username/alias.PARAM_API_KEY_VALUEcontains the assigned API key value needed to access the API.
The authorization header is expected in the format Basic username:password, where username:password is Base64 encoded (including the :). For example, if username is test and password is 1234, then the authorization header is Authorization = "Basic dGVzdDoxMjM0". Use the Text.ToBinary and Binary.ToText functions to handle the Base64 encoding.
In this example, the RelativePath to the API endpoint is /project/testprj which is appended to the PARAM_API_BASE_URL to get the full URL. The path must be changed to the relative path of the target API endpoint including any expected parameters.
The name of the API key, #"APIKeyName" in this example, must be changed to the actual name expected by the target API endpoint for the API key header.
Source
= Json.Document(
Web.Contents(
PARAM_API_BASE_URL,
[
RelativePath = "/project/testprj",
Headers = [
Authorization = "Basic "
& Binary.ToText(
Text.ToBinary(PARAM_API_USERNAME & ":" & PARAM_API_USER_PASSWORD),
BinaryEncoding.Base64
),
#"APIKeyName" = PARAM_API_KEY_VALUE
]
]
)
)
Summary
To access a secure REST API with Power Query, where Authorization and API key headers are required, use Anonymous access instead of Basic authentication. Set up Anonymous access, then add the required Authorization and API key headers. The Authorization header must be Base64 encoded; update the API endpoint path, key name, and key value as needed.