Enterprise
Schedule Free DemoSupportBlogDemos
Try it Free
Search results
Suggest a FeaturePDF

How to generate the authentication token by using the Embed Secret Key API

You can generate the authentication token for a user in Bold Reports® by using the Embed Secret Key API. To do this, pass the following parameters in the request body.

username - The user’s email address.

grant_type - The type of credentials used to authorize the request for an authentication token. The valid value is embed_secret.

embed_nonce - A random string value that restricts attackers from hacking. For example 5ff24040-cd74-42cf-a168-57f8cb7dafed.

timestamp - The current time as a UNIX timestamp. For example: 1583934776

embed_signature - By using the username, embed_nonce, timestamp and the embed secret key(which can be generated from Bold Reports® Report server Embed settings), the embed_signature value can be generated using the HMACSHA256 algorithm.

Here is a sample C# code to illustrate the approach.

Add the following assemblies to the namespace:

  • System.Collections.Generic
  • System.Net.Http
  • Newtonsoft.Json
  • System.Security.Cryptography
  • System.Net

Refer to the Newtonsoft.Json assembly from the Nuget package.

.NET,.NET Core, and .NET Framework

public class Token
{
    public string access_token { get; set; }

    public string token_type { get; set; }

    public string expires_in { get; set; }

    public string email { get; set; }

    public string error { get; set; }

    public string error_description { get; set; }

}

private static string tokenurl = "/reporting/api/site/site1/token";
private static string boldReportsUrl = "https://demo.example.com"; // Provide your Bold Reports<sup>®</sup> URL
private static string username = "[email protected]"; // Provide your Email ID
private static string nonce = Guid.NewGuid().ToString();
private static string timeStamp = DateTimeToUnixTimeStamp(DateTime.UtcNow).ToString();
private static string secretCode = "lettffAEI0FtKDGdrDekEv7WUbHwOwO"; // Provide your embed secret key value from the Bold Reports<sup>®</sup> Report Server Embed Settings.

public static void Main(string[] args)
{
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; // This is required while running the Bold Reports<sup>®</sup> from Azure App Service
    GetToken();
}

public static Token GetToken()
{
    var client = new HttpClient();
    client.BaseAddress = new Uri(boldReportsUrl);
    client.DefaultRequestHeaders.Accept.Clear();
    client.DefaultRequestHeaders.ConnectionClose = true;
    string embedMessage = "embed_nonce=" + nonce + "&user_email=" + username + "&timestamp=" + timeStamp;
    string signature = SignURL(embedMessage.ToLower(), secretCode);

    var content = new FormUrlEncodedContent(new[]
    {
       new KeyValuePair<string, string>("grant_type", "embed_secret"),
       new KeyValuePair<string, string>("username", username),
       new KeyValuePair<string, string>("embed_nonce", nonce),
       new KeyValuePair<string, string>("embed_signature", signature),
       new KeyValuePair<string, string>("timestamp", timeStamp)
    });

    var result = client.PostAsync(tokenurl, content).Result;

    string resultContent = result.Content.ReadAsStringAsync().Result;

    if (JsonConvert.DeserializeObject<Token>(resultContent)?.error == "authorization_failed")
    {
        Console.WriteLine("authorization_failed: " + JsonConvert.DeserializeObject<Token>(resultContent)?.error_description);
        Console.ReadLine();
        Environment.Exit(-1);
    }

    return JsonConvert.DeserializeObject<Token>(resultContent);
}

public static double DateTimeToUnixTimeStamp(DateTime dateTime)
{
    DateTime unixStart = new DateTime(1970, 1, 1, 0, 0, 0, 0, System.DateTimeKind.Utc);
    long unixTimeStampInTicks = (dateTime.ToUniversalTime() - unixStart).Ticks;
    return unixTimeStampInTicks / TimeSpan.TicksPerSecond;
}

public static string SignURL(string embedMessage, string secretcode)
{
    var encoding = new UTF8Encoding();
    var keyBytes = encoding.GetBytes(secretcode);
    var messageBytes = encoding.GetBytes(embedMessage);
    using (var hmacsha1 = new HMACSHA256(keyBytes))
        {
            var hashMessage = hmacsha1.ComputeHash(messageBytes);
            return Convert.ToBase64String(hashMessage);
        }
}

NODE JS

// ESM style (add "type": "module" to package.json or use .mjs extension)
import crypto from 'crypto';
import fetch from 'node-fetch'; // npm install node-fetch@2 (for Node < 18) or use native fetch in Node 18+

// ────────────────────────────────────────────────
// Configuration: Bold Reports Server
const BOLD_REPORTS_URL   = 'https://demo.example.com';           // Your Bold Reports server URL
const SITE_IDENTIFIER    = 'site1';                             // Multi-tenant site name
const USER_EMAIL         = '[email protected]';                  // Must exist in Bold Reports
const EMBED_SECRET_KEY   = 'lettffAEI0FtKDGdrDekEv7WUbHwOwO';   // From Embed Settings → Embed Secret Key
// ────────────────────────────────────────────────

function getUnixTimestampSeconds() {
  return Math.floor(Date.now() / 1000).toString();
}

function generateNonce() {
  return crypto.randomUUID?.() ?? crypto.randomBytes(16).toString('hex');
}

function createEmbedSignature(message, secret) {
  const hmac = crypto.createHmac('sha256', Buffer.from(secret, 'utf8'));
  hmac.update(message, 'utf8');
  return hmac.digest('base64');
}

async function generateEmbedToken() {
  const nonce     = generateNonce();
  const timestamp = getUnixTimestampSeconds();

  // Construct message exactly as per Bold Reports docs
  const embedMessage = `embed_nonce=${nonce}&user_email=${USER_EMAIL}&timestamp=${timestamp}`;

  const signature = createEmbedSignature(embedMessage, EMBED_SECRET_KEY);

  const tokenEndpoint = `${BOLD_REPORTS_URL}/reporting/api/site/${SITE_IDENTIFIER}/token`;

  const body = new URLSearchParams({
    grant_type:      'embed_secret',
    username:        USER_EMAIL,
    embed_nonce:     nonce,
    embed_signature: signature,
    timestamp,
  });

  try {
    const response = await fetch(tokenEndpoint, {
      method:  'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body:    body.toString(),
      // Optional: timeout after 10s
      signal:  AbortSignal.timeout(10000),
    });

    if (!response.ok) {
      const errorText = await response.text();
      throw new Error(`Token request failed: HTTP ${response.status} - ${errorText}`);
    }

    const data = await response.json();

    if (data.error === 'authorization_failed') {
      throw new Error(`Authorization failed: ${data.error_description || 'Unknown reason'}`);
    }

    if (!data.access_token) {
      throw new Error('No access_token returned in response');
    }

    console.log('Embed Token generated successfully:');
    console.log(JSON.stringify(data, null, 2));



    return data.access_token;
  } catch (err) {
    console.error('Failed to generate embed token:');
    console.error(err.message);
    if (err.cause) console.error('Cause:', err.cause);
    process.exitCode = 1;
  }
}


generateEmbedToken();

After the token is generated, use it by attaching it to the request header (Authorization) for all subsequent API calls to authenticate the requests.

See Also

CONTENTS
Having trouble getting help?
Contact Support
CONTENTS
Having trouble getting help?
Contact Support