Finance & Analytics

Live Xero Data in Power BI Without Storing It Anywhere

Power BI can't speak Xero's language — but RequestRocket can. Accept Basic Auth from Power BI, translate it to Xero OAuth2, inject the tenant ID automatically, and restrict access to read-only reports. No data warehouse. No ETL. No intermediate copies of your financial data.

Financial Services
Finance & Data Team
0 intermediate stores required
Read-only Xero access scope
100% of requests audited

The Challenge

Xero Speaks OAuth2. Power BI Only Speaks Basic Auth.

Power BI's built-in Web connector authenticates against an arbitrary API endpoint with Basic Authentication: a username and password sent with each request. The Xero Accounting API requires OAuth2 access tokens and, critically, a Xero-tenant-id header on every request to identify which organisation's data to return. The connector's credential dialog offers no way to add a custom HTTP header, and Power BI has no OAuth2 token lifecycle of its own; even hand-written Power Query that sets headers still needs someone else to keep the token fresh. The traditional answer is a staging layer: pull Xero data nightly into a database or data warehouse that Power BI can query. That introduces stale data, additional infrastructure, more systems to maintain, and, for a finance team, another location where sensitive accounting data is stored and must be governed.

Power BI Cannot Send the Required Header

Xero rejects any API call that omits Xero-tenant-id. Power BI's Basic Auth connector has no mechanism to inject custom HTTP headers, so without a layer in between every request fails (Xero answers with a 403) regardless of whether the OAuth2 token is valid.

OAuth2 Token Lifecycle Cannot Live in a Dataset

Pre-generating a Xero access token and pasting it into Power BI as a password breaks the moment the token expires. Xero access tokens are short-lived (30 minutes); keeping one fresh requires code, a scheduled job, or a developer on call when the board report runs at 6 AM.

Shared Broad Credentials Are a Security Risk

A credential with full Xero API access stored in a Power BI dataset is a liability. Report users have no business need to write invoices, create contacts, or modify chart-of-accounts entries, yet anyone who extracts that credential from the dataset can do all three. The credential scope should match the use case.

Every Intermediate Store Is Another Compliance Surface

Finance data in a data warehouse requires its own access controls, retention policy, encryption, and audit trail — often as much governance work as the original integration, for data that is already governed in Xero.

The Solution

Proxy the Xero API: Inject the Header, Restrict the Scope, Skip the Warehouse

The team placed a RequestRocket proxy in front of the Xero Accounting API. The proxy accepts Basic Auth from Power BI, exchanges it for a valid Xero OAuth2 access token, and injects Xero-tenant-id on every forwarded request, a header that is configured once and never visible to Power BI. Authorization rules restrict the proxy credential to GET requests on the Xero Reports paths (plus whichever read endpoints the reports need), enforcing read-only access at the proxy layer before any request reaches Xero. Because Power BI never holds a Xero credential, the proxy is the only path it has to the API, so the rules cannot be bypassed from the report side. Power BI connects to live data directly. The ETL pipeline and the staging database were decommissioned.

"We deleted the ETL pipeline and the staging database on the same day. Power BI now queries Xero directly, and the finance team gets live data instead of last night's snapshot."

How it works

1. Create a target in RequestRocket pointing at https://api.xero.com. Store a target credential with credentialAuthType 'oauth2' and grantType 'client_credentials', setting accessTokenURL to https://identity.xero.com/connect/token and providing the Xero app's appClientId and clientSecret. Set additionalHeaders to { "Xero-tenant-id": "<your-tenant-id>" } on the credential secret so the tenant ID is injected automatically on every forwarded request. Xero issues client_credentials tokens only to Custom Connection apps, which are bound to a single organisation, so the tenant ID you configure is that organisation's; keep the app's scopes to the read-only ones the reports need (for example accounting.reports.read) so the token itself carries no write authority.

2. Create a Basic Auth proxy credential with a username and password of your choice. This is what Power BI authenticates with; it is not a Xero credential and does not need to change when Xero credentials are rotated. Treat it as a secret nonetheless: whoever holds it can read every report the allow rules expose, so use a long random password and only ever send it over HTTPS.

3. Create a proxy wiring the Basic Auth proxy credential to the Xero target and OAuth2 target credential. Set proxyDefaultRuleEffect to 'deny' so all requests are blocked unless an explicit rule permits them.

4. Add an allow rule restricting access to read-only reporting paths: effect 'allow', methods ['GET'], path pattern ^/api\.xro/2\.0/Reports/.*, presence must_exist. Add a separate GET allow rule, with the same fields and its own anchored path pattern, for any other Xero endpoint the reports need (e.g. ^/api\.xro/2\.0/Accounts$ or ^/api\.xro/2\.0/Invoices.*). Keep each pattern as tight as the endpoint allows; a GET on /Invoices returns full transaction detail rather than a summary report, so add it only when a report actually needs it.

5. In Power BI Desktop or the Service, use the Web connector pointed at the proxy's regional endpoint with the Xero path appended, for example https://<proxy-endpoint>/api.xro/2.0/Reports/ProfitAndLoss?fromDate=2024-01-01&toDate=2024-12-31. When prompted for authentication, select Basic and enter the proxy credential username and password. Power BI never sees the Xero OAuth2 credential or the tenant ID.
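The following is an added example, not RequestRocket's code, that models the policy steps 1 to 5 configure: validate the Power BI-side Basic credential, evaluate a default-deny rule list against the canonical request path, swap in a cached client_credentials bearer token that is refreshed before Xero's expiry, and inject Xero-tenant-id. The class names (ProxyPolicy, TokenCache, Rule), the placeholder tenant ID and proxy password, and the fake token fetcher are illustrative assumptions; the Xero token endpoint, the accounting.reports.read scope and the Reports path are real.

```python
"""Added example (not RequestRocket's code): a minimal model of the proxy
policy in steps 1-5. Class and function names are illustrative assumptions."""
import base64
import hmac
import posixpath
import re
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
from urllib.parse import unquote, urlencode

XERO_API = "https://api.xero.com"
XERO_TOKEN_URL = "https://identity.xero.com/connect/token"


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def build_token_request(client_id: str, client_secret: str,
                        scope: str = "accounting.reports.read") -> dict:
    """Shape of the Xero client_credentials exchange (step 1), not sent here:
    app credentials travel as HTTP Basic, the scope is the read-only minimum."""
    return {
        "method": "POST",
        "url": XERO_TOKEN_URL,
        "headers": {"Authorization": basic_header(client_id, client_secret),
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "client_credentials", "scope": scope}),
    }


@dataclass
class TokenCache:
    """Holds one access token and re-fetches it `margin` seconds before expiry,
    so a 6 AM refresh never reaches Xero with a stale token. `fetch` performs
    the POST above and returns (access_token, expires_in_seconds)."""
    fetch: Callable[[], Tuple[str, int]]
    margin: int = 60
    _token: Optional[str] = None
    _expires_at: float = 0.0

    def get(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self.margin:
            self._token, ttl = self.fetch()
            self._expires_at = now + ttl
        return self._token


@dataclass(frozen=True)
class Rule:
    effect: str               # "allow" or "deny"
    methods: frozenset        # HTTP methods the rule covers
    path: "re.Pattern[str]"   # anchored regex over the canonical path


@dataclass
class ProxyPolicy:
    proxy_user: str
    proxy_password: str
    tenant_id: str
    tokens: TokenCache
    rules: list
    default_effect: str = "deny"   # step 3: proxyDefaultRuleEffect

    def basic_auth_ok(self, header: Optional[str]) -> bool:
        """Validate the Power BI-side credential (step 2) in constant time."""
        if not header or not header.startswith("Basic "):
            return False
        try:
            raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return False
        user, sep, password = raw.partition(":")
        return (sep == ":"
                and hmac.compare_digest(user, self.proxy_user)
                and hmac.compare_digest(password, self.proxy_password))

    @staticmethod
    def canonical_path(target: str) -> Optional[str]:
        """Decode and normalise before matching, so /Reports/../Invoices or
        %2e%2e cannot slip past a regex that only saw the raw string."""
        path = unquote(target.split("?", 1)[0])
        if not path.startswith("/") or posixpath.normpath(path) != path:
            return None
        return path

    def decide(self, method: str, path: str) -> str:
        for rule in self.rules:          # first matching rule wins
            if method.upper() in rule.methods and rule.path.match(path):
                return rule.effect
        return self.default_effect

    def forward(self, method: str, target: str, headers: dict,
                now: Optional[float] = None) -> dict:
        """Return an error response, or the request to send on to Xero."""
        if not self.basic_auth_ok(headers.get("Authorization")):
            return {"status": 401, "body": "proxy credential rejected"}
        path = self.canonical_path(target)
        if path is None or self.decide(method, path) != "allow":
            return {"status": 403, "body": f"{method} {target} not permitted"}
        upstream = {k: v for k, v in headers.items()   # never forward the Basic creds
                    if k.lower() not in ("authorization", "host")}
        upstream["Authorization"] = f"Bearer {self.tokens.get(now)}"
        upstream["Xero-tenant-id"] = self.tenant_id     # step 1 header
        return {"status": None, "method": method.upper(),
                "url": XERO_API + target, "headers": upstream}


def demo_policy(fetch: Callable[[], Tuple[str, int]]) -> ProxyPolicy:
    """Policy from step 4: default deny, GET on Reports and Accounts only.
    Credentials and tenant ID are constructed placeholders."""
    return ProxyPolicy(
        proxy_user="powerbi", proxy_password="s3cret-proxy-pw",
        tenant_id="00000000-0000-0000-0000-000000000000",
        tokens=TokenCache(fetch),
        rules=[
            Rule("allow", frozenset({"GET"}), re.compile(r"^/api\.xro/2\.0/Reports/.*")),
            Rule("allow", frozenset({"GET"}), re.compile(r"^/api\.xro/2\.0/Accounts$")),
        ],
    )
```

Two details matter beyond what the steps say. The rule check runs on a decoded, normalised path, because a regex anchored on the raw string can be walked around with `..` or percent-encoded slashes if the upstream normalises differently. And the upstream request is built from scratch rather than passed through: the Power BI Basic header is dropped, the bearer token and tenant header are added, so nothing the client sent can reach Xero as a credential.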

The Results

Measurable Impact

0 ETL Pipelines

No intermediate data store needed

Power BI queries the Xero API live through the proxy. There is no data warehouse, no staging database, and no nightly refresh job to maintain. Financial reports reflect the current state of Xero at the time of each refresh.

No Header Config

Xero-tenant-id injected automatically

The tenant ID is set once in the target credential and injected on every request forwarded to Xero. Power BI does not manage it, and it cannot be accidentally omitted or incorrectly set.

Read-Only Enforced

Access restricted to read-only reporting paths

Authorization rules allow only GET requests on Xero Reports paths. Even if Power BI attempted a write operation, the proxy denies it before the request reaches Xero. The default-deny policy means new Xero endpoints are blocked until explicitly allowed.

100% Logged

Full audit trail on every Xero API call

Every Power BI refresh that queries Xero through the proxy is recorded with the proxy credential identity, endpoint path, HTTP status, and timestamp — providing a complete access log for finance compliance requirements.
