You could see the accesstoken in client end either via postMessage or via Javascript API. By default the accesstoken would expire in one hour.
As to the security concern, when embedding a report via the REST API, before the access token is generated, it actually requires you to login in a pop-up window, you'll have to type your account and password.
↧
Re: How Embedding Power BI report in custom application is secured?
↧