Applicable to version  6.00.0210 and upwards.

The most secure way to pass credentials when viewing a dashboard embedded in your application, is to pass an authorisation token.  This token is short-lived, and does not expose any login credentials.

First, make an HTTP POST request to GetAccessToken.ashx, with the parameters "username" and "password".  This will return JSON containing token details; from that take the value of the "access_token" property.

To show a dashboard in your application, pass the access token to Dashboard.aspx, either as a query parameter (e.g. Dashboard.aspx?autoLogin=true&authtoken=…) or as a form parameter (e.g. <input type="hidden" name="authtoken" …).  The latter is more secure as the token will not be visible in the query string (e.g. in logs)

For backwards compatibility, you may continue to post a username and password directly to Dashboard.aspx.  If using this method, ensure HTTPS is in use on the DataPA application.  This method is not recommended if a single username and password is used to authenticate with DataPA (users will be able to see the password in the page source). 

(The username and password may be obfuscated as Base64 if the additional parameter "obfuscated" is set to "true".  For example, in Javascript, use the function btoa() to convert a string to Base64.)

Useful links

Passing AutoLogin=true and the username and password no longer automatically logs a user in to DataPA Enterprise. How do I fix this?