This documentation is currently in preview and is therefore subject to change.

Security and Data Protection

Overview

Build a Doc uses a secure authentication model based on API keys and integrates with Microsoft Entra ID for portal access.


Authentication Methods

API Key Authentication (Connector)

The Power Platform connector uses API key authentication:

  • Each API key is associated with a subscription
  • Keys are passed with each request to authorise access
  • Keys can be rotated or revoked via the portal

Microsoft Entra ID (Portal)

The customer portal uses Microsoft Entra ID:

  • Sign in with your Microsoft account
  • Uses the same identity as your Microsoft 365 subscription

Authorisation

Subscription-Based Access

Your API key determines (see Subscription Management):

  • Which features you can access
  • Your usage quota (see Limits and Quotas)
  • Rate limits applied to requests

Portal Roles

For detailed role permissions, see User Management and Roles and Permissions Reference.

Permission | Admin | Member | Viewer
View subscription details
Change subscription plan
Create API keys
Revoke API keys ⚠️*
View usage reports
Export reports
Invite users
Remove users
Change user roles
View audit logs ⚠️**

* Member can revoke only their own API keys
** Member has limited audit log access


Connection Security

Power Automate Connections

  • Connection credentials are stored centrally by Power Automate
  • Other users cannot see your API key
  • Flows using your connection run under your credentials

Shared Flows

For shared or production flows (see Connector FAQ):

  • Create a dedicated service account connection
  • This avoids tying flows to individual user accounts
  • Simplifies key rotation and auditing

Data Security

In Transit

  • All communications use HTTPS/TLS encryption
  • API endpoints enforce secure connections

At Rest

  • Document processing is stateless
  • Templates and outputs are not stored by Build a Doc (see Privacy and Data Handling)
  • You maintain control of your data in SharePoint/OneDrive

API Key Management

For an in-depth introduction, see Use the Customer Portal and Manage API Keys.

Creating Keys

  1. Sign in to the Build a Doc portal
  2. Navigate to the API Keys section
  3. Click Create New Key
  4. Copy and store the key securely

Rotating Keys

  1. Create a new key before revoking the old one
  2. Update connections to use the new key
  3. Verify flows work with the new key
  4. Revoke the old key

Revoking Keys

  • Revoke immediately if a key is compromised
  • Revoked keys cannot be reinstated
  • Flows using revoked keys will fail with 401 errors (see Error Codes)
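
Because a revoked key cannot be reinstated, it helps to check the rotation steps above mechanically before step 4. The following is an added example, not part of Build a Doc or its portal: it assumes you keep your own inventory of connections, and the connection names, key labels and the `revocation_blockers` helper are all hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Connection:
    name: str                   # connection label (constructed)
    key_id: str                 # label for the API key in use, never the secret
    last_status: Optional[int]  # HTTP status of the latest test run, None if untested


def revocation_blockers(connections: List[Connection],
                        old_key: str, new_key: str) -> List[str]:
    """Return the reasons the old key must not be revoked yet (empty = safe)."""
    blockers = []
    if not any(c.key_id == new_key for c in connections):
        blockers.append(f"no connection uses {new_key}; create and deploy it first")
    for c in connections:
        if c.key_id == old_key:
            # Step 2 incomplete: this flow would start failing with 401.
            blockers.append(f"{c.name}: still on {old_key}")
        elif c.key_id == new_key:
            if c.last_status is None:
                # Step 3 incomplete: the new key was never exercised here.
                blockers.append(f"{c.name}: not verified with {new_key}")
            elif not 200 <= c.last_status < 300:
                blockers.append(f"{c.name}: test run returned {c.last_status}")
    return blockers


# Constructed inventory, mid-rotation: one flow migrated and verified,
# one migrated but untested, one still on the old key.
MID_ROTATION = [
    Connection("invoice-flow", "key-2025", 200),
    Connection("contract-flow", "key-2025", None),
    Connection("report-flow", "key-2024", 200),
]

# Same inventory after steps 2 and 3 are finished for every connection.
COMPLETE = [Connection(c.name, "key-2025", 200) for c in MID_ROTATION]

if __name__ == "__main__":
    for label, inventory in (("mid-rotation", MID_ROTATION), ("complete", COMPLETE)):
        problems = revocation_blockers(inventory, "key-2024", "key-2025")
        print(label, "->", problems if problems else "safe to revoke")
```

Store only key labels in such an inventory; the key values themselves stay in the Power Automate connection.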

Common Security Scenarios

Multi-Tenant Access

  • Connections are user- and tenant-specific
  • Create separate connections for different tenants
  • Use dedicated keys for each tenant

Auditing

  • API usage is tracked against your subscription
  • View usage reports in the portal
  • Monitor for unusual activity