@Marlon-Bidu

If I keep the credentials in script files, they can be accessible in many ways through the jsreport API.

You can store credentials in a file and read them from the script. You can pass credentials through environment variables and get them from the script. The credentials can also be included in the request itself and don't need to be stored.

Passing a basic authentication header with a base64 hash in an ajax call on my page will give every chance for someone with bad intentions to have access to sensitive data at the jsreport server.

We also support token-based authentication: https://jsreport.net/learn/authentication#token-based-authentication-using-an-authorization-server

Another option is to avoid exposing jsreport to the public. Run it behind your application and let the browser client be authenticated first on your server before you send the request to jsreport.
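
The last option in the reply above, with jsreport kept private behind the application and its credentials read from environment variables, as an added example that is not part of the original post or jsreport's own code. The session store, the `sid` cookie, the `/reports` route, the template names and the `JSREPORT_*` variable names are assumptions; it needs Node 18+ for the global `fetch`.

```javascript
// Added example: the browser talks only to this backend; jsreport credentials stay server-side.
// Constructed sample data: session ids, template names, port and the private jsreport address.
const sessions = new Map([['constructed-session-id', { user: 'alice' }]]);
const ALLOWED_TEMPLATES = new Set(['invoice', 'monthly-summary']);

// Resolve the caller's session from the cookie header; null means "not logged in".
function sessionFromCookie(cookieHeader) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(cookieHeader || '');
  return m ? sessions.get(m[1]) || null : null;
}

// Build the server-to-server call to jsreport's POST /api/report.
function buildUpstreamRequest(body, env) {
  if (!env.JSREPORT_USER || !env.JSREPORT_PASSWORD) throw new Error('jsreport credentials not configured');
  // The browser may only pick a stored template by name, never send template content.
  if (!ALLOWED_TEMPLATES.has(body.templateName)) throw new Error('template not allowed');
  const basic = Buffer.from(`${env.JSREPORT_USER}:${env.JSREPORT_PASSWORD}`).toString('base64');
  return {
    url: new URL('/api/report', env.JSREPORT_URL || 'http://127.0.0.1:5488').href,
    method: 'POST',
    headers: { 'Content-Type': 'application/json', Authorization: `Basic ${basic}` },
    body: JSON.stringify({ template: { name: body.templateName }, data: body.data || {} })
  };
}

async function handle(req, res) {
  if (req.method !== 'POST' || req.url !== '/reports') return res.writeHead(404).end();
  if (!sessionFromCookie(req.headers.cookie)) return res.writeHead(401).end();
  let upstream;
  try {
    let raw = '';
    for await (const chunk of req) raw += chunk;
    upstream = buildUpstreamRequest(JSON.parse(raw), process.env);
  } catch (e) {
    return res.writeHead(400).end(); // malformed JSON, unknown template or missing server config
  }
  try {
    const r = await fetch(upstream.url, upstream);
    res.writeHead(r.status, { 'Content-Type': r.headers.get('content-type') || 'application/octet-stream' });
    res.end(Buffer.from(await r.arrayBuffer()));
  } catch (e) {
    res.writeHead(502).end(); // jsreport unreachable; no upstream detail is sent to the browser
  }
}

// Call startProxy() from the app's entry point; nothing listens at import time.
async function startProxy(port = 3000) {
  const http = await import('node:http');
  return http.createServer(handle).listen(port, '127.0.0.1');
}
```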