Most app builders know that when we create a connection from Power Apps to an external data source, the credentials for that connection are stored securely in the cloud. In essence, this is all we really need to know, but if you're interested in understanding more about how this works technically, the following video from Phil Topness with Shyam Sunder offers an excellent insight.
To summarise, it's useful to start by defining some of the components that we're already familiar with.
- Connector - a connector is a formal definition of a REST API. It enables app builders to consume REST APIs from Power Apps.
- Connection - a connection is a runtime instance of a connector. When Power Apps initiates a connection to an external data source, the app generates a "Connection ID". This is an ID value that uniquely identifies a "session".
Central to this architecture is the "APIM Gateway". The underlying connectivity to most data sources relies on OAuth authentication - an authentication standard that's used for single sign-on (SSO). This removes the need to pass username/password credentials for each request to a web resource/data source.
Let's suppose we build an app that uses the Gmail connector. The app authenticates with Google's identity provider. Google returns a cryptographically signed token which is used to authenticate subsequent requests to Google services. The "APIM Gateway" stores the token in a token store, and manages the renewal of expired tokens.
The role of the "APIM Gateway" is to call the RESTful API endpoint to carry out operations/return data, and to proxy the returned records back to the client app.
For a more in-depth and better explanation of how this process works, I recommend watching the video.
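The flow described above, as a small Python model added here for illustration. It is not Microsoft's implementation or code from the video; the class names, `invoke`, the fake identity provider and the in-memory token store are all assumptions. It shows that the client app only ever holds a connection ID, while the gateway keeps the token, renews it on expiry and proxies the call.

```python
import secrets

class FakeIdentityProvider:
    """Constructed stand-in for an OAuth identity provider (not a real API)."""
    def __init__(self, lifetime=60):
        self.lifetime, self.issued = lifetime, 0

    def issue(self, now):
        self.issued += 1
        return {"access_token": secrets.token_urlsafe(16),
                "refresh_token": secrets.token_urlsafe(16),
                "expires_at": now + self.lifetime}

    def refresh(self, refresh_token, now):
        return self.issue(now)  # a real provider would validate refresh_token

class Gateway:
    """Hypothetical gateway: tokens stay server-side, keyed by connection ID."""
    def __init__(self, idp, backend):
        self.idp = idp
        self.backend = backend    # callable(access_token, operation) -> records
        self._token_store = {}    # connection_id -> token record

    def create_connection(self, now):
        connection_id = secrets.token_hex(8)
        self._token_store[connection_id] = self.idp.issue(now)
        return connection_id      # the only value handed to the client app

    def invoke(self, connection_id, operation, now):
        record = self._token_store.get(connection_id)
        if record is None:
            raise PermissionError("unknown connection ID")
        if now >= record["expires_at"]:   # renew without involving the client
            record = self.idp.refresh(record["refresh_token"], now)
            self._token_store[connection_id] = record
        return self.backend(record["access_token"], operation)

def demo():
    idp, seen_tokens = FakeIdentityProvider(lifetime=60), []
    def backend(token, operation):        # constructed data source
        seen_tokens.append(token)
        return [f"{operation}: record 1"]
    gateway = Gateway(idp, backend)
    cid = gateway.create_connection(now=0)
    first = gateway.invoke(cid, "list_mail", now=10)
    second = gateway.invoke(cid, "list_mail", now=100)   # token expired at 60
    return cid, first, second, seen_tokens, idp.issued
```
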