Skip to Content

OAuth with SAP API Management (HCP) – Part 2

In Part1 of our OAuth client credential flow tutorial, we created a token endpoint and created a resource to be protected by an OAuth verification policy.

Referring to our diagram below, we did implement steps 1 and 2, and we’ll implement the remaining steps in this tutorial.

3- Create an API product

The “API product” is a SAP API Management term, and implements the ability to create logical bundles of APIs.
You can enhance these bundles with quotas: for instance a premium set of APIS – ie. API Product – has a quota of 1000 requests per minute. A “free” set of APIs may be limited to 1000 request per month.
You can also set an OAuth scope on the API product level, to restrict access to your APIs.

To create the API Product, log into your HCP tenant and navigate to your API Management Service.
Go the the API proxy page, and click on the “PRODUCT” tab.

Now click on “Create” and create a new product that includes our previously created “OAuthTestProxy” API.
Give it the name “OAuthTestProduct“.

Your API product should look like this:

This product is now available to Application Developers. They access and subscribe to this API product using the Developer Portal.

4- Create an application

Log into your Developer Portal and click on the “OAuthTestProduct”.

The details to the API product are displayed. Click on the “Subscribe” link at the bottom of your screen. Select “New Application”.

Enter a name for your Application, such as “OAuthTestApplication“.
The “Callback URL” is not needed but this would be used for a three-legged OAuth authorization scenario.
Click on “Save”.

As you can see, you now have an application key and an application secret, that you can use to generate an OAuth access token.

5- Get an access token

Now that we have all elements in place, we can test our use case.
First of all, we need to get a token from our token endpoint.

This is done by making a call to the token endpoint, by specifying the client id and client secret of the application.

This is done through a “POST” method, and the body being sent as x-www-form-urlencoded.
Create a new request in POSTMAN, and set its settings as follows:
Method: POST
URL: https://your_APIM_Service/v1/OAuthService/GenerateToken
   client_id: set it to the Application key
   client_secret: set it to the Application secret
   grant_type: client_credentials

Once the request is in place, you may want to save it for next tests since the token will expire.

Notice that the response carries an element called “access_token“. This is the string we want to use when calling an OAuth-protected resource.

6- Call the protected resource

This is the last step of our tutorial: we will make a call to our protected resource.
To do so , let’s create a new request in Postman.

Method: GET
URL: https://your_APIM_Service/v1/OAuthTest/Test1
Key: Authorization
Value: “Bearer ” + the access token from the previous request
Example: “Bearer KJD2uiKJ98Hkjhh2773d”

Be careful that the “Authorization” value is set to “Bearer” followed by a space and the access_token.

As you can see, we are getting the response we specified for the “Test1” resource.
If you change the access token, you will be forbidden the access.


As you could see throughout this tutorial, it’s quite easy to use OAuth within SAP API Management.
Furthermore, you get a specification-compliant OAuth v2 endpoint to facilitate the implementation of any scenario you may have.
The “credential flow” is only one aspect of OAuth, but thanks to the flexibility of SAP API Management, you can implement any OAuth flow that will suit your needs.


You must be Logged on to comment or reply to a post.
  • Thanks. I have now got clear understanding of the OAuth policy. This blog and the exercise I have done have answered my questions. Thank you again.

  • Hi Sven - I have a requirement to call the API by generating the token implictly

    that is when the application send the request, My API should generate the token implictly using the

    OAuthToken Endpoint and use the same to call the Actual API and send the response back..

    Though your block states how to get the access token, but I would like how can I combine the two requests here in API.. i.e. one call for Oauth Token and Another Call for Actual API Call..

    Your pointers on this will be helpful to me.


    Thanks & Regards



    • Hi Rajesh,

      this can be done through a Verify OAuth token in the pre-flow. If this is succesfull, the call is simply hitting the backend API. Otherwise, you get an Invalid Oaurth token error.




  • HI Sven,

    Great article! However, there is a small typo in the text:  

    grant-type: client_credentials   . The correct text should have underscore instead of dash:  

    grant_type: client_credentials

    You have correct value on the screenshot 🙂


    Thank you,

    Alex Star

  • Hi Sven Huberti  - When I tried to get the Token by passing API Key and Client Secret

    I am getting the below error message.

    {"ErrorCode" : "invalid_client", "Error" :"ClientId is Invalid"}

    Do I need to set up anything at Tenant level or Am I missing anything here ?

    Thanks in advance for your help


    Rajesh Pasupula

    • Hi Rajesh,

      it's always difficult to help over blog comments. As far as I know, you do not need anything special on your tenant.

      Are you sure that you copied/pasted the correct values, and did not omit any character? The error message is pretty clear, so maybe the issue is so very obvious you did not spot it...



      • Thanks, Sven for your prompt response.

        I was passing additional Header parameters as part of the request and after removing those header parameters it worked fine.

        Rajesh Pasupula

  • Congratulations! Excellent blog!


    Currently, I am facing a challenge: How to add "Custom Attributes" to an access_token?


    What do you recommend to read? Does it exist some good tutorial for it?




  • When publishing the product I get the following error:

    Unable to publish Product

    [Request ID: 5885c4c8-3edc-4ca2-b390-1f591c529978]

    Could it be a permissions issue?

  • Great blog, quick question.  In my test,I had to pass the client id and secret using basic authentication in Postman.  If I try to pass those values as per your example using www-form-urlencoded I get a 401 error.  Has the implementation changed in APIM since this blog was first written?

    • Hi Logan,

      I wrote this more than 4 years ago. So yes, things may have changed a litte. 🙂

      I did a quick test and I was able to both pass the client_id and client_secret as base64 encoded authorization header (basic auth) and in the body - in my new CF API Management service.

      Maybe Shruthi M Arjun or Dhawal Joshi can shed some light on this - I am not doing much with API Management anymore.

      Anyway: thanks a lot for your comment! Very helpful to the community!


  • ​Hello Sven

    We have developed OData services in ECC and created API from SAP APIM.  We followed the blogs and were able to generate OAuth2 and make calls to OData in ECC with Bearer Tokens.

    What we are observing is after few calls made, we are seeing 401 errors and further calls stops and later works.

    Kindly request what settings / configuration we are missing, whether any configuration needs to be enabled in ECC -OData to accept OAuth2 authentication?  Appreciate your inputs.