Skip to Content
Author's profile photo Sven Huberti

OAuth with SAP API Management (HCP) – Part 2

In Part1 of our OAuth client credential flow tutorial, we created a token endpoint and created a resource to be protected by an OAuth verification policy.

Referring to our diagram below, we did implement steps 1 and 2, and we’ll implement the remaining steps in this tutorial.

3- Create an API product

The “API product” is a SAP API Management term, and implements the ability to create logical bundles of APIs.
You can enhance these bundles with quotas: for instance a premium set of APIS – ie. API Product – has a quota of 1000 requests per minute. A “free” set of APIs may be limited to 1000 request per month.
You can also set an OAuth scope on the API product level, to restrict access to your APIs.

To create the API Product, log into your HCP tenant and navigate to your API Management Service.
Go the the API proxy page, and click on the “PRODUCT” tab.

Now click on “Create” and create a new product that includes our previously created “OAuthTestProxy” API.
Give it the name “OAuthTestProduct“.

Your API product should look like this:

This product is now available to Application Developers. They access and subscribe to this API product using the Developer Portal.

4- Create an application

Log into your Developer Portal and click on the “OAuthTestProduct”.

The details to the API product are displayed. Click on the “Subscribe” link at the bottom of your screen. Select “New Application”.

Enter a name for your Application, such as “OAuthTestApplication“.
The “Callback URL” is not needed but this would be used for a three-legged OAuth authorization scenario.
Click on “Save”.

As you can see, you now have an application key and an application secret, that you can use to generate an OAuth access token.

5- Get an access token

Now that we have all elements in place, we can test our use case.
First of all, we need to get a token from our token endpoint.

This is done by making a call to the token endpoint, by specifying the client id and client secret of the application.

This is done through a “POST” method, and the body being sent as x-www-form-urlencoded.
Create a new request in POSTMAN, and set its settings as follows:
Method: POST
URL: https://your_APIM_Service/v1/OAuthService/GenerateToken
   client_id: set it to the Application key
   client_secret: set it to the Application secret
   grant_type: client_credentials

Once the request is in place, you may want to save it for next tests since the token will expire.

Notice that the response carries an element called “access_token“. This is the string we want to use when calling an OAuth-protected resource.

6- Call the protected resource

This is the last step of our tutorial: we will make a call to our protected resource.
To do so , let’s create a new request in Postman.

Method: GET
URL: https://your_APIM_Service/v1/OAuthTest/Test1
Key: Authorization
Value: “Bearer ” + the access token from the previous request
Example: “Bearer KJD2uiKJ98Hkjhh2773d”

Be careful that the “Authorization” value is set to “Bearer” followed by a space and the access_token.

As you can see, we are getting the response we specified for the “Test1” resource.
If you change the access token, you will be forbidden the access.


As you could see throughout this tutorial, it’s quite easy to use OAuth within SAP API Management.
Furthermore, you get a specification-compliant OAuth v2 endpoint to facilitate the implementation of any scenario you may have.
The “credential flow” is only one aspect of OAuth, but thanks to the flexibility of SAP API Management, you can implement any OAuth flow that will suit your needs.


Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Amber Badam
      Amber Badam

      Great blog. Thanks for sharing

      Author's profile photo Former Member
      Former Member

      Thanks. I have now got clear understanding of the OAuth policy. This blog and the exercise I have done have answered my questions. Thank you again.

      Author's profile photo Sven Huberti
      Sven Huberti
      Blog Post Author

      Thanks for your comment!

      Author's profile photo Wolfgang Röckelein
      Wolfgang Röckelein

      Hi Sven Huberti ,

      thanks for the useful blogs! Is the authorization code grant also supported?



      Author's profile photo Sven Huberti
      Sven Huberti
      Blog Post Author

      Hi Wolfgang,

      SAP API Management supports all 4 oauth flows, including authorization grant.

      My colleague Andreas Krause has written ablog about the three-leeged authorization flow with Facebook. I can only recommend to read through that too:




      Author's profile photo Rajesh Kumar
      Rajesh Kumar

      Hi Sven - I have a requirement to call the API by generating the token implictly

      that is when the application send the request, My API should generate the token implictly using the

      OAuthToken Endpoint and use the same to call the Actual API and send the response back..

      Though your block states how to get the access token, but I would like how can I combine the two requests here in API.. i.e. one call for Oauth Token and Another Call for Actual API Call..

      Your pointers on this will be helpful to me.


      Thanks & Regards



      Author's profile photo Sven Huberti
      Sven Huberti
      Blog Post Author

      Hi Rajesh,

      this can be done through a Verify OAuth token in the pre-flow. If this is succesfull, the call is simply hitting the backend API. Otherwise, you get an Invalid Oaurth token error.




      Author's profile photo Alex Star
      Alex Star

      HI Sven,

      Great article! However, there is a small typo in the text:  

      grant-type: client_credentials   . The correct text should have underscore instead of dash:  

      grant_type: client_credentials

      You have correct value on the screenshot 🙂


      Thank you,

      Alex Star

      Author's profile photo Sven Huberti
      Sven Huberti
      Blog Post Author

      Hi Alex!

      thanks! I corrected it!


      Author's profile photo Rajesh Kumar
      Rajesh Kumar

      Hi Sven Huberti  - When I tried to get the Token by passing API Key and Client Secret

      I am getting the below error message.

      {"ErrorCode" : "invalid_client", "Error" :"ClientId is Invalid"}

      Do I need to set up anything at Tenant level or Am I missing anything here ?

      Thanks in advance for your help


      Rajesh Pasupula

      Author's profile photo Sven Huberti
      Sven Huberti
      Blog Post Author

      Hi Rajesh,

      it's always difficult to help over blog comments. As far as I know, you do not need anything special on your tenant.

      Are you sure that you copied/pasted the correct values, and did not omit any character? The error message is pretty clear, so maybe the issue is so very obvious you did not spot it...



      Author's profile photo Rajesh Kumar
      Rajesh Kumar

      Thanks, Sven for your prompt response.

      I was passing additional Header parameters as part of the request and after removing those header parameters it worked fine.

      Rajesh Pasupula

      Author's profile photo RAFAEL ASSAYAG

      Congratulations! Excellent blog!


      Currently, I am facing a challenge: How to add "Custom Attributes" to an access_token?


      What do you recommend to read? Does it exist some good tutorial for it?




      Author's profile photo Sven Huberti
      Sven Huberti
      Blog Post Author

      Hi Rafael,

      thanks for your comment!

      I am not an implementation specialist, hence I had to check how adding a custom attribute was possible. This is actually well documented here:

      Hope it helps!


      Author's profile photo Pablo Salinas
      Pablo Salinas

      When publishing the product I get the following error:

      Unable to publish Product

      [Request ID: 5885c4c8-3edc-4ca2-b390-1f591c529978]

      Could it be a permissions issue?

      Author's profile photo Logan Fox
      Logan Fox

      Great blog, quick question.  In my test,I had to pass the client id and secret using basic authentication in Postman.  If I try to pass those values as per your example using www-form-urlencoded I get a 401 error.  Has the implementation changed in APIM since this blog was first written?

      Author's profile photo Sven Huberti
      Sven Huberti
      Blog Post Author

      Hi Logan,

      I wrote this more than 4 years ago. So yes, things may have changed a litte. 🙂

      I did a quick test and I was able to both pass the client_id and client_secret as base64 encoded authorization header (basic auth) and in the body - in my new CF API Management service.

      Maybe Shruthi M Arjun or Dhawal Joshi can shed some light on this - I am not doing much with API Management anymore.

      Anyway: thanks a lot for your comment! Very helpful to the community!


      Author's profile photo Krishan Nagendra
      Krishan Nagendra

      ​Hello Sven

      We have developed OData services in ECC and created API from SAP APIM.  We followed the blogs and were able to generate OAuth2 and make calls to OData in ECC with Bearer Tokens.

      What we are observing is after few calls made, we are seeing 401 errors and further calls stops and later works.

      Kindly request what settings / configuration we are missing, whether any configuration needs to be enabled in ECC -OData to accept OAuth2 authentication?  Appreciate your inputs.