Skip to Content
Author's profile photo Muhammad Altaf

Testing REST APIs in XSA Applications Without UI Layer

REST APIs are extremely useful for accessing and modifying data within XSA Multi-Target Applications. When it comes to checking whether the API you’ve designed is working properly or not, things becomes a little difficult if you are not familiar with web security protocols. In this blog, I am going to briefly describe OAuth 2.0, the security protocol used by XSA for user authentication and authorization (UAA), and cover details on how you can make HTTP requests to different modules within an XSA application.

The steps described in this blog are needed only if the XSA application has user authentication configured in the application router. If not, you can simply send an HTTP request from any source and you should be allowed access without any authorization checks. Also, if you are only dealing with HTTP GET requests, you can use any browser to test the API. When you open the URL for the API, you should be redirected to the UAA service which logs you in and takes care of authorization on its own afterwards.

OAuth 2.0

OAuth2 is the security protocol used by XSA. It allows scope-based access to resources as opposed to basic authentication which allows access to all resources for all users. In scope-based authorization, you must have certain scopes granted to you for you to access certain resources. OAuth2 is an industry standard for authorization. For more detailed information, you can visit this link.

Let’s start with understanding the three major roles involved in OAuth2: user, external client, and the (XSA) application which contains the authentication server and protected resources. A user is a person trying to access resources relevant to them from the application using an external client. The external client is registered on the application’s authentication server so that it can request access to those resources. The authentication server handles incoming requests from external clients and responds with appropriate authorization grants and access tokens. These tokens are then used by the external clients to access the protected resources.

Four major grant types are used to request an access token, namely Authorization Code, Implicit, Password, and Client Credentials. The one most relevant to this blog is Client Credentials which only involves the external client and the application. How it works is that you send a request to the authentication server with client credentials (client id and client secret), which you receive when you register your client with the server, and requested scopes. The server responds back with an access token (in the form of a JSON Web Token) which includes the requested scopes. The client can then use this access token to request resources from the application. The diagram below outlines the Client Credentials workflow. If you want details on the other three grant types, please visit this page.


Postman is a tool that you can use to test HTTP communication. It allows you to store session variables, cookies, and authorization information from your HTTP requests and use them in subsequent requests – pretty similar to how a web browser works.

I am going to demonstrate how to use Postman to connect to an XSA application and send HTTP requests to REST APIs contained in that application. First, you need to obtain a valid access token from the UAA service in the XSA application. Open the Postman desktop app and create a new basic request. You should see an empty request page like the one in the image below.

Under authorization, change TYPE to Oauth 2.0. In the panel that shows up to the right, click on Get New Access Token. This should open the GET NEW ACCESS TOKEN form. Change Grant Type to Client Credentials. The updated form should look like the following.

You need to fill out all information required in this form to obtain a valid access token. For token name, you can put anything you wish. To get the rest of the information (client id, etc.), open the command prompt from Windows and log in to XSA using xs login. Make sure you are in the development space. Execute xs env <app> where <app> is the name of the application router module. This should output all environment variables for services and applications bound to the application router. The one we are interested in is the instance of the xsuaa service which is responsible for user authorization. The output for this should look similar to the image shown below.

The Client ID and Client Secret should be included in the environment variables. Copy and paste these into the Postman form. For Access Token URL, use the URL included in the environment variables and append “/oauth/token” to the end of it. Scope is optional, if you provide none, you would be assigned uaa.resource by default. Click Request Token. Postman should then show you the access token it receives (as a base64 string) along with the scopes granted as shown below. Click Use Token before closing the dialog.

Congratulations! You have successfully obtained the access token which you can now use to access resources from the XSA application!! Keep in mind that when you are accessing resources using this method, you should use the direct URLs for those resources as opposed to the URL of the application router which redirects you to the requested resource. Also, the access token expires after a certain time period, so you would need to request a new token from time to time.

To demonstrate how you would use the access token in a subsequent request, I am going to send a POST request to a Python module within my XSA application. You can find the code for this application at this link. In Postman, change the request type to POST. Enter the request URL to be Make sure the Access Token in filled in. The request should look as follows at this point.

Under the Body tab, choose raw from the radio buttons. Select JSON (application/json) from the dropdown list that appears.

Copy and paste the following text.

    "productID": "22335142",
    "category": "Notebooks",
    "price": "45.22"

You are now ready to send the request. Click the blue Send button in the top right. The response should be as follows.


You can also obtain an access token programmatically and send HTTP requests accordingly. I am going to demonstrate this using Python3. The following code snippet shows how to obtain an access token using the OAuth2 Client Credentials workflow. First, you create a client using your Client ID, followed by a client session using the OAuth2Session object. Eventually, you can call the fetch_token function on your session object to obtain the access token. This token contains the default scope for your application. Just a note that I have turned SSL verification off (verify=False) since I am using local self-signed certificates for my XSA application.

from oauthlib.oauth2 import BackendApplicationClient
from requests_oauthlib import OAuth2Session

CLIENT_ID = ''	#your client id goes here
CLIENT_SECRET = ''		#your client secret goes here
TOKEN_URL = ''		#this would be different for you

client = BackendApplicationClient(client_id=CLIENT_ID)
oauth = OAuth2Session(client=client)
token = oauth.fetch_token(token_url=TOKEN_URL, client_id=CLIENT_ID, client_secret=CLIENT_SECRET, verify=False)

That’s it! It’s really that simple!! For an example of how you can use the access token in subsequent requests, I am going to send the same POST request from the Postman section above but using Python this time. The code would be as follows.

import requests
import json

access_token = #your access token goes here		
URL = ''
headers = {'Authorization': 'Bearer %s' % access_token,
           'Content-Type': 'application/json'}
body = json.dumps({'productID': '88997785',
                   'category': 'Notebooks',
                   'price': '88.98'})

r =, headers=headers, data=body, verify=False)

The response should be (‘88997785’, ‘Notebooks’, 88.98, ‘Product 88997785 inserted successfully’)!


The last tool I am going to talk about is CURL, which you can use from a terminal or command prompt to send HTTP requests. If you are using CURL just for testing APIs, you do not need to worry about obtaining the OAuth2 access token yourself. You can request that token directly from the XS command line interface using the xs oauth-token command. This should return a valid access token with all the scopes you need. You can use this token in the header of your subsequent CURL requests to access resources in your XSA application. The image below demonstrates how this works within the command prompt.

The body.txt and headers.txt files should look as follows.


Hopefully this blog has helped you better understand how to work with user authorization in XSA applications. If you still have any questions with regards to obtaining an access token and using it, feel free to comment below!

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Michael Zwick
      Michael Zwick


      great post this was useful for me to understand the internal logic for authorisation at the xs uaa. In addition to this, I want to add the possibility to use the grant type password credentials in postman. As Username and password you can use the credentials of an xsa user.

      With this method you get an oauth token, which has the scopes of this user. So you can test the defined scopes and roles for each user, which were defined in the xs-security.json or directly in the mta.yaml .

      You should add in your post, that you are checking for the default scopes in your python code, instead of defining a scope/role model for your application.

      Author's profile photo kishore chillamcherla
      kishore chillamcherla

      Hi Altaf


      Thank you for the great post.


      Currently i am looking to post a value to external REST API from HANA using XSA or any other service, could you let me know what could be the best way to POST some hard coded values to an external REST API,

      currently i am passing the values as following from POSTMAN.


      Basic Auth:

      User - UserNAme

      Password - Password123

      JSON body:

      { "command": "Import",

      "calendarSeq": "2254353535349",

      "stageTypeSeq": "3543546464358697",

      "traceLevel": "status",

      "userId": "Administrator",

      "runMode": "all",

      "batchName": "BOne1",

      "module": "TransactionalData",

      "stageTables": ["TransactionAndCredit"],

      "runStats": "false"