Skip to Content
Technical Articles

Configure a Technical Authentication to trigger SAP Cloud Platform Workflow Instances in the Cloud Foundry Environment

In this third part, you’ll learn how to configure a Technical Authentication to trigger Workflow Instances in the Cloud Foundry environment through other applications. This is a team work, big thanks to Javier GarcĂ­a for working this out with me 🙂

Find here the previous part of this blog post about deploying a Workflow Project and configuring a Mail Destination for Mail Tasks.

After deploying your Workflow project, go to the Service Keys within your Workflow Service in the Cockpit. Here you’ll find relevant info about your Workflow API Endpoints, URL, clientid, clientsecret, etc.

You can check in your command prompt / terminal the access token with this command:

On Windows:

curl ^-X POST ^<url>/oauth/token?grant_type=client_credentials ^-u "clientid:clientsecret”

On Mac:

curl \
<url>/oauth/token?grant_type=client_credentials \
-u '<clientid>:<clientsecret>'

Your clientid is your user and your clientsecret is your password to authenticate and get the access token.

To start a Workflow Instance using technical authentication, you must prepare a JSON object (JSON file) that specifies the list of authorizations you want to grant to the OAuth2 client that is provided through the service instance, like:

{ "authorities": [ "WORKFLOW_INSTANCE_START", "MESSAGE_SEND" ] }

In my case I named the file config.json:

What you need to do now is to login to Cloud Foundry via the command prompt/terminal (CLI), point to the folder path where you have that JSON object and send this command line:

cf update-service <your workflow service instance name> -c <yourfile.json>

This is how it looks:

Now you have grant permissions to start workflow instances from other applications.

To do it, you must POST the payload you want to send to your workflow endpoint: <workflow_rest_url>/v1/workflow-instances by putting the access token and content-type as application/json in your headers, like this:

URL = “”
HEADERS = {'Authorization': “Bearer <access token>”, "Content-Type":"application/json"}


This is an example testing it out with Postman, getting the access token using the clientid and clientsecret as my username and password (it works with both: GET / POST):

And triggering the workflow instance, using the access token as Authorization and posting a simple payload:


Here it goes an example of how to set up this configuration in a server app creating a Python function:

def triggerWorkflow():
  s = requests.session()

  URL = "<url>/oauth/token?grant_type=client_credentials" #you get this url from the Service Key
  HEADERS = {'Authorization': "Basic <base64 cliendid and clientsecret credentials>"} #you get these credentials from the Service Key
  r = s.get(url=URL,headers=HEADERS)
  access_token = r.json()['access_token']  
  token = "Bearer {}".format(access_token)
  URL = "<workflow_rest_url>/v1/workflow-instances" #you get this workflow_rest_url from the Service Key

  HEADERS = {'Authorization': token, "Content-Type":"application/json"}

  JSON = {
  "definitionId": "<your workflow definitionId>",
  "context": {
    "product": "Camera",
    "price": 100
  r =,headers=HEADERS, json=JSON)

  return r.status_code


You can find more info about the Workflow Service in the Cloud Foundry environment in this documentation, and about the Workflow APIs resources here.

In conclusion, you can now trigger Workflow Instances through other applications using a Technical Authentication. This will allow you to integrate your workflow with many other technologies 🙂

Be the first to leave a comment
You must be Logged on to comment or reply to a post.