Skip to Content
Technical Articles
Author's profile photo Divya Mary

OAuth Setup for Cloud Integration in Cloud Foundry Environment

Cloud Integration capability of SAP Cloud Platform Integration Suite supports end-to-end process integration across cloud-based and on-premise applications (cloud-cloud and cloud-on-premise integration) making cloud integration simple and reliable.

Follow this tutorial to set up SAP Cloud Integration Suite in trial environment and create product details REST API as an integration flow.


In the tutorial Request Product Details with an Integration Scenario steps to create the service instance and keys for Process Integration Runtime service is captured.  The service keys will provide you with client id and secret. client id can be used as user name and secret can be used as password if you would like to connect to your integration flows of Cloud Integration via Basic Authentication.  Alternatively you can leverage the client id , secret and token URL from the service keys file to get the OAuth access token and then connect to your integration flow of Cloud Integration via OAuth access token approach.  In this blog, steps to invoke an integration flow from Cloud Integration via OAuth access token in Cloud Foundry environment has been showcased.

  • Logon to your SAP Cloud Platform trial
  • Service Instances and Keys are created at Cloud Foundry Spaces level. Navigate to your Cloud Foundry Space where Process Integration Runtime service instance keys has been created. In the SAP Cloud Platform trial a default space named dev is automatically created when you will enable the trial environment. Refer step 1 of this tutorial for creating service instance and key for Cloud Integration.

  • Navigate to Services -> Service Instances to view all your created Services instances. Select the service instance for the Process Integration Runtime

  • Select the service keys and then select View from the icons with three vertical dots.

  • From the keys file, copy the value for clientid, clientsecret and tokenurl. The value of clientid and clientsecret can be used as client identifier and secret while fetching the OAuth access token. The value of the tokenurl can be used as your OAuth token issuer URL.

For testing the flow, any test console / client like Postman can be used. In this blog, postman has been used.

  • In the postman, copy tokenurl from your service instance -> keys file and append ?grant_type=client_credentials . Select POST method. In Authorization tab, select Basic Auth from drop down. Enter clientid and clientsecret from service instance -> keys file as Username and Password in Postman.

  • Select Send to get an OAuth access token to invoke your Cloud Integration flow with OAuth access token. Copy value of the access_token attribute from the response.

  • Follow this tutorial to create an integration flow that exposes a product details information as a REST API. To get your integration flow endpoint, navigate to your Integration Suite account. Logon to your SAP Cloud Platform trial. Select Subscription and search and select Integration Suite. Click on Go to Application

  • It will launch the Integration Suite launch pad in a new browser tab. Select Design, Develop and Operate Integrate Scenarios. 

  • From the Cloud Integration workspace. Navigate to the Monitor view. In the Monitor view, under the Manage Integration Content section, choose Start to access all the started artifacts that you have deployed. You will also see the integration flow that you have deployed here.

  • Select your integration flow and in the Endpoints tab you can notice your REST API your for your integration flow. This URL can be used to invoke your integration flow as a REST API from any REST client like postman.

  • In the postman, enter the endpoint of your integration flow. Then, select the POST operation from the dropdown list. Select the Authorization tab and choose Bearer Token in the Type dropdown list. In the token field enter the value of the received access_token from the OAuth token issuer endpoint.

  • Select the Body tab and choose raw radio button. In the form below, enter
  "productIdentifier": "HT-2000"
  • Choose Send to invoke your integration flow using OAuth authentication


With this you have connected to your integration flow using OAuth client credentials grant type approach.

More blogs on SAP Cloud Platform Integration Suite available in SAP Community.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Muhammad Iqbal
      Muhammad Iqbal


      Thanks for the nice and informative blogs for the beginners.

      Can you please let me know how to use the OAuth token for different users?

      Since the endpoint will be the same to get the token but how to get a different client id and secret?

      Is there anyway to do that without creating multiple multiple instances?

      Would be nice to have such a blog where multiple users can use the OAUTH URL with different client secret and client id?



      Author's profile photo Divya Mary
      Divya Mary
      Blog Post Author

      Hi Muhammad,

      Thanks for the kind words on the blog.

      To get different client id and secret, you will have to create separate service instances. The OAuth token URL will remain the same in this case and by creating separate service instances you can get your separate client id and secret.

      Thanks and Best Regards,


      Author's profile photo David Nguyen
      David Nguyen

      Thanks Divya! Is there a way to shorten the access token?


      Thanks again,


      Author's profile photo Muhammad Iqbal
      Muhammad Iqbal

      Many thanks for the confirmation Divya.

      Your blogs are very nice and informative.

      Would be nice to have a blog around HANA DB connectivity with SAP CPI to upsert and get the data.

      I have managed to create multiple instances and they are generating different client and secret but need to know if there is any limit in create multiple service instance?

      Is this a standard process to create multiple instance to give different client id and secret to different users/clients?

      Is there any other way to generate different client id / secret?

      I just need to know if there is any other way to give authorization to the users/clients without creating multiple S-User to send the message to SAP CPI with ESBMessaging.send?

      Hope you will help.

      Many thanks,


      Author's profile photo Lucas Millbrodt
      Lucas Millbrodt


      thank you for the tutorial. I'd have a question whether it would be possible to modify the Client Secret to a custom value or a specified length.


      Best Regards



      Author's profile photo Mark Chuen Teck CHING
      Mark Chuen Teck CHING

      Hi Divya,


      Must the HANA database reside in the same subaccount as the CPI tenant for it to be accessible?



      Best Regards,


      Author's profile photo Indu Khurana
      Indu Khurana

      Hello Divya,

      Thank you for another wonderful and informative blog, I search for your blog specifically when I'm stuck. 🙂

      I have a question regarding service key, In your blog you have created a service key for instance of Process Integration runtime .I generated token by following your process and invoked integration flow and and the connection works fine end to end.

      While trying API management, I tried creating service key for an instance created for API in 'Process Integration runtime' Service. I used the Client, ID, secret to generate token for API instance, But when I use that token for calling Integration flow in CPI, it fails with error:

      <error_description>Jwt token with audience [uaa, it!b44075, it!b44075.IntegrationOperationServer, it!b44075.GenerationAndBuild, it!b44075.NodeManager, it!b44075.WebToolingWorkspace, sb-2b42235d-cf11-4e76-b4d9-95d0d78e4a66!b55028|it!b44075] is not issued for these clientIds: [sb-it-rt-a582a263trial!b44075, it-rt-a582a263trial!b44075].</error_description>
      1. Which token should be used while calling Integration flows?
      2. Should we be creating token/ service key for API instance in PIR service?
      3. What is the correct way to call API?


      Author's profile photo Maitree Sodsee
      Maitree Sodsee

      Dear  Divya Mary


      I got error " with statusCode: 401" unauthorized on CPI forward massage type to SAP Digital manufacturing cloud. What should i do ?




      Thank you.

      Maitree Sodsee

      Author's profile photo Thomas Neuhaus
      Thomas Neuhaus

      Hello Divya

      Thank you for this blog. I do the same with SAP S/4HANA Cloud System and get this Error: Couldn’t create OAuth 2.0 client: OAuth 2.0 Client Profile is invalid.

      Any Idea form them? The Test with Postman is successful.

      I have his parameter on the S/4HANA Cloud System

      Auth. Endpoint

      Token Endpoint


      User Auth. is like in the Postman, User und Password


      Regards Thomas

      Author's profile photo David Da Silva
      David Da Silva

      I also get this error, how did you resolve this?

      Author's profile photo Vijayashankar Konam
      Vijayashankar Konam

      Hello Divya,

      It looks like the screens have changed and the Process Integration Runtime instance is no more available in the CloudFoundry cockpit anymore. Could you please direct me to the area or the correct instance that we need to create to enable OAuth authetnication to CPI iFlows?




      Author's profile photo Florian Wallburg
      Florian Wallburg

      Hi Divya Mary

      the service seems to be deprecated. Do you know the successor for this service

      to accomplish OAuth?

      Best regards,


      Author's profile photo Indrasish Banerjee
      Indrasish Banerjee

      No, it isn't deprecated. If the Process Integration Runtime service does not show up; you have to subscribe to it in the Entitlement section of your BTP Subaccount. After successful subscription in entitlement it will show up in your "Cloudfoundry spaces".

      Author's profile photo Jesus Alvarez
      Jesus Alvarez

      Hi Divya Mary

      Thank you very much for this content, it really helps a lot to improve access management for external clients.

      I need help to improve the management of Token access by different Clients. Currently I did the step by step that you indicate in this blog,

      I have 3 different integrations that are started by HTTPS request, each for a different external customer. And I want to deliver each a different OAuth Client.

      In the Proccess Integration Runtime installation, in Service Key I have created 3 accesses, one for each client. But I note that their content are the same. For the 3 Services Keys, clientid, clientsecret are the same. I require each client to have unique credentials.

      It would be helpful to have information or documentation on how to achieve this requirement. Thanks


      Best Regards



      Author's profile photo Christopher Linke
      Christopher Linke

      Hi Jesus Alvarez

      have you tried to create a new instance for "Process Integration Runtime" and then create a new Service Key?

      Author's profile photo Jesus Alvarez
      Jesus Alvarez

      Hi Christopher Linke  ,  Yeah, when creating an instance of "Process Integration Runtime" for each client. This generated a different client id.

      Thank you


      Author's profile photo Indrasish Banerjee
      Indrasish Banerjee

      Hi Divya. Thanks for this wonderful post. But yet after following all the steps I am getting 401 Unauthorized error. I am getting the following response from CPI.

          <error_description>An Authentication object was not found in the SecurityContext</error_description>

      Can you please guide me on how to solve this issue? This seems to be working properly when I configured the same for another tenant.