Skip to Content
Technical Articles
Author's profile photo Mani P S

Manual testing of APIs in SAP BTP, ABAP Environment using Postman



As a developer working with Web APIs (OData V2 or OData V4) in SAP BTP, ABAP Environment, I often want a quick way to test these APIs manually before consuming them. I recently learnt how these could be tested manually using Postman (more details on postman + download link).

Broadly, the steps I performed were –

  1. Logon to the SAP BTP, ABAP Environment system
  2. Open the service URL in a browser with the developer tools of the browser open
  3. Get the cURL (bash) raw text from the network tab
  4. Import this into postman
  5. Fetch X-CSRF token
  6. Use this token to test the API

In this blog post, I mention the steps needed to test an OData V2 or OData V4 Web API using Postman.

Get the cURL (bash) script


The logon to ABAP systems happens via the browser and uses cookies. We need these cookies to be imported in order to enable postman to authenticate when trying to access the API end points.

This is done using the curl command.

1. After logon to the SAP BTP, ABAP Environment system, open the service binding for the API you’d like to test

2. Click on the service URL link in the service binding of the WebAPI (OData V2 or OData V4)


3. Complete the logon (if not already done)

4. You should see the service metadata in the browser. Refresh this tab of the browser with the developer tools of the browser open (Right click and click inspect, then navigate to the network tab or use the appropriate keyboard shortcut for your device and browser)

5. Right click on the “…sap-client…” call and select copy->copy as cURL (bash) from the context menu

Import the curl script to postman


Next, we need the request along with necessary cookies for logon to be imported into postman.

Now that we have the script, open postman (here I show the desktop client, but the steps should be similar for the web client as well)

6. Open your workspace in postman and click on import.

7. Paste the curl command copied in step 5 in the “Paste raw text” section under the “Raw text” tab.

8. Click continue.

9. Verify the URL under “name” and click import.

Now the request along with cookies needed for logon should be imported into postman. You could verify this under the headers tab of the generated request

Fetch token for authentication and use this for testing


CSRF Tokens are used by the ABAP system on BTP to prevent CSRF attacks. The CSRF Token is a secret code generated by the server for a specific user. This would be difficult for an attacker to determine or predict. Since the token can’t be predicted easily, the attacker can’t construct a request with all necessary parameters needed by the server to successfully process such a request.

Here, the step intends to fetch the CSRF token of the same user that is logged on to the system.

10. Under the header tab of the request, add the headers for content type and X-CSRF-Token as follows and click send

"Content-Type": "application/x-www-form-urlencoded",


Under the headers for the response, a CSRF token should be returned. Let’s say this returned token was ABCD123==.

11. Replace the X-CSRF-Token header of the request with this token (ABCD123==) that is returned, and you should now be able to test different calls.

12. In the following screenshot, I show an example of a POST request that is being tested manually.

Point to note:

In case you get an unauthorized error after performing these steps it is likely due to timeout/expiration of the token or a problem with the cookies. You could re-import the request with the cookies as per above steps to resolve the issue.


Would love to hear your feedback and experiences in the comments section.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Daniel Mieg
      Daniel Mieg

      Hi Mani,


      thank you for the great blog.


      Here is a small (follow-up) tip regarding the x-csrf-token:

      When fetching the x-csrf-token, you can use environment variables to save the token. To do this, you need to create an "environment" and use this snippet in the "Tests" tab of the request to save the token:

      var xcsrf = postman.getResponseHeader("x-csrf-token");
      postman.setEnvironmentVariable('x-csrf-token', xcsrf);

      Then, in the following requests you can use this token in the request header with:



      With this setup you can avoid to copy the token manually.


      Best regards



      Author's profile photo Manisha Mohanrao Badade
      Manisha Mohanrao Badade

      Hello Mani,


      Thanks for this blog. I have a question. To have updated cookies, do we need to import this curl every time? How should the IIcs team handle this cookies generation automatically? Do you know in this area?

      Author's profile photo Ahamed Kalikul Jaman
      Ahamed Kalikul Jaman

      Hello All,

      It works with GET API not with POST API..Is there any different approach for POST API?



      Author's profile photo Mani P S
      Mani P S
      Blog Post Author

      Hi Ahamed,

      The sample shown is from a POST request so the approach should be the same. I'd probably check to see if the body of the request contains the right information and troubleshoot based on the actual error message.

      Best Regards,

      Author's profile photo Ahamed Kalikul Jaman
      Ahamed Kalikul Jaman

      Hi Mani,

      Thanks for your reply.

      The exception is raised because of the content type = "application/x-www-form-urlencoded". Can we use any other content type. I used 'application/atom+xml;type=entry' but still the above is taken automatically.