Author: Sandeep Malhotra

SAP CAP JWT Token Flow in code

Objective – To understand when the JWT token is generated and how it ends up in the req object of a CAP service handler (req.headers.authorization).

XSUAA is the OAuth 2.0 authorization server of SAP BTP: it authenticates the user and issues the JWT (access token). The approuter is what gets that token to the service. When the user opens the application through the approuter, the approuter redirects the browser to XSUAA for login, receives the JWT after a successful login, keeps it in its own session and forwards it to the OData service as an Authorization header on every proxied request.

Assumption – The reader has a basic understanding of SAP BTP and Cloud Foundry.

The following basic components are used:

Component       Usage
--------------  -----------------------------------------------------------
OData service   Returns the JWT token it receives, so it can be inspected
XSUAA           Authenticates the user and issues the JWT token
Approuter       Receives the JWT token and forwards it to the OData service


Github Public Repository Link 



The following branches of the repository are provided so that the effect of XSUAA and the approuter can be compared step by step:

  • App without XSUAA service
  • App with XSUAA service but without approuter
  • App with XSUAA service and approuter


  • Create a directory
mkdir cap-test-jwt
  • Create the project inside the directory
cds init
  • Create a service in the service (srv) folder together with its handler

Only one function import is added to the service; it returns the JWT token as a string.

@path: '/test'
service TestService {
    function getJWTToken() returns String;
}

The corresponding handler:

const cds = require('@sap/cds');
module.exports = async function () {
    this.on("getJWTToken", async (req) => {
        // The Authorization header is only populated once the approuter sits in
        // front of the service and the user has been authenticated by XSUAA:
        // the approuter then forwards the JWT it received to this service.
        let sToken = "";
        if (req.headers.authorization) {
            sToken = req.headers.authorization;
        }
        return sToken;
    });
};



  • Deploy the service to Cloud Foundry by running the deploy script defined in package.json:

npm run deploy


  • Run the service

At this point neither the XSUAA service nor the approuter has been added, so nothing in the request path attaches a token and req.headers.authorization is undefined.


  • Add the XSUAA service
cds add xsuaa

  • Deploy and run the service again (see the deployment and run steps above)

Now the XSUAA service is bound, but there is still no approuter: the browser calls the service URL directly and sends no token, so req.headers.authorization is still undefined.


  • Add the approuter
cds add approuter

  • Deploy again and open the service through the approuter URL (see the deployment and run steps above)

Once the approuter is in place, opening its URL redirects the browser to XSUAA for login. The approuter stores the JWT it receives in its session and, because its destination to the service has forwardAuthToken set to true, forwards that JWT as an Authorization header, so req.headers.authorization now contains the token. Two things to keep in mind: the browser itself never holds the JWT (it only has the approuter session cookie), so returning the raw token to the client as this demo handler does is fine for learning but not something a real service should do; and a present header is not a trustworthy one, so the service must validate the token (CAP does this against the bound XSUAA instance) rather than simply trusting its claims.
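To make the forwarded header tangible, here is an added example (not code from the post or its repository) that decodes a Bearer JWT of the kind the approuter forwards and pulls out the XSUAA claims a CAP service usually looks at. It covers the cases seen in the steps above (no header at all, a non-Bearer scheme, a malformed token) by reporting the token as absent. It deliberately only decodes; it does not verify the signature, so nothing it returns may be used for an authorization decision. All token values (issuer, tenant id, client id, user, scopes) are constructed for the example, and the helper names (parseBearerJwt, summarizeXsuaaToken, makeSampleToken) are my own, not part of CAP or the approuter.

```javascript
// Added example: inspect the Authorization header a CAP handler receives from the
// approuter. DECODES only (base64url + JSON); it does NOT verify the signature.
// In a real CAP service the bound XSUAA instance (@sap/xssec) validates the token
// before any handler runs; this helper is for understanding what arrives.

function base64UrlDecode(segment) {
  // JWT segments are unpadded base64url; Node's Buffer understands 'base64url'.
  return Buffer.from(segment, 'base64url').toString('utf8');
}

// Returns { header, payload } for a "Bearer <jwt>" value, or null when the header
// is missing, uses another scheme (e.g. Basic), or is not shaped like a JWT.
function parseBearerJwt(authorizationHeader) {
  if (typeof authorizationHeader !== 'string') return null;
  const match = /^Bearer\s+([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]*)$/
    .exec(authorizationHeader.trim());
  if (!match) return null;
  try {
    const header = JSON.parse(base64UrlDecode(match[1]));
    const payload = JSON.parse(base64UrlDecode(match[2]));
    if (!header || typeof header !== 'object' || !payload || typeof payload !== 'object') {
      return null;
    }
    return { header, payload };
  } catch (err) {
    return null; // segments were not valid base64url-encoded JSON
  }
}

// Summarises the claims of a decoded XSUAA token. nowSeconds is a parameter so
// the expiry check is deterministic; a missing exp counts as expired.
function summarizeXsuaaToken(authorizationHeader, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parsed = parseBearerJwt(authorizationHeader);
  if (!parsed) return { present: false };
  const claims = parsed.payload;
  const asArray = (v) => (Array.isArray(v) ? v : v === undefined ? [] : [v]);
  return {
    present: true,
    alg: parsed.header.alg,
    kid: parsed.header.kid,
    issuer: claims.iss,
    tenant: claims.zid,            // XSUAA: id of the subaccount (tenant) the user logged in to
    clientId: claims.client_id,    // XSUAA: OAuth client of the xsuaa instance
    user: claims.user_name,
    scopes: asArray(claims.scope), // XSUAA scopes look like "<xsappname>.<scope>"
    audiences: asArray(claims.aud),
    expired: typeof claims.exp === 'number' ? claims.exp <= nowSeconds : true,
  };
}

// Builds a constructed sample token with XSUAA-like claims. The third segment is
// a placeholder, not a real signature, which is exactly why decoding != verifying.
function makeSampleToken(payload, header = { alg: 'RS256', kid: 'default-jwt-key-1', typ: 'JWT' }) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc(header)}.${enc(payload)}.placeholder-signature`;
}

// Claim names (iss, zid, client_id, user_name, scope, aud, exp, iat) are the ones
// XSUAA issues; every value below is constructed for this example.
const SAMPLE_AUTH_HEADER = 'Bearer ' + makeSampleToken({
  iss: 'https://constructed-subaccount.authentication.eu10.hana.ondemand.com/oauth/token',
  zid: 'tenant-guid-constructed',
  client_id: 'sb-cap-test-jwt!t123',
  user_name: 'demo.user@example.com',
  scope: ['cap-test-jwt!t123.Read', 'openid'],
  aud: ['cap-test-jwt!t123', 'openid'],
  exp: 1700003600,
  iat: 1700000000,
});

console.log(JSON.stringify(summarizeXsuaaToken(SAMPLE_AUTH_HEADER, 1700000000), null, 2));
console.log(JSON.stringify(summarizeXsuaaToken(undefined))); // what the handler sees without approuter
```

Running the file prints the claim summary of the constructed token and, for comparison, the `{ "present": false }` result that corresponds to the undefined header seen before the approuter was added. Used inside the handler above, summarizeXsuaaToken(req.headers.authorization) would echo a claim summary instead of the raw bearer token, which is a safer thing to hand to a client, but the signature check still has to come from CAP's XSUAA integration, not from this helper.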


Last but not least, the code can also be run locally by creating a default-env.json file with the service bindings of the deployed service (cf default-env plugin, alias de):

cf de cap-test-jwt-srv

Note that default-env.json contains the live credentials of the bound XSUAA instance, so keep it out of version control.

Copy the same default-env.json into the app (approuter) folder as well, and add a destinations property at the top level so that the approuter routes calls to the locally running service:

"destinations": [
    {
        "name": "srv-api",
        "url": "http://localhost:4004",
        "forwardAuthToken": true
    }
]



Hope this helps the readers.
Happy Coding !!
Further Reading link



