Skip to Content
Technical Articles
Author's profile photo Akhil Anand

Connecting and Exposing API Endpoint from SAP Cloud Integration-(Part 2) || Connect, Expose & Test API Endpoint

Hi Folks,

This series covers all about: Connecting and Exposing API Endpoint from SAP Cloud Integration

Here is the list of blogs:

Part 1: Pre-requisites and Configuration
Part 2: Connect, Expose & Test API Endpoint

In Part 1, we discussed regarding creating Services and Instances required for API Management. In nutshell, we covered creation of initial instances required for SAP API Management and SAP BTP Server.

In this blog post, we will discuss regarding exposing Integration Flow Endpoint as an API.

Design Simple I-Flow

In Cloud Integration tenant, I have designed a simple i-flow: API Connectivity Test

It will generate Sender HTTPS endpoint. Content Modifier body is updated with some dummy message to display in response.


1. Create an API Provider

Access API Portal by selecting Configure > APIs

Hit Create button to create an API Provider.

In Overview, Enter the Name and Description of API Provider

Under Connection, Select as below:

Type: Cloud Integration,

Authentication: OAuth2ClientCredentials

For Cloud Integration Management Host, Client Id and Client Secret, follow below steps:

  • In BTP Cockpit, Go to Instances and Subscriptions in your subaccount.
  • Access Service Key Credentials for api Plan for service Process Integration Runtime. 

Copy ClientId, clientsecret and url escaping the prefix of https://

Paste the copied content below as shown:

Once done, Save.

Test Connection to check connectivity between SAP API Management and SAP BTP Server.

If everything looks fine, you are ready to use this API Provider to browse through the Integration Flows and generate an API for any chosen Integration Flow.

2. Create an API

Navigate API Portal, Design > APIs

Select Createbutton.

API 1: To Connect with SAP Cloud Integration Flow

Select radio button: API Provider. In API provider dropdown, select the provider created in above steps and hit Discover.

Select the i-flow whose endpoint is to be exposed as an API and hit Next.

PS: It will ask to Create an API Provider again. These credentials can be fetched from SAP BTP Cockpit as described in below steps:

Step1: In SAP BTP Cockpit, navigate to Instances and Subscriptions of your subaccount, open the Service Key Credentials of integration-flow plan.



This time, Copy the tokenurl, clientid and clientsecret from service key credentials:

And paste it in the dialog box as shown below and hit Done.

Enter Version: v1 (optional) and Create.

Assign the Policies

Select Policies and assign them to the API Proxy URL as shown:

In the Proxy Endpoint > PreFlow add the required Policies for demo purposes.

I added Spike Arrest and OAuth 2.0.

Spike Arrest Policy:

Oauth V2.0 Policy:

  • Spike Arrest: The SpikeArrest policy protects against traffic surges with the <Rate> element. This element throttles the number of requests processed by an API proxy and sent to a backend, protecting against performance lags and downtime.
  • OAuth 2.0: This policy helps to verify the incoming token for OAuth Authentication

Post policies update, Click Save and Deploy the API Proxy.

It will deploy the generated API Proxy URL with assigned Policies:

API 2: Create an API to Generate Token

Create an API for Generating the token using OAuth 2.0 Authentication to access SAP BTP Integration flow. Provide below details as shown:

In Policies, assign  OAuth v2.0 Policy in ProxyEndpoint > Preflow as we did earlier:

Make Sure you change the XML code OperationVerifyAccessToken to GenerateAccessToken as shown below

Code here:

<OAuthV2 async="false" continueOnError="false" enabled="true" xmlns="">

Add oAuthToken flow under ProxyEndPoint and add the below condition string:

(proxy.pathsuffix MatchesPath "/OAuthToken" OR proxy.pathsuffix MatchesPath "/OAuthToken/**" OR proxy.pathsuffix MatchesPath "/OAuthToken(**")AND(request.verb = "POST")

Add another flow under ProxyEndPoint as DefaultFaultFlow and assign Fault Raise policy to catch any error or fault:

Also, provide the given condition string for DefaultFaultFlow:

proxy.pathsuffix MatchesPath "/OAuthToken" OR proxy.pathsuffix MatchesPath "/OAuthToken/**" OR proxy.pathsuffix MatchesPath "/OAuthToken(**"


3. Create a Product

Once APIs are created, we need to add them under a product.

Go to Product tab and select create

Enter the details (Name and Title will be suffice) for the product:

In API tab, Click Add and select the APIs we created in above steps and hit OK.

After adding the APIs, Publish the Product.

4. Create an Application

Access API Business Hub Enterprise as shown below:


On the home screen, you will find the created Product.

Select the product, Click on Subscribe > Create New Application

Enter the Application Title and Save.

The Application is created with the subscribed product as shown below:

Go Back to API Portal. Open the created Application and note somewhere in notepad Application Key and Application Secret (it will be used during API Tesing via Postman):

5. Test the API:

Open Postman to test the API.

Use Get Method and paste the API Proxy URL for API 1.

and In Authorization tab, select Type: OAuth 2.0:


Now, at right side menu, add any Token Name. Select details as below:

Grant Type: Client Credentials
Client Id: add Application Key copied above
Client Secret add Application Secret copied above
Access Token URL Enter the API Proxy Url of API 2

Screenshot below:

Now, Click on Get New Access Token and hit Proceed. Click on Use Token.

Add test payload in postman Body and click on Send



We got Status: 200 OK and a response back as configured in content modifier body in iflow.


Hope you had a good read.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Florian Kube
      Florian Kube

      Good blog and well explained. Thank you.

      Author's profile photo Akhil Anand
      Akhil Anand
      Blog Post Author

      Thanks alot

      Author's profile photo sachin khedkar
      sachin khedkar

      Thanks, Akhil for your effort to prepare and share this blog.
      Explained very well & in detail.

      Author's profile photo Akhil Anand
      Akhil Anand
      Blog Post Author

      Thank you very much Sachin

      Author's profile photo Christof Blaickner
      Christof Blaickner

      Hello Akhil Anand,

      Thanks for the blog, but I fail at the point of the "new access token generation".



      Would mean there is something wrong during at the api_connectivity_test_v1 api - where the token should be generated.

      I also saw that the second condition that you put in is wrong. Can you update how the correct condition looks like?

      Author's profile photo Daniel Wagner
      Daniel Wagner

      Is there a way to use OAuth 2 directly on the service instance? Why I'm asking this, the provided token endpoint of the cloud integration doesn't comply with the rfc6749 when it comes to the client authorization header, instead it still uses the outdated rfc2617 - which isn't OAuth 2.0 compliant.

      The problem now is, that many client-side framework libraries a OAuth 2 compliant, which raises the problem that they can't authenticate with the non-compliant SAP provided token endpoint.