Authorize API client to access Cloud Integration API

SAP Cloud Integration Oct 20, 2023

The config is different for Neo and Cloud Foundry (CF) environment. This post is for OAuth2 with authorization type of client id and secret. We can use OAuth2 with other grant type or certificate, the config is similar.

Cloud Integration, Neo

#1 Register API Client on cockpit
Cockpit > Security > OAuth > then Clients tab > create a new Client.

looking for Subscription with "tmn"node, and select Grant of Client Credentials. As the screenshot.

#2 Assign specific roles (required by API endpoints) to the API client.
Looking for roles that required by the API endpoint. In this case, I use MessageProcessLogs and the roles for Neo are:,

Cockpit > Security > OAuth > Authorizations

Hit button Show Assignments for oauth_client_<created client id> to assign role. Looking for Application "tmn" and assign roles to it.

#3 Test it with Postman
We have client id and client secret. Now we need to get token endpoint for OAuth, go to cockpit > Security > OAuth > go to Branding tab> there is a token endpoint here.

From SAP Cloud Integration API doc, we have the endpoint such as /MessageLoggingLogs but we don't know the full URL. Basically the full url is: the url where you access CPI tenant + "/api" + the endpoint.
Or you can find it from cockpit > Applications > Subscriptions > click on the applicaiton with "tmn" > you will see the url with /api.

Hit Get New Access Token before make the call to the endpoint.

Cloud Integration, Cloud Foundry

#1 Create a Instance for API Client
Looking for roles that required by the API endpoint. In this case, I use MessageProcessLogs and the role for CF is: MonitorDataRead.

Note: we can reuse the existing Instance, but we have to maintain required roles for different API endpoints. So, add MonitorDataRead to the existing one.

Go to Cockpit > Services > Instances and Subscriptions > create a new instance of "Process Integration Runtime" with "api" plan, and then select role MonitorDataRead (this is important, don't miss it), and "Client Credentials" as grant type.

#2 Create a Service Key from the created instance.
Choose "ClientId/Secret" as the Key Type.

#3 Test with Postman:

From the previous step, we have everything from client id, secret, url (hostname) of the endpoint, and token endpoint for Postman.
Using Oauth with Postman is similar to the part of testing with Neo.


Dai (Bato) Quach

Integration Architect | SAP Integration Suite / PO Consultant | AWS Solutions Architect

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.