Aishwarya_Pola

In this hands-on guide, I’ll walk you through a proven approach to securing AS2 iFlows using SAP API Management and OAuth 2.0 — ensuring your AS2 endpoint is not just exposed, but fortified with robust, token-based access control.

We’ll implement two API proxies — one dedicated to generating OAuth 2.0 access tokens, and another for validating those tokens and securely routing client requests to your AS2 iFlow. This approach ensures that only authorized clients can trigger your AS2 integration scenarios, eliminating the need to expose sensitive endpoints or manage backend credentials manually.

Follow along as we build this secure setup step by step and transform a basic AS2 interface into a scalable, OAuth-enabled integration flow aligned with modern enterprise API security standards.

Architecture Overview

[Architecture overview diagram]
  • Token Generation Proxy – Generates OAuth tokens using client_id and client_secret.

  • AS2 Access Proxy – Validates access tokens and routes requests to the AS2 iFlow.

  • Target Endpoint (CPI iFlow) – The actual AS2 iFlow triggered securely via API Management.

  • Product & Application – Combines both proxies and enables client registration and access.

Step-by-Step Implementation

Step 1: Get the AS2 Sender Adapter Endpoint

  • Go to SAP Integration Suite → Monitor → Manage Integration Content.

  • Select the iFlow that uses the AS2 Sender Adapter.

  • Copy the endpoint URL.

Example:

https://<your-tenant>.hana.ondemand.com/http/AS2Inbound

Step 2: Create API Proxy for AS2 Access

  • Go to Integration Suite → Develop → APIs → Create API.

  • Choose “URL” and paste the AS2 iFlow endpoint copied in Step 1.

  • Name the proxy (e.g., AS2_Access_Proxy).

  • Complete the proxy creation and save it.

[Screenshot: API proxy creation]

Step 3: Secure Backend Call to CPI 

  • Go to Policies → TargetEndpoint → PreFlow.

  • Open the Discover tab, select Apis and apply the SAP BTP Connectivity Template.

[Screenshot: SAP BTP Connectivity Template applied to the TargetEndpoint PreFlow]
  • After applying the template, update it with your Client ID, Client Secret, and Token URL.

This configuration ensures the API proxy can securely fetch a token and call the AS2 iFlow without exposing backend credentials.

Step 4: Add OAuth Token Validation Policy to Proxy

  • Open the AS2_Access_Proxy in the API portal.

  • Navigate to Policies → ProxyEndpoint → PreFlow.

  • Add the following OAuth 2.0 policy to validate incoming access tokens:

<OAuthV2 async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">  
   <ExternalAuthorization>false</ExternalAuthorization>
   <Operation>VerifyAccessToken</Operation>
   <GenerateResponse enabled="true"/>
   <SupportedGrantTypes/>
   <Tokens/>
</OAuthV2>

This ensures that only authorized client requests with valid tokens are processed.

Step 5: Create a Token Generation Proxy

To enable secure, token-based access, clients first need a way to obtain an OAuth 2.0 access token. This proxy handles that responsibility.

  • Create a new API proxy with a dummy backend (e.g., https://example.com).

  • Name it something like Token_Generator_Proxy.

[Screenshot: Token_Generator_Proxy creation]

  • Go to Policies → ProxyEndpoint → PreFlow.

  • Add the following OAuth 2.0 policy to generate tokens using the client credentials flow:

<OAuthV2 async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
   <ExternalAuthorization>false</ExternalAuthorization>
   <Operation>GenerateAccessToken</Operation>
   <GenerateResponse enabled="true"/>
   <SupportedGrantTypes>
      <GrantType>client_credentials</GrantType>
   </SupportedGrantTypes>
   <Tokens/>
</OAuthV2>

Why this is needed:
This proxy issues access tokens to trusted clients based on their client_id and client_secret. These tokens will then be used to authenticate future requests to the AS2 endpoint via the access proxy.

Clients can request an access token as follows:

  • URL: POST /token-generator-proxy

  • Headers: Content-Type: application/x-www-form-urlencoded

  • Body: client_id=APP_KEY&client_secret=APP_SECRET&grant_type=client_credentials

Step 6: Create a Product and Add Both Proxies

To bundle and expose your APIs securely, you’ll need to create a product in SAP API Management that includes both proxies.

  • In Integration Suite, go to Engage → Products → Create Product.

  • Add the following APIs to the product:

    • Token_Generator_Proxy

    • AS2_Access_Proxy

[Screenshot: product containing both API proxies]
  • Save and publish the product.

A product groups multiple APIs together and makes them available for consumption. Only APIs that are part of a product can be accessed through a registered application in the Developer Portal.

Step 7: Register an Application

Now that your product is published, you’ll register an application that will consume the secured APIs.

  • Go to Developer Hub → My Workspace → Create Application.

  • Assign the previously created product (which includes both proxies) to the application.

[Screenshot: application creation with the product assigned]

  • After creation, make note of the following:

    • Application Key (Client ID)

    • Application Secret (Client Secret)

These credentials are used to request access tokens from the Token_Generator_Proxy. The generated tokens will be used to authorize calls to the AS2_Access_Proxy.
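The client side of the finished setup, as an added example (not code from the original post): it sends the Step 5 token request with the Application Key and Secret from Step 7, calls the AS2 access proxy with the token as a Bearer header, and fetches a fresh token once if the VerifyAccessToken policy rejects the current one with 401. The proxy URLs are placeholders and the transport is injectable so the flow can be exercised offline.

```python
"""Client flow for the two-proxy setup: client_credentials token from
Token_Generator_Proxy, then AS2 payload to AS2_Access_Proxy as Bearer."""
import json
import urllib.error
import urllib.parse
import urllib.request


def urllib_transport(req):
    """Default transport: send the Request, return (status, body) without raising."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class As2Client:
    def __init__(self, token_url, as2_url, client_id, client_secret,
                 transport=urllib_transport):
        self.token_url, self.as2_url = token_url, as2_url      # placeholders in use
        self.client_id, self.client_secret = client_id, client_secret
        self.transport = transport   # injectable so the flow can run offline
        self.token = None            # cached access token

    def fetch_token(self):
        """Step 5 request: form-encoded client_credentials grant to the token proxy."""
        body = urllib.parse.urlencode({"client_id": self.client_id,
                                       "client_secret": self.client_secret,
                                       "grant_type": "client_credentials"}).encode()
        req = urllib.request.Request(self.token_url, data=body, method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        status, payload = self.transport(req)
        if status != 200:
            raise PermissionError(f"token request rejected: HTTP {status}")
        self.token = json.loads(payload)["access_token"]
        return self.token

    def send(self, message, content_type="application/edi-x12"):
        """POST an AS2 payload through AS2_Access_Proxy. The VerifyAccessToken policy
        there answers 401 for a missing, invalid or expired token, so retry once."""
        if self.token is None:
            self.fetch_token()
        for attempt in (1, 2):
            req = urllib.request.Request(self.as2_url, data=message, method="POST",
                headers={"Authorization": f"Bearer {self.token}",
                         "Content-Type": content_type})
            status, body = self.transport(req)
            if status != 401 or attempt == 2:
                return status, body
            self.fetch_token()   # token rejected: obtain a fresh one and retry once
```

A usage call is `As2Client("https://<apim-host>/token-generator-proxy", "https://<apim-host>/as2-access-proxy", "APP_KEY", "APP_SECRET").send(payload)`, with the placeholders replaced by your API Management host.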

Conclusion:

By following this approach, you've successfully secured your AS2 iFlow using SAP API Management and OAuth 2.0 — without exposing sensitive endpoints or relying on manual credentials.

This setup ensures only authorized clients can access your AS2 interface in a clean, scalable, and secure way.

Disclaimer:
All the views and opinions in this blog are my own and are made in my personal capacity. SAP shall not be responsible or liable for any of the contents published in this blog.
