Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 
The JWT policies of SAP Cloud Platform API Management enables you to generate, verify and decode the JWT token.  In the Blog Series : JSON Web Tokens (JWT) verification using SAP Cloud Platform API Management we have covered the modeling and configuration of JWT verification  policies for various Identity providers like SAP Cloud Platform XS UAAOkta , Azure Active Directory .

SAP Customer Data Cloud (Gigya) securely identifies consumers across devices and channels, manages permissions and consent across entire lifecycles and transforms data into unified customer profiles. SAP Customer Data Data Cloud supports JWT token based authentication. In this part of the blog series, we have covered the steps for Configuring the JWT token verification policy for SAP Customer Data Cloud ( Gigya).


Configuration on your SAP Customer Data Cloud account

  • Logon to your SAP Customer Data Cloud account and navigate to the sites page.

  • Note down your  API key of the site configured on your SAP Customer Data Cloud account.  Take a note of the data center of your site. The endpoint of the SAP Customer Data Cloud APIs would vary based on the data center. Refer the guide on finding your data center for more details.

  • accounts.getJWTPublicKey REST API returns the JWKS keys information that is used in signing of the id_token returned from accounts.getJWT API endpoint. As a public endpoint, this API requires no parameters, including a secret or userKey/secret pair, and only the API key of the site is required. accounts.getJWTPublicKey REST API endpoint would be the JWKS_URL that can be used in the SAP Cloud Platform API Management policies.

  • Construct your accounts.getJWTPublicKey endpoint based on your site data centers and the API Key of your site by replacing the placeholder {datacenter_of_your_registered_site} and {your_site_api_key}


  • Construct your JWT issuer by replacing {your_site_api_key} with API Key value of the site copied in the previous steps{your_site_api_key}/

  • For getting the JWT token from SAP Customer Data Cloud account, you will also need to create an application for your site and get your own user key and secret. Navigate to Admin center and select your application and copy your User key and Secret of your applications.

Configure OAuth Issuer and JWKS URI in SAP Cloud Platform API Management

  • Navigate to API Portal service of your SAP Cloud Platform API Management.

  • Navigate to Develop tab and select the API Proxy to you have modeled the JWT token verification policies. Refer part 1 of this blog series to model the JWT verification policies for your API Proxy.

  • From the selected API Proxy details view, click Policies to open Policy Designer.


  • Click Edit on the policy designer, to enter edit mode.


  • Select the policy readJWKS policy and replace the URL element with the JWKS_URL constructed in the previous section.

  • Select the policy verifyJWT policy and replace the URL element with the issuer constructed in the previous section.


  • Select Update to persist all the policy changes.


  • Click Save to persist all the API Proxy changes.

Finally testing the JWT token verification flows

  • accounts.getJWT REST API can be used to obtain the id_token containing the users's data in JWT format. For the getJWT REST call, API Key of your site, your user key and secret that you had copied from your SAP Customer Data Cloud account is required. You will also need the UID of the users's who are registered for your site.  Steps to register users to your SAP Customer Data Cloud site is covered in this help documentation.

  • To get the UID of registered user, select your registered site in SAP Customer Data Cloud account and navigate to the Identity Access tab.

  • Select the users, which you would like to use for your testing.

  • From the details view of registered user, you would be able copy the UID value.

  • Use the API Key of your site, user key, secret and UID of your registered user to get a JWT access token by calling accounts.getJWT REST API. Details is covered in this documentation.

  • Call your API Proxy endpoint passing in your OAuth access token, received in id_token field of the accounts.getJWT REST API response,  in a  HTTP header named authorization in the format Bearer {oauth_access_token}.

  • In case of successful JWT token validation, the response from your target server would be returned.

  • Passing invalid access token or an empty access token will result in error with HTTP status code set to 401.


Refer Blog Series : JSON Web Tokens (JWT) verification using SAP Cloud Platform API Management for more blogs on JWT verification policies.
1 Comment