Integration Suite Authentication

dr_vera_r · ‎2026 Apr 08

Hi,

I have completed the Integration Suite Mission with the trial account and then continued setup the real integration of our api within our respective subaccount. Everything is setup and now I am not able to authenticate against the API. Our API has an API-Key mechanism and I want to disable all auth or simplify the auth on the SAP side of things. In the mission there was a booster setting everything up. In reality this is not really documented in an obvious way.

I am now running into the following error testing the api:

<!doctype html><html lang="en"><head><title>HTTP Status 401 – Unauthorized</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 401 – Unauthorized</h1></body></html>

How can I assign the ESBMessaging.send Role? I tried setting up a service instance but cannot get the OAuth flow to work since I cannot create OAuth2 Credentials inside the SAP Process Integration Runtime looking the one from the mission.

JSON View of the Service Key to be created is missing token url, clientID, clientSecret....

{
    "key-type": "client_id_secret",
    "X.509": "",
    "certificate-pinning": true,
    "validity": 365,
    "key-length": 2048
}

Ideal solution would be to completely skip AUTH on this side of things since our api is secured.

AndreasMuno · ‎2026 Apr 12

Thanks for the detailed context, @dr_vera_r.

The behavior you’re seeing (HTTP 401 Unauthorized) is consistent with calling an SAP Cloud Integration (Process Integration Runtime) endpoint without the required inbound authentication.

What “ESBMessaging.send / MessagingSend” is used for

For inbound calls into SAP Cloud Integration, SAP’s documentation describes two common authentication options:

Basic authentication: use a user that has either MessagingSend (Cloud Foundry) or ESBMessaging.send (Neo) assigned in the SAP BTP cockpit. [help.sap.com]
OAuth2 Client Credentials (Cloud Foundry): use client ID, client secret, and token URL from the service key of your SAP Cloud Integration service instance. [help.sap.com]

So, even if your target API is secured via API‑Key, the inbound endpoint of the iFlow still expects one of the supported inbound auth mechanisms (Basic or OAuth2 client credentials), otherwise you’ll get 401. [help.sap.com]

How to get the missing Token URL / Client ID / Client Secret

The same SAP Help Portal guidance explains where those OAuth2 values come from:

Retrieve them from the service key of the SAP Cloud Integration service instance in the relevant subaccount (BTP cockpit → Instances and Subscriptions → Instances → select the Cloud Integration instance → Credentials → service key). [help.sap.com]

If the JSON you see for your service key doesn’t contain clientid, clientsecret, and a token URL, double‑check that:

you are looking at the service key of the SAP Cloud Integration service instance (not a different instance), and
it’s the service key under the subaccount where the Cloud Integration tenant is running. [help.sap.com]

Where OAuth2 “credentials” are maintained in the tenant (outbound use cases)

Separately (for outbound calls from an iFlow to an external system), SAP documents maintaining credentials in the tenant via:

Monitor Integrations and APIs → Manage Security → Security Material → Create → OAuth2 Client Credentials [help.sap.com]

And for third‑party providers in general, the guidance is to obtain the provider credentials and then create the corresponding Security Material type in Cloud Integration. [help.sap.com]

Note: This “Security Material” setup is typically relevant when the iFlow needs to call your API (outbound). Your current 401 looks more like an inbound authentication issue to the Cloud Integration endpoint. [help.sap.com]

About “disabling auth on the SAP side”

I didn’t find SAP Help Portal guidance that suggests running Cloud Integration inbound endpoints with no authentication. The documented patterns for calling the endpoint use Basic (MessagingSend/ESBMessaging.send) or OAuth2 client credentials.
So the practical way forward is usually to pick the simpler inbound option (often Basic for quick testing) and then move to OAuth2 client credentials if required by your setup. [help.sap.com]

Sources

Note: This response was prepared with AI‑powered assistance like SAP Joule for Consultants (J4C), see https://www.sap.com/products/artificial-intelligence/ai-assistant/sap-consulting-capability.html. It has been reviewed by an SAP subject matter expert. Please validate against the linked official documentation for your specific release.
You may want to consider getting SAP Joule for Consultants for yourself. Currently, SAP has a promotional offering for Silver, Gold and Platinum partners available in the Partner Benefits Catalog: https://partnerbenefitscatalog.sap.com/Partner-Benefits-Catalog/Customer-Engagement-%26-Post-Sales/J....

If this answer helped you, please mark the response accordingly. Thank you.

By Category

Related Content

Activity Groups

Industry Groups

Influence and Feedback Groups

Interest Groups

Location Groups

Customer Only Groups

Forums

Related Resources

Products

Learning and Support

About

My SAP Profile

My SAP Profile