Objective - To understand when the JWT is generated and passed to the req object in a CAP service (req.headers.authorization)

XSUAA is responsible for authentication and for generating the JWT. The Approuter, however, is what forwards the JWT to the service: once the user has been authenticated with XSUAA by the Approuter, the Approuter passes the JWT to the OData service.

Assumption - The audience has a basic understanding of SAP BTP and Cloud Foundry

The following basic components are used:

| Component     | Usage                                          |
|---------------|------------------------------------------------|
| OData service | Prints the JWT                                 |
| XSUAA         | Generates the JWT                              |
| Approuter     | Reads the JWT and passes it to the OData service |


Github Public Repository Link 



The following branches were created to understand the use of XSUAA and the Approuter:

Branch Name

App without XSUAA service
App with XSUAA service but without Approuter
App with XSUAA service and Approuter


  • Create a directory

mkdir cap-test-jwt

  •  Create the project inside the directory

cds init

  • Create a service in the service folder and its handler too

Only one function import is added to the service; it returns the JWT as a string.

@path: '/test'
service TestService {
  function getJWTToken() returns String;
}

const cds = require('@sap/cds');

module.exports = async function () {
  this.on("getJWTToken", async (req) => {
    // The Authorization header is only set once the Approuter module and the
    // XSUAA service are added: the Approuter authenticates the user against
    // XSUAA and forwards the resulting JWT to this service.
    let sToken = "";
    if (req.headers.authorization) {
      sToken = req.headers.authorization;
    }
    // Empty string when no token was forwarded
    return sToken;
  });
};



  • Deploy the service to CF by running the script defined in the package.json file

npm run deploy


  • Run the Service



So far, neither the XSUAA service nor the Approuter has been added. Therefore, req.headers.authorization will be undefined.


  • Add XSUAA service

cds add xsuaa


  • Run the service after deployment (refer to the deployment and run steps described previously)


So far, the XSUAA service has been added but no Approuter. Again, req.headers.authorization will be undefined.


  • Add App-router service

cds add approuter


  • Run the service with the Approuter URL after deployment (refer to the deployment and run steps described previously)


Once the Approuter is added, req.headers.authorization will contain the JWT.
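
What the forwarded header contains can be checked without echoing the raw bearer token back to the caller. The following is an added example, not part of the original post or its repository: it parses a Bearer header and decodes the JWT claims for inspection only. The function name describeAuthHeader is hypothetical, and the sample token and its claim values are constructed.

```javascript
// Added example: inspect the value the Approuter forwards in
// req.headers.authorization. Decoding is NOT verification; signature
// checks stay with the authentication layer in front of the handler.

// Encode a JSON object as one base64url JWT segment (sample data only).
const seg = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Constructed sample header: made-up claims, placeholder signature.
const SAMPLE_AUTH_HEADER = "Bearer " + [
  seg({ alg: "RS256", typ: "JWT" }),
  seg({
    iss: "https://example.invalid/oauth/token",
    user_name: "jane.doe@example.invalid",
    scope: ["openid"],
    exp: 1700000000,
  }),
  "constructed-signature",
].join(".");

// Parse "Bearer <jwt>" and return selected decoded claims.
// Returns null when the header is missing or malformed, which is what
// the service sees when it is called without the Approuter in front.
function describeAuthHeader(authorization, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof authorization !== "string") return null;
  const match = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]*)$/i.exec(authorization.trim());
  if (!match) return null;
  try {
    const header = JSON.parse(Buffer.from(match[1], "base64url").toString("utf8"));
    const payload = JSON.parse(Buffer.from(match[2], "base64url").toString("utf8"));
    return {
      alg: header.alg,
      issuer: payload.iss,
      user: payload.user_name,
      scopes: payload.scope || [],
      expired: typeof payload.exp === "number" && payload.exp <= nowSeconds,
    };
  } catch {
    return null; // segments were not base64url-encoded JSON
  }
}

console.log(describeAuthHeader(SAMPLE_AUTH_HEADER));
console.log(describeAuthHeader(undefined));
```

Called with req.headers.authorization inside the handler, this returns null for the two setups without the Approuter and the decoded claims once the Approuter forwards the token.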


Last but not least, the code can be run locally by creating the default-env.json file.

cf de cap-test-jwt-srv


In the app folder, also copy the default-env.json, but add the destination as the topmost property in order to route the call to the locally running service:

  "destinations": [
    {
      "name": "srv-api",
      "url": "http://localhost:4004",
      "forwardAuthToken": true
    }
  ]


Hope this helps the readers.

Happy Coding !!

Further Reading link


