Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert
This blog is part of a series of tutorials explaining the usage of SAP Cloud Platform Backend service in detail.

This post explains how to configure security for Backend service.


At the current point in time, SAP Cloud Platform Backend service supports only a very limited set of authorization mechanisms:

  1. OAuth authentication flow

  2. nothing else

Reason is the targeted usage by frontend applications rather than human testers.
Since Basic Authentication is - currently - not supported, it is necessary to do some configuration steps to enable OAuth

  1. Create xsuaa instance

  2. Create service key

This blog is not necessary if you use the Backend service cockpit to call your APIs.
Configuring security is only required if you want to call your APIs from external application or tool like e.g. REST client


Configure security in Cloud account

We need a couple of preparation steps, to be done in our cloud account, before we can request an authorization token: For that purpose there's the service offering "Authorization & Trust Management" in the SAP Cloud Platform.

Below section describes how to create a service instance in your Cloud Foundry space.
If you're new to SAP Cloud Platform trial account and Cloud Foundry and if you followed my tutorials in detail, then you probably don't have a space yet.
The good news: Especially for YOU, I created a tutorial, describing how to enable Cloud Foundry and assign quota in your trial account.

1. Create xsuaa service instance

Go to your BETA-enabled subaccount, I mean that subaccount which you use to open your SAP Cloud Platform Backend service subscription.
Go into your space

Make sure that you choose a space which is located in the same subaccount like your Backend service subscription.

In the left navigation pane, expand “Services >” and click on “Service Marketplace”
Here you can see all the services that are offered in your cloud account:


Click on the tile “Authorization & Trust Managem…”
Then click on “Instances” in the left pane
Afterwards you can click on the “New Instance” button

In the creation dialog, make sure your "service plan" is chosen as “application”:

In the next wizard page, “Specify Parameters”, enter the following JSON snippet in the text field:
"xsappname": "myAppName",
"tenant-mode" : "dedicated",
"foreign-scope-references": [

The value for property "xsappname" has to be unique

The syntax for foreign scope lets XSUAA resolve the scope based on the variable.
Here's an alternative, using the hard-coded name of the foreign scope:

"xsappname": "myAppName",
"tenant-mode" : "dedicated",
"foreign-scope-references": [

The reference name of the foreign scope can be found in the details page of the Backend service, then expand the "Security" menu entry and view the "Role Templates" (see here)


The next wizard page allows to bind to an existing application.
You can ignore and press next.
Finally, enter a name of your choice for the new instance

Press “Finish”.
Your instance of xsuaa service is created in your space.
Now proceed with service key creation.

2. Create Service Key

Creating a service key is required because we want to call the Backend service API from externally.
Means, not from an app deployed in the Cloud Foundry Space, but from a REST client on our local Laptop. That's why a service key needs to be explicitly created and properties need to be noted.
See documentation

Click on your newly created instance of xsuaa service

Ignore the “Referencing Apps” screen, click on “Service Keys” in the left navigation pane.
Then you can hit the button “Create Service Key”

In the creation popup, you can give an name of your choice, then press “Save”

The result is presented to your delighted eyes:

We’ve created a service instance of the xsuaa service and we’ve created a service key for it.
In the service key details we see 3 values which we'll need later
Thus, we take a note of those 3 property values (I've marked them in the screenshot above)

In my example (slightly obfuscated):
"clientid": "sb-baas_access!t12345",
"clientsecret": "2abcdefghijklmnopqrstuvwxy=",
"url": ""

If you don't see a property like the "url", the last one, you might need to maximize your browser window or use a different browser

clientid and clientsecret are used like user credentials by the client when it connects to the XSUAA instance.

Again, we need the client credentials because we want to connect to XSUAA instance from outside, from local REST client tool.
If we would write a web application and deploy it to SAP Cloud Platform, then we would bind it to an XSUAA instance and the client credentials would be assigned automatically under the hood


In this blog, we've created a service instance of xsuaa service with the parameters required for SAP Cloud Platform Backend service, subscribed in your trial account.

Furthermore, we've created a service key for the xsuaa service instance, required for the client authentication to the oauth endpoint

After these 2 preparation steps, you're able to call your Backend service APIs from an external application, like e.g. a REST client.