
API Management security vs XSUAA security: a little confused about which to leverage


We have developed a few APIs in SAP BTP with RAP (or going forward we can use CAP). How is the security handled?

As per my understanding there are two ways.

1) XSUAA: This will create a service key. When the 3rd party system uses this URL, they will give the Client ID and Client Secret as the username and password.

2) API Management: We maintain the API in the API Management tool. It will give an API key. Use the API key in the header when calling the API.

Question 1:

Is my understanding right, that these are the only two ways?

Question 2:

And which one to use? Can we have a project that will use only XSUAA, where we don't maintain the API in the API Management tool?

Or is it mandatory that we use API Management?

Accepted Solutions (1)

Hi Bodhisattwa,

In the SAP BTP ABAP Environment, you can expose RAP APIs for technical consumption using either Basic or Client Certificate authentication by leveraging Communication Management.

Supported authentication methods are listed here.

Details regarding the Communication Management can be found here.

Technical consumption via the XSUAA service key of an SAP BTP ABAP Environment system or an API Key is not possible.

If you consume your API Management with an API Key, you can internally (in your API Management flow) switch to either Basic or Client Certificate authentication when forwarding the call to the SAP BTP ABAP Environment system.

Hope this clears things up a bit.

Best Regards,
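
The flow described in the answer above (API key checked at the API Management layer, then Basic authentication towards the ABAP system), sketched as an added Python example; it is not part of the original thread and is not SAP API Management policy code. The header names `apikey` and `x-consumer`, the sample key, and the communication user credentials are constructed assumptions.

```python
import base64
import hashlib
import hmac

# Constructed sample data: digests of issued API keys, and the communication
# user the gateway presents to the ABAP system (all values are made up).
ISSUED_KEY_DIGESTS = {hashlib.sha256(b"demo-key-123").hexdigest(): "partner-a"}
BACKEND_USER = "COMM_USER_DEMO"
BACKEND_PASSWORD = "constructed-password"
API_KEY_HEADER = "apikey"  # hypothetical header name


def lookup_consumer(api_key):
    """Return the consumer name for a valid key, else None."""
    digest = hashlib.sha256(api_key.encode()).hexdigest()
    found = None
    for known, consumer in ISSUED_KEY_DIGESTS.items():
        # Constant-time comparison avoids leaking key digests via timing.
        if hmac.compare_digest(digest, known):
            found = consumer
    return found


def build_backend_request(incoming_headers):
    """Verify the caller's API key, then swap it for the backend credential.

    Returns (status, headers): 401 and no headers when the key is missing or
    unknown, otherwise 200 and the headers to forward to the backend.
    """
    headers = {k.lower(): v for k, v in incoming_headers.items()}
    consumer = lookup_consumer(headers.get(API_KEY_HEADER, ""))
    if consumer is None:
        return 401, {}
    # Drop the caller's credentials: the API key stays at the gateway, and a
    # caller-supplied Authorization header must never reach the backend.
    forwarded = {k: v for k, v in headers.items()
                 if k not in (API_KEY_HEADER, "authorization")}
    pair = f"{BACKEND_USER}:{BACKEND_PASSWORD}".encode()
    forwarded["authorization"] = "Basic " + base64.b64encode(pair).decode()
    forwarded["x-consumer"] = consumer  # hypothetical header for audit logs
    return 200, forwarded
```

The backend only ever sees the communication user, so per-consumer attribution has to be carried separately, which is what the `x-consumer` header stands in for here.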

