Hello guys, in this article I want to share one scenario which in there I used some my understand about CSRF-token, access token, send header value from outside into caller http WEBSERVICE.

First, kindly take look scenarios

Scenario 01

We have one REST API which use access token to access. We want call this API, we will have do some action below:

Configuration for Scenario 01

For simple in this article, I will use integration flow in CPI to create one REST API and call it from another integration.

Step 1 : Create integration flow with type is REST API

In this scenario, we do not use CSRF Protected.

Save and deploy this REST API

Test this API from POSTMAN, we need to check this API run OK.

As we see, this API need authorize by OAUTH2 with grant type is Client Credentials. So, we need call to token provider to get access token.

All information of token provider will be get from service key with type Process Integration Runtime.

Step 2 : Create integration flow call REST API in Step 01

In this step, we will create new integration flow will call REST API in step 01. We also focus that, REST API use access token to call, so in integration flow we need call to token provider to get access token and after that will use this access token to call REST API. All this things, we will action on integration flow.

Step 2.1 : Create integration flow with sender adapter is HTTP

We will have two ways to call REST API which use OATHAU2 for credentials. First way, we will create OAUTH2 Client Credential in CPI and use it to call direct to REST API. The second way, we will call manual to Token provider to get access token, and after that use this access token to call REST API

Step 2.2: First way – Create OAUTH2 client Credential in CPI

  • Go to Security Material in section Manage Security
  • Create button -> OAuth2 Client Credentials
  • (1) – (2) – (3) : Get from service key because this REST API created from SAP CPI for example. In fact, API owner will provide these information.
  • (4) : Send as Request Header for example in this article. In fact, base on configure of API Owner.

Next, We will use component Request Reply to call direct REST API with Authentication Type is OAuth2 Client Credentials and input name of Oauth2 client credentials above in here

Step 2.2: Second way – Use access token to call REST API

The first, we try call API which provided by Token Provider by POSTMAN to understand how to

Token provider will provide information

  • Token URL
  • client_id : in this article, get it from service key. In fact, this value partner will provide
  • client_secret : in this article get it from service key. In fact this value partner will provide
  • Content-type : x-www-form-urlencoded
  • response_type : token
  • grant_type : client_credentials

OK, let configure this on SAP CPI integration flow

Step 2.2.1: Add content modifier and add header, body

  • Add content modifier
  • Add header
    • grant_type : client_credentials
    • response_type : token
    • Content-Type : application/x-www-form-urlencoded
    • client_id
    • client_serect
  • Next, because this REST API use content-type = x-www-form-urlendcoded. So we will create body for request with syntax : Key1=Value1&Key2=Value2&Key3=Value3

Step 2.2.2: Add request reply call to REST API of token provider with http adapter to get access token

  • Configure for HTTP
  • (1) : Url of token provider
  • (2) : Method of API token provider. In this case use POST
  • (3) : Headers which we want to send from outside into to this process. In this case, It is Content-Type which defined in before component ( Content Modifier)

Step 2.2.3: Add Content modifier to get access token payload response

In this time, Run this integration from POSTMAN we will receive access token in payload response.

Step 2.2.3: Call to REST API with access token in 2.2.2

Next, use value of access token in 2.2.2 to call REST API. Because REST API use authorization with type OAUTH2, so we have to add one header with syntax :

  • Key : Authorization
  • Value : Bearer <access_token>

For example

OK, let configure on integration flow

  • Add JSON to XML converter component to convert payload JSON to XML
  • Add Content modifier to create string look like : Bearer <access_token>
  • Add content modifier component and create new header with name : Authorization
  • Add request reply component to call HTTP REST API and transfer header authorization into there
  • (1) : Endpoint of REST API
  • (2 : Method
  • (3) : Header from before step

In this time, we call integration flow from POSTMAN we will receive data from REST API success.

OK, good ! To this time, we have already configured done scenario: How to call HTTP REST API with access token which provide by Token provider with CLIENT_ID and CLIENT_SECRET. Next, we try to go deeper this scenario when REST API use more CSRF-TOKEN

Step 2.3: (Extension) – Rest API use more CSRF-TOKEN

For example in this article, go to REST API which create in step 1. At HTTP adapter sender, check into check box CSRF Protected

In this time, call this API we will receiver 403 HTTP status code Forbidden

And call from integration flow consume which created in step 2, we will receive 500 http status code

Check log in CPI, we also receiver status code 403

OK, let’s go to config

Step 2.2.1: Add more header with name x-csrf-token at component after get access token

Step 2.2.2: Add Request reply component and call to REST API with method GET and send 2 headers x-csrf-token and Authorization into there

Step 2.2.3: Add Request reply component and call to REST API with method POSTand send 2 headers x-csrf-token and Authorization into there

After this step, we have to add one more important config. If not config we still receiver 403 forbidden although send X-CSRF-TOKEN into header.

Step 2.2.4: Switch HTTP Session Reuse to On Exchange

In this step, we have to switch HTTP Session Reuse from default to On Exchange. Click anywhere outside flow, choose tab Runtime Configuration, change value of HTTP Session Reuse

OK, Now we test API from POSTMAN and receive 200 HTTP status and payload


In this article I shared step by step one scenario call external REST API with authorization by use Oauth2. Access token will be gotten from Token provider by Client ID, Client Secret, Token URL. If external REST API also use more one token called X-CSRF-TOKEN to protect API, We also can get more CSRF token and call REST API with access token. Thanks for your reading and hope this article useful. If have any advise, kindly leave your comment on this. Thanks.



  1. That’s REALLY helpful to learn CPI as beginner!!
    I’m trying to integrate with SharePoint and CPI, and getting oauth token via cpi.
    However, I did not get the token successfully.
    Wondering if you have any experience of the integration with M365 and CPI?

    Thanks in advance


  2. i have same case in which token need to be fetched from webservice and use this token along with other data in body we will get 2nd response from webservice ,will this same above described iflow will work?


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.