As enterprises integrate with a growing number of APIs across cloud and on-premise systems, securing those interfaces becomes critical. One of the most straightforward and widely used methods for securing APIs is API Key Authentication. SAP Cloud Platform Integration (CPI) supports API key usage to authenticate and authorize access to APIs in a secure and manageable way.
This article explains what API Key Authentication is, when to use it, and how to implement it in CPI integration flows.
An API key is a unique identifier — usually a long alphanumeric string — issued by an API provider to authenticate requests. When a client sends a request to an API endpoint, it includes the API key in the header or as a query parameter. The server verifies the key and grants access if it is valid.
However, API keys are not inherently secure if transmitted without encryption. Therefore, they should always be used over HTTPS.
Get the API key from the service provider. It may come with usage limits and scopes, so ensure it matches your intended use.
Most APIs require the API key to be passed in the Authorization header or in a custom header such as x-api-key.
Use a Content Modifier Step to set the header:
Add a Content Modifier before the HTTP Receiver.
Go to the Headers tab.
Add a new header:
Name: Authorization or x-api-key (as specified by the API).
Value: Bearer YOUR_API_KEY or just the key string.
For example:
Header Name: x-api-key
Header Value: Abcd1234EFGH5678ijkl
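Alternatively, pass the key as a query parameter if the API supports it. Query strings are commonly written to access and proxy logs, so prefer the header where the API allows either.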
Configure the HTTP Receiver Adapter:
API keys are sensitive credentials and must be protected:
When exposing APIs via CPI (using the HTTPS Sender adapter), you can validate incoming API keys:
401 Unauthorized status if the key is invalid.
Example Groovy Script:
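import com.sap.gateway.ip.core.customdev.util.Message
import java.security.MessageDigest

def Message processData(Message message) {
    // Read the API key the caller sent in the x-api-key header
    def incomingKey = message.getHeaders().get("x-api-key") as String
    // Example value from this article; do not hard-code a real key in the script
    def expectedKey = "Abcd1234EFGH5678ijkl"
    // Reject a missing key; compare in constant time so timing does not leak key contents
    if (!incomingKey || !MessageDigest.isEqual(incomingKey.getBytes("UTF-8"), expectedKey.getBytes("UTF-8"))) {
        throw new com.sap.gateway.ip.core.customdev.util.MessageProcessingException(
            message, "Unauthorized access: Invalid API Key")
    }
    return message
}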
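The sample script above keeps the expected key in the script body. As an added example (not part of the original article), the following variant reads the key from the tenant's secure store instead, for both the outbound header and the inbound check. The aliases PARTNER_API_KEY and INBOUND_API_KEY are assumed names for User Credentials artifacts that hold the key in the password field.

```groovy
import com.sap.gateway.ip.core.customdev.util.Message
import com.sap.it.api.ITApiFactory
import com.sap.it.api.securestore.SecureStoreService
import java.nio.charset.StandardCharsets
import java.security.MessageDigest

// Return the password field of a deployed User Credentials artifact.
// The alias names used below are assumptions; rename them to match your tenant.
private String loadKey(String alias) {
    SecureStoreService store = ITApiFactory.getService(SecureStoreService.class, null)
    def credential = store.getUserCredential(alias)
    if (credential == null) {
        throw new IllegalStateException("No credential deployed for alias " + alias)
    }
    return new String(credential.getPassword())
}

// Outbound: script step placed before the HTTP Receiver, so the key is
// never typed into a Content Modifier or stored in the flow design.
def Message addApiKey(Message message) {
    message.setHeader("x-api-key", loadKey("PARTNER_API_KEY"))
    return message
}

// Inbound: script step placed right after the HTTPS Sender.
// Assumes x-api-key is listed under the flow's Allowed Header(s),
// otherwise the header does not reach the script.
def Message validateApiKey(Message message) {
    def incoming = message.getHeaders().get("x-api-key")
    byte[] presented = (incoming ?: "").toString().getBytes(StandardCharsets.UTF_8)
    byte[] expected = loadKey("INBOUND_API_KEY").getBytes(StandardCharsets.UTF_8)
    // A missing header fails first; otherwise compare in constant time so
    // response timing does not reveal how much of the key matched.
    if (!incoming || !MessageDigest.isEqual(presented, expected)) {
        // The message text deliberately omits the presented value.
        throw new IllegalStateException("Unauthorized access: Invalid API Key")
    }
    return message
}
```

Select addApiKey or validateApiKey as the script function in the corresponding Script step. Rotating a key then means redeploying the credential artifact, not editing the flow.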
API Key Authentication is a simple and effective way to secure communication between SAP CPI and external APIs. While it doesn’t offer the complexity of OAuth 2.0, it’s ideal for straightforward use cases and lightweight integrations. By following best practices and securing API keys properly, you can ensure safe and controlled access to APIs across your enterprise landscape.