Creating an API for iFlow: A Step-by-Step Guide. Part 2

In one of my previous posts, I provided the steps required to create the API for iFlow.

Creating an API for iFlow: A Step-by-Step Guide
This guide aims to outline the steps required to create an API for iFlow and subsequently run the iFlow through the API. Step # 1. Develop an iFlow Begin by creating a simple iFlow. Deploy any changes made. Step # 2. Setting Up API Providers Navigate to the API section on the

At the end of that post, I mentioned an insecurity issue that needed addressing. In this post, I'll delve into fixing that issue.


You've successfully created the API that triggers iFlow. To trigger this API, you only need its URL, without requiring the client to provide any additional security details. Now, we'll require the client to provide the OAuth2 token, which should have been generated within the custom API hosted on the same BTP tenant, along with the client credentials (client ID and client secret).

You can find step-by-step instructions for creating the API to generate the OAuth2 token within the BTP client by following the link below:

Building an OAuth2 Token Generator API with SAP BTP APIM
In this post, I will provide a sequence of steps required to develop an API that generates an OAuth2 token, which can be utilized by other APIs within the same BTP instance for authorization purposes. Let’s dive in. Requirement To develop an API capable of generating an OAuth2 token and

To summarize, we'll have one API for generating the OAuth2 token and another for triggering iFlow.

Step 1. Assign a policy for API

Add a new policy to your API that triggers iFlow. This policy's purpose will be to verify the OAuth2 token generated within the other API hosted on the same BTP tenant.

Below is the XML snippet for the policy:

Step 2. Additional checks

Ensure that you have assigned your APIs to the same Product.

See Important Concepts of API Management

As an additional step, ensure that the Product containing your APIs is assigned to the Application in the API Business Hub Enterprise.

Step 3. Testing

Using your preferred client software, create a new request with the API that triggers iFlow and provide the following details for authorization:

If you are using the Postman app, ensure that you have activated the OAuth2.0 type of authorization for your API (Step #1), provided the API URL that generates the OAuth2 token in your BTP tenant (Step #2), and utilized the client id and client secret generated for your application in the API Business Hub Enterprise.

Read more