Using Cloud Integration APIs with Tools on Cloud Foundry: Creating a Service Key

There are resources on this topic, but it was hard to understand for me at the first sight, and there were questions about how to use tools like CPI Explorer in the CF environment.

This is my attempt to create a clear post for referring basis teams. Also, you can find more detailed documentation at the bottom of the article.

I like text with pictures! So, let’s start.


Services > Instances and Subscriptions > Create

  • Process Integration Runtime
  • api

Give it a cli-friendly name, click “Next”.

“password” lets you use client_id and client_secret as basic auth. But it doesn’t work with “api” plan. (For “integration-flow” plan, you can give it to clients that call HTTP endpoints in the flows.)

If you choose JSON here is a list of available roles, you can edit the text and paste it. You can switch between Form and JSON views, they keep the same values.

{ "grant-types": [ "client_credentials", "password" ], "redirect-uris": [], "roles": [ "WorkspacePackagesTransport", "WorkspacePackagesRead", "QueuesActivate", "AccessAllAccessPoliciesArtifacts", "AccessPoliciesEdit", "AccessPoliciesRead", "AuthGroup_Administrator", "AuthGroup_BusinessExpert", "AuthGroup_ContentPublisher", "AuthGroup_IntegrationDeveloper", "AuthGroup_ReadOnly", "AuthGroup_TenantPartnerDirectoryConfigurator", "CatalogPackageArtifactsRead", "CatalogPackagesCopy", "CatalogPackagesRead", "CredentialsEdit", "DataStorePayloadsRead", "DataStoresAndQueuesConfig", "DataStoresAndQueuesDelete", "DataStoresAndQueuesRead", "HealthCheckMonitoringDataRead", "MessagePayloadsRead", "MessageProcessingLocksDelete", "MessageProcessingLocksRead", "MonitoringArtifactsDeploy", "MonitoringDataRead", "QueuesRetry", "SecurityMaterialDownload", "SecurityMaterialEdit", "TraceConfigurationEdit", "TraceConfigurationRead", "WorkspaceArtifactLocksDelete", "WorkspaceArtifactLocksRead", "WorkspaceArtifactsDeploy", "WorkspacePackagesConfigure", "WorkspacePackagesEdit" ]

Just click “Create”

Wait for a while.

When you click on the instance, a pane on the right appears. Click “Create” under Service Keys.

Just give it a name and click “Create”

You will need client_id, client_secret, and tokenurl.

Get “tokenurl” at the bottom:

That is all.

Example client: CPI Explorer

Tenant management hostname is the same with “url” in the JSON, or the URL where integration developers work.

Enter client_secret:


Related SAP documentation

Setting Up OAuth Inbound Authentication with Client Credentials Grant for API Clients, Cloud Foundry Environment

If you are using another Identity Provider:
Setting Up Basic Inbound Authentication of an IdP User for API Clients, Cloud Foundry Environment

Creating OAuth Client Credentials for Cloud Foundry Environment

Managing User Roles, Cloud Foundry Environment

List of all permissions:

Related blog posts

Technical / Service user Cloud Platform Integration for Inbound Communication

Integration Suite – Accessing Cloud Integration Runtime

Self-Service Enablement of Cloud Integration Service on Cloud Foundry Environment