We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/1nbuc/mcp-integration-suite'
If you have feedback or need assistance with the MCP directory API, please join our Discord server
<!-- loiod9ca0ac0b8704381a3fef0bcbb553b3f -->
# Client Certificate Authentication for API Clients
The API client authenticates itself with a client certificate when calling the Cloud Integration OData API. At runtime, the system checks if a service key is available that contains the client certificate provided by the sender. If a service key is available, the system then checks if the associated service instance has a role specified that grants permissions to call the API resource.
<a name="loiod9ca0ac0b8704381a3fef0bcbb553b3f__context_jwy_4st_5hb"/>
## Context
> ### Tip:
> This authentication method is considered a secure option for HTTP inbound connections.
As client certificate, you can either use an own \(*external*\) certificate or one generated by SAP, see [Service Key Types](service-key-types-0fc1446.md).
For more information, check out [Client Certificate Authentication \(Inbound\)](client-certificate-authentication-inbound-4ec6192.md) \(explains the concepts and how this authentication option works\).
<a name="loiod9ca0ac0b8704381a3fef0bcbb553b3f__steps_kwy_4st_5hb"/>
## Procedure
1. Look up the role to be used to authorize the API client to access the related Cloud Integration resource using the API.
See: [Tasks and Permissions for Cloud Integration](../60-Security/tasks-and-permissions-for-cloud-integration-556d557.md)
2. In SAP BTP cockpit, select the subaccount that hosts your SAP Integration Suite virtual environment and create a service instance and service key.
Proceed as described under [Creating Service Instance and Service Key for Inbound Authentication](creating-service-instance-and-service-key-for-inbound-authentication-19af5e2.md).
For this use case, specify the service instance and service key parameters as follows:
****
<table>
<tr>
<th valign="top">
</th>
<th valign="top" colspan="3">
Service Instance
</th>
<th valign="top" colspan="4">
Service Key
</th>
</tr>
<tr>
<th valign="top">
Option \(Certificate Type\)
</th>
<th valign="top">
Plan
</th>
<th valign="top">
Roles
</th>
<th valign="top">
Grant-types
</th>
<th valign="top">
Key Type
</th>
<th valign="top">
External Certificate
</th>
<th valign="top">
Validity
</th>
<th valign="top">
Key Size
</th>
</tr>
<tr>
<td valign="top">
SAP certificate
</td>
<td valign="top">
*api*
</td>
<td valign="top">
Select role according to the API resource to access.
See: [Tasks and Permissions for Cloud Integration](../60-Security/tasks-and-permissions-for-cloud-integration-556d557.md)
</td>
<td valign="top">
*Client Credentials*
</td>
<td valign="top">
*Certificate*
</td>
<td valign="top">
n.a.
</td>
<td valign="top">
Specify validity in days.
</td>
<td valign="top">
Specify key size.
</td>
</tr>
<tr>
<td valign="top">
External certificate
</td>
<td valign="top">
*api*
</td>
<td valign="top">
Select role according to the API resource to access.
See: [Tasks and Permissions for Cloud Integration](../60-Security/tasks-and-permissions-for-cloud-integration-556d557.md)
</td>
<td valign="top">
*Client Credentials*
</td>
<td valign="top">
*External Certificate*
</td>
<td valign="top">
Add PEM-encoded X.509 certificate.
</td>
<td valign="top">
n.a.
</td>
<td valign="top">
n.a.
</td>
</tr>
</table>
<a name="loiod9ca0ac0b8704381a3fef0bcbb553b3f__postreq_fkj_h2t_1tb"/>
## Next Steps
Configure the request from the API client to the Cloud Integration OData API, see [HTTP Calls and URI Components](../50-Development/http-calls-and-uri-components-ca75e12.md).
With the request, the API client has to pass on a certificate chain that contains a root certificate supported by the load balancer, see [Load Balancer Root Certificates Supported by SAP](load-balancer-root-certificates-supported-by-sap-4509f60.md). Otherwise, the load balancer doesn't pass on the client certificate to SAP Integration Suite .
- When you use an SAP-generated client certificate \(with *Key Type* set to *Certificate*\), the service key contains a certificate chain and a private key, see [Creating Service Instance and Service Key for Inbound Authentication](creating-service-instance-and-service-key-for-inbound-authentication-19af5e2.md). The certificate chain contains already a root certificate supported by the load balancer.
You can use these values to configure the request.
> ### Note:
> To enable the related HTTP client to support this authentication option, you need to format the certificate \(including the certificate chain\) and the key accordingly. In particular, make sure to replace all `\n` in the SAP-generated certificate or key by line breaks.
>
> A suitable certificate, for example, would then look like the following:
>
> ```
> -----BEGIN CERTIFICATE-----
> MIIFtDCCA5ygAwIBAgIQCUFIj6cfjiSfZi/ZvVU6IDANBgkqhkiG9w0BAQsFADB5
> ................................................................
> ................................................................
> ................................................................+
> LvHPhNDM3rMsLu06agF4JTbO8ANYtWQTx0PVrZKJu+8fcIaUp7MVBIVZ
> -----END CERTIFICATE-----
> ```
- When you use an external certificate \(with *Key Type* set to *External Certificate*\), the service key displays only the public key certificate provided by you, see [Creating Service Instance and Service Key for Inbound Authentication](creating-service-instance-and-service-key-for-inbound-authentication-19af5e2.md). To configure the request, use the key pair exported from the application used to generate the client certificate.