<!-- loiob9df72445c644c76b9ab76cad6015b5f -->
# OAuth Authentication with Client Credentials Grant \(Inbound\)
You can configure OAuth Client Credentials Grant authentication for inbound calls from sender systems or API clients to the integration platform.
<a name="loiob9df72445c644c76b9ab76cad6015b5f__section_wpm_s3l_zsb"/>
## How It Works - Inbound Authentication for a Sender Calling an Integration Flow
The sender \(client\) application is granted access to the associated worker node through OAuth authentication, Client Credentials Grant.
Using this variant, the authentication workflow is established at runtime in the following way:
1. In a first call, the sender requests an access token from the SAP BTP token server.

   There are the following options for the sender to authenticate itself against the token server:

   - Using client credentials
   - Using a client certificate \(either generated by SAP or by a custom tool\)

2. In a second call, the sender uses the access token to call the integration flow endpoint.

   If the access token is accepted and the authorization check is successful, the integration flow can be processed.

> ### Tip:
> For detailed information on how to set up this option, see [OAuth with Client Credentials Grant for Integration Flow Processing](oauth-with-client-credentials-grant-for-integration-flow-processing-6c052ce.md).
>
> Let's summarize the required steps and settings:
>
> - To define how the sender can call the integration flow endpoint, you create a service instance \(service plan *integration-flow*\) and a service key using SAP BTP cockpit.
>
> When defining the service instance, you specify the role that is to be used to authorize the sender to call the integration flow endpoint. You can either specify the predefined role `ESBMessaging.send` or a custom role. Furthermore, the role has to correspond to the one specified in the sender adapter of the integration flow that is addressed by the call.
>
> - For the service instance, you furthermore create a service key. In the service key, you define how the sender is to be authenticated against the token server \(either using client credentials or a client certificate\).
>
> Depending on the chosen option, the service key generated for the service instance contains values for various properties. To establish the call from the sender to the token server, the values for the following properties are required:
>
> - If you've chosen the option to use client credentials: `clientid`, `clientsecret`, `tokenurl`.
>
> - If you've chosen the option to use a client certificate: `clientid`, `certificate`, `key`, and `tokenurl`.
>
>
> The `tokenurl` value is the address of the token server.
>
> These values are required to set up the call to get the access token from the token server.
>
>
> When you've configured the service instance and service key accordingly, the authorization workflow mentioned earlier uses the relevant information at runtime in the following way:
>
> 1. The sender uses the service key data to call the token server and get the access token.
>
> 2. The sender uses the access token to call the integration flow endpoint.
>
> If the access token is accepted, the system checks the role specified for the associated service instance. If this role is identical to the one specified in the sender adapter of the integration flow endpoint \(addressed by the request\), the integration flow can be processed.
<a name="loiob9df72445c644c76b9ab76cad6015b5f__section_ckg_jvs_1tb"/>
## How It Works - Inbound Authentication for an API Client Calling the OData API
The API client is granted access to the Cloud Integration API resource through OAuth authentication, Client Credentials Grant.
Using this variant, the authentication workflow is established at runtime in the following way:
1. In a first call, the API client requests an access token from the SAP BTP token server.

   There are the following options for the API client to authenticate itself against the token server:

   - Using client credentials
   - Using a client certificate \(either generated by SAP or by a custom tool\)

2. In a second call, the API client uses the access token to call the Cloud Integration API resource.

   If the access token is accepted and the authorization check is successful, the API client can access the Cloud Integration API resource.
![By providing client credentials or a client certificate, the API client requests an access token from the SAP BTP token server. Consequently, the token server will provide the access. Then, the API client uses the access token to call the Cloud Integration API resource. The API client can access the Cloud Integration API resource, if the access token is accepted and the authorization check was successful.]()
> ### Tip:
> For detailed information on how to set up this option, see [OAuth with Client Credentials Grant for API Clients](oauth-with-client-credentials-grant-for-api-clients-20e26a8.md).
>
> Let's summarize the required steps and settings:
>
> - To define how the API client can call the Cloud Integration API resource, using SAP BTP cockpit, you create a service instance \(service plan *api*\) and associate it with a role that is to be used to authorize the API client to call the OData API. Which role you assign depends on the Cloud Integration resource you want to access through the API. For more information, see [API Details](../50-Development/api-details-014d6ad.md). Furthermore, you generate a service key for the service instance.
>
> - For the service instance, you furthermore create a service key. In the service key, you define how the API client is to be authenticated against the token server \(either using client credentials or a client certificate\).
>
> Depending on the chosen option, the service key generated for the service instance contains values for various properties. To establish the call from the API client to the token server, the values for the following properties are required:
>
> - If you've chosen the option to use client credentials: `clientid`, `clientsecret`, `tokenurl`.
>
> - If you've chosen the option to use a client certificate: `clientid`, `certificate`, `key`, and `tokenurl`.
>
>
> The `tokenurl` value is the address of the token server.
>
> These values are required to set up the call to get the access token from the token server.
>
>
> When you've configured the service instance and service key accordingly, the authorization workflow from above uses the relevant information at runtime in the following way:
>
> 1. The API client uses the service key data to call the token server and get the access token.
>
> 2. The API client uses the access token to call the Cloud Integration API.
>
> If the access token is accepted, the system checks the role specified for the associated service instance. If this role complies with the set of roles required to access the addressed Cloud Integration API resource, the call is accomplished successfully.
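
The two-call workflow described in both sections above (sender calling an integration flow, API client calling the OData API), for the client credentials option only, as an added example that is not part of the original SAP documentation. It assumes the standard OAuth 2.0 form of the token request (`grant_type=client_credentials` with HTTP Basic client authentication, RFC 6749); the service key values and URLs are constructed placeholders, and the function names are hypothetical.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed sample values; real ones come from the service key in SAP BTP cockpit.
SERVICE_KEY = {
    "clientid": "sb-example-client",
    "clientsecret": "example-secret",
    "tokenurl": "https://tenant.example.invalid/oauth/token",
}

def build_token_request(key):
    """First call: request an access token from the token server."""
    if not key["tokenurl"].startswith("https://"):
        raise ValueError("tokenurl must use HTTPS: the client secret travels in this call")
    pair = f"{key['clientid']}:{key['clientsecret']}".encode()
    return urllib.request.Request(
        key["tokenurl"],
        data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode(),
        method="POST",
        headers={
            "Authorization": "Basic " + base64.b64encode(pair).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )

def parse_token_response(raw):
    """Return (access_token, expires_in); reject anything that is not a bearer token."""
    doc = json.loads(raw)
    if str(doc.get("token_type", "")).lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("token server did not return a bearer access token")
    return doc["access_token"], int(doc.get("expires_in", 0))

def build_endpoint_request(endpoint_url, access_token, payload=None):
    """Second call: present the access token to the endpoint."""
    return urllib.request.Request(
        endpoint_url,
        data=payload,
        method="POST" if payload is not None else "GET",
        headers={"Authorization": f"Bearer {access_token}"},
    )

def call_endpoint(key, endpoint_url, payload=None, send=urllib.request.urlopen):
    """Run both calls in order; `send` is injectable so the flow can be tested offline."""
    with send(build_token_request(key)) as resp:
        token, _expires_in = parse_token_response(resp.read())
    with send(build_endpoint_request(endpoint_url, token, payload)) as resp:
        return resp.status, resp.read()
```

The access token can be reused for later calls until `expires_in` seconds have passed, so a client does not need to repeat the first call for every message.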