SAP Community - SAP Business Technology Platform

store credentials for destination in MTA file

2026-01-08T17:12:12.805000+01:00

Hello Experts

I am using the Destination service in SAP BTP, and the destination is consumed by an SAP CAP application (Node.js).

Currently, the destination is defined in mta.yaml, and for an on-premise system (via Cloud Connector) it requires BasicAuthentication.

I want to avoid hardcoding credentials (user/password) in mta.yaml.

What is the recommended and secure way to manage credentials for destinations used by CAP applications?

Any guidance or best practices for production scenarios would be appreciated.

- name: <name>-destination
  type: org.cloudfoundry.managed-service
  requires:
    - name: srv-api
  parameters:
    service: destination
    service-plan: lite
    config:
      HTML5Runtime_enabled: true
      init_data:
        instance:
          destinations:
            - Name: <name>-srv
              URL: ~{srv-api/srv-url}
              Authentication: NoAuthentication
              Type: HTTP
              ProxyType: Internet
              HTML5.ForwardAuthToken: true
              HTML5.DynamicDestination: true
              HTML5.Timeout: 600000

            - Name: ui5
              Authentication: NoAuthentication
              ProxyType: Internet
              Type: HTTP
              URL: https://ui5.sap.com

            - Name: S4_TECH
              URL: http://<ON_PREMISE_HOST>:<PORT>
              Type: HTTP
              ProxyType: OnPremise
              Authentication: BasicAuthentication
              User: "<TECH_USER>"
              Password: "<REDACTED>"
              sap-client: "<CLIENT>"
              CloudConnectorLocationId: "<LOCATION_ID>"
              Description: "Technical destination for nightly sync"
          existing_destinations_policy: update

store credentials for destination in MTA file

2026-01-14T00:15:56.228000+01:00

Hello Experts

I am using the Destination service in SAP BTP, and the destination is consumed by an SAP CAP application (Node.js).

Currently, the destination is defined in mta.yaml, and for an on-premise system (via Cloud Connector) it requires BasicAuthentication.

I want to avoid hardcoding credentials (user/password) in mta.yaml.

What is the recommended and secure way to manage credentials for destinations used by CAP applications?

Any guidance or best practices for production scenarios would be appreciated.

- name: <name>-destination
  type: org.cloudfoundry.managed-service
  requires:
    - name: srv-api
  parameters:
    service: destination
    service-plan: lite
    config:
      HTML5Runtime_enabled: true
      init_data:
        instance:
          destinations:
            - Name: <name>-srv
              URL: ~{srv-api/srv-url}
              Authentication: NoAuthentication
              Type: HTTP
              ProxyType: Internet
              HTML5.ForwardAuthToken: true
              HTML5.DynamicDestination: true
              HTML5.Timeout: 600000

            - Name: ui5
              Authentication: NoAuthentication
              ProxyType: Internet
              Type: HTTP
              URL: https://ui5.sap.com

            - Name: S4_TECH
              URL: http://<ON_PREMISE_HOST>:<PORT>
              Type: HTTP
              ProxyType: OnPremise
              Authentication: BasicAuthentication
              User: "<TECH_USER>"
              Password: "<REDACTED>"
              sap-client: "<CLIENT>"
              CloudConnectorLocationId: "<LOCATION_ID>"
              Description: "Technical destination for nightly sync"
          existing_destinations_policy: update

JSON Payload Download Implementation in RAP Application

2026-01-15T05:43:26.518000+01:00

Hello Expert,

I am currently working on a custom RAP (RESTful ABAP Programming Model) Application in SAP S/4HANA Public Cloud. In this application, we use an API to send data to an external portal.

Now there is a new requirement when the user clicks a button, the JSON payload that is used in the ABAP program for sending data via the API should be downloaded in JSON format.

For this purpose, I have already created a custom action in the Behavior Definition, and the button is visible in the Application. My question is how to implement the download functionality so that the same JSON payload used for the API call can be downloaded by the user in JSON format and Also, please explain how to implement the JSON download functionality in the RAP application with step by step guidance.

Thank you,

Combining apps from different Work Zone Content Providers/Packages in one CDM

2026-01-17T00:21:52.768000+01:00

--- Please ignore this question --- See here https://community.sap.com/t5/technology-q-a/combining-apps-cards-from-multiple-content-providers-packages-in-one-cdm/qaq-p/14308986 ---

Dear experts in this space and dear broader SAP community,

I am trying to combine apps from different Work Zone Content Providers/Packages in one CDM (Common Data Model) definition of another Content Provider. Example - One Content Package/Provider is providing some cards/apps to my Work Zone tenant, and I would like to consume these cards/apps in a Work Space CDM definition of another Content Provider.

Similar things can be done using the Work Zone Content Manager allowing to combine apps/cards from different Content Providers/Packages into one Work Page. Nevertheless, I couldn't figure out how to do this within a CDM definition. Prefixing the app ID with the other Content Provider ID (see below) did not do the job (e.g., content.provider_app.id). Any help or input is highly appreciated.

My goal is to have a CDM, that contains a Work Page, that references apps from multiple other Content Packages/Providers.

@matthias_schmalz @gregorw @jmargieh - Maybe you have already done something similar?

Thanks in advance and all the best,
Martin

{
    "_version": "3.2.0",
    "identification": {
      "id": "combined-workpage",
      "entityType": "workpage",
      "title": "{{Title}}"
    },
    "payload": {
      "workpageConfig": {
        "title": "Combined Work Page"
      },
      "rows": [
        {
          "id": "row-1",
          "rowConfig": {},
          "columns": [
            {
              "id": "col-11",
              "columnConfig": {},
              "cells": [
                {
                  "id": "cell-11",
                  "cellConfig": {},
                  "widgets": [
                    {
                      "id": "widg-11",
                      "viz": {
                        "appId": "other.package_cards.forecast.app",
                        "vizId": "other.package_cards.forecast.viz" 
                      }
                    },
                    {
                      "id": "widg-12",
                      "viz": {
                        "appId": "applocalprovider",
                        "vizId": "applocalprovider-display"
                      }
                    }
                  ]
                }
              ]
            }
          ]
        }
      ]
    },
    "texts": [
      {
        "locale": "",
        "textDictionary": {
          "Title": "User Page"
        }
      }
    ]
  },

Combining apps/cards from multiple Content Providers/Packages in one CDM (Common Data Model)

2026-01-17T00:29:32.723000+01:00

Dear experts in this space and dear broader SAP community,

My goal is to have a CDM, that contains a Work Page, that references apps from multiple other Content Packages/Providers.

@matthias_schmalz @gregorw @jmargieh - Maybe you have already done something similar?

Thanks in advance and all the best,
Martin

{
    "_version": "3.2.0",
    "identification": {
      "id": "combined-workpage",
      "entityType": "workpage",
      "title": "{{Title}}"
    },
    "payload": {
      "workpageConfig": {
        "title": "Combined Work Page"
      },
      "rows": [
        {
          "id": "row-1",
          "rowConfig": {},
          "columns": [
            {
              "id": "col-11",
              "columnConfig": {},
              "cells": [
                {
                  "id": "cell-11",
                  "cellConfig": {},
                  "widgets": [
                    {
                      "id": "widg-11",
                      "viz": {
                        "appId": "other.package_cards.forecast.app",
                        "vizId": "other.package_cards.forecast.viz" 
                      }
                    },
                    {
                      "id": "widg-12",
                      "viz": {
                        "appId": "applocalprovider",
                        "vizId": "applocalprovider-display"
                      }
                    }
                  ]
                }
              ]
            }
          ]
        }
      ]
    },
    "texts": [
      {
        "locale": "",
        "textDictionary": {
          "Title": "User Page"
        }
      }
    ]
  },

Shopify Admin Access Token Limits & Approach to Generate Offline Token via Developer Dashboard

2026-01-20T07:32:28.166000+01:00

Background
Shopify has introduced limitations on Admin API access tokens at the store level, and at the same time legacy custom apps are being deprecated (no new legacy apps after Jan 1, 2026).

For integrations such as SAP CPI / SAP BTP / SAP Commerce / SAP Concur, we often need a non-expiring (offline) Admin API access token for backend-to-backend communication.

This post explains a parallel and supported approach to generate an offline Admin API access token using the Shopify Developer Dashboard, instead of relying on store-level custom apps.

Why This Approach?

Avoids store-level admin token limitations
Works with offline access (non-expiring token)
Suitable for SAP integrations (CPI, BTP, ECC, S/4HANA, etc.)
Uses Shopify Dev Dashboard apps, not legacy custom apps

Step-by-Step: Generate Offline Admin API Access Token

1.Create App in Shopify Developer Dashboard

Log in to the Shopify Developer Dashboard
Create a new app
Select the target store during app setup

2.Configure App Version & Scopes

Navigate to Versions
Create a new version (example: v0.1)
Select all required Admin API Scopes (permissions)
Copy the scopes into Notepad (you’ll need them later)

3.Enable Legacy Install Flow

This is important for offline token generation.

In the version settings:

Set “Use legacy install flow” = True

4.Set Redirect URL
Under Allowed redirection URL(s), add:

https://localhost/

5.Release the App Version
Click Release

This makes the version active and installable

6. Get Client Credentials
Go to Settings and copy:

Client ID

Client Secret

Generate Admin API Authorization Code
7. Construct Authorization URL
Replace the placeholders with your actual values:

https://{SHOP_NAME}.myshopify.com/admin/oauth/authorize?client_id={CLIENT_ID}&scope={SCOPES}&redirect_uri=https://localhost/&response_type=code

Notes:

{SHOP_NAME} → Shopify store name

{CLIENT_ID} → From Developer Dashboard

{SCOPES} → Paste all scopes copied earlier (comma-separated)

8. Install App & Capture Code
Open the constructed URL in a browser

Click Install

You’ll be redirected to a broken localhost page or redirected page (expected behavior)

In the browser address bar, copy the value after:

code=

Important:

Authorization code expires in 60 seconds

If the page doesn’t load:

Press Enter once

Immediately copy the full URL

Extract the code parameter

Exchange Code for Offline Admin Access Token
9. Call Shopify Token API (POST)
Endpoint:

https://{STORE_NAME}.myshopify.com/admin/oauth/access_token
Headers:

Content-Type: application/json

Body (JSON):

{
"client_id": "CLIENT_ID_FROM_DEV_DASHBOARD",
"client_secret": "CLIENT_SECRET_FROM_DEV_DASHBOARD",
"code": "CODE_FROM_BROWSER"
}
10. Result
Shopify returns an offline Admin API access token

Token does NOT expire
Can be safely stored and used in SAP integrations

Now you will have Access token where you can use it in header param (X-Shopify-Access-Token) and graphql API ( https://StoreName.myshopify.com/admin/api/2025-01/graphql.json) and graphql query 🙂

Key Takeaways

Shopify store-level admin tokens now have limitations
Legacy custom apps are being phased out
Developer Dashboard apps + legacy install flow provide a reliable workaround
This method is ideal for SAP CPI / SAP BTP / backend integrations
Offline Admin API token is permanent unless revoked

Azure name and family name routing

2026-01-20T09:13:52.518000+01:00

Hi,

We have apps deployed to cloud foundy on a global account.
We have apps both in a space and in the HTML 5 repo.
We sometimes use a dedicated approuter and sometimes we deploy our own.

We have app users that connect using an Azure trust configuration in the subaccount.
We also have platform users using SAP's default IDP to login with an S-user.
This means that when a user wants to use an app or login to BTP cockpit he needs to choose which authentication to use, SAP's default identity provider or the Azure connection.

I was asked to allow users to login without having to make this selection.
I setup and IAS trust configuration and inside the IAS I defined the Azure IDP and routing based on email hostname.
Now users are greated by the IAS login and when they input their azure email it redirects them to login using azure and when platform users use their email they login directly through IAS versus the users' creds I defined in the IAS.

The problem:
All our apps get data about the currently logged in user(to the app) via the approuter's /userinfo.
Now after setting up the IAS and the routing, if i log in as an Azure user i see in the devtools im not getting name and family name in the /userinfo any more, only email information.
I tried all orts of manipulations in the IAS but i cant see to get it to display name and family name like it does with a direct azure trust configuration.
Is there any IAS configuration solution to this issue or must we modify all our apps?

Forms Service by Adobe (BTP): Persistent "No client with requested id" Error after Configuration

2026-01-20T20:49:08.473000+01:00

Hello SAP Community,

I am seeking assistance with a persistent authentication issue while setting up SAP Forms Service by Adobe in the BTP Cloud Foundry environment.

Despite following the standard setup documentation, I am unable to access the Template Store UI. I consistently receive the following error: No client with requested id: sb-ads-xsappname!b65488

What I have configured so far:

Entitlements: Added "Forms Service by Adobe" and "Forms Service by Adobe API" (free plans).
Subscription: Successfully subscribed to "Forms Service by Adobe" (default plan).
Instance: Created a service instance for "Forms Service by Adobe API" in my space.
Role Collections: Created and assigned a Role Collection containing ADSAdmin and TemplateStoreAdmin.
Direct Access: I have tried accessing the UI via the "Go to Application" link and via the direct URL found in the destination configuration.

Steps taken to resolve the issue (but failed):

Verified that the Application Identifier in the Role Collection matches the subscription.
Unsubscribed and re-subscribed to force a new OAuth registration.
Cleared browser cache and used Incognito/Guest modes.
Waited for propagation (over 30 minutes).

It seems the XSUAA service is still looking for a specific client ID (!b65488) that perhaps isn't being correctly mapped or registered in the Trust Configuration.

System Details:

Environment: Cloud Foundry
Region: US10
Identity Provider: Default and Custom

Has anyone encountered this specific mismatch before? Is there a way to force a refresh of the OAuth2 clients in the subaccount, or is this a backend issue that requires an SAP Support ticket?

Thank you for your help!

Issue with Phone Verification for SAP BTP Trial

2026-01-29T12:37:06.116000+01:00

Hello, I am trying to activate my SAP BTP Trial account, but I cannot complete the phone verification step. I did not receive the SMS confirmation code, and the system shows the message: “We did not send a code because you are not authorized to request phone calls. Please contact the system administrator.”

Since this is a student account, I do not have a system administrator to contact. Could you please advise how I can resolve this issue or how to get support for phone verification?

Thank you in advance for your help!

How to Implement Schema Separation for Multitenancy with PostgreSQL on SAP BTP?

2026-02-02T12:31:10.726000+01:00

Hi everyone,

I am currently following the SAP Discovery Center mission "Develop a multitenant SaaS application on SAP BTP using CAP", and I have a question regarding the use of PostgreSQL on SAP BTP (hyperscaler option) as a shared database in a SaaS environment.

The architecture guidelines for data separation in multitenant SaaS applications using CAP recommend the schema separation approach because of its flexibility and cost-effectiveness.

With SAP HANA Cloud, this can be achieved using HDI containers. What technique or recommended approach exists in this case to implement tenant-based schema separation with PostgreSQL on SAP BTP?

Thanks in advance

Unable to Verify Telephone Number

2026-02-03T15:32:34.010000+01:00

Hey, could you please help me with the verification? I'm encountering the same error every time.

SAP BTP and clean core.

2026-02-08T16:28:09.524000+01:00

Let’s discuss.

What does “Clean Core” really mean in your organisation today — zero custom code, or controlled extensibility via BTP?
Where do Clean Core programs fail most often: technical design, governance, or business buy-in?
Is Clean Core achievable without a strong BTP strategy — or is BTP effectively mandatory now?

Sap BTP innovation

2026-02-08T16:41:34.131000+01:00

I M interested to hear from experts, what you think about these .

1. Are teams using BTP as a strategic platform, or has it become just another integration and extension toolbox

2. Which BTP capability delivers the most real value today: Integration Suite, CAP, Event Mesh, or AI services

3. How are you preventing BTP from becoming the new custom-code dumping ground?

Cannot deploy CAP application in SAP BTP Trial – stuck at "Deploying the Application"

2026-02-10T08:37:31.119000+01:00

Hello,

I am following this SAP Learning course using a SAP BTP Trial account:

https://learning.sap.com/courses/develop-extensions-with-cap-following-the-sap-btp-developer-s-guide/deploying-the-application-1

I am currently stuck at the "Deploying the Application" step.

When I try to deploy the application, the deployment fails and does not complete successfully.

My environment:

- SAP BTP Trial account

- SAP Business Application Studio

- CAP project

I followed the tutorial steps, but I still get errors during deployment.

Is this issue related to Trial account limitations, outdated tutorial steps, or environment settings?

Could you please advise how to resolve this issue or how to troubleshoot it?

Thank you in advance.

Proper End-to-End Steps to Consume SAP Business Accelerator Hub APIs in SAP Integration Suite (OAuth

2026-02-10T12:29:13.028000+01:00

I’m trying to integrate SAP Integration Suite (CPI) with APIs from SAP Business Accelerator Hub.

I initially used API keys via HTTP headers, but ran into 401/403 errors, which made it unclear:

when API keys are sufficient, and
when OAuth 2.0 is mandatory.

I’m also confused about the exact BTP services and steps required to obtain OAuth client credentials for real SAP S/4HANA Cloud APIs, especially compared to sandbox APIs that seem to work with API keys only.

I’m looking for a clear end-to-end explanation of:

When to use API Key vs OAuth 2.0
How sandbox APIs behave (read-only / mock data)
Exact BTP steps to obtain OAuth credentials for S/4HANA Cloud APIs
How to configure CPI correctly to consume these APIs

issue VSCODE connect to ABAP on BTP

2026-02-12T18:01:16.737000+01:00

Hi Guys, we have an abap system on BTP, its okay the connection to develop Fiori apps using BAS

We are facing issues to develop locallly using VSCODE, i have error 401 when im trying to add Sap System abap on BTP:

Okay, its authorization issue, but i dont have place to import service key here.

Any Idea how to solve it?

How to get the security related incidents alert from BTP Applications

2026-02-17T20:08:33.113000+01:00

Team,

We need to know how to get the alerts from BTP applications if security related incidents happens.

Regards,

------------------------------------------------------------------------------------------------------------------------------------------------
Learn more about the SAP Support user and program here.

Can't create package in ZLOCAL in shared instance SAP BTP Free Trail

2026-02-18T13:42:03.440000+01:00

Ignore the question - I found solution, I just have updated my ADT tool to last version and issue is gone.

Hi, Colleagues,

I have just executed booster 'Prepare Account for ABAP Trail' and logged into system via Eclipse. I can't create subpackage under ZLOCAL. The button 'Finish' is disabled and when I try to hit the button 'Next', I just stay on the same screen and no errors are got.

Trail in US region:

I see others packages are adding, but I can't create. Any help, colleagues?

Instance for Data Attribute Recommendation cannot be created

2026-02-18T14:42:19.386000+01:00

Hello, wanted to try out Data Attribute Recommendation in SAP Hana Trial account. In December it was working fine, but when I tried again in February, Instance creation is stuck. Creating service Data Attribute Recommendation takes a long time, about a day, after which an error occurs that the wait time has been exceeded.

Steps to recreate:

Created SAP Hana trial.
Created AWS US-east subaccount.
Used either Booster to set up account for Data Attribute Recommendation or created service manually (tried with different Runtime Environments, and each time subaccount was deleted and created anew)
After near a day long wait, error occurs about waiting time being exceeded

Resolving Missing HDI Build Plugin in Multi-Tenant SAP HANA Deployment

2026-02-21T06:34:24.005000+01:00

In a multi-tenant SAP HANA Cloud application using HDI containers for tenant isolation, the error "Could not find the 'com.sap.hana.di.schedulerjob' build plugin" occurs when new release artifacts require additional DI (Data Integration) plugins not present in consumer tenant containers.[1][2][3]

Scenario
Your production multi-tenant application serves live consumer tenants, each isolated in dedicated HDI containers for security and data segregation. A recent release introduced new HANA artifacts (e.g., tables, views) needing extra build plugins like `com.sap.hana.di.schedulerjob` for scheduler job support during HDI deployment or updates via tools like `cds deploy --to hana`.

Root Cause
Consumer tenant HDI containers lack the required DI plugins and admin privileges for library configuration, blocking Retriever deployments that trigger database updates. Standard CAP multitenancy provisions containers but doesn't auto-configure release-specific plugins across all tenants.

Resolution Steps
1. Grant Script Execution Rights: As database admin (e.g., SYSTEM user), assign `EXECUTE` privileges on target consumer containers to a dedicated script user (e.g., `<NEW_CONTAINER_ADMIN>`):
```
GRANT EXECUTE ON <container_name> TO <NEW_CONTAINER_ADMIN>;
```

2. Execute Privilege and Library Setup Scripts (connect as `<NEW_CONTAINER_ADMIN>` to the target container):
```sql
CREATE LOCAL TEMPORARY COLUMN TABLE #PRIVILEGES LIKE _SYS_DI.TT_API_PRIVILEGES;
INSERT INTO #PRIVILEGES (PRINCIPAL_NAME, PRIVILEGE_NAME, OBJECT_NAME)
SELECT '<NEW_CONTAINER_ADMIN>', PRIVILEGE_NAME, OBJECT_NAME
FROM _SYS_DI.T_DEFAULT_CONTAINER_ROLE_ADMIN_PRIVILEGES;
CALL <container_name>#DI.GRANT_CONTAINER_API_PRIVILEGES(#PRIVILEGES, _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);
DROP TABLE #PRIVILEGES;
CALL <container_name>#DI.CONFIGURE_LIBRARIES(_SYS_DI.T_DEFAULT_LIBRARIES, _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);
```
- The `?` placeholders capture output parameters (e.g., success flags, error details) – bind variables like `VARCHAR(100)` for each.
- `_SYS_DI.T_DEFAULT_CONTAINER_ROLE_ADMIN_PRIVILEGES` provides standard admin privileges.
- `_SYS_DI.T_DEFAULT_LIBRARIES` enables core plugins including schedulerjob for build-time artifact deployment.[3]

3. Trigger Retriever Deployment: Run your update process (e.g., `cds deploy` or CI/CD pipeline) to apply new artifacts. Tenant containers now support the missing plugin.

Key Learnings for Blog
- Proactive Plugin Check: Before releases, verify required DI plugins via `CALL <container>#DI.GET_CONTAINER_INFO()` and document in CI/CD.
- Automation Opportunity: Integrate these scripts into SaaS provisioning callbacks (e.g., via SAP Service Manager) for on-subscribe upgrades.
- Best Practice: Use separate HDI containers per tenant; reuse HANA instances across apps but isolate via Service Manager instances to avoid data loss on unsubscription.
- Monitoring: Post-fix, confirm via `_SYS_DI.T_CONTAINER_LIBRARIES` that `com.sap.hana.di.schedulerjob` is active.

This manual fix ensures zero-downtime updates in live multi-tenant environments while maintaining isolation. Test in dev tenants first.