Skip to Content

How to protect OData API Key in SAPUI5 App?

Apr 16 at 01:00 PM


avatar image

Hi Community

I am working with a couple of API's that authenticate via the help of an API Key used to retrieve a token used for subsequent API queries (SuccessFactors LMS OData and SAP LiveLink). I can request the token and make queries via ajax request in a SAPUI5 app and destinations configured in the Cloud Platform.

My concern is that these keys are at the moment stored in the SAPUI5 app, and attached to the ajax requests as headers, when retrieving the token. I would prefer not to have them stored in this way, as to my knowledge there is no way of hiding this information from the client.

I have been investigating a few ideas, but can't find any information or documentation to support these ideas as feasible.

1. I was wondering if the API key can be added to the destination in the Cloud Platform Cockpit, so that they are automatically sent along as headers each time the destination is used in the SAPUI5 app.

2. Could it be stored in the neo-app.json file? As the access to this file can be restricted.

Or is there only truly one option, of having a server side solution for the retrieval of the API Token? Something I would prefer to avoid to reduce load times and architectural dependencies.

I hope somebody has faced this issue before and has a good solution they can share :)

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

3 Answers

Best Answer
Gregor Wolf
Apr 16 at 02:46 PM

Are you talking about a UI5 application running only in the browser? Then this keys should not be persisted there. I think the SF LMS OData API which I found documented here is more intended to be consumed by a middleware i.e. Node.js oder Java Application that runs on SCP and that can securely store the API Keys.

Show 1 Share
10 |10000 characters needed characters left characters exceeded

Hi Gregor,

Yes, we are looking at UI5 applications running only in the browser.

I was hopping the the keys could be persisted in the destination used by the application. But if this is not possible, then yes I think the fallback would be a Java Application on SCP that could provide the Token for the application to make the request or the raw data.

Ivan Mirisola
Apr 18 at 09:51 PM

Hi Adam,

Would it suffice to enter the data on the manifest.json file?

By doing so, you would hide the APIKey from the HTML source (AJAX call) while calling "mainService". SAPUI5 framework would inject the APIKey at runtime. Nonetheless, if you inspect the resources downloaded from the server, you would still manage to "see" the APIKey. It would be the same if you try to hide it under a destination property.

If protecting the APIKey is a must, then perhaps it would make more sense having another type of validation (like IP addresses, usernames, etc.) together with the APIKey - something only you would know the combination. So, even if someone discovers your APIKey, the request would not work.

You could investigate the usage of OAuth instead of APIKey in case no other aspects of the request will suffice.

Here is the snippet:

"dataSources": {
	"mainService": {
		"uri": "/Northwind/V2/Northwind/Northwind.svc/",
		"type": "OData",
		"settings": {
			"localUri": "localService/metadata.xml",
			"metadataUrlParams": {
				"sap-documentation": "heading"
			"headers" : {
				"APIKey" : "LeQAyRqelY5mW6GhgxgK4DY9il73I0aB"


Show 2 Share
10 |10000 characters needed characters left characters exceeded

Dear Ivan,

that is really a bad advise from the security point of view. You make something that must be kept secret available for every user of the app.

Best regards


Hi Gregor,

Thanks for pointing that out to me. You are correct. This is no means to protect the API Key.
In fact, there are no means to protect an API Key in a JavaScript based application whatsoever.

The only way to protect the API Key would be to hide under another server-side service. Client-side calls will always be "visible" to the public. Therefore they must not contain any sensitive information such as passwords or keys - which is also clearly stated in my answer.

I'd like to remind that my real advise was to replace the API Key with OAuth - which uses a different method of authentication to APIs - where users will provide authentication to the API provider themselves and upon success the application retrieves a temporary token.


Gerard Fandos Garcia May 30 at 02:14 PM

Hi Adam,

I got the same problem developing a SAPU5I app on the SCP. Did you find a way to hide that API key? Maybe using a destination? I've been searching a lot these days and I didn't find anything that could help me with that.

Thank you,


Show 1 Share
10 |10000 characters needed characters left characters exceeded

Hi Gerard,

We ended up creating a Java servlet to handle the token generation.

Regards Adam