Skip to Content

How to protect OData API Key in SAPUI5 App?

4 days ago


avatar image

Hi Community

I am working with a couple of API's that authenticate via the help of an API Key used to retrieve a token used for subsequent API queries (SuccessFactors LMS OData and SAP LiveLink). I can request the token and make queries via ajax request in a SAPUI5 app and destinations configured in the Cloud Platform.

My concern is that these keys are at the moment stored in the SAPUI5 app, and attached to the ajax requests as headers, when retrieving the token. I would prefer not to have them stored in this way, as to my knowledge there is no way of hiding this information from the client.

I have been investigating a few ideas, but can't find any information or documentation to support these ideas as feasible.

1. I was wondering if the API key can be added to the destination in the Cloud Platform Cockpit, so that they are automatically sent along as headers each time the destination is used in the SAPUI5 app.

2. Could it be stored in the neo-app.json file? As the access to this file can be restricted.

Or is there only truly one option, of having a server side solution for the retrieval of the API Token? Something I would prefer to avoid to reduce load times and architectural dependencies.

I hope somebody has faced this issue before and has a good solution they can share :)

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

2 Answers

Gregor Wolf
4 days ago

Are you talking about a UI5 application running only in the browser? Then this keys should not be persisted there. I think the SF LMS OData API which I found documented here is more intended to be consumed by a middleware i.e. Node.js oder Java Application that runs on SCP and that can securely store the API Keys.

Show 1 Share
10 |10000 characters needed characters left characters exceeded

Hi Gregor,

Yes, we are looking at UI5 applications running only in the browser.

I was hopping the the keys could be persisted in the destination used by the application. But if this is not possible, then yes I think the fallback would be a Java Application on SCP that could provide the Token for the application to make the request or the raw data.

Ivan Mirisola
2 days ago

Hi Adam,

Would it suffice to enter the data on the manifest.json file?

By doing so, you would hide the APIKey from the HTML source (AJAX call) while calling "mainService". SAPUI5 framework would inject the APIKey at runtime. Nonetheless, if you inspect the resources downloaded from the server, you would still manage to "see" the APIKey. It would be the same if you try to hide it under a destination property.

If protecting the APIKey is a must, then perhaps it would make more sense having another type of validation (like IP addresses, usernames, etc.) together with the APIKey - something only you would know the combination. So, even if someone discovers your APIKey, the request would not work.

You could investigate the usage of OAuth instead of APIKey in case no other aspects of the request will suffice.

Here is the snippet:

"dataSources": {
	"mainService": {
		"uri": "/Northwind/V2/Northwind/Northwind.svc/",
		"type": "OData",
		"settings": {
			"localUri": "localService/metadata.xml",
			"metadataUrlParams": {
				"sap-documentation": "heading"
			"headers" : {
				"APIKey" : "LeQAyRqelY5mW6GhgxgK4DY9il73I0aB"


10 |10000 characters needed characters left characters exceeded