Most REST API requests to Customer Data Cloud should be made securely, using an authentication mechanism. The recommended method is to use a bearer token, constructed using a unique RSA key provided on the SAP Customer Data Cloud console. Another way is to use an application key and secret (or user key and secret). This is true also for requests made on your behalf (using your API Key) by third parties.
Both methods require creating an application on the Console that is associated with a permission group.
Creating and Managing Applications
You can create multiple applications, each with its own permissions, and give groups of users access to these various applications.
To create your SAP Customer Data Cloud Applications:
Once on the Applications page, press Create New Application, give the application a name and choose the permission group to which it is associated, then click Create.
In the Create New Application window, copy the RSA Private Key, paste it into a document and save that document securely. This is used for signing requests with a bearer token.
The RSA Private Key is only available inside the pop-up modal when the application is created. We do not store the RSA secret; if you do not copy it before closing the window, you will need to generate a new key-pair. See Asymmetric Keys for more information.
Once the app is created, you can view the app's userKey and secret by clicking the Edit icon, which takes you to the app's Edit Application page.
You can disseminate the user key and secret to give users the privileges associated with this app. Users will use the key and secret in requests to SAP Customer Data Cloud.
To revoke access to the application:
When using a user key and secret: simply delete the application. All attempts to use this key and secret will fail.
When using the RSA key: generate a new key. This immediately invalidates the old key.
Adding An Application Key
You can add existing applications in much the same way as creating a new application. Click the Add Existing Application button, enter the userKey associated with the application, select a Permissions group for the application and press Add. If the import was successful you will get a notification (with the name of the application as it exists in the parent account).
It is important to note that the data associated with applications is per API key and will appear blank if you attempt to edit an application while viewing the Admin tab from a different API key.
When creating a new application in the Console, an asymmetric RSA key-pair is assigned to the application. Copy the private key and store it securely.
The private key is only available inside the pop-up modal when the application is created, and must be copied and saved at that time. Otherwise, you will need to generate a new key-pair.
You can sign an API request to SAP Customer Data Cloud using an HTTP bearer token. This replaces the application / user key and secret signature method. To do so, create a JWT based on the following structure, sign the JWT with the application's RSA private key to produce the bearer token, and then send the API request with that token, following the steps below:
In the above example, the secret is the secret associated with the userKey, not the account secret located in the Console homepage.
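As an added illustration of the bearer-token construction described above (this is example code, not code from the page or from the SAP SDKs), the following Go program builds a compact JWT, signs it with an RSA private key, and shows the receiving side's verification that makes regenerating the key-pair an effective revocation. The RS256 algorithm, carrying the key ID in the "kid" header, and the iat/jti claim set are assumptions of this example; the key is generated locally in place of the one copied from the Console.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url
// BuildBearerToken builds a compact RS256 JWS for "Authorization: Bearer <token>" (RS256, "kid" and the iat/jti claims are assumptions of this example).
func BuildBearerToken(priv *rsa.PrivateKey, kid string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	nonce := make([]byte, 16)
	rand.Read(nonce) // jti: unique per token, so a captured token cannot be replayed as-is
	claims, _ := json.Marshal(map[string]any{"iat": now.Unix(), "jti": fmt.Sprintf("%x", nonce)})
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input)) // RS256 = RSASSA-PKCS1-v1_5 over SHA-256
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyBearerToken is the receiving side's check; a token signed with a retired key fails here, which is why generating a new key-pair invalidates the old key.
func VerifyBearerToken(pub *rsa.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	sig, _ := b64.DecodeString(parts[2]) // a garbled signature simply fails verification
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	raw, _ := b64.DecodeString(parts[1])
	var claims map[string]any
	return claims, json.Unmarshal(raw, &claims)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the private key copied from the Console
	tok, _ := BuildBearerToken(priv, "example-kid", time.Now())
	fmt.Println("Authorization: Bearer " + tok)
}
```

In a real integration the private key is parsed from the PEM copied out of the Console rather than generated, and the claim set follows the structure the page refers to.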
Auditing user's IP address from REST calls
If you are using Customer Data Cloud APIs from behind a firewall or CDN, the IP address captured from the request will be that of your CDN or firewall, not the IP address of the user's browser. If you still need to capture the user's true IP address in this scenario, add a header to your API calls; Customer Data Cloud will place its value into httpReq.Headers in the Audit Log. You do this by including a custom header in the request that must be named:
An example of how to add this header to the request using our PHP SDK is below.