7 Policies Included in SAP API Management Security

SAP API Management already provides an additional security layer to your infrastructure. However, this isn’t where security stops when it comes to APIs.


In addition to out-of-the-box security in SAP API Management, it’s possible to implement security on an API proxy level. In other words, you can use security policies (see figure below) in your API proxy to implement API-specific security.




Let’s take a brief look at each of the security policies:


1 Basic Authentication

The classic basic authentication works with username and password. More specifically, the policy allows you to store user credentials in a variable or extract it from a header. In both cases, it uses Base64 for the encoding or decoding. Basic authentication is especially important if you want to create an authorization header for access to a backend server or to a service that requires basic authentication.


Basic authentication is not implemented for the API proxy. It just helps you deal with scenarios in which basic authentication is required.


2 JSON Threat Protection

Sometimes, the security risk lies within the content itself. JSON threat protection helps you reduce the risk of such content-level attacks for JSON by defining specific limitations to JSON structures.


3 OAuth

SAP API Management allows you to deal with OAuth 2.0. The handling of OAuth and OAuth tokens from within your API proxy is supported by three policies:

  • OAuth v2.0
  • OAuth v2.0 Get
  • OAuth v2.0 Set

4 Regular Expression Protection

As mentioned before, sometimes the threat to your security lies in the content you have to deal with. Regular expression protection helps you identify those threats.


Using the regular expression policy, you can extract information from messages and then use regular expressions on the content that are defined in the policy. If the expressions match, that is, come back true, a threat is to be expected.



SAP API Management allows you to use Security Assertion Markup Language (SAML). The handling of SAML and SAML assertions from within your API proxy is supported by two policies:

  • SAML assertion generation
  • SAML assertion validation

6 Verify API Key

You may know that the verify API key policy allows you to require an API key for the usage of your API. In SAP API Management, the API key is generated in the developer portal as soon as a developer subscribes to an associated product. In the verify API key policy, you can define where this API key needs to be stored so that it’s considered (e.g., in the header information or a variable).


7 XML Threat Protection

This is another policy that allows you to reduce the threat through content-level attacks. XML threat protection allows you to minimize any risks posed by XML content by using the following approach:

  • Validation: Validate against an XML schema.
  • Evaluation: Look for keywords or patterns that are considered dangerous.
  • Detection: Before a message gets parsed, detect corrupt or malformed messages.


There are many security considerations when utilizing APIs. With SAP API Management, there are seven security policies provided for you to take advantage of. Which ones do you use in your business?


Editor’s note: This post has been adapted from a section of the book SAP API Management by Carsten Bönnen, Harsh Jegadeesan, Divya Mary, and Shilpa Vij


SAP API Management
SAP API Management

Unpack your API toolkit with this guide to SAP Cloud Platform API Management. Learn how to use the API Designer to create enterprise APIs and discover how to manage their lifecycle. Walk through key processes that optimize your APIs and keep them running smoothly: traffic management, mediation, security, and monetization. Get expert guidance on building applications, generating integration flows, and running analytics. Master API management from end to end!

Learn More

SAP PRESS is the world's leading SAP publisher, with books on ABAP, SAP S/4HANA, SAP CX, intelligent technologies, SAP Business Technology Platform, and more!