Authentication and Calling Conventions
The following describes the conventions that must be observed when calling the Conigma REST API.
Authentication
Authentication uses SAP user IDs, and the API code runs in the context of the authenticating user. If the logon should go to a client other than the default client of the SAP system, pass the desired client as the query parameter "sap-client" in the URL. The logon language can also be set explicitly: pass the query parameter "langu" with the SAP-internal one-character language key.
Example:
Basic Authentication is used. Each request sent to the API must therefore carry the corresponding header field with the base64-encoded user name and password. Because base64 is an encoding, not encryption, communication between the API client and the server-side endpoint must always use HTTPS; over plain HTTP an attacker on the network can trivially read and decode the credentials. For more information about Basic Authentication, see the following external article: Basic Authentication.
CSRF/XSRF Token
To prevent unauthorized requests that ride on cached credentials (cross-site request forgery), every HTTP request using the POST, PUT or DELETE method must carry a CSRF/XSRF token. The token is returned in a response header of a preceding authenticated GET request. If a POST, PUT or DELETE request is to be sent without a prior GET, call the endpoint PING first to obtain a valid CSRF/XSRF token.
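The following client helpers tie the three conventions above together (Basic Authentication over HTTPS, the sap-client and langu query parameters, and fetching a CSRF/XSRF token with a GET before any POST, PUT or DELETE). This is an added example, not Conigma's own client code. The base URL, the endpoint path "/ping" for PING, the token header name "X-CSRF-Token" and the request value "Fetch" used to ask for a token are assumptions (the common SAP convention) and are not stated on this page.

```python
"""Added example (not Conigma's client): prepare API requests that follow the
conventions above. Assumed, not taken from the page: the "/ping" path for
PING, the header name "X-CSRF-Token" and the request value "Fetch"."""
import base64
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CSRF_HEADER = "X-CSRF-Token"            # assumed header name (SAP convention)
WRITE_METHODS = {"POST", "PUT", "DELETE"}  # methods that require a token


def build_url(base_url, path, sap_client=None, langu=None):
    """Join base and path and append the page's sap-client / langu parameters."""
    parts = urlsplit(base_url.rstrip("/") + "/" + path.lstrip("/"))
    query = dict(parse_qsl(parts.query))
    if sap_client is not None:
        query["sap-client"] = sap_client
    if langu is not None:
        if len(langu) != 1:
            raise ValueError("langu must be the one-character SAP language key")
        query["langu"] = langu
    return urlunsplit(parts._replace(query=urlencode(query)))


def basic_auth_header(user, password):
    """Authorization header value: 'Basic ' + base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


@dataclass
class PreparedRequest:
    """What an HTTP library would send; kept as plain data so it is testable offline."""
    method: str
    url: str
    headers: dict
    body: bytes = b""


class ApiSession:
    """Holds credentials, client/language defaults and the current CSRF token."""

    def __init__(self, base_url, user, password, sap_client=None, langu=None):
        # Base64 is reversible, so credentials must never leave the client over plain HTTP.
        if urlsplit(base_url).scheme != "https":
            raise ValueError("Basic Authentication requires an https:// base URL")
        self.base_url = base_url
        self.auth = basic_auth_header(user, password)
        self.sap_client = sap_client
        self.langu = langu
        self._csrf = None

    def prepare(self, method, path, body=b""):
        """Build a request; write methods are refused until a token has been fetched."""
        method = method.upper()
        headers = {"Authorization": self.auth}
        if method == "GET":
            headers[CSRF_HEADER] = "Fetch"  # ask the server to return a token
        elif method in WRITE_METHODS:
            if self._csrf is None:
                raise RuntimeError("no CSRF token yet: send a GET (e.g. PING) first")
            headers[CSRF_HEADER] = self._csrf
        url = build_url(self.base_url, path, self.sap_client, self.langu)
        return PreparedRequest(method, url, headers, body)

    def prepare_ping(self):
        """GET against the assumed /ping path, used only to obtain a token."""
        return self.prepare("GET", "/ping")

    def remember_token(self, response_headers):
        """Store the token from a GET response; header names are matched case-insensitively."""
        for name, value in response_headers.items():
            if name.lower() == CSRF_HEADER.lower():
                self._csrf = value
                return value
        return None

    @property
    def has_token(self):
        return self._csrf is not None


if __name__ == "__main__":
    # Constructed walk-through: fetch a token via PING, then prepare a POST.
    session = ApiSession("https://host.example/api", "user", "pass", sap_client="100", langu="E")
    print(session.prepare_ping())
    session.remember_token({"x-csrf-token": "constructed-token"})  # simulated GET response
    print(session.prepare("POST", "/objects", b"{}"))
```

The session object deliberately refuses a plain-http base URL and refuses to prepare a write request before a token has been stored, so the two failure modes the text warns about (credentials in the clear, and write requests without a token) surface as exceptions in the client rather than as rejected requests or leaked passwords.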