Webhooks are simple APIs to push real-time information from one application to another. They are represented by HTTP-URLs which are used to catch events from (cloud) applications. The data format is typically JSON.
This article explains how to process webhooks with SAP Cloud Platform Integration (CPI). Because webhooks often do not use any authentication method, we cannot push the HTTP POSTs directly to SAP CPI, which only allows Basic (user/password) or certificate-based authentication. Here's where API Management comes into play!
API Management allows you to generate a sender-specific access key and accept incoming calls with this key only, without additional authentication. About API keys: An API key is a long series of random characters that is difficult to guess. User/password combinations are typically much shorter, can use common words and can be subject to brute-force and dictionary attacks. API keys are therefore safer in general, as they have significantly greater entropy and are much harder for attackers to compromise.
SAP Cloud Platform API Management is part of the Trial Program, so using your Trial Account you can evaluate this feature.
- CPI (you need to have an existing SAP Cloud Platform Integration tenant as there is no trial for CPI so far):
  - Create iFlow with a service endpoint
  - Select Basic Authentication (Role Based)
- Access API Management:
  - Cockpit: https://account.hanatrial.ondemand.com/cockpit#/acc/<your-user>trial/service/apimgmt/overview
  - Access API Portal (for API Provisioning)
  - Access Developer Portal (for API Consumption)
- API Portal
  - Create API Provider (the endpoint of your CPI flow)
  - Create API (pointing to API Provider)
  - Add Policies for Preflow: checkKey (to verify access key) & setHeader (to set basic authentication)
  - Create Product (and add API)
- Developer Portal
  - Create Application (for Product)
  - Application (access) Key is generated
- (1) Create and Deploy your iFlow in SAP CPI
- (2) SAP Cloud Platform Cockpit
- (3) Access API Portal: Create API
Create API Provider: Use Tenant Runtime Host and Basic Authentication
- The URL is the path you provided when creating the CPI iFlow – just add /http in front as the channel is HTTP.
- The API Base Path will be the service part of the Webhook exposed on the Host Alias above.
- Btw: URL and API Base Path can be completely different of course
- Add Security Policy “Verify API Key” (checkKey) to the PreFlow (to verify the API authentication key has been correctly provided)
- Add Mediation Policy “Assign Message” (setHeader) to set the Basic Authentication between API Management and SAP CPI
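The two PreFlow policies from the steps above could look like the following. This is an added sketch, not taken from the original article: it assumes the webhook sender passes the key as a query parameter named `apikey`, uses a placeholder for the Base64-encoded CPI credentials, and additionally removes the key from the request before it is forwarded to CPI.

```xml
<!-- Policy 1: checkKey (Security Policy "Verify API Key").
     Rejects the call unless the key matches an Application key
     issued in the Developer Portal.
     Assumption: the sender appends ?apikey=<key> to the webhook URL. -->
<VerifyAPIKey async="true" continueOnError="false" enabled="true"
              xmlns="http://www.sap.com/apimgmt">
    <APIKey ref="request.queryparam.apikey"/>
</VerifyAPIKey>

<!-- Policy 2: setHeader (Mediation Policy "Assign Message").
     Runs after checkKey and adds the Basic Authentication header
     that the CPI iFlow endpoint expects. -->
<AssignMessage async="false" continueOnError="false" enabled="true"
               xmlns="http://www.sap.com/apimgmt">
    <!-- Addition beyond the article: do not pass the API key on to CPI,
         so it does not end up in the backend's request logs. -->
    <Remove>
        <QueryParams>
            <QueryParam name="apikey"/>
        </QueryParams>
    </Remove>
    <Set>
        <Headers>
            <!-- Placeholder: Base64 of "<cpi-user>:<cpi-password>" -->
            <Header name="Authorization">Basic BASE64_OF_CPI_USER_COLON_PASSWORD</Header>
        </Headers>
    </Set>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" type="request">request</AssignTo>
</AssignMessage>
```

Because the key travels in the webhook URL, it should be treated like a password: it appears wherever the sending application stores or logs the URL, and the Application can be recreated in the Developer Portal to issue a new key if it leaks.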
Deploy the API.
Create Product and add the API:
- (4) Access Developer Portal: Consume API
Create Application for Product: Consume APIs -> Create
Add Product and Save.
As you can see, an Application Key and Secret have been generated.
The full URL for the Webhook can now be retrieved here:
- (5) Implement URL (here in MailChimp)
- (6) Monitor API and Integration Flow (SAP CPI)
To test the Webhook, we unsubscribe a user from the Mailchimp list and voilà, the message is sent via the API to SAP CPI:
Summary: Message Flow / Call Stack