SAP S/4HANA
ERP
system_type: "sap"
Bidirectional proxy for SAP OData v4, BAPI/RFC, and S/4HANA REST APIs with PQC-sealed credentials.
Overview
The SAP connector proxies calls to SAP S/4HANA Cloud Public Edition and Private Edition OData v4 services, as well as the SAP Business Accelerator Hub APIs. Basic auth credentials or OAuth2 client credentials are sealed in QuantaVault. CSRF token handling is managed automatically by the proxy engine.
https://api.quantaseal.io/api/v2/proxy/outbound
Auth header:
X-API-Key: qs_live_...
Prerequisites
1. An SAP S/4HANA system with OData v4 or API access enabled
2. Service user credentials (basic_auth) or OAuth2 client credentials
3. Network access from QuantaSeal egress IPs to your SAP system (see Dashboard → Settings → Egress IPs)
4. A QuantaSeal API key
Configuration
Follow these steps to connect SAP S/4HANA to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.
1. In SAP BTP Cockpit (Cloud) or SAP system (on-premise), create a service user or OAuth2 client.
2. For Cloud: note the token URL, client_id, and client_secret from your BTP subaccount.
3. Seal credentials: POST /api/v2/vault/seal with credential_type: oauth2_client or basic_auth.
4. Create the integration: POST /api/v2/integrations with system_type: sap and your SAP base URL.
Authentication Types
SAP S/4HANA Cloud uses OAuth2 client_credentials with SAP BTP as the token authority. On-premise S/4HANA typically uses basic_auth. Both are stored as PQC-sealed vault entries.
All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and seal/unseal endpoints.
Available Operations
QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.
| Operation | Description |
|---|---|
| odata_query | Execute an OData v4 query against an S/4HANA service. |
| odata_create | Create an entity via OData v4 POST. |
| odata_update | Update an entity via OData v4 PATCH. |
| odata_delete | Delete an entity via OData v4 DELETE. |
| api_call | Call any SAP Business Accelerator Hub REST endpoint. |
Code Example
Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.
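A structural pre-check a client can run on a returned envelope before passing it on to signature verification and decryption, as an added example that is not QuantaSeal's code: it checks the algorithm labels, that both tenant_id fields name the caller's tenant, and the decoded field sizes given in the sample response on this page. The names envelope_problems, b64_zeros, EXPECTED, TENANT and SAMPLE are hypothetical, and the exact 3309-byte signature size is an assumption taken from FIPS 204 where the page says ~3309.

```python
import base64

# Algorithm labels and decoded sizes from the sample response on this page.
# Assumption: the page says "~3309"; FIPS 204 fixes ML-DSA-65 signatures at 3309 bytes.
EXPECTED = {
    "encrypted": {"algorithm": "ML-KEM-768",
                  "sizes": {"ciphertext_kem": 1088, "nonce": 12}},
    "signature": {"algorithm": "ML-DSA-65+HMAC-SHA-512",
                  "sizes": {"pqc_signature": 3309, "hmac_signature": 64}},
}


def envelope_problems(envelope: dict, expected_tenant: str) -> list:
    """Return every structural problem found (an empty list means the shape is sane).

    Pre-check only: it neither verifies the signatures nor decrypts anything.
    """
    problems = []
    for section, spec in EXPECTED.items():
        part = envelope.get(section)
        if not isinstance(part, dict):
            problems.append(f"{section}: missing or not an object")
            continue
        # Reject an unexpected algorithm label instead of trusting it.
        if part.get("algorithm") != spec["algorithm"]:
            problems.append(f"{section}.algorithm: unexpected value")
        # Both halves of the envelope must name the tenant the caller expects.
        if part.get("tenant_id") != expected_tenant:
            problems.append(f"{section}.tenant_id: unexpected value")
        for field, size in spec["sizes"].items():
            try:
                raw = base64.b64decode(part.get(field, ""), validate=True)
            except (ValueError, TypeError):
                problems.append(f"{section}.{field}: not valid base64")
                continue
            if len(raw) != size:
                problems.append(f"{section}.{field}: {len(raw)} bytes, expected {size}")
    return problems


def b64_zeros(n: int) -> str:
    """Base64 of n zero bytes, used only to build the constructed sample."""
    return base64.b64encode(bytes(n)).decode()


# Constructed sample: zero-filled fields, not real ciphertext or signatures.
TENANT = "ten_01HZ9X2K4MNPQR5STUVWXYZ00"
SAMPLE = {
    "encrypted": {"ciphertext_kem": b64_zeros(1088), "ciphertext_data": b64_zeros(48),
                  "nonce": b64_zeros(12), "tenant_id": TENANT, "algorithm": "ML-KEM-768"},
    "signature": {"pqc_signature": b64_zeros(3309), "hmac_signature": b64_zeros(64),
                  "tenant_id": TENANT, "algorithm": "ML-DSA-65+HMAC-SHA-512"},
}
```

An empty result only means the envelope is well-formed; both signatures still have to verify before the payload is trusted.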
```bash
# Inside the single-quoted body, '\'' closes the quote, emits a literal ', and
# reopens it, so the OData filter reaches the API as: CompanyCode eq '1000'
curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
  -H "X-API-Key: qs_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "integration_id": "int_01HZ9X2K4MNPQRSAP0000001",
    "operation": "odata_query",
    "payload": {
      "service": "/sap/opu/odata4/sap/api_purchaseorder_2/srvd_a2x/sap/purchaseorder/0001",
      "entity": "PurchaseOrder",
      "filter": "CompanyCode eq '\''1000'\''",
      "top": 5
    }
  }'
```
Response - HybridCryptoEnvelope
```json
{
  "success": true,
  "encrypted": {
    "ciphertext_kem": "<base64 - 1088 bytes ML-KEM-768>",
    "ciphertext_data": "<base64 - AES-256-GCM encrypted SAP OData response>",
    "nonce": "<base64 - 12 bytes>",
    "tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
    "algorithm": "ML-KEM-768"
  },
  "signature": {
    "pqc_signature": "<base64 - ~3309 bytes ML-DSA-65>",
    "hmac_signature": "<base64 - 64 bytes HMAC-SHA-512>",
    "tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
    "algorithm": "ML-DSA-65+HMAC-SHA-512"
  },
  "audit_event_id": "aud_01HZ9XABCDEF"
}
```
client.encryption.decrypt(envelope). Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass - QuantaSeal uses a bitwise & check, not short-circuit and.
Troubleshooting
403 - CSRF token required
The proxy engine handles CSRF token fetching automatically for SAP OData. If you see this error, check that the service URL is correct and the user has the required authorizations.
SSL certificate error connecting to on-premise SAP
Upload your SAP system's CA certificate in Dashboard → Settings → CA Certificates. On-premise systems commonly use self-signed or internal CA certificates.