SAP Mobile Application Tips: SCM Authentication Without MAD

The Goal

Create an application connection to an SMP server without depending on any native (iOS, Android, JS, etc.) third-party client.

Why not use MAF?

Because most REST service providers lack experience in native platforms, the client SDKs they offer are often underdeveloped and consist of little more than a wrapper around network calls and a few convenience methods for interacting with data from the service. In addition, their SDKs often do not follow platform conventions and are therefore prone to bugs, memory leaks, and other problems.


  • SMP 3.0 SP04+ Runtime
  • Eclipse Kepler with SAP Mobile Platform Tools installed
  • Application configured with proper backend, authentication, and proxy settings


Gather required information. You’ll need to know the following:

  • device_type - Device you’re registering with (Android, Blackberry, iOS, iPad, iPhone, iPod, Windows, Windows 8, WinPhone8)
  • smp_server_id - SMP Server Id
  • smp_server_password - SMP Server Password
  • smp_server_url - URL for SMP Server
  • smp_server_port - Port used on SMP Server
  • smp_application_id - Your SMP Application Id
  • authorization_code - HTTP Basic Authorization header (Base64 encoded string of <smp_server_url>:<smp_server_password>)

Create Application Connection

To create a connection to your application, you’ll need to send an HTTP POST:




Content-Type: application/atom+xml
Accept: application/json
Authorization: Basic <authorization_code>


<?xml version="1.0" encoding="utf-8"?>    
<entry xmlns="" xmlns:m=""    
    <content type="application/xml">    

If everything went well, you’ll receive a 201 response code. You’ll want to capture the ApplicationConnectionId from the JSON response payload to be used as the X-SMP-APPCID header, which will identify the application connection for future requests. The ApplicationConnectionId is keyed under response["d"]["ApplicationConnectionId"].

Making Non-Modifying Requests (GET, HEAD, etc.) with an Application Connection

After successfully creating an application connection, you may use the resulting ApplicationConnectionId to make requests which don’t modify data by including the ApplicationConnectionId as an HTTP Header.


X-SMP-APPCID: <ApplicationConnectionId>
Authorization: Basic <authorization_code>

Making Modifying Requests (POST, PUT, etc.) with an Application Connection

To make requests which modify data you must include the X-CSRF-Token header. This token prevents Cross-Site Request Forgery (CSRF). The token does expire after a short period of time, so it must be refreshed periodically. To fetch or refresh the token, add the following header to a non-modifying request:


X-CSRF-Token: FETCH
Authorization: Basic <authorization_code>

The token will be returned to you in the response headers.

Response Headers

X-CSRF-Token: <token_value>

Use the token_value in future requests the same way you fetched it, but replacing FETCH with the value.


X-CSRF-Token: <token_value>

If the server responds with a 403, you’ll know it’s time to refresh the token.
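
The token lifecycle described above, as an added Python example (not code from the original post or from SAP): a small session wrapper that sends X-SMP-APPCID on every request, fetches the token with X-CSRF-Token: FETCH, and refreshes it once on a 403. The send transport hook, token_url, and the FakeSmp server stand-in are assumptions made so the example runs offline.

```python
import json

SAFE = {"GET", "HEAD", "OPTIONS"}  # methods treated as non-modifying
def appcid_from_registration(status, body):
    """Return ApplicationConnectionId from the 201 registration response."""
    if status != 201:
        raise RuntimeError(f"registration failed: HTTP {status}")
    return json.loads(body)["d"]["ApplicationConnectionId"]

class SmpSession:
    """Sends X-SMP-APPCID on every request and manages the X-CSRF-Token."""
    def __init__(self, send, appcid, authorization_code, token_url):
        # send(method, url, headers, body) -> (status, headers, body): assumed hook
        self.send, self.token_url, self.token = send, token_url, None
        self.base = {"X-SMP-APPCID": appcid,
                     "Authorization": f"Basic {authorization_code}"}

    def refresh_token(self):
        status, headers, _ = self.send(
            "GET", self.token_url, {**self.base, "X-CSRF-Token": "FETCH"}, None)
        # Header names are case-insensitive, so normalise before the lookup.
        token = {k.lower(): v for k, v in headers.items()}.get("x-csrf-token")
        if status >= 400 or not token:
            raise RuntimeError(f"CSRF token fetch failed: HTTP {status}")
        self.token = token

    def request(self, method, url, body=None):
        if method.upper() in SAFE:
            return self.send(method, url, dict(self.base), body)
        if self.token is None:
            self.refresh_token()
        resp = self.send(method, url, {**self.base, "X-CSRF-Token": self.token}, body)
        if resp[0] == 403:
            # First 403 may be an expired token: refresh and retry once only.
            self.refresh_token()
            resp = self.send(method, url, {**self.base, "X-CSRF-Token": self.token}, body)
        return resp

class FakeSmp:
    """Constructed in-memory stand-in for the server so this runs offline."""
    def __init__(self):
        self.issued, self.valid = 0, None
    def __call__(self, method, url, headers, body):
        if headers.get("X-CSRF-Token") == "FETCH":
            self.issued += 1
            self.valid = f"tok-{self.issued}"
            return 200, {"x-csrf-token": self.valid}, ""
        if method.upper() not in SAFE and headers.get("X-CSRF-Token") != self.valid:
            return 403, {}, ""
        return 200, {}, "ok"
```

A second 403 after the refresh is returned to the caller unchanged, since at that point it is more likely a genuine authorization failure than an expired token.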


Now you’re ready to make authenticated requests using your newly created application connection independent from third-party code! This is the first step to building applications with the SCM. Stay tuned for an upcoming post on the next step: how to interact with your server using the OData protocol.

The documentation used to develop this workflow can be found here.
