REST API Authentication

All SAP CPQ REST APIs are stateful, except the following endpoints, which are stateless (no session):

  • /setupSpa/
  • /api/v1/admin/files
  • /api/v1/health
  • /api/v1/Maintenance
  • /api/v1/quote/
  • /api/scim

Methods available for REST APIs are listed and described in Swagger.

Different REST APIs in SAP CPQ support different authentication types: basic authentication, authentication with cookies, JWT token and bearer token. In the following sections, you can learn more about each authentication type and find out for which APIs it can be used. Using any of the techniques creates a session (SAP CPQ currently relies primarily on sessions) and returns a CSRF token, which is used for POST methods.

Basic Authentication

Basic authentication is available only for Quote 2.0 APIs.

Authentication with Cookies

This authentication type is for responsive design APIs. If you are calling an API from an SAP CPQ page using JavaScript, no additional steps are required as you are already authenticated. However, if you are calling the API from a third-party tool, you should first log in by calling the method /api/rd/v1/Core/LogIn. This creates a session and returns the CSRF header token.
This call sets two cookies that you should send with subsequent API calls:

  • ASP.NET_SessionId
  • WebCom-lbal

If the POST method is executed, the CSRF token needs to be sent as well.

import clr
from System.IO import StreamReader
from System.Net import CookieContainer
from System.Net import Cookie
from System.Net import WebRequest
from System.Net import HttpWebResponse

# base URL of the responsive design API, ending in /api/rd/v1/ (the LogIn route above is /api/rd/v1/Core/LogIn)
baseUrl = ''

webRequest = WebRequest.Create(baseUrl + 'Core/LogIn?username=usernameGoesHere&password=passwordGoesHere&domain=domainGoesHere')
webRequest.CookieContainer = CookieContainer()
webRequest.Method = 'POST'
webRequest.ContentLength = 0

response = webRequest.GetResponse()
cookies = response.Cookies

newRequest = WebRequest.Create(baseUrl + 'QuoteList/GetInitData')
newRequest.Method = 'GET'
# we are creating a cookie container to collect cookies
newRequest.CookieContainer = CookieContainer()

# setting cookies from the previous request that are needed for authentication
# the required cookies are ASP.NET_SessionId and WebCom-lbal
if cookies is not None:
    for cookie in cookies:
        if cookie.Name == 'ASP.NET_SessionId' or cookie.Name == 'WebCom-lbal':
            newRequest.CookieContainer.Add(cookie)

# this call is a GET, so no CSRF token is needed; a POST would also have to send the CSRF token
newResponse = newRequest.GetResponse()
data = StreamReader(newResponse.GetResponseStream()).ReadToEnd()

JWT Token

The REST APIs with the following endpoints support JWT token authorization:

  • api/v1/cartApi
  • api/v1/ClmApi
  • api/v1/CustomerApi
  • api/v1/customers
  • api/v1/markets
  • api/v1/quotes

To authenticate with a JWT token, follow these steps:

  1. Go to Setup > General > Application Parameters > General Parameters and generate a shared secret key in Shared secret.
  2. Generate a JWT token.
     You can use, for example.
  3. Pass the token in the Authorization header.
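As an added example for step 2 (not SAP's code and not taken from this page), the block below creates a token signed with the shared secret using only the Python standard library, and also shows the verification a receiving side performs: it pins the algorithm, checks the HMAC in constant time and rejects an expired token. Everything beyond what the page states is an assumption: that the token is an HS256 JWT over the shared secret, the claim set (sub, exp), and the Bearer scheme in the Authorization header.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515, section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # restore the padding stripped by b64url_encode before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(shared_secret: str, claims: dict) -> str:
    """Sign `claims` with the shared secret. Assumption: SAP CPQ expects HS256 over the shared secret."""
    def compact(obj):
        # compact JSON so the signed bytes contain no incidental whitespace
        return json.dumps(obj, separators=(",", ":")).encode("utf-8")

    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    signature = hmac.new(shared_secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(shared_secret: str, token: str, now: float = None):
    """Return the claims if `token` is well-formed, HS256-signed with `shared_secret` and unexpired, else None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # pin the algorithm: a token announcing "none" or any other alg is rejected before the signature is looked at
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            shared_secret.encode("utf-8"),
            (header_b64 + "." + claims_b64).encode("ascii"),
            hashlib.sha256,
        ).digest()
        # constant-time comparison so a forged signature cannot be guessed byte by byte
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(claims_b64))
        now = time.time() if now is None else now
        if "exp" in claims and now >= claims["exp"]:
            return None
    except (ValueError, TypeError, AttributeError):
        # malformed base64/JSON, wrong number of segments, non-numeric exp
        return None
    return claims


def authorization_header(token: str) -> dict:
    # assumption: bearer scheme; the page only says the token goes in Authorization
    return {"Authorization": "Bearer " + token}


if __name__ == "__main__":
    # constructed secret and claims for a stand-alone run; the real secret comes from Shared secret in Setup
    token = make_jwt("constructed-secret", {"sub": "apiuser", "exp": int(time.time()) + 300})
    print(authorization_header(token))
    print(verify_jwt("constructed-secret", token))
```

The shared secret is the only thing that distinguishes a legitimate token from a forged one, so whoever holds it can mint tokens for any claim set; keep it in a secret store rather than in scripts, give every token a short exp, and regenerate the secret in Setup if it is ever exposed.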

Bearer Token – for Setup SPA pages only

This type of authentication is only used for Setup SPA APIs. In order to access any part of SAP CPQ Setup via REST API, you need to be logged in. Logging in requires a bearer token, which can be retrieved by providing a valid username, password, and domain.
The following information is required for generating a bearer token:

Route: /basic/api/token
Method: POST
Body: grant_type=password&username={username}&password={password}&domain={domain}

Response:

{
   "access_token": "{access token}",
   "token_type": "bearer",
   "expires_in": 86399
}

Once you do this, you will receive a bearer token with which you can access certain parts of Setup. Each following API call can be performed with the same token, so you are not required to request a new one for each request.
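The following is an added example (not SAP's code) of the token flow just described: it builds the form body for POST /basic/api/token with proper URL encoding (a password containing "&" or "=" would otherwise corrupt the body), reads the access_token, token_type and expires_in fields of the response shown above, and reuses the token for later calls until shortly before expires_in seconds have elapsed. The HTTP transport is injected as a callable so the example runs offline against a constructed response; the Content-Type header and the 60-second refresh margin are assumptions.

```python
import json
import time
from urllib.parse import urlencode

TOKEN_ROUTE = "/basic/api/token"  # route from the page


def token_request(username: str, password: str, domain: str) -> dict:
    """Describe the token POST: grant_type=password&username=...&password=...&domain=..., URL-encoded."""
    body = urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "domain": domain,
    })
    return {
        "method": "POST",
        "path": TOKEN_ROUTE,
        # assumption: the endpoint takes a standard form-encoded body
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": body,
    }


class BearerTokenCache:
    """Fetch a bearer token once and reuse it until it is about to expire."""

    def __init__(self, send, clock=time.time, refresh_margin=60):
        self._send = send              # callable(request dict) -> response body as str (injected transport)
        self._clock = clock            # injectable so expiry can be tested without waiting
        self._margin = refresh_margin  # refresh this many seconds before expires_in runs out (assumption)
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0

    def get_token(self, username: str, password: str, domain: str) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            raw = self._send(token_request(username, password, domain))
            parsed = json.loads(raw)
            # the page shows token_type "bearer"; refuse anything else rather than mislabel it in the header
            if str(parsed.get("token_type", "")).lower() != "bearer":
                raise ValueError("unexpected token_type: %r" % parsed.get("token_type"))
            self._token = parsed["access_token"]
            self._expires_at = now + int(parsed["expires_in"])  # expires_in is in seconds (86399 on the page)
            self.fetch_count += 1
        return self._token

    def auth_header(self, username: str, password: str, domain: str) -> dict:
        """Header to attach to every Setup SPA call made with the cached token."""
        return {"Authorization": "Bearer " + self.get_token(username, password, domain)}


if __name__ == "__main__":
    # constructed transport standing in for the real HTTPS call, returning the response shape from the page
    def fake_send(request):
        print("would POST", request["path"], "with body", request["body"])
        return json.dumps({"access_token": "CONSTRUCTED-TOKEN", "token_type": "bearer", "expires_in": 86399})

    cache = BearerTokenCache(fake_send)
    print(cache.auth_header("usernameGoesHere", "passwordGoesHere", "domainGoesHere"))
```

In real use replace fake_send with the HTTPS call of your choice; the credentials are needed only to mint the token, so the cache is also the natural place to keep them out of every other call site.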
