This sub-page of the Security Settings menu item allows you to create API credentials for your users in the account.
You can Edit and Delete your previously created API credentials by using the relevant icons in each of the lines.
Depending on your type of contract with SAP Emarsys, when you click the Create API Credentials button, you are presented with a maximum of three options.
If you are not seeing all of these items that simply means that your contract type makes some of the options irrelevant to you, so we removed them for your convenience.
The following chapters describe what steps are needed to create your API credentials with different types of authentication.
OpenID Connect
By selecting the OpenID Connect option, API credentials are created with OpenID Connect authentication, using OAuth 2.0 and JSON Web Token (JWT) technologies.
A brief notification at the top informs you that the credentials have been created.
Your client secret is displayed masked, but it can be made visible and can also be copied by using the View Password and Copy to Clipboard icons, respectively.
Please note that, as the orange warning strip at the top indicates, this is the only time this secret is displayed. If you navigate away from this page without making a note of it, it is impossible to retrieve the secret and new credentials have to be generated.
Make sure to also copy your Client ID as well as the Token Endpoint values, which will be used to acquire the token (JWT) and make your API calls with that.
For more information, see Configuration and usage of OpenID Connect.
In the next step you have to make sure to add the necessary API endpoint permissions. You can search for the keywords and then flip the toggle by the relevant permission options in the Status column of the Permissions window.
When you have finished adding the permissions, click Save at the bottom of the page. Your new API credentials and endpoint permissions have been updated .
OpenID Connect (SAP Cloud Identity)
By selecting the OpenID Connect (SAP Cloud Identity) option, your API credentials are created with OpenID Connect authentication, utilizing your data available at SAP Cloud Identity (SCI).
Please note that this feature is not enabled by default. Please contact us at Emarsys if you need it turned on in your account.
For more information on getting support for SAP Cloud Identity, click here. While asking for support, select the BC-IAM-OID component.
The recommended process is as follows:
- Create the new API credentials for OpenID Connect (SAP Cloud Identity)
- Copy the ID and leave the screen open.
- Open your SAP Cloud Identity system (SCI) in a new browser window/tab and create an application (Applications & Resources → Applications).
- Type: ‘SAP Emarsys Customer Engagement solution’
- Protocol Type: ‘OpenID Connect’
- Add a new attribute (Single Sign-On → Attributes)
- Name: ‘permission’
- Source: ‘Expression’
- Value: <The ID you copied earlier in the Emarsys API Credentials page>
- Save the attribute
- In the OpenId Connect configuration ensure that the Grant Type client credentials grant is enabled. You can turn off the other Grant Types.
- Open Application APIs → Client Authentication for OpenID API Access and copy the Client ID and create a new secret. Do not forget to copy the secret since you will not be able to retrieve it later!
- Return to the Emarsys API Credentials page and paste the Client ID you copied in SCI as well as the URL of the SCI server.
- Make sure to add the necessary API endpoint permissions. You can search for the keywords and then flip the toggle by the relevant permission options in the Status column of the Permissions window.
- Click Save when done.
Please note that using this service comes with some rate limiting. For more information, click here.
WSSE
In order to keep your API secure, change your user name and secret key regularly.
These API credentials are created with a matching key which is available while the confirmation dialog is open. You can copy and paste the key from here. After you close the dialog, the key cannot be retrieved and a new user must be created.
API permission system
You can edit your API endpoint permissions individually to limit which endpoints your employees are allowed to be used with their respective methods.
In case of new API credentials, the required endpoint permissions must be activated one by one. New API permissions will be disabled by default for all API credentials. See the list of permissions required for the listed API endpoints.