Skip to main content

Authorization

Follow this guide to create a new SAP Ariba credential that will allow Nexla to authenticate to and exchange data with your SAP Ariba account.
sap_ariba_api_auth.png

SAP Ariba

Prerequisites

To connect Nexla to the SAP Ariba APIs, your organization must be enrolled to use SAP Ariba's Open APIs and you must have an application registered in the SAP Ariba Developer Portal. The credential requires an OAuth 2.0 Client ID and Client Secret, an Application API Key, and your Ariba Realm identifier.

Register Your Organization for SAP Ariba Open APIs

SAP Ariba's Open APIs are available to customers and partners who have been granted API access for their Ariba realm. To request access, contact your SAP Ariba account representative or visit the SAP Ariba Developer Portal. An Organization Admin for your Ariba account is required to complete the registration process and approve API access requests.

Create an Application in the SAP Ariba Developer Portal

Each integration that calls SAP Ariba APIs must be backed by a registered application in the Developer Portal. Creating the application generates the Application Key and OAuth credentials required by Nexla.

  1. Sign in to the SAP Ariba Developer Portal using your SAP credentials. Select the correct data center region (for example, US or EU) when prompted.

  2. From the top navigation, click Manage, then click the + icon next to the application search field to open the Create Application dialog.

  3. Enter a descriptive name in the Application Name field (for example, Nexla Integration) and provide a brief description in the Description field.

  4. Associate the application with the API products your integration will use. Select from the available APIs — such as Operational Reporting for Procurement, Master Data, Sourcing Reporting, and Analytics Reporting — and click Save to create the application.

  5. In the My Applications list, locate and select the newly created application. The Application Key (also called the API Key) is displayed on the application detail page. Copy and save this value — it is required for the API Key field in Nexla.

    SAP Ariba permits one application registration per realm-and-API-product combination per customer. If an existing application already covers the same realm and APIs you need, use the credentials from that application instead of creating a new one.

Request API Access for Your Realm

After creating the application, you must request API access to link it with your Ariba realm.

  1. From the application detail page, click Actions and select Request API Access.

  2. Select the API products to which you need access, then select your Ariba realm from the realm list, and click Submit.

  3. API access requests are typically reviewed within 12 to 24 hours. You will receive an email notification when access has been approved.

Generate the OAuth Client Secret

The OAuth Client Secret is generated separately after API access is approved, and must be performed by a user with the Organization Admin role.

  1. From the My Applications list, select the approved application.

  2. Click Actions and select Generate OAuth Secret.

  3. A dialog displays the OAuth Client ID and OAuth Secret (Client Secret). Copy both values immediately and store them in a secure location such as a password manager.

    Important

    The OAuth Client Secret is displayed only once at the time of generation. If the secret is lost or not copied, a new one must be generated — which invalidates the previous secret and requires updating any existing integrations that use it.

Find Your Realm Identifier

The Realm is the unique identifier for your SAP Ariba tenant. It is passed as a query parameter in all API calls and is required to scope requests to your organization's data.

  • Realm names follow the format s1-<companyname>-T for test/sandbox environments and s1-<companyname> for production environments.

  • Your realm can be found in the Environment Details section of the SAP Ariba Developer Portal when viewing your application, in your SAP Ariba administrative account profile, or in the URL when you are logged in to the SAP Ariba buyer portal.

For additional step-by-step setup guidance, refer to Steps to Start Using the SAP Ariba APIs and Finding Your Application's API Key and OAuth Client ID in the SAP Help Portal.

Create an SAP Ariba Credential

  • To create a new SAP Ariba credential, after selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.

Credential Name & Description

  1. Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.

    Resource descriptions are recommended but are not required. They should be used to provide information about the resource purpose, data freshness, etc. that can help the owner and other users efficiently understand and utilize the resource.

SAP Ariba OAuth 2.0 + API Key Settings

SAP Ariba uses a two-part authentication model for all Open API requests: OAuth 2.0 Client Credentials to obtain a short-lived Bearer access token, combined with a static Application API Key sent as the apiKey request header on every call. Both components are required and must be configured in this credential.

  1. Enter your OAuth 2.0 Client ID in the Client ID field. This is the OAuth Client ID value displayed after generating the OAuth secret in the SAP Ariba Developer Portal, as described in the prerequisites above.

  2. Enter your OAuth Client Secret in the Client Secret field. This is the secret generated via the Generate OAuth Secret action in the Developer Portal. This field is masked for security.

    Nexla uses the Client ID and Client Secret to request a Bearer access token from the SAP Ariba token endpoint (https://api.ariba.com/v2/oauth/token) using the OAuth 2.0 Client Credentials (2-legged) flow. Access tokens are automatically refreshed as needed during data ingestion — no manual token management is required.

  3. Enter your Application API Key in the API Key field. This is the Application Key shown on the application detail page in the SAP Ariba Developer Portal. The API Key is sent as the apiKey header on every API request to identify which registered application is calling the API.

  4. Enter your SAP Ariba Realm identifier in the Realm field. This is the tenant identifier for your Ariba environment (for example, s1-acme-T for a test environment or s1-acme for production). The realm is appended as a query parameter to all API calls to scope data retrieval to your organization.

  5. Enter the Base URL for the SAP Ariba API in the Base URL field. The default value is https://openapi.ariba.com/api and is correct for most environments. This field is pre-populated with the default value. Update it only if your SAP Ariba environment uses a different regional or custom API gateway endpoint.

    The Base URL, combined with the specific API path and Realm, forms the root of all API calls. For example, Procurement Reporting job submissions use the path https://openapi.ariba.com/api/procurement-reporting-job/v2/prod/jobs?realm=&lt;your-realm&gt;. Contact your SAP Ariba administrator or check the API documentation at the SAP Help Portal if you are unsure which base URL applies to your deployment.

Save the Credential

  1. Once all of the relevant steps in the above sections have been completed, click the Save button at the bottom of the overlay to save the configured credential.

  2. The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation and can be selected for use with a new data source or destination.