SAP has recently made an important change to how OAuth Tokens are managed for SAP Analytics Cloud (SAC) hosted SAP data centers (Neo).

OAuth Clients are used to allow applications to call the REST APIs of SAC. For example if you wanted to automate the creation of user management you would use the SAC User API, or if you wanted to embed stories in to your application you may want to use the SAC Stories API.

In order to call the API you must use your OAuth Client to retrieve a token that can then be used to authenticate your API calls.

SAC OAuth tokens and refresh tokens can no longer have infinite expiry dates, and now have a maximum of 180 days. In order to eliminate this vulnerability:

1. new oAuth Clients tokens can no longer be created with lifetimes longer than 180 days.


2. all previously created Oauth Client tokens with lifetimes > 180 days have had their lifetimes reduced to 180 days.

Both measures were applied during the week of August 9 2023, any OAuth clients tokens with 180 day lifetimes at that time will be due to expire in early January.

Actions for developers calling the SAC REST APIs:

• Ensure your code can properly handle the lifecycle of OAuth tokens and refresh tokens. Your code should be able to handle the expiry of tokens and the refresh tokens, including the creation of new tokens.


• Please complete your review and corrections before January 1 2024, in order to avoid service interruptions when accessing SAC from the public APIs.

Key Points

• This update only affects SAC hosted SAP Managed Data Centers (Neo)


• Token expiry dates should not be confused with OAuth client secret expiry dates

To learn more about managing OAuth Clients with SAC see the following links:

• Managing OAuth Clients and Trusted Identity Providers.


• https://blogs.sap.com/2018/04/20/sap-analytics-cloud-apis-getting-started-guide/