X-csrf-token SAP API POST request

Hey Community Members,

when sending a POST request to my SAP system I have to send a x-csrf-token in the header.
The x-csrf-token can be fetched by making a GET request.
Hence, in order to make the POST request, I would have to send first a GET request fetching the token, save it somehow and use it later on for the POST request.

My question: How can I implement a logic, in AppGyver to handle this requirement? Could this be achived by simply adding custom javascript code block?


I think I found a solution for this problem for now.

If you have access to the SAP system you can disable the x-csrf-token mechanism in the SAP system in the transaction SICF. From there you have to finde the node with the API you want to call. Click on details and find the button “GUI_Configuration”. There you can place the following entry: ~CHECK_CSRF_TOKEN=0

You might want to add your logon credentials in the service as well.

Finally, you have to include in your request header:

  • x-requested-with: “X” and
  • accept: “application/json”

I hope this might be helpful for some people to get the API to run. However, I guess that this is not the best solution, because you need access to the SAP system. Welcoming any other approaches :slight_smile:

This answer is based on the post of the following webpage: https://learntips.net/disable-csrf-token-for-odata-calls-using-sap-netweaver-gateway/

Hi @Markus_Fischer1, an alternative solution would be to use the “HTTP Request” flow function from the marketplace to make the GET call, and save the resulting token to an app variable for use in subsequent requests.

Hi @Mari ,
Thank you for your answer. Could you tell me how to get the headers into an app variable? Unforuntately, there is no clear structure of the object of the response header.

I assumed it has the structure of a list with objects which contains the features header and value…
But then I could not assign it to an app variable with this structure.

You should be able to do it with a formula binding outputs["HTTP request"].resHeaders.map.headerName. It doesn’t work with the binding editor since it cannot be assumed beforehand which headers the response will have.

EDIT: Depending on the server this might only work on mobile though because of browser cross-origin issues, so if you’re developing a web app, the first approach might be better

If you’re building an app for internal use (users logging in via VPN, citrix etc.), I think it’s fine to disable the token. But If it’s going to available for the open web, it makes sense to keep it.

Do you have the Integration Suite? CPI can handle CSRF token with each request. Additionally, APIM could be used. In C4C I use a technical user (similar to a communication user) which bypass the CSRF token altogether. Maybe something similar exists in ERP as well?

Hey @Mari ,

Unfortunately, I am still not able to receive the header information from my GET request. I attached my current implementation of the logic part below.


Alert Block

Might there be still sth wrong with my formula?

Hi Atakan,

Thanks for the hint. I only have a trial version of the SAP Integration Suite, but I will have a look into it.

Hi @Markus_Fischer1, if you use that syntax, you’ll need to input the property name as a string resHeaders.map['headerName']

Thank you for you reply, but still no luck, even with quotation marks.

Hi, are you testing on mobile or web? Can you get out for example a 'date' response header (or anything else that the response has)?

I am testing on web. Unfortunately, I can’t display any response header.
Those are the response headers which I am expecting based on Postman:

Hi, like I mentioned in my last comment, the server might have limitations for cross-origin requests, so you might not be allowed to read the response header:

After getting some tipps from Mari on how to use the javascript custom code block, I was able to get the required x-csrf-token.

Below my code:

const myHeaders = new Headers({

  'authorization': 'YOUR CREDENTIALS',

  'x-csrf-token': 'fetch',

  'accept': 'application/json'


const myRequest = new Request('YOUR API', {

  method: 'GET',

  headers: myHeaders,



let response = await fetch(myRequest)

return { result: response.headers.get('x-csrf-token')}

FYI @Markus_Fischer1 and anyone else who is trying to implement this in the future, the “HTTP Request” flow function’s headers output has been fixed.

You can now get the token in a subsequent node with
outputs["HTTP Request"].resHeaders["x-csrf-token"],
so the JS snippet above is no longer required. :slight_smile:

1 Like

How to do the HTTP-Request with a PATCH? That would be important as well