Organizations that require more sophisticated approval flows can configure external governance.
This setup allows subscription requests raised within Developer Hub to be reviewed, approved, or rejected through an external system (such as SAP Build Process Automation, any other custom workflow, or an custom application).
Before we dive into the implementation details, it is helpful to revisit the foundations covered in the earlier parts of this series.
In Part 1, we explored the importance of governance within Developer Hub and how administrators can configure built-in governance levels to balance openness with control.
Step 1: Enable External Governance in Developer Hub
Logon to Developer Hub.Navigate to Admin Center > Manage Governance Settings, click on the Subscriptions tab, and choose Edit.Now, select the option Manage Approval Outside Developer Hub and choose Save.
This redirects all future subscription requests to your external governance system for approval.
Note: Enabling this setting alone isn’t enough—several prerequisites must be completed for the setup to function correctly. Make sure you first complete all prerequisite steps and only then update the governance settings.
Step 2: Implement the Service Provider Interface (SPI)
The customer subaccount administrator must implement the Service Provider Interface (SPI), which handles the redirection of subscription requests to your external system.
This could be a workflow, backend service, or UI application that processes approvals.
SPI specifications, including interface details and parameters, are available on the SAP Business Accelerator Hub.
Recommendation
Use SAP Integration Suite API Management for implementing the Service Provider Interface (SPI), and SAP Build Process Automation for designing your external approval workflow. For step-by- step instruction, see Part 3: Implementing External Governance Using SAP Integration Suite and SAP Build Process Automation (add blog link).
Step 3: Create a Destination in SAP BTP Cockpit
Once the SPI is in place, create a destination in your SAP BTP subaccount that points to the SPI endpoint.
This destination should include:
The SPI service URLAuthentication credentials (e.g., OAuth2, Basic Auth)
This setup ensures Developer Hub can securely send subscription requests to your external system.
In your web browser, log on to SAP BTP Cockpit and navigate to your source subaccount.Choose the Connectivity > Destinations tab in the left-hand pane.Choose Create and in the Create New Destination popup, select From Scratch to create a new destination manually.In Destination Details section, fill in all the required details according to the descriptions provided in the table and choose Create.
Note: Use the credentials provided by the customer sub-account administrator. Supported authentication methods include OAuth 2.0, Client Certificate, and Basic authentication.
Fields
Details
Name
Enter DeveloperHub_Governance_SPI as the destination name.
Type
Enter HTTP as the supported type.
Description
Enter a brief description stating the purpose of creating a new destination in the Description field.
URL
Enter the external governance application URL.
Since, in this use case, you are using the API proxy as the SPI implementation in SAP Build, enter the API proxy connectivity link in the Destination URL field and provide the corresponding authentication details.
Proxy Type
Internet
Authentication
Select the authentication type depending on your requirement.
Basic: User provides a simple username and password based authentication.Client Certificate: The user provides the Key Store Source, Key Store Location, and Key Store Password. The server verifies the certificate to grant access.OAuth2ClientCredentials: Used when third-party services need to access resources without sharing the user’s password. A backend service authenticating with a resource server to access an API using Client ID, Client Secret, and Token Service URL. The token URL should correspond to the customer governance application when OAuth2 is being used.
You can also do a Check Connection to verify whether you’ve added the destination correctly.
Step 5: Update Developer Hub with Governance Decisions
After the external administrator approves or rejects a subscription request, that decision must be communicated back to Developer Hub.
The external governance system does this by calling the API Developer Hub – External Governance (CF) published on SAP Business Accelerator Hub, using credentials tied to the AuthGroup.External.Reviewer role collection.
Once the decision is received, Developer Hub updates the subscription status accordingly.
When Governance Takes Effect
Once all prerequisites are fulfilled and Manage Approval Outside Developer Hub is enabled:
New subscription requests are automatically routed to the external approval system.Approvals and rejections are reflected in Developer Hub based on feedback from the external workflow.
⚠️Caution:
If prerequisites aren’t configured correctly, subscription requests will fail. Always verify your setup before enabling external governance.
How the External Subscription Process Works
Developer Submits a Subscription RequestThe developer subscribes to an API product from the Developer Hub catalog.The request is automatically sent to the external approval system.External Administrator Reviews the RequestThe external admin (using a workflow, e.g., SAP Build Process Automation) reviews and approves or rejects the request.They can view API details in Developer Hub or via APIs on SAP Business Accelerator Hub.Developer Receives the DecisionIf approved, the developer receives a confirmation email containing a link to the application with the subscribed product.If rejected, they receive a rejection email, and the pending subscription is deleted.Developers can monitor request status under My Workspace → Subscriptions → Pending Approval.
Configuration Requirements Summary
To ensure smooth external governance:
Set the governance option to Manage Approval Outside Developer HubSelect the Allow Subscription option for the product. Complete all the Service Provider Interface (SPI) and destination configurationsIntegrate the external system properly using the Developer Hub API
Note: ️ You cannot remove or modify products with pending or approved subscriptions.
To apply configuration updates, bring the product into draft mode, make changes, and republish it.
Conclusion
Developer Hub’s governance capabilities provide the flexibility and control modern enterprises need to manage their API ecosystems effectively.
Whether your organization prefers internal governance through SAP systems or external workflows via custom integrations, Developer Hub empowers administrators to tailor governance processes that align with their business policies—ensuring secure, compliant, and well-managed API access across your developer community.
Organizations that require more sophisticated approval flows can configure external governance.This setup allows subscription requests raised within Developer Hub to be reviewed, approved, or rejected through an external system (such as SAP Build Process Automation, any other custom workflow, or an custom application).Before we dive into the implementation details, it is helpful to revisit the foundations covered in the earlier parts of this series.In Part 1, we explored the importance of governance within Developer Hub and how administrators can configure built-in governance levels to balance openness with control.Step 1: Enable External Governance in Developer HubLogon to Developer Hub.Navigate to Admin Center > Manage Governance Settings, click on the Subscriptions tab, and choose Edit.Now, select the option Manage Approval Outside Developer Hub and choose Save.This redirects all future subscription requests to your external governance system for approval.Note: Enabling this setting alone isn’t enough—several prerequisites must be completed for the setup to function correctly. Make sure you first complete all prerequisite steps and only then update the governance settings.Step 2: Implement the Service Provider Interface (SPI)The customer subaccount administrator must implement the Service Provider Interface (SPI), which handles the redirection of subscription requests to your external system.This could be a workflow, backend service, or UI application that processes approvals.SPI specifications, including interface details and parameters, are available on the SAP Business Accelerator Hub. RecommendationUse SAP Integration Suite API Management for implementing the Service Provider Interface (SPI), and SAP Build Process Automation for designing your external approval workflow. For step-by- step instruction, see Part 3: Implementing External Governance Using SAP Integration Suite and SAP Build Process Automation (add blog link).Step 3: Create a Destination in SAP BTP CockpitOnce the SPI is in place, create a destination in your SAP BTP subaccount that points to the SPI endpoint.This destination should include:The SPI service URLAuthentication credentials (e.g., OAuth2, Basic Auth)This setup ensures Developer Hub can securely send subscription requests to your external system.In your web browser, log on to SAP BTP Cockpit and navigate to your source subaccount.Choose the Connectivity > Destinations tab in the left-hand pane.Choose Create and in the Create New Destination popup, select From Scratch to create a new destination manually.In Destination Details section, fill in all the required details according to the descriptions provided in the table and choose Create.Note: Use the credentials provided by the customer sub-account administrator. Supported authentication methods include OAuth 2.0, Client Certificate, and Basic authentication.FieldsDetailsNameEnter DeveloperHub_Governance_SPI as the destination name.TypeEnter HTTP as the supported type.DescriptionEnter a brief description stating the purpose of creating a new destination in the Description field.URLEnter the external governance application URL.Since, in this use case, you are using the API proxy as the SPI implementation in SAP Build, enter the API proxy connectivity link in the Destination URL field and provide the corresponding authentication details.Proxy TypeInternetAuthenticationSelect the authentication type depending on your requirement.Basic: User provides a simple username and password based authentication.Client Certificate: The user provides the Key Store Source, Key Store Location, and Key Store Password. The server verifies the certificate to grant access.OAuth2ClientCredentials: Used when third-party services need to access resources without sharing the user’s password. A backend service authenticating with a resource server to access an API using Client ID, Client Secret, and Token Service URL. The token URL should correspond to the customer governance application when OAuth2 is being used. You can also do a Check Connection to verify whether you’ve added the destination correctly.Step 5: Update Developer Hub with Governance DecisionsAfter the external administrator approves or rejects a subscription request, that decision must be communicated back to Developer Hub.The external governance system does this by calling the API Developer Hub – External Governance (CF) published on SAP Business Accelerator Hub, using credentials tied to the AuthGroup.External.Reviewer role collection.Once the decision is received, Developer Hub updates the subscription status accordingly.When Governance Takes EffectOnce all prerequisites are fulfilled and Manage Approval Outside Developer Hub is enabled:New subscription requests are automatically routed to the external approval system.Approvals and rejections are reflected in Developer Hub based on feedback from the external workflow.⚠️Caution:If prerequisites aren’t configured correctly, subscription requests will fail. Always verify your setup before enabling external governance.How the External Subscription Process WorksDeveloper Submits a Subscription RequestThe developer subscribes to an API product from the Developer Hub catalog.The request is automatically sent to the external approval system.External Administrator Reviews the RequestThe external admin (using a workflow, e.g., SAP Build Process Automation) reviews and approves or rejects the request.They can view API details in Developer Hub or via APIs on SAP Business Accelerator Hub.Developer Receives the DecisionIf approved, the developer receives a confirmation email containing a link to the application with the subscribed product.If rejected, they receive a rejection email, and the pending subscription is deleted.Developers can monitor request status under My Workspace → Subscriptions → Pending Approval.Configuration Requirements SummaryTo ensure smooth external governance:Set the governance option to Manage Approval Outside Developer HubSelect the Allow Subscription option for the product. Complete all the Service Provider Interface (SPI) and destination configurationsIntegrate the external system properly using the Developer Hub APINote: ️ You cannot remove or modify products with pending or approved subscriptions.To apply configuration updates, bring the product into draft mode, make changes, and republish it.ConclusionDeveloper Hub’s governance capabilities provide the flexibility and control modern enterprises need to manage their API ecosystems effectively.Whether your organization prefers internal governance through SAP systems or external workflows via custom integrations, Developer Hub empowers administrators to tailor governance processes that align with their business policies—ensuring secure, compliant, and well-managed API access across your developer community. Read More Technology Blog Posts by SAP articles
#SAP
#SAPTechnologyblog
