Zum Inhalt springen
SAP, DATEV and Dynamics experts
API-Sicherheit

OAuth 2.0 and Token Security for ERP Interfaces

Many ERP-to-shop APIs still run on static keys. How the client credentials flow, mTLS, DPoP, short token lifetimes and scope minimization harden the API.

13 min read OAuth 2.0API-SicherheitERP-IntegrationmTLS

The most sensitive data of any trading company flows between the online shop and the ERP: orders, customer master data, prices, stock levels and payment information. Yet many of these interfaces still run on a single static API key or on Basic Authentication with a hard-coded password. What starts out pragmatic becomes expensive as the attack surface grows and compliance pressure rises. Compromised credentials are among the costliest entry points of all: a data breach costs companies worldwide 4.44 million US dollars on average (IBM Cost of a Data Breach 2025), and faulty authentication ranks second as Broken Authentication in the OWASP API Security Top 10 (OWASP). At the same time, the BSI recently recorded around 309,000 new malware variants per day (BSI). This article shows how to secure the API layer between ERP and shop with OAuth 2.0: using the client credentials flow, sender-constrained tokens via mTLS and DPoP, short token lifetimes, rotation and scope minimization -- guided by the current security guidance IETF RFC 9700.

OAuth 2.0: bound, short-lived tokens for ERP APIsClient credentials flow, mTLS/DPoP and scope minimization instead of static keysShop clientMiddleware / connectorAuthorization ServerToken endpointClient credentials flowERP / Resource ServerSAP, Dynamics, ERP1. Request token3. Present token2. Issue access tokenAccess Tokenscope: orders:read (least privilege)exp: 5 minutes, short-livedcnf: mTLS certificate / DPoPsender-constrained (RFC 9700)Static API key vs. OAuth 2.0 tokenStatic API keyLifetime: unlimitedRevoke: only global rotationBinding: none, plain bearerScope: usually full accessOAuth 2.0 tokenLifetime: minutes, rotatingRevoke: per tokenBinding: mTLS or DPoPScope: narrow, per task

Why Static API Keys and Basic Auth Become a Risk

The appeal of a static API key is obvious: it is set up in minutes, copied into every HTTP call and works immediately. That very simplicity is what makes it a problem. Such a key is a permanent pass with no expiry date. It sits in plaintext in configuration files, in scripts, in developers' clipboards and not rarely in version control, where it was checked in by accident. Anyone who holds it can address the interface indefinitely -- without anyone noticing that the caller is no longer the legitimate one.

The economic dimension is substantial. The average data breach costs companies worldwide 4.44 million US dollars, down from 4.88 million the year before (IBM Cost of a Data Breach 2025). In the US the average is as high as 10.22 million US dollars (IBM Cost of a Data Breach 2025). For interfaces, what matters is less the average than the duration: it takes a mean of 241 days to identify and contain an incident (IBM Cost of a Data Breach 2025). A static key misused unnoticed during that time leaves the interface open for months. The BSI describes compromised credentials and identity theft as a persistently growing threat, especially against cloud infrastructures (BSI).

The static key is a permanent pass

A hard-wired API key cannot be revoked selectively. If compromised, only a global rotation remains -- and that takes down every dependent integration at once. That is precisely why such keys often stay in use for years, even though it has long been unclear who all knows them. A short-lived, revocable token reverses this relationship: it quickly becomes worthless if misused and can be withdrawn individually.

OWASP lists faulty authentication as API2:2023 Broken Authentication in second place of the API Security Top 10 (OWASP). This explicitly includes weakly protected authentication endpoints that can be attacked by brute force or credential stuffing, as well as the insecure storage and management of tokens (OWASP). In first place stands broken object level authorization, where an interface returns records solely by an ID passed to it (OWASP). Both risks share a common root: too much trust in a single, long-lived secret. How these interfaces fit into the wider regulatory frame is covered in our article on the NIS2-compliant hardening of ERP interfaces -- here we look at the concrete authentication mechanisms beneath it.

OAuth 2.0 and the Client Credentials Flow for Machines

OAuth 2.0 is the established standard for delegated authorization. Instead of passing on a permanent password, a client obtains a time-limited access token from an authorization server and presents it on every call to the interface. OAuth knows several procedures, so-called grant types, depending on whether a human is involved in the browser or two systems talk directly to each other. For communication between shop, middleware and ERP -- machine to machine without an interactive user -- the client credentials flow is intended.

Why client credentials and not the authorization code flow

The authorization code flow with PKCE is meant for applications where a human logs in and grants an app access to their data. Between ERP and shop there is no such user -- the systems act in their own name. The client credentials flow is the right one for this: the client identifies itself with its own credentials or a certificate and receives a token that reflects exactly its machine role. The implicit flow and the password grant (ROPC), by contrast, are explicitly discouraged by RFC 9700 (IETF RFC 9700).

In the client credentials flow, the client authenticates directly at the authorization server's token endpoint and receives an access token in return. Authentication no longer happens through a plaintext password, but ideally through a client certificate. This is what such a token request looks like at its core:

Token request in the client credentials flow
POST /oauth/token HTTP/1.1
Host: auth.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&scope=orders:read inventory:write

# Response: short-lived access token with a narrow scope,
# bound to the client certificate (mTLS) or to a DPoP key

In practice, the central place for this logic is the middleware: it fetches tokens, renews them in time, holds certificates and enforces the hardening uniformly, instead of implementing it anew in every single point-to-point connection. The access token the server issues is deliberately short-lived and carries only the permissions the respective process actually needs.

Bearer Tokens and Their Core Problem

A plain access token is initially a bearer token -- a holder token. The name says it all: whoever holds the token may use it, regardless of whether they are the legitimate client or an attacker who intercepted it. The server only checks whether the token is valid, not who presents it. A bearer token thus has the same conceptual weak point as a static key, only with a shorter lifespan. If it falls into the wrong hands -- through a leak in log files, a compromised proxy or a faulty error message -- it can be reused unhindered until it expires.

A bearer token is like cash: whoever finds it can spend it. Sender-constrained tokens turn this cash into a personalized cheque that is only valid with the matching ID.

ERP Integration Agency

Sender-Constrained Tokens: mTLS and DPoP

This is exactly where the current security guidance comes in. RFC 9700, the Best Current Practice for OAuth 2.0 security in force since January 2025, recommends binding access tokens to their sender (IETF RFC 9700). Such a sender-constrained token is only usable if the caller additionally proves possession of a certain secret -- a private key or a certificate. A stolen token alone then no longer helps an attacker. RFC 9700 names two standardized mechanisms for this: mutual TLS per RFC 8705 and Demonstrating Proof of Possession, DPoP for short, per RFC 9449 (IETF RFC 9700).

With mutual TLS, both sides identify themselves with certificates -- not only the server to the client, but also the client to the server. The issued token is bound to the public key of the client certificate; the resource server accepts it only over the same certificate-secured connection. DPoP pursues the same goal at the application layer: the client generates a signed proof per request with its private key, which the server checks against the key stored in the token. Both mechanisms render an intercepted token worthless, but differ in infrastructure and usage profile.

AspectMutual TLS (RFC 8705)DPoP (RFC 9449)
Bound toClient certificatePublic-private key pair
LayerTransport layer (TLS)Application layer (HTTP header)
InfrastructureCertificate management, PKI neededFeasible without client PKI
Typical useServer-to-server in the data centerClients without a stable certificate base
Proof perConnectionIndividual request

For the classic server-to-server connection between middleware and ERP -- such as a SAP integration -- mutual TLS is often the obvious choice, because both sides are managed anyway and a certificate structure exists. DPoP plays to its strength where a full-blown client PKI would be too costly. What matters is not the choice of one mechanism or the other, but that tokens are bound to their sender at all, instead of wandering through the systems as freely transferable cash.

Short Lifetimes and Token Rotation

A sender-constrained token is already considerably harder to misuse. The second line of defense is its lifespan. RFC 9700 recommends short-lived access tokens to limit the window in which a compromised token is useful at all (IETF RFC 9700). Instead of a key that is valid for years, the client receives a token that expires after minutes and is fetched anew when needed. When a token expires, any unnoticed misuse ends automatically with it.

So that the client does not have to go through a full re-authentication on every call, refresh tokens come into play. These longer-lived tokens serve solely to obtain new access tokens. Because they thus become a worthwhile target themselves, RFC 9700 recommends refresh token rotation: on every redemption, the old refresh token is invalidated and a new one issued (IETF RFC 9700). If an already redeemed refresh token reappears, that is a clear sign of theft -- and the entire token chain can be blocked immediately.

  • Short access token lifetime: minutes instead of months limit the misuse window to a minimum.
  • Refresh token rotation: every redemption invalidates the previous refresh token and exposes reuse immediately.
  • Sender-constraining refresh tokens too: the refresh token is also bound to mTLS or DPoP, so that theft alone is of no use.
  • Automatic renewal: the middleware fetches tokens in time and without downtime, so short lifetimes do not disrupt operations.
  • Immediate revocation: individual tokens or clients can be blocked specifically, without halting all integrations.

Short lifetimes need reliable renewal

Short-lived tokens only unfold their protection if renewal is reliably automated. If a token becomes invalid at the wrong moment without a new one being ready in time, order reconciliation or stock synchronization break off. The art lies in choosing the lifetime short enough for security and the renewal robust enough for continuous operation. Central token handling in the middleware takes this task off every single connection -- complemented by robust error handling in interfaces that cleanly catches expired tokens instead of aborting processing.

Scope Minimization Following Least Privilege

Even a short-lived, bound token should be allowed to do only as much as necessary. That is exactly what scopes achieve: they restrict a token to a narrowly defined set of rights. A process that only needs to transfer orders from the shop into the ERP needs no token with full access to customer master data and prices. RFC 9700 explicitly advises keeping scopes minimal and granting only the permissions actually required (IETF RFC 9700). This least privilege principle limits the damage should a token be compromised after all.

The effect reaches all the way to broken object level authorization, which OWASP lists in first place of the API Security Top 10 (OWASP). A narrowly scoped token that only allows read access to orders cannot change prices or delete customer records, even if an attacker captures it. Scopes do not replace per-record authorization checks, but they considerably shrink the attack surface of each individual token. How such an authorization layer can be centralized is shown in our comparison of REST API and middleware.

One scope per task

Every integration process gets its own client profile with exactly the rights its task requires -- no more.

Separate read and write

A read-only access to orders gets no write permission. This way a compromised token cannot change any data.

No catch-all client

Instead of a universal access for all interfaces, each connection receives its own clearly delimited mandate.

Narrow scopes per process
# Order import shop -> ERP
scope=orders:read

# Stock feedback ERP -> shop
scope=inventory:write

# Price maintenance (separate client, own certificate)
scope=prices:write

What RFC 9700 Concretely Recommends

RFC 9700 bundles the current security guidance for OAuth 2.0. The Best Current Practice published in January 2025 updates the attacker model and summarizes what has proven secure over years of practical experience (IETF RFC 9700). For an ERP-to-shop interface, the core points translate into a few clear rules: sender-constrained tokens instead of plain bearer tokens, short lifetimes, refresh token rotation, minimal scopes and the avoidance of outdated procedures such as the implicit flow and the password grant.

AspectGrown connectionPer RFC 9700
AuthenticationStatic API key or Basic AuthOAuth 2.0 client credentials flow
Token typelong-lived bearer secretsender-constrained via mTLS or DPoP
Lifetimeunlimited, rarely rotatedshort-lived, automatically renewed
Refreshno conceptrotating, blocked on reuse
Permissionusually full accessminimal scopes per process
Revocationonly global key rotationspecific per token or client

Security as a property of the interface, not an afterthought

The individual building blocks -- client credentials flow, token binding, short lifetimes, rotation and narrow scopes -- interlock. Only together do they yield an interface where a single leaked secret no longer opens the whole system. Anyone who builds in these principles from the start, instead of retrofitting them later, saves costly rework and closes the most common attack paths from the outset.

The Path from Static Keys to OAuth 2.0

The path from a grown connection with a static key to a token-based interface can be taken step by step, without interrupting ongoing operations -- as part of an orderly system integration. At the start there is no big redevelopment, but a stocktaking: which interfaces exist, how do they authenticate today and what data flows across them. From this finding the order follows -- the connections with the most far-reaching rights and the most sensitive data first.

1. Take stock

Record all interfaces, their authentication, their data classes and their permissions. Static keys and Basic Auth connections become visible in the process.

2. Introduce an authorization server

Provide a token endpoint, set up client profiles per process and distribute certificates for mTLS or keys for DPoP.

3. Switch over gradually

Move each connection individually from the static key to the client credentials flow, test in parallel and only then shut down the old access.

4. Monitor and operate

Continuously observe token usage, error rates and revocations so that short lifetimes and rotation work reliably in continuous operation.

Anyone who embeds this hardening into a broader integration strategy will find further approaches in our article on connecting JTL-Wawi to the online shop as well as on the digital product passport under the ESPR -- both show that a secure API layer is the basis for new data flows. How to make token usage, error rates and anomalies visible in ongoing operation is deepened in the article on observability of interfaces.

Security is not a feature you bolt onto an interface afterwards. It is the way an interface organizes trust -- from the very first line.

ERP Integration Agency

Sources and Studies

This article is based on data from: IETF RFC 9700 (Best Current Practice for OAuth 2.0 Security, January 2025), IETF RFC 8705 (OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens) and IETF RFC 9449 (OAuth 2.0 Demonstrating Proof of Possession, DPoP); OWASP API Security Top 10 (2023 edition, in particular API1 and API2); BSI (Federal Office for Information Security), The State of IT Security in Germany (2024); IBM Cost of a Data Breach Report (2025). The figures cited can vary depending on the survey period.