Log in to save this article and keep your favorite resources in one place.
SAP’s recently updated API policy, introducing new governance for AI agents and data access, has sparked significant discussion across the enterprise landscape, as customers seek to clarify any potential implications for their use of APIs, extensions, and related data transmission interfaces. In a June 30 webinar — intended to provide an overview of the SAP API Policy and its role in enabling secure, scalable, and compliant integrations with SAP solutions — SAP experts sought to assuage concerns that SAP might narrow the integrations and extensions they currently depend on.
“It’s not about shutting doors,” explained Christof Momm, Lead Software Architect at SAP. “We are building new doors — better ones.”
Watch the full webcast recording here and download the relevant PDF; for more, read SAP’s full API Policy FAQ and ASUG’s previous coverage.
While adding rules for AI and agentic traffic, the policy update leaves the practices most customers depend on in place. Only one interface, ODP-RFC, sits on the unpermitted list as of today. Clean core extensibility, custom code in the Z and Y namespaces, and published APIs used as documented all continue unaffected. SAP used the session to explain why this policy update was necessary; its reasoning started with API traffic itself.
A quick look at a few of the webinar’s key takeaways:
- SAP’s presenters cast the update as outlining governance and new AI-era pathways, rather than as the crackdown some customers feared; the update, they stated, is driven by a surge in bot and AI-agent traffic that legacy APIs can’t absorb, as well as by rising security threats to AI tooling.
- What you can use comes down to documentation: published APIs used as documented are supported, undocumented SAP interfaces are at your own risk, and any existing integrations will receive monitoring and outreach before any hard enforcement.
- Customers can check ODP-RFC exposure via a self-assessment tool at SAP Note 3439624; enforcement began June 9, 2026, with a security patch that technically blocks noncompliant ODP via RFC calls, while a December 31, 2026 opt-out deadline applies. (Use of ODP over OData is considered a valid alternative, and there is no plan at this time to restrict this.)
- For AI and agents, SAP is steering customers to standards-based pathways: A2A, into its own Joule agents; the MCP Gateway in SAP Integration Suite; and SAP Business Data Cloud, for data extraction.
Why SAP Updated Its API Policy
One of the main catalysts behind the policy is volume. SAP has watched automated traffic climb as customers point coding agents and chatbots at their systems, and it behaves nothing like the human activity its older APIs were built to absorb. Bots scrape data from public endpoints and, increasingly, hit protected ones with valid credentials. When context is thin, an agent often resorts to trial and error, multiplying calls. In some solutions, the load growth was sharp enough that SAP had to throttle some customers to keep one tenant from degrading another, said Momm.
Then, there is the security side. Momm pointed to a run of supply chain attacks that touched SAP directly, including a LiteLLM incident SAP mitigated with SAP LeanIX, and to a new attack surface that AI-native protocols open. MCP, he noted, now carries its own OWASP Top 10 of vulnerabilities specific to the protocol. Left unpatched, he said, they can spread.
To explain the mechanics of this, Momm compared it to a highway. The existing APIs are a road built for human-driven cars, he said, and AI has sent autonomous trucks onto it. Rather than widen the road or add tolls, SAP kept the original lanes for their traffic and added controls for the heavier load. It then built a separate fast lane where autonomous traffic can coordinate, with no human-driven car in the way.
What Changes, and What Stays the Same
The policy itself can be read on a single page, with practical guidance delivered via an FAQ Momm urged customers to read closely. Its logic rests on a single default tied to SAP’s documentation. Where SAP documents an API and the use a customer puts it to, that use is supported. Where nothing is documented, SAP’s assumption is that the interface was not built for a clear purpose, and the risk falls to the customer. Published APIs are the officially supported, lowest-risk path. Undocumented ones may have run stably for decades, but they sit outside support, and they were never meant for mass data egress or AI consumption.
Custom code stays squarely inside these lines. Anything a customer builds in its own namespaces, and everything the clean core framework classifies at levels A through D, remains permitted. SAP does not govern custom APIs directly, said Momm, though they inherit whatever limits attach to the SAP APIs beneath them.
Such interfaces, he said, “must not be used to circumvent the measures,” whether that means dodging a rate limit or making an interface unsuited to mass egress perform it. The same scope reaches third-party vendor products — SAP will not assess their compliance, leaving customers to verify it with the vendor.
SAP is treading carefully with integrations already running in production. The company is wary of breaking changes, said Momm, and would rather monitor usage and reach out to customers than impose hard limits; nothing already permitted is being invalidated after the fact. Customers who want to audit themselves can use the ABAP Test Cockpit and its Cloud Readiness Check to scan custom code for non-published dependencies; automatic flagging of prohibited APIs is still in preparation.
Where SAP Draws the Line on ODP-RFC
One interface does cross into prohibited territory, and so far it is the only one. ODP-RFC was built as an internal SAP interface, and SAP objects to its use for the external, large-scale data calls it was never designed to carry. Even here, the restriction comes with room to maneuver.
Customers can run a self-assessment with the tooling in SAP Note 3439624 to learn whether they are affected. A security patch shipped on June 9. Customers found to be impacted could suspend it temporarily while they migrate to a target-state architecture; an opt-out is available only through December 31, 2026, after which the restriction becomes permanent.
Customers relying on the interface today have a supported alternative. ODP over OData remains valid and unrestricted, a documented route to the same data without the prohibited RFC path. More interfaces are likely to be flagged over time, Momm said, as SAP labels confidential ABAP components and extends ATC to detect them. ABAP is open and can be read, he acknowledged, but that does not mean that everything can be used.
A Primer on MCP and A2A
The policy’s other half is the part SAP most wants noticed. Even as it sets defaults on the older interfaces, it opens pathways designed for AI, and those run on two open protocols instead of custom, one-off integrations. The Model Context Protocol (MCP) connects an agent to systems, documents, and data, exposing them as tools it can call. Momm likened it to JDBC, a standard way to reach the data layer. The Agent2Agent protocol (A2A) handles the other direction, letting independent agents and systems talk to one another, work that older REST interfaces once did.
SAP has tied itself to both. It is a founding member of the Linux Foundation’s A2A project and a Gold member of the Agentic AI Foundation. SAP is also contributing to MCP to make it enterprise-ready.
Those protocols anchor a set of endorsed pathways. The one SAP prefers is A2A into its own agents, Joule among them, because those agents, as Momm put it, “have the context, and they know precisely what to do with the tasks,” sparing the APIs the overuse of a less-informed caller. MCP through the Integration Suite turns existing APIs into agent-ready tools, and SAP Business Data Cloud handles extraction for data and analytics work, including a documented pattern that connects to Databricks.
The dedicated gateway for the preferred A2A route, the Agent Gateway, is still forthcoming; until it ships, SAP points customers to the endorsed patterns in its Architecture Center and AI Golden Path guide.
SAP recently added a more open option allowing third-party MCP servers, though Momm was clear it puts the security and integration burden — from authentication to supply chain exposure — on the customer. Using it is “their own risk,” he said, and SAP steers customers toward managed offerings instead.
Governing Agent Access Through the MCP Gateway
To make MCP practical at enterprise scale, Dhawal Joshi, Chief Product Owner for SAP’s API Platform in the Integration Suite, introduced the new MCP Gateway. The gateway takes APIs, integrations, and data sources a customer already runs and, in Joshi’s words, turns them into “discoverable and reusable tools for agent use.” A customer can build a server from an existing API artifact, an OpenAPI or OData specification, or an RFC, then secure it through SAP’s identity services.
Governance, more than raw connectivity, is the gateway’s point, said Joshi. Agents subscribe to a published server through a developer hub and receive their own scoped credentials, granted and traced agent by agent, with an analytics view showing which agents and tools are in use. The design also trims the token cost of agent access. A raw, verbose OData call handed to an agent can balloon its context and raise the chance of agents hallucinating; an MCP tool gives it a leaner, purpose-shaped interface instead.
Joshi gave a live demonstration, building a procurement-compliance server and running an agent that reviewed a purchase order and flagged an inactive supplier.
The MCP Gateway ships as part of the Integration Suite’s Enhanced and Premium editions. Joshi said the rollout began the day of the webinar, reaching production data centers on AWS and Azure from July 5, with more on July 12 and Google Cloud Platform to follow. About 20 customers had run the gateway in beta, and SAP uses it internally, though none had yet gone live on the generally available release.
The Q&A drew out a distinction worth keeping in mind. SAP does not mandate its own gateway; customers can front their agents with other MCP servers, provided they take on the security and lifecycle work themselves. One participant flagged the gap between the policy’s strict legal tone and the FAQ’s more practical one, and SAP said the two do different jobs. The policy sets the legal framework, while the FAQ explains how to live within it day to day.
Momm offered his own summation after the demo. “We are not locking down everything with the API policy. We are also opening up a lot,” he said, “but doing things right is important.” For now, the policy restricts a single interface, leaves clean core and custom code alone, and routes the new agent traffic through pathways SAP is still building out.
Watch the full webcast recording here and download the relevant PDF.
You Might Be Interested In
Log in to save this article and keep your favorite resources in one place.
Log in to save this article and keep your favorite resources in one place.
Log in to save this article and keep your favorite resources in one place.
Log in to save this article and keep your favorite resources in one place.