Overview
S4Kit is designed as a secure proxy layer between your applications and SAP S/4HANA systems. This architecture provides security, observability, and simplified authentication.
System Architecture
Component Overview
SDK (Client)
The TypeScript SDK that runs in your application:
- Dynamic Proxy: Creates entity handlers at runtime
- Query Builder: Constructs OData query strings
- HTTP Client: Handles requests with retry logic
- Type Support: Full TypeScript definitions
Proxy Service
The core request processing engine:
- Authentication: Validates API keys
- Rate Limiting: Enforces request limits
- Routing: Directs requests to correct SAP instance
- SAP Proxy: Authenticates to SAP and forwards requests
- Response Processing: Normalizes OData responses
- Logging: Records all requests
Data Storage
Persistent data storage:
- PostgreSQL: Configuration, API keys, logs
- Redis: Rate limit counters, token cache
- Encrypted Store: SAP credentials (libsodium)
Request Flow
1. SDK Request
Your application calls the SDK:
2. Request Preparation
The SDK:
- Resolves the entity to an OData path
- Builds query parameters
- Adds authentication header (API key)
- Sends HTTP request to platform
3. API Key Validation
The platform:
- Extracts API key from header
- Looks up key in database (cached in Redis)
- Verifies key is valid and not revoked
- Loads key permissions
4. Permission Check
The platform verifies:
- Key can access the requested instance
- Key can access the requested service
- Key can perform the requested operation on the entity
5. Rate Limit Check
The platform:
- Checks per-minute counter (Redis)
- Checks per-day counter (Redis)
- Returns 429 if limits exceeded
- Increments counters if allowed
6. SAP Authentication
The platform:
- Loads SAP credentials (decrypts from store)
- For OAuth: checks token cache, refreshes if needed
- Prepares authentication headers
7. SAP Request
The platform:
- Constructs full SAP URL
- Adds authentication headers
- Forwards request to SAP
- Handles CSRF tokens for mutations
8. Response Processing
The platform:
- Parses OData response
- Extracts entity data from `d.results` or `value`
- Handles OData errors
- Strips metadata (optional)
9. Logging
The platform records:
- Request details
- Response status and timing
- Any errors
- Key and instance information
10. Response
The SDK receives clean JSON data.
Security Architecture
API Key Security
- Full keys are never stored
- Only hashed values in database
- Prefix and last 4 chars for identification
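The storage rules above and the validation in step 3 can be sketched as follows; this is an added example, not S4Kit's own code. SHA-256, the `Bearer` scheme, the `sk_demo_` key format, the 12-character prefix and all function names are assumptions, and the `Map` stands in for the database.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Stored form of a key: no field here can be turned back into the full key.
interface KeyRecord { hash: string; prefix: string; last4: string; revoked: boolean }
interface Verdict { ok: boolean; reason: string; record?: KeyRecord }

const PREFIX_LEN = 12; // assumed length of the identifying prefix

// Assumption: SHA-256. A fast hash suits high-entropy random keys, not passwords.
const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");

// Issue a key: the caller sees the full value once, the store keeps only the record.
function issueKey(store: Map<string, KeyRecord>): { fullKey: string; record: KeyRecord } {
  const fullKey = "sk_demo_" + randomBytes(24).toString("hex"); // constructed format
  const record: KeyRecord = {
    hash: sha256(fullKey),
    prefix: fullKey.slice(0, PREFIX_LEN),
    last4: fullKey.slice(-4),
    revoked: false,
  };
  store.set(record.hash, record); // indexed by hash, so lookup never needs the key
  return { fullKey, record };
}

// Label for dashboards and request logs: identifies the key without exposing it.
function keyLabel(r: KeyRecord): string {
  return `${r.prefix}...${r.last4}`;
}

// Step 3: extract the key from the header, look it up by hash, reject revoked keys.
function verifyKey(authHeader: string | undefined, store: Map<string, KeyRecord>): Verdict {
  const header = authHeader ?? "";
  const token = header.startsWith("Bearer ") ? header.slice(7).trim() : "";
  if (!token) return { ok: false, reason: "missing or malformed header" };
  const record = store.get(sha256(token));
  if (!record) return { ok: false, reason: "unknown key" };
  if (record.revoked) return { ok: false, reason: "revoked key" };
  return { ok: true, reason: "valid", record };
}
```

Because the record holds only the hash and the two display fragments, a leaked database row or log line does not yield a usable key.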
Credential Encryption
- 256-bit encryption keys
- Encryption key stored separately
- Credentials cannot be decrypted without key
Network Security
- All traffic over TLS 1.3
- API keys in Authorization header
- SAP credentials never sent to SDK
Scalability
Horizontal Scaling
Caching Strategy
| Data | Cache | TTL |
|---|---|---|
| API Keys | Redis | 5 min |
| OAuth Tokens | Redis | Until expiry |
| Rate Limits | Redis | 1 min / 1 day |
| Service Config | Memory | 1 hour |
High Availability
Failover
- Multiple proxy instances
- Database replication
- Redis clustering
- Health checks
Monitoring
- Request metrics
- Error rates
- Response times
- Resource utilization