Architecture

Overview

S4Kit is designed as a secure proxy layer between your applications and SAP S/4HANA systems. This architecture provides security, observability, and simplified authentication.

System Architecture

┌──────────────────────────────────────────────────────────────────┐
│                         Client Side                               │
│  ┌─────────────────────────────────────────────────────────────┐ │
│  │                     Your Application                         │ │
│  │  ┌─────────────┐   ┌─────────────┐   ┌─────────────────┐   │ │
│  │  │   Next.js   │   │   Express   │   │   Python/etc    │   │ │
│  │  └──────┬──────┘   └──────┬──────┘   └────────┬────────┘   │ │
│  │         │                 │                    │            │ │
│  │         └────────────────┬┴───────────────────┘            │ │
│  │                          │                                  │ │
│  │                   ┌──────▼──────┐                          │ │
│  │                   │   S4Kit     │                          │ │
│  │                   │    SDK      │                          │ │
│  │                   └──────┬──────┘                          │ │
│  └──────────────────────────┼──────────────────────────────────┘ │
└──────────────────────────────┼──────────────────────────────────┘
                               │
                               │ HTTPS + API Key
                               ▼
┌──────────────────────────────────────────────────────────────────┐
│                      S4Kit Platform                               │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │                    Proxy Service                          │   │
│  │  ┌────────────┐  ┌────────────┐  ┌──────────────────┐   │   │
│  │  │   Auth     │  │   Rate     │  │     Request      │   │   │
│  │  │ Middleware │─▶│  Limiter   │─▶│     Router       │   │   │
│  │  └────────────┘  └────────────┘  └────────┬─────────┘   │   │
│  │                                            │              │   │
│  │  ┌────────────┐  ┌────────────┐  ┌────────▼─────────┐   │   │
│  │  │   Logger   │◀─│   Error    │◀─│   SAP Proxy      │   │   │
│  │  │            │  │  Handler   │  │                  │   │   │
│  │  └────────────┘  └────────────┘  └────────┬─────────┘   │   │
│  └───────────────────────────────────────────┼──────────────┘   │
│                                               │                  │
│  ┌────────────┐  ┌────────────┐  ┌───────────▼────────────┐    │
│  │ PostgreSQL │  │   Redis    │  │   Credential Store     │    │
│  │  (Data)    │  │  (Cache)   │  │   (Encrypted)          │    │
│  └────────────┘  └────────────┘  └───────────┬────────────┘    │
└──────────────────────────────────────────────┼──────────────────┘
                                               │
                                               │ SAP Auth
                                               ▼
┌──────────────────────────────────────────────────────────────────┐
│                     SAP S/4HANA Systems                          │
│  ┌────────────┐  ┌────────────┐  ┌────────────┐  ┌───────────┐ │
│  │  Sandbox   │  │    Dev     │  │  Quality   │  │Production │ │
│  └────────────┘  └────────────┘  └────────────┘  └───────────┘ │
└──────────────────────────────────────────────────────────────────┘

Component Overview

SDK (Client)

The TypeScript SDK that runs in your application:

Dynamic Proxy: Creates entity handlers at runtime
Query Builder: Constructs OData query strings
HTTP Client: Handles requests with retry logic
Type Support: Full TypeScript definitions

Proxy Service

The core request processing engine:

Authentication: Validates API keys
Rate Limiting: Enforces request limits
Routing: Directs requests to correct SAP instance
SAP Proxy: Authenticates to SAP and forwards requests
Response Processing: Normalizes OData responses
Logging: Records all requests

Data Storage

Persistent data storage:

PostgreSQL: Configuration, API keys, logs
Redis: Rate limit counters, token cache
Encrypted Store: SAP credentials (libsodium)

Request Flow

1. SDK Request

Your application calls the SDK:

await client.A_BusinessPartner.list({ top: 10 });

2. Request Preparation

The SDK:

Resolves the entity to an OData path
Builds query parameters
Adds authentication header (API key)
Sends HTTP request to platform

3. API Key Validation

The platform:

Extracts API key from header
Looks up key in database (cached in Redis)
Verifies key is valid and not revoked
Loads key permissions

4. Permission Check

The platform verifies:

Key can access the requested instance
Key can access the requested service
Key can perform the requested operation on the entity

5. Rate Limit Check

The platform:

Checks per-minute counter (Redis)
Checks per-day counter (Redis)
Returns 429 if limits exceeded
Increments counters if allowed

6. SAP Authentication

The platform:

Loads SAP credentials (decrypts from store)
For OAuth: checks token cache, refreshes if needed
Prepares authentication headers

7. SAP Request

The platform:

Constructs full SAP URL
Adds authentication headers
Forwards request to SAP
Handles CSRF tokens for mutations

8. Response Processing

The platform:

Parses OData response
Extracts entity data from d.results or value
Handles OData errors
Strips metadata (optional)

9. Logging

The platform records:

Request details
Response status and timing
Any errors
Key and instance information

10. Response

The SDK receives clean JSON data.

Security Architecture

API Key Security

Full Key: sk_live_abc123...xyz789
         ↓
Stored:  hash(key), prefix: "sk_live_abc1", last4: "z789"

Full keys are never stored
Only hashed values in database
Prefix and last 4 chars for identification

Credential Encryption

Credentials → libsodium.encrypt(key) → Encrypted blob → Database

256-bit encryption keys
Encryption key stored separately
Credentials cannot be decrypted without key

Network Security

All traffic over TLS 1.3
API keys in Authorization header
SAP credentials never sent to SDK

Scalability

Horizontal Scaling

┌─────────────┐     ┌─────────────────────┐
│ Load        │────▶│ Proxy Instance 1    │
│ Balancer    │────▶│ Proxy Instance 2    │────▶ SAP
│             │────▶│ Proxy Instance N    │
└─────────────┘     └─────────────────────┘
                              │
                    ┌─────────┴─────────┐
                    │  Shared State     │
                    │  (Redis + PG)     │
                    └───────────────────┘

Caching Strategy

Data	Cache	TTL
API Keys	Redis	5 min
OAuth Tokens	Redis	Until expiry
Rate Limits	Redis	1 min / 1 day
Service Config	Memory	1 hour

Getting Started

SDK

Platform

Concepts

Architecture

Overview

System Architecture

Component Overview

SDK (Client)

Proxy Service

Data Storage

Request Flow

1. SDK Request

2. Request Preparation

3. API Key Validation

4. Permission Check

5. Rate Limit Check

6. SAP Authentication

7. SAP Request

8. Response Processing

9. Logging

10. Response

Security Architecture

API Key Security

Credential Encryption

Network Security

Scalability

Horizontal Scaling

Caching Strategy

High Availability

Failover

Monitoring

Getting Started

SDK

Platform

Concepts

​Overview

​System Architecture

​Component Overview

​SDK (Client)

​Proxy Service

​Data Storage

​Request Flow

​1. SDK Request

​2. Request Preparation

​3. API Key Validation

​4. Permission Check

​5. Rate Limit Check

​6. SAP Authentication

​7. SAP Request

​8. Response Processing

​9. Logging

​10. Response

​Security Architecture

​API Key Security

​Credential Encryption

​Network Security

​Scalability

​Horizontal Scaling

​Caching Strategy

​High Availability

​Failover

​Monitoring

Overview

System Architecture

Component Overview

SDK (Client)

Proxy Service

Data Storage

Request Flow

1. SDK Request

2. Request Preparation

3. API Key Validation

4. Permission Check

5. Rate Limit Check

6. SAP Authentication

7. SAP Request

8. Response Processing

9. Logging

10. Response

Security Architecture

API Key Security

Credential Encryption

Network Security

Scalability

Horizontal Scaling

Caching Strategy

High Availability

Failover

Monitoring