General FAQs

What is YaaS?Simply put, YaaS is a marketplace for services. As a developer, you can create and sell a service, and as a business user, you can consume a service. Additionally, you can create what we call a Builder module using the Builder CLI, and use the Builder to manage these services. On the YaaS Market, you can sell or subscribe to a package, which can contain both services and Builder modules. Developers use the Dev Portal to learn how to build and document their service or Builder module. So in reality, YaaS encompasses all of these things.
How do I get a free YaaS account?It's easy! Click on the yellow register button on the Home page.
What are the basics of YaaS? What are these packages I keep hearing about?We are glad you asked. YaaS is all about packages. For a high-level overview, go to the YaaS in a Nutshell page.
How do I get started with YaaS?The Dev Portal contains Getting Started Guides. Use these guides to learn how to take the first steps with APIS, develop a service, write a Builder Module, or even open a Storefront.
How can I file feature requests, bugs, and get help?Check out the Help and Support page on the Dev Portal.
How can I use the Service SDK?First, learn how to set up the environment. Then, follow the steps in the Create a Service tutorial in the Getting Started Guides. To download the SDK components, include them in the settings.xml file, and then build your project. For more information, see the Service SDK documentation.
What is multi-tenancy?In YaaS, a single service running on a server can serve multiple tenants. The same client can be used in single tenant and multi-tenant scenarios. For more information, see the Media service documentation.
What is a mixin?A mixin is a simple schema. It is defined by users of the Document service and contains additional attributes for a document. For more information, see the Mixins documentation.
What is a mashup?In YaaS, a mashup is just that; a combination of two or more service's functions. For example, the Service Ticket Mashup service provides additional capabilities on top of the Service Ticket service. It provides consistency checks for customer and product master data when creating or updating service tickets. It also reads additional customer and product attributes when retrieving service tickets. Since some existing functionality comes from the Customer and Product services, it is considered a mashup.
How can I deploy my service?For information about deploying your service or your Builder module, see the Deployment documentation.
How can I convert my existing API to YaaS?First, make sure your API is RESTful and follows the API Guidelines. Second, register your service in the Builder, and then create a package so users can subscribe to it. Lastly, create a Builder module so business users can manage it easily. See the Getting Started Guides for more instructions.
Can I use my tablet or phone with YaaS?Yes, with a few clarifications. Most aspects of the Getting Started Guides can be completed using a tablet or a phone, although the screen size may be an issue with some of the tutorials, and having a keyboard is more convenient for coding. In addition, tutorials that require moving data from a local file system to the cloud may not be possible depending on the capabilities of your device. For example, if you try to upload a CSV file, your device might not allow you open the file.
Can I get training as a developer in YaaS?Yes! The Learning Journey: SAP Hybris as a Service (YaaS) Developer is a self-guided video course for developers. The videos walk you through the essential components of YaaS, including how to work with the YaaS Market and the Builder, as well as how to get information and guidance from the Dev Portal, the Knowledge Hub, and helpful forums such as Hybris Experts and the YaaS Community.
Where can I learn how to do short, discrete tasks in YaaS?YaaS Bites in the Getting Started section enable software developers to go from zero-to-YaaS in a couple of days. They are small, focused, incremental coding exercises. Each bite has code, guidelines, and screencasts to ensure your initial journey into YaaS is successful and productive.

Microservice FAQs

What is a microservice?The microservice architectural style is an approach to developing a single application as a suite of smaller services. The application runs its own processes and communicates with lightweight mechanisms, often an HTTP resource API. For more information about microservices, see the YaaS Architecture documentation.
What are some best practices for developing microservices?Read the Development Guidelines for detailed guidelines about developing a microservice. Here are some basic best practices for developing many microservices:
  • Provide a template or SDK so that developers do not have to write boilerplate information.
  • Use domain-driven design principles or something similar to get the correct boundaries.
  • Invest in monitoring, logging, and automated deployments.
  • Invest in infrastructure for decoupled communication.
  • Be your own Operations department.
  • Consider the communication and performance overhead, but don't let this scare you!
  • Use microservices only if the costs of overall setup and service development are balanced.
  • Start with medium-sized services and develop more granularity from there.
Additional information about best practices is available in the API Guidelines and SAP Hybris [y] Factors documentation.
Why did SAP Hybris choose the microservice approach?There are four main reasons:
  1. Cloud First - You can scale different parts of the application independently.
  2. Autonomy - It gives teams and individuals the freedom to choose technologies with which they are familiar.
  3. Keep Momentum - You can independently make new features available as soon as they are done.
  4. Share and Grow - An SAP Partner can easily add isolated features.
What is the recommended approach for versioning microservices?Our recommendation is that you should not version your microservice. In other words, don't break compatibility, ever. Versioning introduces unnecessary complexity.
What are some recommended informational resources?Here are some resources and further reading about the microservices world:

Builder FAQs

What is the Builder?The Builder is a back-office and management tool of YaaS and its key user interface to manage all the components. With a YaaS account, you can complete the following tasks using the Builder:
  • Create a development project in the context of a YaaS organization.
  • View all of the projects for which you have a membership.
  • Manage these project's resources, according to your user role, such as services, Builder modules, and packages.
  • Use third-party Builder modules within your projects.
How do I log in to the Builder?When you sign up for a free YaaS account, an email is sent to you. After you confirm your email address, you can use your account to log in to the Builder.
What is the difference between a Builder module and the Builder? How do I understand all of this Builder lingo?!We understand that the verbiage might be a little confusing at first. The Builder is a tool, and a Builder module is a single view in the Builder. Everyone can create Builder modules and extend the core Builder. A good place to start is with the YaaS Bites Essentials in the Getting Started section. It quickly orients you to the lingo, and the basics of using the Builder.
What are some of the best practices for setting up organizations, teams, and projects in the Builder?
  • The use of organizations in YaaS is modeled after the real world. For instance, if you are working for a company, use the organization for your company. Don't create projects and teams in your own organization, but ask your colleagues to invite you to the company organization instead. If your company is gigantic, but neatly split up into several functional areas, then create multiple organizations. For instance, if one company has several brands, each brand can be its own organization. In this scenario, different publishers are displayed on the YaaS Market with different YaaS URLs.
  • The YaaS URL or basepath is used as part of the service proxy's URL. If you create two organizations for one company, they have different basepaths, and all services that are published as a package need to be owned by the same team.
  • If your development organization is split into multiple independent teams, create a YaaS team for each one. This keeps the services, packages, and teams independent, and that is optimal in the world of YaaS.
  • If you work on early prototypes or crazy ideas which might, or might not make it into real products, create teams in the real organization of your company. Also, create your draft packages, services, or Builder modules within your existing teams. Don't create separate teams for testing and publishing because your current work in progress might be your company's next bestselling package. You can test your package in a test project.
How can I use the Builder SDK?To create your own user interfaces to manage your services in the Builder, use the Builder SDK CLI. For more information, see the Builder SDK documentation.
How do I register a service in Builder?For information on registering a service in the Builder, see the Create a Service tutorial in the Getting Started Guides.
How do I subscribe to unpublished packages?In your own organization, go to your subscriptions and click Subscribe. For more information, see the Create a Builder Module tutorial in the Getting Started Guides.
What are your best practices for securing services and Builder modules?Secure your service by assigning scopes for different operations, without having to write any code. For more information, see Secure a Service.
Why do I need to provide a credit card for my organization in the Builder?Companies using YaaS for commercial purposes must provide a valid credit card. If the free monthly usage limit is exceeded, any additional usage costs are billed to the credit card. Companies using YaaS for non-commercial purposes do not need to provide a credit card.
What are techné components and how can I use them?The techné components are styling components to ensure all Builder modules look consistent. If you write a Builder module, you should use techné components and styles. Follow the instructions on the techné Getting Started documentation.
How can I extend the Builder?The Builder can be extended using your own plug-ins and modules. For more information, read the Extending the Builder documentation.

Storefront and Commerce FAQs

What is the YaaS Storefront?The YaaS Storefront is actually a ready-to-use template, and can be set up as a fully transactional storefront within minutes, or you can use the template as a starting point to customize your own features and functionality. For more information and to see a live demo, read the Storefront Template documentation.
What packages are required to run the Storefront?Check out the Commerce as a Service Guide in the Knowledge Hub for detailed information on Commerce Packages.
How do I integrate a service in the YaaS Storefront?To learn how a connection is established between a service and the YaaS Storefront, see the Integrate a Service in the Storefront tutorial in the Getting Started Guides.
How can I extend the Storefront?You can extend the storefront application in any number of ways, depending on your requirements. For more information, read the Extending the Storefront documentation.
What currencies are accepted in YaaS?There is a currency property key called configuration.supportedCurrencies. For more information about supported currencies, see Supported Global Fallbacks.
How can I prevent rounding of prices for cart items?Currently, fractional-cent pricing is not supported.

Security Token FAQs

What authorization service is used in YaaS?We use the OAuth2 authorization service, which implements the OAuth 2.0 framework to issue access tokens, authenticate resource owners, and revoke an access token. For more information, see the OAuth2 documentation.
How do I get customer-facing access tokens, such as from the customer's web browser or application?Use the anonymous login method to get a token, which enables you to receive public product information from the Product service. For more information, see the Account service documentation.
How do I get customer access tokens for a registered user?You can obtain OAuth2 tokens from the /login method using the Customer service. These tokens access the user's data. The data services, such as the Order service in the Commerce package, require a specific scope in order to return the user's data, such as hybris.order_view_history. The following scopes are included in the tokens by default: hybris.order_post, hybris.customer_edit_profile, hybris.coupon_redeem, hybris.customer_view_profile, and hybris.order_view_history. For more information, see the Customer service documentation.

API Proxy FAQs

What is the API proxy?The API proxy is a YaaS security barrier between services and clients. This is the only component that communicates directly with your service.
What is a generated proxy URL?Your service contributes to a consistent environment of the YaaS platform, and each service needs to be explicitly recognized within the system. This is secured by the API proxy mechanism. It actively monitors the calls between services and rewrites the source URLs of all services into generated proxy URLs that are not exposed to external clients. The value of the generated proxy URLs can be retrieved from the Builder. It consists of the common domain https://api.yaas.io followed by the external path. This is an example of a deployed service: https://wishlist.cfapps.io. Its generated proxy URL is https://api.yaas.io/mybasepath/wishlist/v1.
As a developer, how can I benefit from the API proxy?The API proxy protects YaaS resources against unauthorized access. It verifies access tokens and rewrites the URL values from the target service response to a generated proxy URL. The API proxy handles the validation of tokens and the complexity of the OAuth2 implementation. Responses received from services include all security-relevant information delivered in the Hybris-specific headers. The headers can be "trusted" by the target service because clients cannot tamper with them. More details about Hybris-specific headers are provided in the next section.
What are the API proxy headers?The API proxy headers are parameters that are added to requests after they enter the internal system. Typical headers are:
  • hybris-tenant
  • hybris-user
  • hybris-client
  • hybris-scopes
As a result, services can recognize the tenant, client, user, and scopes related to a given request. For more information, see the Hybris Headers section of the API Guidelines documentation.
What is the default security scheme for newly created services in the Builder?For a newly created service, the token is verified and Hybris-specific headers are evaluated for all paths except for root. This allows you to check if the service is accessible to the caller. For more information on how to secure your service, see the Security documentation.
What does the URL rewrite mechanism do?The mechanism adds Hybris-specific parameters to the request headers and overrides values from the original call. It actively analyzes the content of the service response and rewrites its source URL to a dedicated proxy URL, which the external clients can access. For more information about the URL rewrite mechanism, see the Details section of the OAuth2 documentation.
Why is the Skip Authorization parameter set to false by default when I add Authorization Rules in the Builder?This ensures that the issued access token is verified when calling the resource and Hybris-specific headers are forwarded to the service.
You cannot trust the response from a service when you skip the authorization because it does not contain any information about the user, client, tenant, or scopes.
Why should I set Basic Authentication in my service if YaaS uses OAuth 2.0?This ensures that your service is used only from within the proxy environment. Without this last-mile security, your service can receive calls from other resources and you cannot trust the Hybris-specific headers. For more information, see the Security documentation.
Why do I receive an error code of 400 when calling the proxy?You receive an error code of 400 with the message Invalid host header in the request and the type validation_violation when the request is unauthorized. This means that your request does not include the host header, or that the value of this header is invalid. The only allowed values of the host header are URLs that include the yaas.io domain, such as api.yaas.io or api.eu.yaas.io.
Why do I receive an error code of 401 when calling the proxy?You receive an error code of 401 with the message Invalid host header in the request and the type insufficient_credentials when the request is unauthorized. This means that no credentials are provided in the token, or that the provided credentials are invalid, or that the provided credentials are invalid, such as a bad or expired token.
If a different error message is displayed, the response most likely does not come from the API Proxy.
Why do I receive an error code of 403 when calling the proxy?You receive an error code of 403 with the message Access denied: no subscription to the product and type insufficient_credentials when you are not subscribed to a package. This means that you are a system-known user, but you are not allowed to perform the requested operation. Keep your subscriptions up to date to avoid this issue.
Why do I receive an error code of 404 when calling the proxy?You receive an error code of 404 with the message Service does not exist and type element_resource_non_existing when your service is not deployed in the Builder. For undeployed services, the generated proxy URL is not active. Calls to such a service are not routed by the API proxy.
Does the API proxy limit the number of service requests?Yes. This ensures continuous quality of service and protects the YaaS API environment against malicious intentions and programming errors. The API proxy is still processing as many requests as it is capable of with minimum latency.
How does the API proxy handle throttling?There is a two-level rate-limiting mechanism implemented:
  • Per tenant - This involves all requests for a specific hybris-tenant.
  • Global - This refers to all incoming requests.
When the API proxy reaches its limit, the rule is applied and the service returns a status code of 429 or 503 respectively, along with the error message. Subsequent calls are rejected.
Why do I receive an error code of 429 when calling the proxy?This depends on the error message:
  • Call is blocked - too many requests and type insufficient_resources - This means that the maximum allowed number of calls per tenant in a specific time interval is exceeded. Your client is sending excessive requests and you need to manage the number of requests.
  • Call is blocked - quota exceeded and type insufficient_resources - This means that the paying-tenant quota in a package rate plan has been reached. The calls are rejected until the new quota is redeemed.
Why do I receive an error code of 502 when calling the proxy?This depends on the error message:
  • Proxy is not authorized to call upstream service. - This means that the upstream service is secured with Basic Authentication and the API Proxy service does not have the relevant data. For more information, see the Secure a Service document.
  • Upstream service is not reachable: Connection refused. - This means that the hosting server refuses to accept the connection on the default port. There can be a problem with the web server software or the software itself is not running.
  • Upstream service is not reachable: Can not resolve service address. - This means that the service source URL is not found or has an invalid value.
  • Connection to upstream service has been reset by remote peer. - This means that the service sent a connection reset flag (RST). This usually happens when previous data sent was not received.
Why do I receive an error code of 503 when calling the proxy?This depends on the error message:
  • Service temporarily unavailable. Please try again later. and type service_temporarily_unavailable - This means that the maximum allowed global number of calls per service in a specific time interval is exceeded. Superfluous or unnecessary calls are made to the API proxy.
  • Too many active requests. Please try again later. and type service_temporarily_unavailable - This means that the API proxy has reached the maximum number of calls it can process at the same time. Wait a few moments and call the proxy again.
  • The circuit breaker for requested service is currently open. Please try again later. and type circuit_breaker_open - This means that the target service is sending response codes of 5xx and the failure ratio is greater than 50%. When the service stops returning the error codes, the circuit breaker is closed automatically after a few minutes.
Why do I receive an error code of 504 when calling the proxy?You receive an error code of 504 with the message Service is not reachable: Upstream service connection timeout., when the service did not respond in a timely manner. This means that the service source URL is not reachable, or the response took too long.
What can I do to prevent issues with throttling?These ideas help reduce the numbers of requests to the API proxy:
  • Use a test client for development and take control over the number of requests.
  • Design your client for error handling.
  • Cache results from previous calls.
  • Carefully plan and batch the requests.

    • Send feedback

      If you find any information that is unclear or incorrect, please let us know so that we can improve the Dev Portal content.

    • Get Help

      Use our private help channel. Receive updates over email and contact our specialists directly.

    • hybris Experts

      If you need more information about this topic, visit hybris Experts to post your own question and interact with our community and experts.