MYSAPSSO2 Token Tool

Decode and encode SAP SSO2 logon tickets

Base64 Token

Ctrl+Enter to submit

Decoded Fields

Field	Value	Hex

What is MYSAPSSO2?

MYSAPSSO2 is an SAP SSO2 logon ticket — a cookie-based Single Sign-On token used by SAP systems. When a user authenticates to an SAP system, the server issues a signed ticket stored as the MYSAPSSO2 browser cookie. Other SAP systems that trust the issuer's certificate can accept the ticket for passwordless login.

Token Structure

The token is a base64-encoded binary blob with this layout:

Offset	Content
0	Version byte (usually `0x02`)
1–4	Codepage — 4 ASCII bytes (e.g. `4103`)
5…n	TLV (Tag-Length-Value) fields — see table below
n+1	`0xFF` end-of-fields marker
n+2…n+3	Signature length — 2-byte big-endian uint16
n+4…	PKCS#7 / CMS signature block (BER/DER encoded)

Common TLV fields:

ID	Name	Encoding
0x01	User	UTF-16LE text
0x02	System ID (SysId)	UTF-16LE text
0x03	Client	UTF-16LE text
0x04	Validity (expiry)	UTF-16LE `YYYYMMDDHHmmss`
0x05	Signature Flags	Raw bytes (hex)
0x06	Recipient Info	UTF-16LE text
0x09	Short Info	UTF-16LE text

How to Use — Decode

Get the token from your browser cookies (look for MYSAPSSO2) or from an HTTP Authorization header.
Paste the base64 string into the Decode tab and click Decode Token.
Or click Load Example to generate a sample token and decode it instantly.
The decoded fields table shows each TLV field's label, value, and raw hex bytes.
If the token has a PKCS#7 signature, the issuer CN, serial number, digest algorithm, and signing time are shown below the fields. SAP typically uses BER indefinite-length encoding for the signature block.

How to Use — Encode

User (required) — the SAP username to embed in the ticket.
System ID — 3-character SAP system identifier (e.g. PRD, DEV).
Client — 3-digit SAP client number (e.g. 100, 800).
Validity — expiry date/time; use the datetime picker and it auto-formats to YYYYMMDDHHmmss.
Signing — optionally provide a PEM private key and certificate to produce a PKCS#7-signed token.
Without signing, the token is structurally valid but unsigned — useful for testing and development.
After encoding, click Decode This to verify the token round-trips correctly.

Limitations & Security Notes

Unsigned tokens will not be accepted by production SAP systems — they require a valid PKCS#7 signature from a trusted certificate.
When signing, the private key is sent to the server for processing. Only use this tool in trusted environments (localhost, internal network).
This tool is intended for development, testing, and educational purposes.
Never use real production private keys on untrusted servers.