You have built an AI agent, but how do you deploy it as a secure, scalable, enterprise-ready application instead of a demo running on localhost:8080?
As an application developer, you don’t have to build yet another “Hello World” AI application. Instead, you can deploy a real‑world AI agent on SAP BTP Cloud Foundry that uses SAP AI Core’s Orchestration Service for safety and enterprise integration.
In this guide, you will:
- Understand the value of running an AI agent on SAP BTP Cloud Foundry Runtime
- Explore the AI agent reference application with AI tools calling
- Deploy the AI agent on SAP BTP Cloud Foundry and see how it behaves in production
- Configure enterprise authentication with XSUAA and App Router
By the end, you will have a working AI agent application that authenticates users through SAP BTP, calls external tools (embedded in the agent), and deploys with a single command on SAP BTP Cloud Foundry Runtime.
Prerequisites
- SAP BTP account
- Cloud Foundry
- SAP AI Core
Why run AI Agents on SAP BTP Cloud Foundry?
SAP BTP Cloud Foundry runtime is a proven, operational‑grade Platform‑as‑a‑Service (PaaS) for running both traditional and cloud‑native applications. For business applications, e.g., web frontends, APIs, background services, or integration services, Cloud Foundry already provides:
Runtime abstraction and simplified deployment – With cf push or cf deploy, Cloud Foundry auto‑detects the language runtime (e.g., Python, Node.js, Java), installs dependencies, and manages routes and scaling. Application developers don’t need to manage VMs, Dockerfiles, or other deployment manifests, which keeps the development process focused on business logic instead of infrastructure.
Built‑in service binding and lifecycle management – SAP BTP Cloud Foundry integrates with SAP BTP services like SAP HANA, XSUAA, and SAP Integration Suite. Applications consume them via service instances and bindings, so endpoints and credentials are injected at runtime (e.g., via VCAP_SERVICES). This keeps the application code clean, simplifies configuration, and enables safe blue/green deployments.
Enterprise‑grade security and routing – SAP Cloud Foundry delivers standardized OAuth2‑based authentication and role‑based access control via the App Router and XSUAA services. Applications are instantly enterprise‑ready, without custom login flows or token‑validation code.
How do Cloud Foundry benefits apply to AI agents?
AI agents benefit from the same abstraction and simplified deployment – Deploying an AI agent (e.g., a Python application) feels no different from deploying a regular app: Cloud Foundry detects the runtime, installs dependencies, and manages routes and scaling. Your AI agent behaves like “just another app” from an operations perspective, even though it calls SAP AI Core and external tools underneath.
Service binding simplifies AI‑centric architectures – AI‑based agents often depend on multiple services. For instance,
- SAP AI Core (for the Orchestration Service and LLMs)
- XSUAA (for authentication)
- SAP HANA or other data sources (for grounding and retrieval)
Bind them all, and the AI agent receives connections and credentials automatically (no hard‑coding).
Security and governance by default – For AI agents, access control and auditability are critical. With App Router and XSUAA, you ensure:
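As an added illustration (not code from the reference repository), the sketch below shows how a Python backend can read the injected bindings from VCAP_SERVICES, fail closed when a binding is missing, and mask secrets before anything is logged. The instance names come from this guide; the credential key names and all values in the sample are constructed assumptions.

```python
import json
import os

# Credential fields that must never reach logs (set chosen for this example).
SECRET_KEYS = {"clientsecret", "verificationkey", "key", "certificate"}

class BindingError(RuntimeError):
    """A required service binding is missing or ambiguous."""

def credentials(label, name=None, env=None):
    """Return the credentials of exactly one bound instance, or fail closed."""
    raw = (os.environ if env is None else env).get("VCAP_SERVICES")
    if not raw:
        raise BindingError("VCAP_SERVICES is not set: no services are bound")
    # VCAP_SERVICES maps each service label to a list of bound instances.
    instances = json.loads(raw).get(label, [])
    matches = [i for i in instances if name in (None, i.get("name"))]
    if len(matches) != 1:
        raise BindingError(f"{label}/{name}: expected 1 binding, found {len(matches)}")
    return matches[0]["credentials"]

def redacted(creds):
    """Copy that is safe to log: secret values masked, nested dicts included."""
    return {k: "***" if k in SECRET_KEYS
            else redacted(v) if isinstance(v, dict) else v
            for k, v in creds.items()}

# Constructed sample of what the platform injects; all values are made up.
SAMPLE_ENV = {"VCAP_SERVICES": json.dumps({
    "xsuaa": [{"name": "ai-agent-demo-xsuaa", "label": "xsuaa",
               "credentials": {"clientid": "sb-ai-agent-demo!t0000",
                               "clientsecret": "constructed-secret",
                               "url": "https://tenant.authentication.example"}}],
    "aicore": [{"name": "default_aicore", "label": "aicore",
                "credentials": {"clientid": "sb-constructed",
                                "clientsecret": "constructed-secret",
                                "serviceurls": {"AI_API_URL": "https://api.ai.example"}}}],
})}

if __name__ == "__main__":
    print(redacted(credentials("xsuaa", "ai-agent-demo-xsuaa", SAMPLE_ENV)))
    print(redacted(credentials("aicore", env=SAMPLE_ENV))["serviceurls"])
```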
- Only authenticated users can reach the agent
- Different roles and scopes control who can use which features
- Requests and application logs are tracked as part of the platform’s standard logging stack
Cloud Foundry’s abstraction, built‑in service binding, and enterprise‑grade security make it ideal not only for traditional business applications but also for AI agents. By treating AI agents as “just another app” on the platform, developers get the operational simplicity, security, and integration benefits that AI agents require.
What are we building: The Reference AI Agent
We are deploying an AI agent application that has a web interface and showcases the production-ready patterns discussed above on SAP BTP Cloud Foundry. It connects to SAP AI Core and XSUAA and uses external tool calling to:
- Search the web with DuckDuckGo
- Query Wikipedia article summaries.
- Look up word definitions and examples
- Get real‑time weather from Open‑Meteo
Technology Stack
- Python Backend: AI Agent with a chat based user interface
- SAP AI Core integration: leverages a unified API for multiple LLM providers (e.g., GPT‑5)
- App Router and XSUAA Service: Handles OAuth2 authentication (only authentication)
- The tools/modules encapsulate external capabilities (tools) that the LLM can call
For local development, see the step-by-step local setup guide in the repository
Step 1: Build the Reference App
# clone the repository
git clone https://github.com/sap-samples/cloud-foundry-runtime-learning-journey.git
# navigate to ai-agent-demo directory
cd cloud-foundry-runtime-learning-journey/examples/ai-samples/ai-agent-demo
Step 2: Update Configurations
Before we begin with the required configuration, we need to ensure that the Cloud Foundry org and space are set correctly.
# Check your current target
cf target
# If not set, log in and target your org/space
cf login -a https://api.cf.eu12.hana.ondemand.com
cf target -o your-org -s your-space
# Expected output
API endpoint: https://api.cf.eu12.hana.ondemand.com
API version: 3
User: your-email@abccompany.com
Org: your-org
Space: your-space
Now, open deploy/xs-security.json and deploy/mta.yaml to update the configuration:
2.1. Update XSUAA redirect routes
Specify the region-specific URL (e.g., eu12) in deploy/xs-security.json
{
  "xsappname": "ai-agent-demo",
  "tenant-mode": "dedicated",
  "oauth2-configuration": {
    "redirect-uris": [
      "https://ai-agent-demo.cfapps.<region>.hana.ondemand.com/**"
    ]
  }
}
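The redirect URI list decides where XSUAA may send users after login, so it is worth checking before each deployment. The following check is an added example, not part of the reference repository: it flags non-HTTPS entries, an unfilled region, host wildcards, and hosts other than the App Router route. The sample configurations are constructed, and the eu12 route is the one used elsewhere in this guide.

```python
from urllib.parse import urlsplit

def lint_redirect_uris(xs_security, approuter_host):
    """Return findings for oauth2-configuration.redirect-uris ([] means clean)."""
    uris = xs_security.get("oauth2-configuration", {}).get("redirect-uris", [])
    findings = [] if uris else ["no redirect-uris configured"]
    for uri in uris:
        parts = urlsplit(uri)
        host = parts.hostname or ""
        if parts.scheme != "https":
            findings.append(f"{uri}: scheme is not https")
        if "" in host.split("."):
            findings.append(f"{uri}: empty host label, region not filled in")
        elif "*" in host:
            findings.append(f"{uri}: wildcard host also matches other apps' routes")
        elif host != approuter_host:
            findings.append(f"{uri}: host is not the approuter route")
    return findings

# App Router route as used in this guide's eu12 examples.
APPROUTER_HOST = "ai-agent-demo.cfapps.eu12.hana.ondemand.com"

# Constructed: redirect URI pinned to the App Router host.
PINNED = {"xsappname": "ai-agent-demo", "tenant-mode": "dedicated",
          "oauth2-configuration": {"redirect-uris": [
              "https://ai-agent-demo.cfapps.eu12.hana.ondemand.com/**"]}}

# Constructed: three weak entries to show each finding.
LOOSE = {"xsappname": "ai-agent-demo", "tenant-mode": "dedicated",
         "oauth2-configuration": {"redirect-uris": [
             "https://*.cfapps.eu12.hana.ondemand.com/**",
             "http://ai-agent-demo.cfapps.eu12.hana.ondemand.com/**",
             "https://ai-agent-demo.cfapps..hana.ondemand.com/**"]}}

if __name__ == "__main__":
    for label, cfg in (("pinned", PINNED), ("loose", LOOSE)):
        print(label, lint_redirect_uris(cfg, APPROUTER_HOST) or "OK")
```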
2.2. Update Public Routes
Find the approuter module in deploy/mta.yaml and update the route with the region determined in the earlier step
modules:
  - name: approuter
    type: nodejs
    path: approuter
    parameters:
      memory: 256M
      routes:
        - route: ai-agent-demo.cfapps.<region>.hana.ondemand.com # Replace Route with correct region
2.3 Update AI Core Service Configuration
Find the aicore resource in deploy/mta.yaml and update the service name
resources:
  - name: aicore
    type: org.cloudfoundry.existing-service
    parameters:
      service-name: default_aicore # Replace with your AI Core service instance name
Step 3: Build the MTA
Now we're ready to build, but install the dependencies first.
# Install uv if you haven't already
curl -LsSf https://astral.sh/uv/install.sh | sh
# Install dependencies
uv sync
# Activate virtual environment
source .venv/bin/activate # On Unix/macOS
# or
.venv\Scripts\activate # On Windows
# sync requirements.txt with pyproject.toml:
uv pip compile pyproject.toml -o requirements.txt
Build the Multitarget application (MTA)
cd deploy
mbt build
# Expected output
INFO] the MTA archive generated at: mta_archives/ai-agent-demo_1.0.0.mtar
Step 4: Deploying the AI agent to Cloud Foundry (MTA flow)
Deploy the MTAR archive with the MTA plugin
cf deploy mta_archives/ai-agent-demo_1.0.0.mtar
What MTA does automatically
- Creates XSUAA service instance (ai-agent-demo-xsuaa)
- Deploys App Router application
- Deploys Python backend application
- Binds XSUAA to both applications
- Binds existing AI Core service instance to backend application
- Configures App Router with backend destination
Step 5: Access the AI Agent
Check the status of both applications; they should be running
cf apps
# output
ai-agent-demo started web:1/1 ai-agent-demo_PROTECTED_ROUTE.cfapps.eu12.hana.ondemand.com
approuter started web:1/1 ai-agent-demo.cfapps.eu12.hana.ondemand.com
Now,
- Open the URL in your browser – https://<your-app>.cfapps.eu12.hana.ondemand.com/
- You should be redirected to SAP BTP login
- After login, you'll see the chat interface
Notice that
- Public Route (App Router): Entry point for users, handles OAuth2 authentication
- Protected Route (Backend): Direct access is forbidden – only accessible via authenticated requests from App Router
- Automatic Service Bindings: Authentication credentials from SAP AI Core and XSUAA services are automatically injected
Try these queries and see the results
# Weather
What's the weather in Tokyo?
# Web Search
Search for latest news about SAP AI Core
# Wikipedia
Tell me about machine learning from Wikipedia
# Dictionary
What does serendipity mean?
Step 6: Monitoring and Logging Your AI Agent
Once deployed, you need visibility into your AI agent's behavior. Cloud Foundry provides built-in logging.
6.1 Stream live logs from your applications
# Stream logs from the Python backend
cf logs ai-agent-demo
# Stream logs from App Router
cf logs approuter
# View recent logs (last 100 lines)
cf logs ai-agent-demo --recent
6.2 Key Log Events
2026-04-20T17:41:04.79+0200 [APP/PROC/WEB/0] OUT === Received input: What's the weather in Tokyo?
2026-04-20T17:41:09.32+0200 [APP/PROC/WEB/0] OUT === Generated response length: 131
2026-04-20T17:41:09.32+0200 [APP/PROC/WEB/0] OUT === Response preview: Tools Used: `get_weather`
2026-04-20T17:41:09.32+0200 [APP/PROC/WEB/0] OUT ---
2026-04-20T17:41:09.32+0200 [APP/PROC/WEB/0] OUT Weather: Tokyo, Japan
2026-04-20T17:41:09.32+0200 [APP/PROC/WEB/0] OUT Temperature: 15.6°C
2026-04-20T17:41:09.32+0200 [APP/PROC/WEB/0] OUT Condition: Partly Cloudy
2026-04-20T17:41:09.32+0200 [APP/PROC/WEB/0] OUT Wind Speed: 4.6 km/h...
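These log events can be turned into one audit record per request: which tools the agent called, how long the response took, and the prompt length rather than the prompt text. The parser below is an added example, not part of the reference application; it uses the first lines of the excerpt above as sample input and assumes that several tools would appear as further backtick-quoted names on the "Tools Used" line.

```python
import re
from datetime import datetime

LINE = re.compile(r"^(\S+) \[([^\]]+)\] (OUT|ERR) (.*)$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"
INPUT = "=== Received input: "
LENGTH = "=== Generated response length: "
TOOLS = "=== Response preview: Tools Used:"

def interactions(lines, source="APP/PROC/WEB"):
    """Group backend log lines into one audit record per received prompt."""
    records, current = [], None
    for line in lines:
        m = LINE.match(line.strip())
        if not m or not m.group(2).startswith(source):
            continue  # other log sources or lines that are not in cf log format
        ts, msg = datetime.strptime(m.group(1), TS_FORMAT), m.group(4)
        if msg.startswith(INPUT):
            # Keep the prompt length only, so the audit record holds no user text.
            current = {"start": ts, "prompt_chars": len(msg) - len(INPUT),
                       "tools": [], "response_length": None, "latency_s": None}
            records.append(current)
        elif current is None:
            continue  # output seen before any prompt was received
        elif msg.startswith(LENGTH):
            current["response_length"] = int(msg[len(LENGTH):])
            current["latency_s"] = (ts - current["start"]).total_seconds()
        elif msg.startswith(TOOLS):
            current["tools"] = re.findall(r"`([^`]+)`", msg)
    return records

def unexpected_tools(records, allowed):
    """Tool names seen in the logs that are not on the caller's allow-list."""
    return sorted({t for r in records for t in r["tools"]} - set(allowed))

# Sample input: the first four lines of the log excerpt shown above.
SAMPLE = [
    "2026-04-20T17:41:04.79+0200 [APP/PROC/WEB/0] OUT === Received input: What's the weather in Tokyo?",
    "2026-04-20T17:41:09.32+0200 [APP/PROC/WEB/0] OUT === Generated response length: 131",
    "2026-04-20T17:41:09.32+0200 [APP/PROC/WEB/0] OUT === Response preview: Tools Used: `get_weather`",
    "2026-04-20T17:41:09.32+0200 [APP/PROC/WEB/0] OUT ---",
]

if __name__ == "__main__":
    for record in interactions(SAMPLE):
        print(record["tools"], record["response_length"], record["latency_s"])
```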
Conclusion
We have learned
- How an AI agent can be securely deployed on SAP BTP Cloud Foundry
- How developers can focus on tools, UX, and business logic, while Cloud Foundry and SAP AI Core handle the infrastructure and AI orchestration
- How to monitor your production AI agent with the out-of-the-box platform logging provided by Cloud Foundry
Now it's time to clone the reference AI agent GitHub repository, tweak it, and deploy your own agent on SAP BTP Cloud Foundry.