At SAP Concur, e-receipts are digital representations of receipts with both a receipt image and structured data. The e-receipts come from pre-authorized and trusted merchants and are transmitted to SAP Concur using our Receipt API (not email) on behalf of individual users who have connected their accounts/profiles between SAP Concur and the merchant in advance.
New App Center Partners: Your Company must have entered into a commercial agreement with SAP Concur. If you have not yet entered into said agreement with SAP Concur, review the information on the Build App Center Solutions page.
Existing App Center Partners: The SAP Concur Platform team will need to configure your existing sandbox, among other things, to enable access. You can make that request by contacting your Alliance Manager.
The authentication methods below are available to obtain an access token. Password Grant, Authorization Grant, or One-Time Password Grant is required for Certification:
A logged-in SAP Concur user clicks on the Connect button on the App listing in the App Center and authorizes your app to post data. App Listing Example below:
`id` and `requestToken` parameters.
Example: `https://{partner-redirect-URI}?id=8568a4cd-8ffc-49d6-9417-be2d69aa075f&requestToken=5l85ae5a-426f-4d6f-8af4-08648c4b696b`
`id` and `requestToken` values from the URI and use those on a POST request to the SAP Concur Authorization service to obtain the official OAuth2 `accessToken` and `refreshToken` for the user using the password grant while being geo aware.
`id_token` to obtain the `sub` value and store this value as the user `id` (see https://jwt.io).
- `refresh_token`: (36 characters including dashes) valid for six months from the day and time issued.
- `refresh_expires_in`: This is Epoch time format, convert to UTC.
- `geolocation`: to be used when making API calls on behalf of the user.
- `sub`: (36 characters including dashes) user `id` value provided on the redirect URI. The user `id` will be used to post receipts to the user’s SAP Concur account.
Partner App-User clicks on Link to Concur button within the Partner’s website or mobile App. Partner Web or Mobile Connection Example below:
Example: `GET /oauth2/v0/authorize?client_id={your-app-clientId}&redirect_uri={partner_redirect_URI}&response_type=code`
The SAP Concur Authorization service will prompt the user with two options: “Username/Password” or “Send a link to my email.”
`accessToken` and `refreshToken`.
Example: `https://{partner_redirect_URI}?{geolocation}&code=code-964c24ea-9200-45e7-a5ae-15e9cef0d445`
`accessToken` and `refreshToken`.
Example: `https://{partner_redirect_URI}?{geolocation}&code=code-964c24ea-9200-45e7-a5ae-15e9cef0d445`
`code` value and user’s `geolocation` from the redirect URI to use on a POST request to the SAP Concur Authorization service to obtain an official OAuth2 `accessToken` and `refreshToken` using the authorization grant.
`id_token` to obtain the `sub` value and store this value as the user `id` (see https://jwt.io).
- `refresh_token`: (36 characters including dashes) valid for six months from the day and time issued.
- `refresh_expires_in`: This is Epoch time format, convert to UTC.
- `geolocation`: to be used when making API calls on behalf of the user.
- `sub`: (36 characters including dashes) user `id` value provided on the redirect URI. The user `id` will be used to post receipts to the user’s SAP Concur account.
Partner App-User enters their email address associated with the SAP Concur profile within the Partner’s website or mobile App. Partner one time password (OTP) Connection Example below:
Your Application will make a call to the SAP Concur Authorization service to trigger the OTP email using OTP grant while being geo aware.
`otl` that will be used to obtain an official OAuth2 `accessToken` and `refreshToken`.
Example: `https://{partner_redirect_URI}&otl=7add4621f00b47e1aa2d8a61739c97e6`
`accessToken` and `refreshToken` using the OTP grant while being geo aware.
`id_token` to obtain the `sub` value and store this value as the user `id` (see https://jwt.io).
- `refresh_token`: (36 characters including dashes) valid for six months from the day and time issued.
- `refresh_expires_in`: This is Epoch time format, convert to UTC.
- `geolocation`: to be used when making API calls on behalf of the user.
- `sub`: (36 characters including dashes) user `id` value provided on the redirect URI. The user `id` will be used to post receipts to the user’s SAP Concur account.
Getting Started with Receipts v4 documentation can be found here.
`Id` previously stored in the user’s profile to post receipts on their behalf.
`concur-correlationid` and the Location Link from the response headers even for successful responses; this will facilitate support efforts if a receipt is missing from the user’s SAP Concur account.
`refreshToken` is valid for six months.
- `refresh_token` (Replace)
- `refresh_expires_in` (Replace)
Existing applications that use the deprecated `/net2/oauth2` framework need to move to support the new OAuth2 Bearer Tokens.
Applications will need to migrate existing users who have already connected so that they obtain new OAuth2 tokens without having to reauthorize. This can be done by exchanging an old access token for a new refresh token.
`id_token` to obtain the `sub` value and store this value as the user `id` (see https://jwt.io).
- `refresh_token`: (36 characters including dashes) valid for six months from the day and time issued.
- `refresh_expires_in`: This is Epoch time format, convert to UTC.
- `geolocation`: to be used when making API calls on behalf of the user.
- `sub`: (36 characters including dashes) user `id` value provided on the redirect URI. The user `id` will be used to post receipts to the user’s SAP Concur account.
To revoke a user’s `refresh_token`, call the connections endpoint with a DELETE action while being geo aware.
US = https://us.api.concursolutions.com
EMEA = https://emea.api.concursolutions.com
China = https://cn.api.concurcdc.cn
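The token-response handling described for each grant (decode the `id_token` for `sub`, convert `refresh_expires_in` to UTC, keep the `geolocation`) can be done locally, so tokens never need to be pasted into a web decoder. This is an added example, not SAP Concur code: the function names are hypothetical, the sample response is constructed, and it assumes `geolocation` is returned as one of the base URIs listed here and that the `id_token` came directly from the token endpoint over TLS.

```python
import base64
import json
from datetime import datetime, timezone

# Base URIs listed on this page; user tokens are only ever sent to one of these.
ALLOWED_BASE_URIS = {
    "https://us.api.concursolutions.com",
    "https://emea.api.concursolutions.com",
    "https://cn.api.concurcdc.cn",
}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_id_token_claims(id_token: str) -> dict:
    """Return the JWT claims, decoded locally. No signature check: assumes the
    token was received directly from the token endpoint over TLS."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))

def parse_token_response(resp: dict) -> dict:
    """Extract what the page says to store: user id (sub), refresh token,
    its expiry in UTC, and the geolocation to use for later API calls."""
    sub = decode_id_token_claims(resp["id_token"])["sub"]
    refresh_token = resp["refresh_token"]
    for name, value in (("sub", sub), ("refresh_token", refresh_token)):
        if len(value) != 36:  # page: 36 characters including dashes
            raise ValueError(f"{name} is not 36 characters")
    geo = resp["geolocation"].rstrip("/")
    if geo not in ALLOWED_BASE_URIS:  # refuse to send tokens to unknown hosts
        raise ValueError(f"unexpected geolocation: {geo!r}")
    expires = datetime.fromtimestamp(int(resp["refresh_expires_in"]), tz=timezone.utc)
    return {"user_id": sub, "refresh_token": refresh_token,
            "refresh_expires_utc": expires, "geolocation": geo}

def make_sample_response() -> dict:
    # Constructed sample, not a real token or a real SAP Concur response.
    claims = {"sub": "11111111-2222-3333-4444-555555555555"}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return {"id_token": f"e30.{body}.sig",
            "refresh_token": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
            "refresh_expires_in": 1700000000,
            "geolocation": "https://emea.api.concursolutions.com"}
```

Store the returned `refresh_expires_utc` alongside the refresh token so that expiry can be checked before each refresh attempt.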
You will need to be aware of the geolocation in which the user exists and make the API calls against the correct base URI. If you will not or do not know the user’s geolocation, make the API call using the default US Base URI `https://us.api.concursolutions.com` and expect a geolocation error, which will return the correct geoLocation for the user. For more information see Base URIs.
Sample of Error below: