Contents

Ongoing: Retirement and Decommission of Existing Concur Request APIs (v1.0, v3.0, v3.1)

Effective July 1, 2020, SAP Concur has retired the Concur Request APIs (v1.0, v3.0, and v3.1). These APIs are replaced by the Concur Request v4 API.

Business Purpose / Client Benefit

The Concur Request APIs v1.0, v3.0, and v3.1 only support the previous authentication method, which is not best security practice and does not meet the Oauth2 standards. In addition, the previous versions of the Concur Request APIs provided limited possibilities for moving a Request through the approval workflow, as well as managing custom simple & connected list fields. These issues are resolved with the new Concur Request v4 API.

In addition, SAP Concur has run a backward compatibility project between the current Concur Request APIs and the new Concur Request v4 API (not iso-compatibility) in order to have the vast majority of use cases managed in the previous versions also be managed in the Concur Request v4 API.

Ongoing: Retirement of List v1 API

Effective July 15, 2021, SAP Concur will retire the List v1 API, so it will not be supported after that date. This API is replaced by the List v4 API.

Business Purpose / Client Benefit

This update removes an outdated API. The List v4 APIs use more secure and modern, fine-grained methods. These APIs use Universal Unique Identifiers (UUIDs) and use JSON instead of XML. Also, authentication to the List v4 APIs may be performed with a User JWT or a Company JWT, providing the opportunity to apply the principle of least privilege.

Configuration / Feature Activation

The List v1 API is being retired in accordance with the SAP Concur API Lifecycle & Deprecation Policy.

If you currently use the List v1 API, please plan to migrate to the List Item v4 API as soon as possible.

Planned Changes: Travel Profile Notification v1 API Deprecation

SAP Concur is deprecating the Travel Profile Notification v1 APIs due to low usage.

Business Purpose / Client Benefit

The Travel Profile Notification v1 APIs support older, less secure authentication methods.

Configuration / Feature Activation

The Travel Profile v1 APIs are being deprecated in accordance with the SAP Concur API Lifecycle & Deprecation Policy.

Planned Changes: Deprecation of List v3 API

Effective April 16, 2021, SAP Concur will deprecate the List v3 API. This API is replaced by the List v4 API. List v3 is planned to be retired in July 2021.

Business Purpose / Client Benefit

This update removes an outdated API. The List v4 APIs use more secure and modern, fine-grained methods. These APIs use Universal Unique Identifiers (UUIDs) and use JSON instead of XML. Also, authentication to the List v4 APIs may be performed with a User JWT or a Company JWT, providing the opportunity to apply the principle of least privilege.

Configuration / Feature Activation

The List v3 API is being deprecated in accordance with the SAP Concur API Lifecycle & Deprecation Policy.

If you currently use the List v3 API, please plan to migrate to the List v4 API as soon as possible.

Planned Changes: Deprecation of List Item v3 API

Effective April 16, 2021, SAP Concur will deprecate the List Item v3 API. This API is replaced by the List Item v4 API. List Item v3 is planned to be retired in July 2021.

Business Purpose / Client Benefit

This update removes an outdated API. The List Item v4 APIs use more secure and modern, fine-grained methods. These APIs use Universal Unique Identifiers (UUIDs) and use JSON instead of XML. Also, authentication to the List Item v4 APIs may be performed with a User JWT or a Company JWT, providing the opportunity to apply the principle of least privilege.

Configuration / Feature Activation

The List Item v3 API is being deprecated in accordance with the SAP Concur API Lifecycle & Deprecation Policy.

If you currently use the List Item v3 API, please plan to migrate to the List Item v4 API as soon as possible.

Planned Changes: New Client SSL Certificate for Event Subscription Service webhook.api.concursolutions.com

In an effort to ensure the ongoing security of our products and services, the Event Subscription Service will be issuing a new webhook.api.concursolutions.com SSL certificate. The current certificate will expire on January 27, 2021.

Any customer who has pinned this expiring certificate will need to update to the new certificate prior to the expiration date. If the pinned certificate is not updated prior, your organization and users will experience disruption to SAP Concur products and services. Customers who have not pinned the certificate do not need to take any action as the new certificate is updated automatically. Most customers do not pin the certificate.

Please be aware: As an enhancement to our Security and Compliance program, this certificate will be updated on an annual basis.

Business Purpose / Client Benefit

This update provides ongoing security for our products and services.

Configuration / Feature Activation

Please consult with your IT department to check if this applies to you.

Planned Changes: Decommission of Receipts v3 API

Effective January 31st, 2021 SAP Concur has decommissioned the Receipts v3 API. This API is replaced by the Receipts v4 API.

Business Purpose / Client Benefit

This update removes an outdated API.

Configuration / Feature Activation

The Receipts v3 API has been decommissioned in accordance with the SAP Concur API Lifecycle & Deprecation Policy.

Planned Changes: Expense v4 APIs Available

The Report, Expense, and Allocation v4 APIs will enable the ability to read and modify data in an unsubmitted report. These APIs will handle data in a more fine-grained manner and are resource specific. They can be utilized for any use case that requires retrieving/updating a specific report, expense, or allocation.

Business Purpose / Client Benefit

The Allocations v4 API will provide new functionality to update an allocation and retain the sanctity of a group allocation. In addition, the GET APIs will comprehensively cover the functionality provided in v3 allocations.

The Expense v4 API will enable additional access to product functionality from the API layer than previous versions. Drilling down from the summary of expenses on a report to the detail of every expense will provide the ability to hone into specific data without carrying the entire payload of the expense report.

The Report v4 API will provide additional pieces of data that are required for third party applications and were not readily available in previous versions. These attributes will provide more information about the report and how it gets processed based on product functionality.

Configuration / Feature Activation

The Expense v4 APIs are available for users of Expense for Professional and Standard Editions.

Launch External URL v4 Callout Available

The Launch External URL v4 callout enables Concur Expense to display a field with a button that launches a separate browser window when clicked. The window is controlled by an application connector, created by a third-party developer or the client. The application connector is a web server that presents information in the window.

For more information, please see Launch External URL v4.

Business Purpose / Client Benefit

The Launch External URL v4 callout gives clients and third-party developers the ability to extend the functionality of the SAP Concur platform, providing a means to deliver custom user interactions, or access functionality found in an external system.

The Launch External URL v4 callout will be available for Concur Expense within SAP Concur’s mobile app and NextGen UI at the Report Header, Expense Entry, or Allocation levels, which expands the locations of the feature as compared to the previous version. The Launch External URL v4 callout will provide enhanced security benefits, such as leveraging the latest SAP Concur API authentication methods. The Launch External URL v4 will also offer additional parameters and will work in conjunction with SAP Concur’s more advanced v4 APIs.

Configuration / Feature Activation

The Launch External URL callout is activated through the Application Connector Registration process through Web Services.

Previous Change to Company Level Authentication Data Center Tokens

In October 2020, a change was made to the response from a call to the Company Level Authentication token endpoint.

Prior to the change, a call to the Company Level Authentication token endpoint required the same data center as the company’s data. If call was made to a data center where the company’s data was not located, the call would fail with an Error 16 and a response indicating the correct data center.

After the change, the call succeeds regardless of which data center is called, and the response indicates the correct data center to use for subsequent calls.

Callers to the Company Level Authentication token endpoint should not depend on getting an Error 16 to determine the correct data center. Callers should expect a successful call regardless of the data center, and then make subsequent calls to the data center indicated in the response.

Business Purpose / Client Benefit

This change was part of an overall effort to make tokens data center aware, so they can be seamlessly routed to the correct data center.

Configuration / Feature Activation

The feature was automatically available; there were no additional configuration or activation steps.