API Release Notes, January 2025

New This Month

Decommissioned: User v1 and V3 APIs

Effective Date: January 21, 2025

The User v1 API has been officially decommissioned and is no longer supported. Clients are advised to transition to the User Provisioning Service v4, which offers enhanced functionality, improved performance, and expanded capabilities to meet modern provisioning needs.

Key Updates in User Provisioning Service v4:

• Streamlined user provisioning processes
• Improved security and compliance features
• Enhanced integration options and scalability

For migration assistance or further inquiries, please contact our support team or refer to the migration guide available on the developer center.

Now Available: Hotel Service New Confirmation Code

The Hotel Service v4 Read Request now includes a new confirmation code type which allows the Concur platform to pass the passive PNR record locator, when available, to the hotel connector. The new confirmation code is CONCUR_GDS_REFERENCE – example below:

"confirmationCodes": [
    {
      "codeType": "CONCUR_GDS_REFERENCE",
      "code": "BCDABC"
    }

Now Available: Hotel Service New Attribute

A new attribute has been added to the search/rates/rate-details request for Hotel Service v4 to enable hotel content providers to identify whether the shop request is being done on mobile or web. The accessViaMobile attribute is a true/false indicator and when set to “true” indicates that the request is from mobile. The default is “false”. Example below:

{
  "accessViaMobile": false,
  "checkin": "2025-06-03",
  "checkout": "2025-06-04",
  "customFields": [
    {
      "name": "RequestorId",
      "value": "165340"
    }
  ],
  "guestCountryCode": "US",
  "includeDepositRequired": false,
  "locationSearch": {
    "location": {
      "address": {
        "addressLines": [
          ""

Now Available: Hotel Service v4 Safety Score for Hotels

Hotel content providers now have the ability to pass a “Safety Score” for every property in the Shop responses in Hotel Service v4. This score is comprised of scores for different safety features for the hotel. Providers can send back 7 pre-defined categories in the response together with a url that links to details of the methodology used for these scores.

safetyScore:   
  fields:
   score: number #required
   detailsUrl: string
   categories: #required with at least one entry
    type: array
    ref: #safetyScoreCategory
 
safetyScoreCategory:   
  fields:
   score: number #required
   type:
     type: string
     enum:
       - NIGHTTIME_SAFETY
       - PHYSICAL_SAFETY
       - BASIC_FREEDOMS
       - WOMENS_SAFETY
       - THEFT
       - HEALTH_AND_MEDICAL
       - LGBTQ_PLUS_SAFETY

Example:

{ "safetyScore": {
   "score": 85,
   "detailsUrl": "http://example.com/details",
   "categories": [
    {
       "score": 90,
       "type": "NIGHTTIME_SAFETY"
    },
    {
        "score": 75,
        "type": "PHYSICAL_SAFETY"
    }
   ]
  }  
}

Preview: SSL Certificate Renewal for *.concursolutions.com and *api.concursolutions.com

Starting in October 2025, DigiCert Global Root CA will be replaced by DigiCert Global Root G2. To ensure clients have adequate time to prepare for this Root certificate change, SAP Concur plans to renew the certificates for *.concursolutions.com and *api.concursolutions.com in March 2025.

Note: The intermediate certificate and Root certificate for *.concursolutions.com and *.api.concursolutions.com will not change in March 2025. Only the end-entity certificate (leaf certificate) will be updated.

Availability Target Details: The intermediate certificate and Root certificate for *.concursolutions.com and *.api.concursolutions.com will not change in March 2025.

SAP Concur plans to issue new certificates as follows:

• 6PM PST on March 20, 2025 (*.concursolutions.com)
• 6PM PST March 27, 2025 (*.api.concursolutions.com)

The current certificates will expire as follows:

• 23:59 GMT on May 13, 2025 (*.concursolutions.com)
• 23:59 GMT on August 2, 2025 (*.api.concursolutions.com)

Clients who have not pinned the expiring certificate do not need to take any action as their expiring certificate will be renewed automatically. Most clients do not pin the certificate.

Note: SAP ICS customers who follow the certificate handling processes described in the following note do not need to take any action:2914977 - FAQ: Concur Certificates, Authentication, and Connectivity.

User Experience

Clients who have pinned an expiring certificate must update to the new certificate before the new certificate is issued at 6PM PST on March 20, 2025 (.concursolutions.com) or at 6PM PST on March 27, 2025 (.api.concursolutions.com).

Clients who have pinned the certificate and who do not update it with the new certificate before it is renewed, will experience disruption to SAP Concur products and services.

Configuration / Feature Activation

IMPORTANT! Certificate pinning is not recommended, and you do so at your own risk. To support security for SAP Concur solutions, security certificates are renewed regularly. Pinned certificates are not renewed automatically and, if a pinned certificate is not renewed before it expires, the pinned certificate can cause a disruption of service.

To avoid disruption of service, clients who pin their security certificates must pin both the RSA and ECDSA certificates. Clients may obtain the new certificates from the following web pages:

*.concursolutions.com New certificates will be provided in Feb 2025.

*.api.concursolutions.com New certificates will be provided in Feb 2025.

Note:If you are not sure whether your *concursolutions.com certificate is pinned, consult with your IT department.

Preview: Spend User Documentation Update

We are combining the Spend User Retrieval and the Spend User Extension Schema documents into one Spend Extension document. The updated document is now available, however if you have the Spend User Extension Schema bookmarked that page will be removed at the end of January, so please update your bookmarks.

Now Available: New Endpoint for Access Token Requests by Third-Party Partners

All third-party partners making access token requests are required to use https://glz.api.concursolutions.com/oauth2/v0/token. This ensures that you receive the correct geolocation for your API calls. Ensure that you make the necessary adjustments to keep the service uninterrupted. The updated information can be found on the Base URI page and in the Base URI section of the Authentication page.

Ongoing

Important: Reversal of Verified Email Flag Management in SAP Concur Profile via Identity 4.1 and UPS 4.0 APIs

Due to identified bugs in the recently released functionality for managing the verified email flag within SAP Concur user profiles via the Identity 4.1 and UPS 4.0 APIs, we have decided to temporarily disable this feature. Our teams are actively working on resolving this issue.

Key Details:

Feature Unavailable: The ability to update the verified email flag via the Identity 4.1 and UPS 4.0 APIs is temporarily disabled and reverted back to pre-feature release behavior.

Impact:

• POST calls attempting to set the emails.verified attribute for managing the flag will fail and return a 400 error.
• PATCH calls attempting to update the emails.verified attribute will not update the attribute and continue to process other operations.
• Existing workflows leveraging this parameter may need adjustments until the issue is resolved.

Flat File Support: Planned flat file support for this feature remains paused as we focus on addressing the bugs in the API implementation.

We apologize for any inconvenience caused and appreciate your patience as we work toward restoring this functionality. Further updates will be communicated as soon as the issue is resolved.

Previews

In general, this table lists items that will be shipping in the next 30-60 days. For a broader view of features that are coming, please see our Road Map Explorer.

Deprecations and Decommissions

APIs are being deprecated or decommissioned in accordance with the SAP Concur API Lifecycle & Deprecation Policy.