API Release Notes, June 2025
New This Month
Preview: Detokenizer (DTK) v5 API
The FIPS Compliant v5 Credit Card Detokenization API will be set to launch within the CCPS environment for IBCP customers. This compliance-driven initiative aligns with the Federal Information Processor Standards (FIPS) to ensure robust protection of sensitive data, per U.S. federal requirements. For customers with entities in CCPS and IBCP card programs, the new Detokenizer (DTK) functionality will be integral to the payment file process.
Note: The current v4 API service will remain unchanged for other environments.
Overview
The Detokenizer service ensures secure transmission of sensitive data (card number) to customers as part of the remittance file creation process running at caller applications like ICS and CWS, in which the full, unmasked credit card number is required for the correct application of payments.
API Details
There are two APIs which are developed as part of Detokenizer (DTK) v5 and they must be called in sequence.
The Detokenizer v5 API exposes the following resources and these must be called sequentially:
| Resource | Description |
|---|---|
| RSAPublicKey | Retrieves the RSA public Key via public key API |
| Credit Card Account Details | Retrieves the credit card number via Detokenizer API |
The first DTK v5 API will return the RSA public key and version of the RSA public key. The caller needs to wrap their symmetric key using this public key and this wrapped symmetric key needs to be passed to the second DTK v5 API along with the version earlier mentioned, and the mandatory credit card GUID received from client request to provide encrypted credit card account number.
Preview: New Expense Configuration v4 APIs
The Expense Configuration Service will release GET API operations, as follows:
GET Attendee Types for a user’s expense group v4 API
A GET Attendee Types v4 API operation will be released to allow for the retrieval of all attendee types applicable to the user’s expense group based on their userId.
GET User Expense Groups v4 API
A GET Groups v4 API operation will be released to allow for the retrieval of an expense group applicable to a user based on their userId, including policies, payment types and attendee types linked to the group.
GET Company Expense Groups v4 API
A GET Company Groups v4 API operation will be released to allow for the retrieval of all expense groups applicable for a company based on their companyID.
GET Company Expense Groups by ID v4 API
A GET Company Groups by Id v4 API operation will be released to allow for the retrieval of an expense group by id, including policies, payment types and attendee types linked to the group.
Preview: Public Certificate Root Change
To maintain compliance with evolving security standards and ensure uninterrupted compatibility with Mozilla-based browsers, we are transitioning our digital certificates to the updated DigiCert Global Root G2 and G3 authorities:
DigiCert Global Root G2 – for RSA-based certificates DigiCert Global Root G3 – for ECDSA-based certificates
This proactive update follows DigiCert’s announcement regarding Mozilla’s planned deprecation of the DigiCert Global Root CA.
Adopting the new root certificates is critical to avoid potential trust errors or connection issues when accessing our services via Mozilla browsers.
Target Implementation Dates:
| Certificate | Implementation Date |
|---|---|
| *.concurcdc.cn | Oct 2, 2025 |
| *.api.concurcdc.cn | Oct 9, 2025 |
| *.concursolutions.com | Oct 23, 2025 |
| *.api.concursolutions.com | Nov 6, 2025 |
Clients who have not pinned the certificate do not need to take any action as the new certificate will automatically be updated when it becomes available.
RECOMMENDATION – Please Read Carefully
Certificate pinning is not recommended.
While it may add a layer of control, pinning certificates introduces risks. Certificates used by SAP Concur are renewed on a regular basis. Pinned certificates are not updated automatically and may cause service disruptions if not renewed before expiry.
FOR SAP ICS Customers
Please refer to section 2 “Which SSL certificates do I need to have installed” of 2914977 - FAQ: Concur Certificates, Authentication, and Connectivity for detailed instructions.
ACTION REQUIRED
If your systems pin the root or intermediate certificate, you must update your trust store to include the following certificates:
RSA Certificates Download Links
- Intermediate: DigiCert Global G2 TLS RSA SHA256 2020 CA1
- Root: DigiCert Global Root G2
-
ECDSA Certificates Download Links
- Intermediate: DigiCert Global G3 TLS ECC SHA384 2020 CA1
- Root: DigiCert Global Root G3
Note: Most modern systems now prefer ECDSA for connections, while RSA is still used primarily by legacy systems. To ensure full compatibility, please ensure that your systems trust both ECDSA and RSA certificates.
CERTIFICATE CHAIN LINKS: (consist of end-entity, Intermediate, and Root certificates respectively). Please make sure to open the link in an Incognito or Private browser window to ensure there is no cached data causing outdated or incorrect content to appear
*.concurcdc.cn
https://assets.concur.com/concurtraining/cte/en-us/www-concurcdc-cn-chain_ECDSA.pem
https://assets.concur.com/concurtraining/cte/en-us/www-concurcdc-cn-chain_RSA.pem
*.api.concurcdc.cn
https://assets.concur.com/concurtraining/cte/en-us/api-concurcdc-cn-chain_ECDSA.pem
https://assets.concur.com/concurtraining/cte/en-us/api-concurcdc-cn-chain_RSA.pem
*.concursolutions.com
https://assets.concur.com/concurtraining/cte/en-us/concursolutions-com-chain_ECDSA.pem
https://assets.concur.com/concurtraining/cte/en-us/concursolutions-com-chain_RSA.pem
*.api.concursolutions.com
https://assets.concur.com/concurtraining/cte/en-us/api-concursolutions-com-chain_ECDSA.pem
https://assets.concur.com/concurtraining/cte/en-us/api-concursolutions-com-chain_RSA.pem
Ongoing
Not applicable.
Previews
In general, this table lists items that will be shipping in the next 30-60 days. For a broader view of features that are coming, please see our Road Map Explorer.
| Date | API | Preview |
|---|---|---|
| 04/2025 | New Fields Added to Financial Integration Services (FIS) v4 API | For customers of the Concur Expense Professional Edition using the Financial Integration Services (FIS) v4 API, additional fields will be included in the Expense report document payload and mileage fields will be added to the payroll document schema. |
| 04/2025 | Expense v4 DELETE APIs for Reports v4 and Expenses v4 | The Expense Report Service API suite will be updated to include APIs to delete unsubmitted reports and expenses. |
| 03/2025 | Support of Hotel Date Modification for Hotel Connectors | Hotel connectors will support the modification of check-in and check-out dates using the Hotel Service v4 Modify endpoint. This will allow users to change their dates of stay without having to cancel and rebook. |
| 05/2024 | Retention Period for Credit Card Data Files | For compliance reasons, SAP Concur will be implementing a process wherein card data files received from external sources (Issuing banks, Card associations) will be deleted from systems after 90 days. |
| 01/2024 | Hotel Service v4 | Updates to Hotel Service v4 that will remove existing elements from the |
Deprecations and Decommissions
APIs are being deprecated or decommissioned in accordance with the SAP Concur API Lifecycle & Deprecation Policy.
| Date | API | Details |
|---|---|---|
| 04/2025 | Deprecation of Attendees v1, v1.1, and v2 | Effective October 9, 2018, we have deprecated the Attendees v1, v1.1, and v2 APIs. Decommission will follow. |
| 03/2024 | Deprecation of Spend User Retrieval 4.0. | The decommission of password provisioning via file import will occur in April 2025. |
| 06/2023 | Deprecation of Launch External URL Callout v1 | The Launch External URL V1 API is deprecated as of June 16th, 2023. Decommission will follow. |
| 01/2023 | Move from the Travel Request External Validation Callout v1 to the Event Subscription Service (ESS) | This callout was designed to work with the Concur Request v1 API that is in the process of being decommissioned. Users are strongly recommended to move to the Event Subscription Services (ESS) in order to subscribe to the Request events. |
| 01/2021 | List v3 API | Effective April 16, 2021, we have deprecated the List v3 API. This API is replaced by the List v4 API. List v3 is planned to be retired in a future release. |
| 01/2021 | List Item v3 API | Effective April 16, 2021, we have deprecated the List Item v3 API. This API is replaced by the List Item v4 API. List Item v3 is planned to be retired in a future release. Please migrate to the List Item v4 API as soon as possible. |