API Release Notes, June 2025
New This Month
Important: Deprecation Notification Change
We have updated our Deprecation Policy to remove the 30-day notice prior to Deprecation. We will continue to notify of Deprecated APIs in release notes. Note that APIs will remain in Deprecated status for a minimum of twelve months prior to full Decommissioning unless in exceptional circumstances as defined in the policy.
Now Available: Expense v4 DELETE APIs – Reports v4, Expenses v4
The Expense Report Service API suite includes APIs to delete unsubmitted reports and expenses. These APIs include support for both User and Company JWTs.
Deprecation: Expense v3 DELETE
Effective June 26, 2025, Expense v3 DELETE was deprecated. This has been replaced by Expense v4 Delete. Decommission will follow.
Deprecation: Expense Group Configurations v3
Effective June 26, 2025, the Expense Group Configurations v3 API was deprecated. This has been replaced by the Expense Configuration v4 API. Decommission will follow.
Now Available: Updates to the Expense Configuration v4 API
The Expense Configuration Service has released GET API operations, as follows:
- GET Attendee Types for a User’s Expense Group v4 API
GET Attendee Types v4 API operations allow you to retrieve all attendee types applicable to the user’s expense group based on their userId.
- GET User Expense Groups v4 API
GET Groups v4 API operations allow you to retrieve an expense group applicable to a user based on their userId, including policies, payment types and attendee types linked to the group.
- GET Company Expense Groups v4 API
GET Company Groups v4 API operations allow you to retrieve all expense groups applicable for a company based on their companyID.
- GET Company Expense Groups by ID v4 API
GET Company Groups by Id v4 API operations allow you to retrieve an expense group by id, including policies, payment types and attendee types linked to the group.
Preview: Detokenizer (DTK) v5 API
The FIPS Compliant v5 Credit Card Detokenization API will be set to launch within the CCPS environment for IBCP customers. This compliance-driven initiative aligns with the Federal Information Processor Standards (FIPS) to ensure robust protection of sensitive data, per U.S. federal requirements. For customers with entities in CCPS and IBCP card programs, the new Detokenizer (DTK) functionality will be integral to the payment file process.
Note: The current v4 API service will remain unchanged for other environments.
Overview
The Detokenizer service ensures secure transmission of sensitive data (card number) to customers as part of the remittance file creation process running at caller applications like ICS and CWS, in which the full, unmasked credit card number is required for the correct application of payments.
API Details
The Detokenizer v5 API exposes the following resources and these must be called sequentially:
| Resource | Description |
|---|---|
| RSAPublicKey | Retrieves the RSA public Key via public key API |
| Credit Card Account Details | Retrieves the credit card number via Detokenizer API |
The first DTK v5 API will return the RSA public key and version of the RSA public key. The caller needs to wrap their symmetric key using this public key and this wrapped symmetric key needs to be passed to the second DTK v5 API along with the version earlier mentioned, and the mandatory credit card GUID received from client request to provide encrypted credit card account number.
Preview: Deprecation of Attendees v3 API
Effective July 1, 2025, the Attendees v3 API will be deprecated. This has been replaced by Attendees v4. Decommission will follow.
Preview: Public Certificate Root Change
To maintain compliance with evolving security standards and ensure uninterrupted compatibility with Mozilla-based browsers, we are transitioning our digital certificates to the updated DigiCert Global Root G2 and G3 authorities:
-
DigiCert Global Root G2 – for RSA-based certificates
-
DigiCert Global Root G3 – for ECDSA-based certificates
This proactive update follows DigiCert’s announcement regarding Mozilla’s planned deprecation of the DigiCert Global Root CA.
Adopting the new root certificates is critical to avoid potential trust errors or connection issues when accessing our services via Mozilla browsers.
Target Implementation Dates:
| Certificate | Implementation Date |
|---|---|
| *.concurcdc.cn | Oct 2, 2025 |
| *.api.concurcdc.cn | Oct 9, 2025 |
| *.concursolutions.com | Oct 23, 2025 |
| *.api.concursolutions.com | Nov 6, 2025 |
Clients who have not pinned the certificate do not need to take any action as the new certificate will automatically be updated when it becomes available.
RECOMMENDATION – Please Read Carefully
Certificate pinning is not recommended.
While it may add a layer of control, pinning certificates introduces risks. Certificates used by SAP Concur are renewed on a regular basis. Pinned certificates are not updated automatically and may cause service disruptions if not updated before implementation date.
FOR SAP ICS Customers
Please refer to section 2 “Which SSL certificates do I need to have installed” of 2914977 - FAQ: Concur Certificates, Authentication, and Connectivity for detailed instructions.
ACTION REQUIRED
If your systems pin the root or intermediate certificate, you must update your trust store to include the following certificates:
RSA Certificates Download Links
- Intermediate: DigiCert Global G2 TLS RSA SHA256 2020 CA1
- Root: DigiCert Global Root G2
ECDSA Certificates Download Links
- Intermediate: DigiCert Global G3 TLS ECC SHA384 2020 CA1
- Root: DigiCert Global Root G3
Note: Most modern systems now prefer ECDSA for connections, while RSA is still used primarily by legacy systems. To ensure full compatibility, please ensure that your systems trust both ECDSA and RSA certificates.
CERTIFICATE CHAIN LINKS: (consist of end-entity, Intermediate, and Root certificates respectively). If your system is pinning the end-entity certificate, see the links below. Please make sure to open the link in an Incognito or Private browser window to ensure there is no cached data causing outdated or incorrect content to appear.
*.concursolutions.com
https://assets.concur.com/concurtraining/cte/en-us/concursolutions-com-chain_ECDSA.pem
https://assets.concur.com/concurtraining/cte/en-us/concursolutions-com-chain_RSA.pem
*.api.concursolutions.com
https://assets.concur.com/concurtraining/cte/en-us/api-concursolutions-com-chain_ECDSA.pem
https://assets.concur.com/concurtraining/cte/en-us/api-concursolutions-com-chain_RSA.pem
You can test the certificate here.
Ongoing
Not applicable.
Previews
In general, this table lists items that will be shipping in the next 30-60 days. For a broader view of features that are coming, please see our Road Map Explorer.
| Date | API | Preview |
|---|---|---|
| 04/2025 | New Fields Added to Financial Integration Services (FIS) v4 API | For customers of the Concur Expense Professional Edition using the Financial Integration Services (FIS) v4 API, additional fields will be included in the Expense report document payload and mileage fields will be added to the payroll document schema. |
| 03/2025 | Support of Hotel Date Modification for Hotel Connectors | Hotel connectors will support the modification of check-in and check-out dates using the Hotel Service v4 Modify endpoint. This will allow users to change their dates of stay without having to cancel and rebook. |
| 05/2024 | Retention Period for Credit Card Data Files | For compliance reasons, SAP Concur will be implementing a process wherein card data files received from external sources (Issuing banks, Card associations) will be deleted from systems after 90 days. |
| 01/2024 | Hotel Service v4 | Updates to Hotel Service v4 that will remove existing elements from the |
Deprecations and Decommissions
APIs are being deprecated or decommissioned in accordance with the SAP Concur API Lifecycle & Deprecation Policy.
| Date | API | Details |
|---|---|---|
| 04/2025 | Deprecation of Attendees v1, v1.1, and v2 | Effective October 9, 2018, we have deprecated the Attendees v1, v1.1, and v2 APIs. Decommission will follow. |
| 03/2024 | Deprecation of Spend User Retrieval 4.0. | The decommission of password provisioning via file import will occur in April 2025. |
| 06/2023 | Deprecation of Launch External URL Callout v1 | The Launch External URL V1 API is deprecated as of June 16th, 2023. Decommission will follow. |
| 01/2023 | Move from the Travel Request External Validation Callout v1 to the Event Subscription Service (ESS) | This callout was designed to work with the Concur Request v1 API that is in the process of being decommissioned. Users are strongly recommended to move to the Event Subscription Services (ESS) in order to subscribe to the Request events. |
| 01/2021 | List v3 API | Effective April 16, 2021, we have deprecated the List v3 API. This API is replaced by the List v4 API. List v3 is planned to be retired in a future release. |
| 01/2021 | List Item v3 API | Effective April 16, 2021, we have deprecated the List Item v3 API. This API is replaced by the List Item v4 API. List Item v3 is planned to be retired in a future release. Please migrate to the List Item v4 API as soon as possible. |