API Release Notes, July 2025
New This Month
Now Available: Updates to OAuth 2.0 Application Management
We have updated the OAuth 2.0 Application Management tool, which is used to create apps for integrations. We have introduced two new fields: App Stage and Application Type. These fields provide drop-down lists from which you can select the appropriate value, facilitating better categorization and management of your apps. The update rollout started on July 9th, and the changes are expected to be reflected across all data centers by the end of the same week. For detailed information, check out the OAuth 2.0 Application Management Tool documentation.
Now Available: Hotel Service v4 New Field
The highlightedRateText field has been added to the Rate Response model for the /hotels/rates endpoint in the Hotel Service v4 API. This is an optional field of type string.
Preview: Office Location Field Attributes for Spend User v4 APIs
The Spend User v4 APIs will allow you to set the following office location field attributes: officeLocationCountry, officeLocationStateProvince, officeLocationCity.
Deprecation: Attendee Types v3 API
Effective July 1, 2025, the Attendee Types v3 API was deprecated. This has been replaced by Attendee Types v4. Decommission will follow.
Deprecation: Attendees v3 API
Effective July 1, 2025, the Attendees v3 API was deprecated. This has been replaced by Attendees v4. Decommission will follow.
Ongoing
Deprecation: Expense v3 DELETE
Effective June 26, 2025, Expense v3 DELETE was deprecated. This has been replaced by Expense v4 Delete. Decommission will follow.
Deprecation: Expense Group Configurations v3
Effective June 26, 2025, the Expense Group Configurations v3 API was deprecated. This has been replaced by the Expense Configuration v4 API. Decommission will follow.
Preview: Public Certificate Root Change
To maintain compliance with evolving security standards and ensure uninterrupted compatibility with Mozilla-based browsers, we are transitioning our digital certificates to the updated DigiCert Global Root G2 and G3 authorities:
-
DigiCert Global Root G2 – for RSA-based certificates
-
DigiCert Global Root G3 – for ECDSA-based certificates
This proactive update follows DigiCert’s announcement regarding Mozilla’s planned deprecation of the DigiCert Global Root CA.
Adopting the new root certificates is critical to avoid potential trust errors or connection issues when accessing our services via Mozilla browsers.
Target Implementation Dates:
| Certificate | Implementation Date |
|---|---|
| *.concurcdc.cn | Oct 2, 2025 |
| *.api.concurcdc.cn | Oct 9, 2025 |
| *.concursolutions.com | Oct 23, 2025 |
| *.api.concursolutions.com | Nov 6, 2025 |
Clients who have not pinned the certificate do not need to take any action as the new certificate will automatically be updated when it becomes available.
RECOMMENDATION – Please Read Carefully
Certificate pinning is not recommended.
While it may add a layer of control, pinning certificates introduces risks. Certificates used by SAP Concur are renewed on a regular basis. Pinned certificates are not updated automatically and may cause service disruptions if not updated before implementation date.
FOR SAP ICS Customers
Please refer to section 2 “Which SSL certificates do I need to have installed” of 2914977 - FAQ: Concur Certificates, Authentication, and Connectivity for detailed instructions.
ACTION REQUIRED
If your systems pin the root or intermediate certificate, you must update your trust store to include the following certificates:
RSA Certificates Download Links
- Intermediate: DigiCert Global G2 TLS RSA SHA256 2020 CA1
- Root: DigiCert Global Root G2
ECDSA Certificates Download Links
- Intermediate: DigiCert Global G3 TLS ECC SHA384 2020 CA1
- Root: DigiCert Global Root G3
Note: Most modern systems now prefer ECDSA for connections, while RSA is still used primarily by legacy systems. To ensure full compatibility, please ensure that your systems trust both ECDSA and RSA certificates.
CERTIFICATE CHAIN LINKS: (consist of end-entity, Intermediate, and Root certificates respectively). If your system is pinning the end-entity certificate, see the links below. Please make sure to open the link in an Incognito or Private browser window to ensure there is no cached data causing outdated or incorrect content to appear.
*.concursolutions.com
https://assets.concur.com/concurtraining/cte/en-us/concursolutions-com-chain_ECDSA.pem
https://assets.concur.com/concurtraining/cte/en-us/concursolutions-com-chain_RSA.pem
*.api.concursolutions.com
https://assets.concur.com/concurtraining/cte/en-us/api-concursolutions-com-chain_ECDSA.pem
https://assets.concur.com/concurtraining/cte/en-us/api-concursolutions-com-chain_RSA.pem
You can test the certificate here.
Previews
In general, this table lists items that will be shipping in the next 30-60 days. For a broader view of features that are coming, please see our Road Map Explorer.
| Date | API | Preview |
|---|---|---|
| 06/2025 | Detokenizer (DTK) v5 API | The FIPS Compliant v5 Credit Card Detokenization API will be set to launch within the CCPS environment for IBCP customers. This compliance-driven initiative aligns with the Federal Information Processor Standards (FIPS) to ensure robust protection of sensitive data, per U.S. federal requirements. |
| 04/2025 | New Fields Added to Financial Integration Services (FIS) v4 API | For customers of the Concur Expense Professional Edition using the Financial Integration Services (FIS) v4 API, additional fields will be included in the Expense report document payload and mileage fields will be added to the payroll document schema. |
| 03/2025 | Support of Hotel Date Modification for Hotel Connectors | Hotel connectors will support the modification of check-in and check-out dates using the Hotel Service v4 Modify endpoint. This will allow users to change their dates of stay without having to cancel and rebook. |
| 05/2024 | Retention Period for Credit Card Data Files | For compliance reasons, SAP Concur will be implementing a process wherein card data files received from external sources (Issuing banks, Card associations) will be deleted from systems after 90 days. |
| 01/2024 | Hotel Service v4 | Updates to Hotel Service v4 that will remove existing elements from the |
Deprecations and Decommissions
APIs are being deprecated or decommissioned in accordance with the SAP Concur API Lifecycle & Deprecation Policy.
| Date | API | Details |
|---|---|---|
| 04/2025 | Deprecation of Attendees v1, v1.1, and v2 | Effective October 9, 2018, we have deprecated the Attendees v1, v1.1, and v2 APIs. Decommission will follow. |
| 03/2024 | Deprecation of Spend User Retrieval 4.0. | The decommission of password provisioning via file import will occur in April 2025. |
| 06/2023 | Deprecation of Launch External URL Callout v1 | The Launch External URL V1 API is deprecated as of June 16th, 2023. Decommission will follow. |
| 01/2023 | Move from the Travel Request External Validation Callout v1 to the Event Subscription Service (ESS) | This callout was designed to work with the Concur Request v1 API that is in the process of being decommissioned. Users are strongly recommended to move to the Event Subscription Services (ESS) in order to subscribe to the Request events. |
| 01/2021 | List v3 API | Effective April 16, 2021, we have deprecated the List v3 API. This API is replaced by the List v4 API. List v3 is planned to be retired in a future release. |
| 01/2021 | List Item v3 API | Effective April 16, 2021, we have deprecated the List Item v3 API. This API is replaced by the List Item v4 API. List Item v3 is planned to be retired in a future release. Please migrate to the List Item v4 API as soon as possible. |