API Release Notes, March 2026
New This Month
Preview: SSL Certificates Renewal for *.concursolutions.com and *api.concursolutions.com
Due to industry-wide changes implemented by our Certificate Authority, DigiCert, the maximum validity period for publicly trusted TLS certificates has been reduced to 199 days. As a result, SAP Concur certificates will be renewed more frequently than in previous years. SAP Concur plans to renew the certificates for *.concursolutions.com and *api.concursolutions.com in May 2026.
Additional information about the 199-day certificate validity period is available in the documentation provided by DigiCert.
Note: This change is part of broader security improvements across the industry and has no impact on the security, availability, or trust of SAP Concur services.
End-User Experience
The current certificates will expire as follows:
-
June 4, 2026 23:59 GMT for
*.api.concursolutions.com -
June 5, 2026 23:59 GMT for
*.concursolutions.com
SAP Concur will renew it ahead of this date to ensure continued service availability.
New certificates are planned to be issued as follows:
-
10PM PDT on May 13 2026 for
*.api.concursolutions.com -
10PM PDT on May 20, 2026 for
*.concursolutions.com
Certificate Updates As a part of this renewal, the following updates will be introduced:
*.api.concursolutions.com
-
As part of the recent DigiCert account migration from SAP Concur to SAP, the organization information associated with *.api.concursolutions.com certificates has been updated. For details, please refer to the Certificates Download Links section below.
-
This change affects only the certificate metadata and does not impact service functionality or security.
*.concursolutions.com
-
The Client Authentication extended key usage has been removed from the certificate.
-
This extension was not used as the certificate functions as a TLS server certificate for server authentication only. Its removal does not impact service functionality.
-
For additional information on certificate extended key usage, please refer to the documentation from DigiCert.
Certificate Pinning Guidance
Clients who have not pinned the expiring certificate do not need to take any action as their expiring certificate will be renewed automatically. Most clients do not pin the certificate.
SAP ICS customers who follow the certificate handling processes described in the following note do not need to take any action:
2914977 - FAQ: Concur Certificates, Authentication, and Connectivity.
Clients who have pinned an expiring certificate must update to the new certificate before it is issued at
-
10PM PDT on May 13 2026
*.api.concursolutions.com -
10PM PDT May 20, 2026
*.concursolutions.com
Note: Certificate pinning is not recommended, and you do so at your own risk. To support security for SAP Concur solutions, security certificates are renewed regularly. Pinned certificates are not renewed automatically and, if a pinned certificate is not renewed before it expires, the pinned certificate can cause a disruption of service.
Recommendation: If your implementation requires certificate pinning, we strongly recommend pinning the Root CA certificate, rather than the leaf/end certificate. Pinning the leaf/end certificate may result in service disruption due to the shorter renewal cycle. Pinning to the Root CA provides greater stability while maintaining security.
Certificate Download Links
To avoid disruption of service, clients who pin their security certificates must pin both the RSA and ECDSA certificates. Clients may obtain the new certificates from the following web pages.
These are root and intermediate certificates for both *.concursolutions.com and *.api.concursolutions.com.
RSA Certificates Download Links
-
Intermediate: DigiCert Global G2 TLS RSA SHA256 2020 CA1
-
Root: DigiCert Global Root G2
ECDSA Certificates Download Links
-
Intermediate: DigiCert Global G3 TLS ECC SHA384 2020 CA1
-
Root: DigiCert Global Root G3
Certificate Chain consists of end-entity, Intermediate and Root certificates respectively.
When opening the following links, open the link in an Incognito or Private browser window to ensure there is no cached data causing outdated or incorrect content to appear.
*.api.concursolutions.com
-
https://assets.concur.com/concurtraining/cte/en-us/api-concursolutions-com-chain_ECDSA.pem
-
https://assets.concur.com/concurtraining/cte/en-us/api-concursolutions-com-chain_RSA.pem
Note: For
*.api.concursolutions.comorganization change, the changes are as follows: From:subject: C=US, ST=Washington, L=Bellevue, O=Concur Technologies, Inc.,To:subject=C=DE, ST=Baden-Württemberg, L=Walldorf, O=SAP SEThis is an internal administrative change and does not affect certificate validity or functionality. The certificate used for *.api.concursolutions.com currently retains a one-year validity period, as it was renewed prior to the certificate validity policy change implemented by DigiCert. Future renewals will follow the updated validity requirements.
*.concursolutions.com
-
https://assets.concur.com/concurtraining/cte/en-us/concursolutions-com-chain_ECDSA.pem
-
https://assets.concur.com/concurtraining/cte/en-us/concursolutions-com-chain_RSA.pem
You can access and test the certificates by following the instructions in Concur Shared Release Notes.
Configuration / Feature Activation
If you are not sure whether your SSL certificate is pinned, please consult with your IT department.
Now Available: API Deprecation Headers
For APIs in deprecation, responses will include an x-api-warn header that identifies the deprecated endpoint and its recommended replacement. A sunset header will specify the planned decommission date and include a link to additional deprecation details, in compliance with SAP API policies. This has been applied to both API and UI gateways. For example:
-
x-api-warn: ‘/api/v3.1/travelrequest/’ is deprecated; use ‘/travelrequest/v4/’. See ‘https://developer.concur.com/tools-support/release-notes/api/archive/2023-01-05.html’ for details.
-
sunset: Sun, 01 Mar 2020 00:00:00 GMT
Preview: Manage Participants of an Existing Request in Request v4
The Request v4 API will enable customers and partners to better manage their Budget request experience through Concur Request web services. Enhancements will include capabilities to view and manage Participants on a Parent Request, as well as related improvements to existing endpoints.
Overview
The Request v4 API will include a Participants area and two additional endpoints, as follows:
-
View Participants and Related Child Requests: Customers and partners will be able to retrieve the list of participants associated with a Parent request, along with the child requests linked to it.
-
Manage Participants: Customers and partners will be able to add and remove participants on a Parent request.
Updates to Existing Request v4 API Behavior
-
Request Policies for a User: Policy responses will indicate whether a given policy supports creating Parent requests (Budget requests).
-
Create a Request: The request creation process will support the following Budget request scenarios:
– Creating a Parent Request using an eligible policy
– Creating a Child Request and linking it to an existing parent request
-
Get Request Details: Request details will indicate whether the request is Parent or Child. For Child requests, the response will also include a reference to the related Parent request.
Configuration / Feature Activation
The Request v4 APIs will be available for users of both Professional and Standard versions of Concur Request. For additional information, refer to the Request v4 API documentation.
Decommissioning of Launch External URL V1
Effective Date: June 3, 2026
The Launch External URL V1 callout API, deprecated in June 2023, will be shut down and no longer accessible upon decommissioning on June 3, 2026. To ensure continued functionality and reliability, all customers must migrate to Launch External URL V4, which provides full functional equivalence with no known gaps. Please reach out to your SAP Concur representative for more information.
Ongoing
Important! Upcoming Shutdown of Request V1, V3, and V3.1
Effective Date: August 5, 2026
As previously announced, the Concur Request APIs v1.0, v3.0, and v3.1 have been decommissioned. These versions will be retired and no longer accessible as of August 5, 2026. Customers currently using these versions must migrate to the successor API, Request API V4, to ensure uninterrupted functionality. Please reach out to your Concur representative for more information.
Preview: Removal of concur.profile and concur.app Fields from Access Tokens(JWTs)
Two fields will be removed from Access Tokens (JWTs) and ID Tokens: concur.profile and concur.app. These fields currently contain fully formed URLs pointing to Profile v1 resources, for example:
- https://integration.api.concursolutions.com/profile/v1/principals/
- https://integration.api.concursolutions.com/profile/v1/apps/
These fields are being removed because the referenced URLs are no longer valid following the transition from Profile V1 to Profile v4. Also, these URLs were provided for convenience only and can be constructed using other information available in the JWT.
Target Dates
- Removal from Integration environments — week of March 23
- Removal from Production environments — week of April 6
Required Action
If your integration consumes either the concur.profile or concur.app fields from a JWT, update your implementation to remove this dependency by forming the necessary URL directly in your code.
Previews
In general, this table lists items that will be shipping in the next 30-60 days. For a broader view of features that are coming, please see our Road Map Explorer.
| Date | API | Preview |
|---|---|---|
| 01/2026 | Additions to Reservation and Search Requests in Hotel Service v4 | This API will add travel arranger details to a reservation request. It will also add the GIATA ID to a hotel search request. |
| 07/2025 | New Attributes for Spend User v4.1 | The Spend User v4.1 API will allow you to access the processorReportAccess field in the User Preference extension and the User extension will allow you to access the following fields: officeLocationCountry, officeLocationStateProvince, officeLocationCity. |
| 04/2025 | New Fields Added to Financial Integration Services (FIS) v4 API | For customers of the Concur Expense Professional Edition using the Financial Integration Services (FIS) v4 API, additional fields will be included in the Expense report document payload and mileage fields will be added to the payroll document schema. |
| 05/2024 | Retention Period for Credit Card Data Files | For compliance reasons, SAP Concur will be implementing a process wherein card data files received from external sources (Issuing banks, Card associations) will be deleted from systems after 90 days. |
| 01/2024 | Hotel Service v4 | Updates to Hotel Service v4 that will remove existing elements from the |
Deprecations and Decommissions
APIs are being deprecated or decommissioned in accordance with the SAP Concur API Lifecycle & Deprecation Policy.
| Date | API | Details |
|---|---|---|
| 10/2025 | Deprecation of Locations v3 | Effective October 10, 2025, the Locations v3 API will be deprecated. This has been replaced by Localities v5. Decommission will follow. |
| 07/2025 | Deprecation of Expense Group Configurations v3 | Effective June 26, 2025, the Expense Group Configurations v3 API was deprecated. This has been replaced by the Expense Configuration v4 API. Decommission will follow. |
| 07/2025 | Deprecation of Expense v3 DELETE | Effective June 26, 2025, Expense v3 DELETE was deprecated. This has been replaced by Expense v4 Delete. Decommission will follow. |
| 07/2025 | Deprecation of Attendees v3 API | Effective July 1, 2025, the Attendees v3 API was deprecated. This has been replaced by Attendees v4. Decommission will follow. |
| 07/2025 | Deprecation of Attendee Types v3 API | Effective July 1, 2025, the Attendee Types v3 API was deprecated. This has been replaced by Attendee Types v4. Decommission will follow. |
| 04/2025 | Deprecation of Attendees v1, v1.1, and v2 | Effective October 9, 2018, we have deprecated the Attendees v1, v1.1, and v2 APIs. Decommission will follow. |
| 03/2024 | Deprecation of Spend User Retrieval 4.0. | The decommission of password provisioning via file import will occur in April 2025. |
| 06/2023 | Deprecation of Launch External URL Callout v1 | The Launch External URL V1 API is deprecated as of June 16th, 2023. Decommission will follow. |
| 01/2023 | Move from the Travel Request External Validation Callout v1 to the Event Subscription Service (ESS) | This callout was designed to work with the Concur Request v1 API that is in the process of being decommissioned. Users are strongly recommended to move to the Event Subscription Services (ESS) in order to subscribe to the Request events. |
| 01/2021 | List v3 API | Effective April 16, 2021, we have deprecated the List v3 API. This API is replaced by the List v4 API. List v3 is planned to be retired in a future release. |
| 01/2021 | List Item v3 API | Effective April 16, 2021, we have deprecated the List Item v3 API. This API is replaced by the List Item v4 API. List Item v3 is planned to be retired in a future release. Please migrate to the List Item v4 API as soon as possible. |