API Release Notes, July 2021
Contents
- Ongoing: Retirement and Decommission of Existing Concur Request APIs (v1.0, v3.0, v3.1)
- Ongoing: Retirement of List v1 API
- Ongoing: Retirement of List v3 API
- Ongoing: Retirement of List Item v3 API
- Ongoing: OAuth 2.0 Migration
- Ongoing: Decommission of Bulk User v3.1 API
- Ongoing: Application Connector Username and Password Length Requirements Updated
- Ongoing: Updated Naming Convention for Sub-URLs
- Planned Changes: Deprecation of Travel Profile Notification v1 API
- Planned Changes: Cash Advance v4 API Available
- Planned Changes: Request v4 API Agency Proposal Endpoint
- Planned Changes: New Invoice Pay v4 GET Call Parameter
- Planned Changes: New Invoice Pay v4 PATCH Endpoint
- Planned Changes: Deprecation of User v3 API
- Identity v4 API Available
- Password Optional in Travel Profile 2.0 API
Ongoing: Retirement and Decommission of Existing Concur Request APIs (v1.0, v3.0, v3.1)
Effective July 1, 2020, We have retired the Concur Request APIs (v1.0, v3.0, and v3.1). These APIs are replaced by the Concur Request v4 API.
Business Purpose / Client Benefit
The Concur Request APIs v1.0, v3.0, and v3.1 only support the previous authentication method, which is not best security practice and does not meet the OAuth2 standards. In addition, the previous versions of the Concur Request APIs provided limited possibilities for moving a Request through the approval workflow, as well as managing custom simple & connected list fields. These issues are resolved with the new Concur Request v4 API.
In addition, we have run a backward compatibility project between the current Concur Request APIs and the new Concur Request v4 API (not iso-compatibility) in order to have the vast majority of use cases managed in the previous versions also be managed in the Concur Request v4 API.
Ongoing: Retirement of List v1 API
We will be retiring the List v1 API in a future release. This API is replaced by the List v4 API.
Business Purpose / Client Benefit
This update removes an outdated API. The List v4 APIs use more secure and modern, fine-grained methods. These APIs use Universal Unique Identifiers (UUIDs) and use JSON instead of XML. Also, authentication to the List v4 APIs may be performed with a User JWT or a Company JWT, providing the opportunity to apply the principle of least privilege.
Configuration / Feature Activation
The List v1 API is being retired in accordance with the SAP Concur API Lifecycle & Deprecation Policy.
If you currently use the List v1 API, please plan to migrate to the List Item v4 API as soon as possible.
Ongoing: Retirement of List v3 API
Effective April 16, 2021, we have deprecated the List v3 API. This API is replaced by the List v4 API. List v3 is planned to be retired in a future release.
Business Purpose / Client Benefit
This update removes an outdated API. The List v4 APIs use more secure and modern, fine-grained methods. These APIs use Universal Unique Identifiers (UUIDs) and use JSON instead of XML. Also, authentication to the List v4 APIs may be performed with a User JWT or a Company JWT, providing the opportunity to apply the principle of least privilege.
Configuration / Feature Activation
The List v3 API has been deprecated in accordance with the SAP Concur API Lifecycle & Deprecation Policy.
If you currently use the List v3 API, please migrate to the List v4 API as soon as possible.
Ongoing: Retirement of List Item v3 API
Effective April 16, 2021, we have deprecated the List Item v3 API. This API is replaced by the List Item v4 API. List Item v3 is planned to be retired in a future release.
Business Purpose / Client Benefit
This update removes an outdated API. The List Item v4 APIs use more secure and modern, fine-grained methods. These APIs use Universal Unique Identifiers (UUIDs) and use JSON instead of XML. Also, authentication to the List Item v4 APIs may be performed with a User JWT or a Company JWT, providing the opportunity to apply the principle of least privilege.
Configuration / Feature Activation
The List Item v3 API has been deprecated in accordance with the SAP Concur API Lifecycle & Deprecation Policy.
If you currently use the List Item v3 API, please migrate to the List Item v4 API as soon as possible.
Ongoing: OAuth 2.0 Migration
We will be converting from the legacy authentication (deprecated 2017) method to the new OAuth 2.0 authentication method. This effort will be taking place starting in the third quarter of 2021 and will conclude by the end of the second quarter of 2022.
Any existing partners, Client Web Service (CWS) clients, and clients with a Hosted Customer Connector using the legacy authentication (deprecated 2017) will need to be converted to the new OAuth 2.0 authentication. If you are a partner or a client using the legacy authentication (deprecated 2017) method, we will be reaching out and will provide communication on how to convert to the new OAuth 2.0 authentication. Clients with a Hosted Custom Connector will be handled by the SAP Concur Development team.
For more information, please refer to Authentication.
With the ongoing effort of the authentication conversion project, we will be placing the Register Partner Application UI into a read-only state. Existing customers who still access or use this UI would now only be able to view their legacy authentication applications. Clients will be unable to create net-new or modify their existing legacy authentication applications.
With the launch of the Company Request Token Self-Service Tool and the Self-Service Tool for Application Management in July 2021, Clients should begin utilizing these tools and UI to create Oauth 2.0 applications. If you feel that your company has a proper business case to create a net-new legacy authentication application, please submit an SAP Concur Support case. The support case will be reviewed and either approved or denied. We will only allowing exceptions for the creation of net new legacy authentication applications until September 20th, 2021.
Business Purpose / Client Benefit
This update provides more secure authentication methods.
Ongoing: Deprecation of Bulk User v3.1 API
We have deprecated the Bulk User v3.1 API for the US and EMEA data centers. This API is replaced by Identity v4. Decommission will follow.
Bulk User v3.1 will remain available for China data centers.
Business Purpose / Client Benefit
This update removes an outdated API. The Identity v4 API allows for a granular access control and fetch limited data as per the need. This service is more resilient than Bulk User v3.1 API.
Configuration / Feature Activation
The Bulk User v3.1 API is being deprecated in accordance with the SAP Concur API Lifecycle & Deprecation Policy.
If you currently use the Bulk User v3.1 API, please plan to migrate to the Identity v4 API as soon as possible.
Ongoing: Application Connector Username and Password Length Requirements Updated
Changes are being made to the length of usernames and passwords associated with application connectors. For more information please see the Expense release notes.
Ongoing: Updated Naming Convention for Sub-URLs
Changes are being made to the naming conventions of sub-urls. For more information please see the Expense release notes.
Planned Changes: Deprecation of Travel Profile Notification v1 API
We are deprecating the Travel Profile Notification v1 APIs due to low usage.
Business Purpose / Client Benefit
The Travel Profile Notification v1 APIs support older, less secure authentication methods.
Configuration / Feature Activation
The Travel Profile v1 APIs are being deprecated in accordance with the SAP Concur API Lifecycle & Deprecation Policy.
Planned Changes: Cash Advance v4 API Available
The Cash Advance API will empower an employee to request and receive cash in advance of a trip. Cash Advance will ensure that a user is not out of cash during a business trip. In markets where corporate cards are seldom issued, Cash Advance will provide a useful mechanism to ensure the employee is not out of pocket.
Business Purpose / Client Benefit
SAP Concur Cash Advance API will provide partners and customers the ability to manage cash advances. While using the API, customers can create, view, and issue a cash advance. The API will help customers to customize the usage of cash advances according to their needs.
Planned Changes: Request v4 API Agency Proposal Endpoint
We will soon be releasing an additional Request v4 API endpoint that will offer the ability for travel agencies to interact with Concur Request to propose travel itineraries directly into a request, via the agency proposal feature with Request v4 API.
The support of the agency proposal feature through our v4 APIs, available on the Request NexGen UI, will bring benefits of a better experience, simpler connectivity, and deeper integration between travel agencies and Concur Request, as well as a better user experience in their interaction with their travel agencies.
This new endpoint will provide added value to the existing Request v4 API, which already offers the ability for a user to interact with Concur Request to perform the following:
- Get the list of existing Requests.
- Get the detailed information of existing Requests.
- Create, Read, Update, or Delete an existing Request.
- Move an existing Request through the approval flow.
- Get the list of Expected Expenses (including trip segments) in a Request.
- Create, Read, Update, or Delete an expected expense (including trip segments) for a Request.
- Get the list of Request policies assigned to a given user.
- Get information of a travel agency office.
Business Purpose / Client Benefit
This additional endpoint will provide better capabilities for travel agencies who want to benefit from the Concur Request agency proposal feature with a direct consumption of the Request v4 API.
Configuration / Feature Activation
Depending on your travel agency, this feature may not be available for your company. Please liaise with your travel agency to confirm their development completion of the required Request v4 API endpoints to benefit from this feature.
Additional information, please see the Request v4 API documentation.
Planned Changes: New Invoice Pay v4 GET Call Parameter
We will be releasing an additional parameter for the Invoice Pay v4 API. GET calls will have the option to use the new invoiceId
parameter to retrieve payment information and the ERP Document ID associated to the invoice.
Business Purpose / Client Benefit
This update will allow Invoice Payment Provider Partners to retrieve the payment information and ERP Document ID of a single invoice.
Configuration / Feature Activation
The feature will be automatically available; there will be no additional configuration or activation steps.
Planned Changes: New Invoice Pay v4 PATCH Endpoint
We will be releasing a PATCH endpoint for the Invoice Pay v4 API. With the new PATCH, the invoice will be updated with the erpDocumentNumber
value in the body whenever an invoiceId
is passed as part of the API URL.
Business Purpose / Client Benefit
This update will allow Invoice Payment Provider Partners to update the ERP Document ID field on an invoice. Customers will then be able to use the ERP Document ID to help reconcile extracted invoices from SAP Concur services with invoices in their ERP system.
Configuration / Feature Activation
The feature will be automatically available; there will be no additional configuration or activation steps.
Planned Changes: Deprecation of User v3 API
We will be deprecating the User v3 API in a future release.
Business Purpose / Client Benefit
The User v3 API will be replaced due to less secure authentication methods.
Identity v4 API Available
The Identity v4 service enables callers to create, read, update, and delete a user’s core/identity profile information.
Business Purpose / Client Benefit
With granular access control, this API can be used access to user’s profile information on a need-to-know basis.
Password Optional in Travel Profile 2.0 API
Previously, a password was required in the API call to create a new user via the Travel Profile 2.0 API. With this change, a password is no longer required. For users created without a password, we will automatically generate a random, strong password and set it in the database.
- Users using SSO to log in, won’t see any change in behavior
- Users who will need their password to log in, will use the “forgot password” flow on the sign-in screen to reset the password for themselves.
NOTE: This does not affect other methods used to create users, such as other APIs or employee imports. If requirements for those methods change, they will have separate release notes.
Business Purpose / Client Benefit
Having SAP Concur set a password, rather than passing it via API provides higher security.
Configuration / Feature Activation
This feature is enabled by default. There are no configuration steps.