API Release Notes, October 2025
New This Month
Now Available: Hotel Service v4 New Callback URL
The Change Notification API does not currently provide a way for the hotel connector to know which datacenter to use for the given booking. To resolve this we are adding a callback url to the Hotel Service v4 Reservation request (along with the trip/booking IDs that we are already adding today) based on whatever datacenter the service is running in.
New element added to the ReservationCriteria:
"hrefs": {
"changeNotificationV4": "https://us2.api.concursolutions.com/travel/v4/trips/{TRIP_ID}/hotels/change-notification",
"authV0": "https://us2.api.concursolutions.com/oauth2/v0/token"
}
Note that {TRIP_ID} in above endpoint will be substituted with actual Trip ID used for the booking.
Now Available: Hotel Service v4 New Accepted Payments Response Field
A new field has been added to Hotel Service v4 Search response to allow suppliers to send us accepted payments. This will be used to populate a filter on the Search results page so that the user can filter for hotels that accept American Express, for example.
Accepted Payments should be an array of strings:
"acceptedPayments": [
"AMERICAN EXPRESS"
]
Updated: Digital Certificates to be Transitioned to DigiCert Global Root G2 and G3 Authorities
The following change applies to the Concur Cloud for Public Sector data center: To maintain compliance with evolving security standards and ensure uninterrupted compatibility with Mozilla-based browsers, SAP Concur is transitioning our digital certificates to the following updated DigiCert Global Root G2 and G3 authorities:
- DigiCert Global Root G2 – for RSA-based certificates
- DigiCert Global Root G3 – for ECDSA-based certificates
Adopting the new root certificates is critical to avoid potential trust errors or connection issues when accessing our services via Mozilla browsers.
Note: This proactive update follows DigiCert’s announcement regarding Mozilla’s planned deprecation of the DigiCert Global Root CA.
- Information First Published: October 10, 2025
- Applies to: All Products
- Applicable Data Centers: Concur Cloud for Public Sector
Note: The information in this release note applies to the Concur Cloud for Public Sector data center. For information about Digital Certificate transitions for other data centers, refer to Ongoing Digital Certificates to be Transitioned to DigiCert Global Root G2 and G3 Authorities in the Release Notes section of these release notes.
| Edition | Component | Administrator Action | Availability Target |
|---|---|---|---|
| Professional and Standard | Digital Certificates | Required | Refer to Availability Target Details |
Availability Target Details: SAP Concur plans to implement the changes on the following schedule:
Target Implementation Dates
| Certificate | Implementation Date and Time |
|---|---|
| usg.concursolutions.com | January 15, 2026 at 22:00 PDT |
| usg.api.concursolutions.com | January 22, 2026 at 22:00 PDT |
Clients who have not pinned the certificate do not need to take any action as their certificate will be updated automatically. Most clients do not pin the certificate.
Note: Certificate pinning is not recommended. To maintain compliance with evolving security standards, SAP Concur renews certificates on a regular basis. Pinned certificates are not updated automatically and failure to manually update them before the implementation date might cause service disruptions.
Note: SAP ICS customers who follow the certificate handling processes described in the following note do not need to take any action: 2914977 - FAQ: Concur Certificates, Authentication, and Connectivity.
Action is required if you pin certificates. If your organization pins the root or intermediate certificate, you must update your trust store to include the new certificates before your scheduled update date to avoid service disruptions.
Updated Root Certificates for Pinning Customers:
RSA Certificate Chain:
- Intermediate: DigiCert Global G2 TLS RSA SHA256 2020 CA1
- Root: DigiCert Global Root G2
ECDSA Certificate Chain:
- Intermediate: DigiCert Global G3 TLS ECC SHA384 2020 CA1
- Root: DigiCert Global Root G3
Complete chain: (end-entity, Intermediate and Root certificates, respectively)
For usg.concursolutions.com
- https://assets.concur.com/concurtraining/cte/en-us/usg-concursolutions-com-chain_RSA.pem
- https://assets.concur.com/concurtraining/cte/en-us/usg-concursolutions-com-chain_ECDSA.pem
For usg.api.concursolutions.com
- https://assets.concur.com/concurtraining/cte/en-us/usg-api-concursolutions-com-chain_RSA.pem
- https://assets.concur.com/concurtraining/cte/en-us/usg-api-concursolutions-com-chain_ECDSA.pem
Additional Note for usg.api.concursolutions.com:
As part of our recent Digicert account migration from Concur to SAP, the organization information associated with usg.api.concursolutions.com certificates has been updated.
From: subject=C=US, ST=Washington, L=Bellevue, O=Concur Technologies, Inc.,
To: subject=C=DE, ST=Baden-Württemberg, L=Walldorf, O=SAP SE
Note: This is an internal administrative change and does not affect certificate validity or functionality.
You can access and test the certificates by following the instructions in Shared Release Notes. Note that the release notes will be updated with the latest changes for usg.api.concursolutions.com in the month of November.
If you’re unsure whether your organization pins certificates, please reach out to your IT department for guidance. You can also review additional details in us Shared Release Notes.
Updated Preview: New Client SSL Certificate for ESS webhook.api.concursolutions.com
Overview
In an effort to ensure the ongoing security of our products and services, on October 22, 2025, ESS will be issuing a new webhook.api.concursolutions.com SSL certificate. We will always use the same client x509 certificate. The common name is C=DE, ST=Baden-Württemberg, L=Walldorf, O=SAP SE, CN=webhook.api.concursolutions.com.
Please note that this year not just the certificate will be reissued, but also the location, country, and organization in the certificate metadata is changing to SAP.
Make sure you visit our Troubleshooting section in the Event Subscription Service v4 documentation.
Deprecation: Locations v3 API
Effective October 10, 2025, the Locations v3 API will be deprecated. This has been replaced by Localities v5. Decommission will follow.
Ongoing
Preview: Public Certificate Root Change
To maintain compliance with evolving security standards and ensure uninterrupted compatibility with Mozilla-based browsers, we are transitioning our digital certificates to the updated DigiCert Global Root G2 and G3 authorities:
-
DigiCert Global Root G2 – for RSA-based certificates
-
DigiCert Global Root G3 – for ECDSA-based certificates
This proactive update follows DigiCert’s announcement regarding Mozilla’s planned deprecation of the DigiCert Global Root CA.
Adopting the new root certificates is critical to avoid potential trust errors or connection issues when accessing our services via Mozilla browsers.
Target Implementation Dates:
| Certificate | Implementation Date |
|---|---|
| *.concurcdc.cn | Oct 2, 2025 |
| *.api.concurcdc.cn | Oct 9, 2025 |
| *.concursolutions.com | Oct 23, 2025 |
| *.api.concursolutions.com | Nov 6, 2025 |
Clients who have not pinned the certificate do not need to take any action as the new certificate will automatically be updated when it becomes available.
RECOMMENDATION – Please Read Carefully
Certificate pinning is not recommended.
While it may add a layer of control, pinning certificates introduces risks. Certificates used by SAP Concur are renewed on a regular basis. Pinned certificates are not updated automatically and may cause service disruptions if not updated before implementation date.
FOR SAP ICS Customers
Please refer to section 2 “Which SSL certificates do I need to have installed” of 2914977 - FAQ: Concur Certificates, Authentication, and Connectivity for detailed instructions.
ACTION REQUIRED
If your systems pin the root or intermediate certificate, you must update your trust store to include the following certificates:
RSA Certificates Download Links
- Intermediate: DigiCert Global G2 TLS RSA SHA256 2020 CA1
- Root: DigiCert Global Root G2
ECDSA Certificates Download Links
- Intermediate: DigiCert Global G3 TLS ECC SHA384 2020 CA1
- Root: DigiCert Global Root G3
Note: Most modern systems now prefer ECDSA for connections, while RSA is still used primarily by legacy systems. To ensure full compatibility, please ensure that your systems trust both ECDSA and RSA certificates.
CERTIFICATE CHAIN LINKS: (consist of end-entity, Intermediate, and Root certificates respectively). If your system is pinning the end-entity certificate, see the links below. Please make sure to open the link in an Incognito or Private browser window to ensure there is no cached data causing outdated or incorrect content to appear.
*.concursolutions.com
https://assets.concur.com/concurtraining/cte/en-us/concursolutions-com-chain_ECDSA.pem
https://assets.concur.com/concurtraining/cte/en-us/concursolutions-com-chain_RSA.pem
*.api.concursolutions.com
https://assets.concur.com/concurtraining/cte/en-us/api-concursolutions-com-chain_ECDSA.pem
https://assets.concur.com/concurtraining/cte/en-us/api-concursolutions-com-chain_RSA.pem
You can test the certificate here.
Previews
In general, this table lists items that will be shipping in the next 30-60 days. For a broader view of features that are coming, please see our Road Map Explorer.
| Date | API | Preview |
|---|---|---|
| 07/2025 | New Attributes for Spend User v4.1 | The Spend User v4.1 API will allow you to access the processorReportAccess field in the User Preference extension and the User extension will allow you to access the following fields: officeLocationCountry, officeLocationStateProvince, officeLocationCity. |
| 07/2025 | Support for IPv6 | The SAP Concur platform will support IPv6 for network communication to and from SAP Concur solutions. This implementation is expected for Q4/2025. Previously, IPv6 was only supported for inbound HTTPS calls, and all other inbound and outbound calls supported only IPv4. |
| 06/2025 | Detokenizer (DTK) v5 API | The FIPS Compliant v5 Credit Card Detokenization API will be set to launch within the CCPS environment for IBCP customers. This compliance-driven initiative aligns with the Federal Information Processor Standards (FIPS) to ensure robust protection of sensitive data, per U.S. federal requirements. |
| 04/2025 | New Fields Added to Financial Integration Services (FIS) v4 API | For customers of the Concur Expense Professional Edition using the Financial Integration Services (FIS) v4 API, additional fields will be included in the Expense report document payload and mileage fields will be added to the payroll document schema. |
| 05/2024 | Retention Period for Credit Card Data Files | For compliance reasons, SAP Concur will be implementing a process wherein card data files received from external sources (Issuing banks, Card associations) will be deleted from systems after 90 days. |
| 01/2024 | Hotel Service v4 | Updates to Hotel Service v4 that will remove existing elements from the |
Deprecations and Decommissions
APIs are being deprecated or decommissioned in accordance with the SAP Concur API Lifecycle & Deprecation Policy.
| Date | API | Details |
|---|---|---|
| 07/2025 | Deprecation of Expense Group Configurations v3 | Effective June 26, 2025, the Expense Group Configurations v3 API was deprecated. This has been replaced by the Expense Configuration v4 API. Decommission will follow. |
| 07/2025 | Deprecation of Expense v3 DELETE | Effective June 26, 2025, Expense v3 DELETE was deprecated. This has been replaced by Expense v4 Delete. Decommission will follow. |
| 07/2025 | Deprecation of Attendees v3 API | Effective July 1, 2025, the Attendees v3 API was deprecated. This has been replaced by Attendees v4. Decommission will follow. |
| 07/2025 | Deprecation of Attendee Types v3 API | Effective July 1, 2025, the Attendee Types v3 API was deprecated. This has been replaced by Attendee Types v4. Decommission will follow. |
| 04/2025 | Deprecation of Attendees v1, v1.1, and v2 | Effective October 9, 2018, we have deprecated the Attendees v1, v1.1, and v2 APIs. Decommission will follow. |
| 03/2024 | Deprecation of Spend User Retrieval 4.0. | The decommission of password provisioning via file import will occur in April 2025. |
| 06/2023 | Deprecation of Launch External URL Callout v1 | The Launch External URL V1 API is deprecated as of June 16th, 2023. Decommission will follow. |
| 01/2023 | Move from the Travel Request External Validation Callout v1 to the Event Subscription Service (ESS) | This callout was designed to work with the Concur Request v1 API that is in the process of being decommissioned. Users are strongly recommended to move to the Event Subscription Services (ESS) in order to subscribe to the Request events. |
| 01/2021 | List v3 API | Effective April 16, 2021, we have deprecated the List v3 API. This API is replaced by the List v4 API. List v3 is planned to be retired in a future release. |
| 01/2021 | List Item v3 API | Effective April 16, 2021, we have deprecated the List Item v3 API. This API is replaced by the List Item v4 API. List Item v3 is planned to be retired in a future release. Please migrate to the List Item v4 API as soon as possible. |