SAP Concur OAuth 2.0 Integration
| title | description | updated_date |
|---|---|---|
| SAP Concur OAuth 2.0 Integration | | 2025-10-24T16:45:21Z |
What we need
- Client ID (a.k.a. App ID)
- Client Secret
- Geolocation / Base URI (e.g., https://us.api.concursolutions.com)
- Admin access to Authentication Administration in SAP Concur (Web Services Administrator role)
- Company UUID and a Company Request Token (temporary, 24 hours)
This guide walks enterprise admins through setting up OAuth 2.0 so an application can retrieve data from SAP Concur using the API. SAP Concur follows the OAuth 2.0 framework and uses short-lived access tokens with refresh tokens.
At a glance
- You must register an application to receive a Client ID/Secret. You can do this via SAP Concur Support or the OAuth 2.0 Application Management self-service tool.
- For company-wide integrations, use the Company Request Token Self-Service to generate a Company Request Token (valid 24 hours) and view the Company UUID.
Prerequisites
- Admin access to SAP Concur with the Web Services Administrator role to see Authentication Administration → OAuth 2.0 Application Management and Company Request Token tools. If you don’t see them, ask SAP Concur to enable them. (SAP Concur Developer Center API Release Notes)
- Know your geolocation (region), because token requests are sent to https://<region>.api.concursolutions.com/oauth2/v0/token.
Obtaining OAuth 2.0 Credentials
You can register the application in one of two ways:
Contact SAP Concur Support / Implementation team: ask them to create an OAuth 2.0 application and provide the Client ID and Client Secret (and confirm the scopes).
Use the OAuth 2.0 Application Management tool (self-service)
- In Concur: Administration → Company → Authentication Admin → OAuth 2.0 Application Management
- Click Create New App, then capture the Client ID and Client Secret. (Tool appears to admins with the Web Services Admin role when enabled.) (OAuth 2.0 Application Management Tool)
If you don’t have access to the tools, request enablement from Client Web Services.
Understanding OAuth 2.0 Scopes
Scopes define what your app can do (e.g., read expenses, read users). Request only the scopes you need for the target APIs; one scope may grant access to more than one API or endpoint.
Scopes needed:
- attendee.admin.read
- attendee.read
- budgetitem.read
- cards.bulkrequest.read
- company.read
- events.topic.read
- expense.config.attendeetypes.restricted.read
- expense.config.groups.restricted.read
- expense.config.policies.restricted.read
- expense.config.expensetypes.restricted.read
- expense.config.paymenttypes.restricted.read
- expense.report.read
- fiscalcalendar.read
- identity.user.core.read
- identity.user.coresensitive.read
- identity.user.enterprise.read
- identity.user.ids.read
- identity.user.sap.read
- invoice.paymentconfirmation.read
- locality.read
- locate.location.read
- purchaserequest.read
- receipts.read
- spenddocs.receipts.compliance.read
- spenddocs.receipts.read
- spend.list.read
- spend.listitem.read
- spend.user.general.read
- travelallowance.allowancedays.read
- travelallowance.configuration.read
- travelallowance.itinerary.read
- travelallowance.itineraryresult.read
- travel.itinerary.read
- travel.receipts.read
- travel.user.general.read
- travel.user.private.read
- user.read
- user.provision.read
Generate the Company Request Token (and capture the Company UUID)
- In Concur, go to Administration → Company → Authentication Admin → Company Request Token.
- Enter your App ID (Client ID) and click Submit.
- Copy the displayed Company UUID and Company Request Token; the token is valid for 24 hours. (Company Request Token Self-Service Tool)
Implementing OAuth 2.0 (Company-Level — Password Grant)
Currently, the Password grant is the only OAuth 2.0 flow available for company-level tokens in SAP Concur. For this flow, set username = Company UUID and password = Company Request Token (24h).
1) Authorization (token) request
HTTP POST to your region’s token endpoint:
POST /oauth2/v0/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: us.api.concursolutions.com
Connection: close
Content-Length: 437
POST BODY
client_id=your-client_id
&client_secret=your-client_secret
&grant_type=password
&username=company-uuid
&password=company-request-token
&credtype=authtoken
(username is the Company UUID and password is the Company Request Token; credtype=authtoken tells the token endpoint that the password is a Company Request Token rather than a user password, per SAP Concur’s OAuth 2.0 documentation.)
Response example
HTTP/1.1 200 OK
Content-Type: application/json
Date: date-requested
Content-Length: 3397
Connection: Close
{
"expires_in": "3600",
"scope": "app-scopes",
"token_type": "Bearer",
"access_token": "access_token",
"refresh_token": "refresh_token",
"id_token": "oidc_token",
"geolocation": "https://us.api.concursolutions.com"
}
- Access tokens typically last ~1 hour; you’ll also receive a refresh token you can store and reuse.
Notes
- The Company Request Token is temporary (24h). Regenerate it if it expires before you obtain the first access/refresh token pair.
2) Use the access token
Include the bearer token in API calls to the same region host:
curl -H "Accept: application/json" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
https://us.api.concursolutions.com/expensereports/v4/... # example Expense v4 endpoint
3) Refresh the access token (no user action required)
When the access token expires, exchange the refresh token for a new access token.
HTTP POST example:
POST /oauth2/v0/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: us.api.concursolutions.com
Connection: close
Content-Length: 437
POST BODY
client_id=your-client_id
&client_secret=your-client_secret
&grant_type=refresh_token
&refresh_token=valid-refresh_token
&scope=app-scope
Response example:
HTTP/1.1 200 OK
Content-Type: application/json
Date: date-requested
Content-Length: 3397
Connection: Close
{
"expires_in": "3600",
"scope": "app-scopes",
"token_type": "Bearer",
"access_token": "access_token",
"refresh_token": "refresh_token",
"id_token": "oidc_token",
"geolocation": "https://us.api.concursolutions.com"
}
Access tokens last about 1 hour; refresh tokens are typically valid for 6 months per Concur’s OAuth 2.0 implementation guidance. After every refresh, store the returned geolocation and refresh token, since either may have changed, and use the most recently received values on subsequent calls.
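The three steps above as one small client, an added example that is not SAP Concur’s code and is not from this page: it bootstraps with the password grant (username = Company UUID, password = Company Request Token), refreshes shortly before the hour is up, and re-reads geolocation and refresh_token from every reply. The real transport uses urllib; fake_transport is a constructed stand-in so the block runs offline, and the credtype=authtoken parameter is taken from SAP Concur’s OAuth 2.0 documentation, not from this page.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

def http_post_form(url, form):  # real transport: form-encoded POST, parsed JSON reply
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    with urlopen(Request(url, data=urlencode(form).encode(), headers=headers), timeout=30) as resp:
        return json.load(resp)

class ConcurTokenClient:  # company-level lifecycle: password grant, bearer use, refresh
    def __init__(self, client_id, client_secret, geolocation, transport=http_post_form):
        self.client_id, self.client_secret = client_id, client_secret
        self.geolocation = geolocation.rstrip("/")  # region host from the "What we need" list
        self.access_token, self.refresh_token, self.expires_at = None, None, 0.0
        self._post = transport  # injectable so the offline demo below needs no network

    def _token_request(self, grant):
        form = {"client_id": self.client_id, "client_secret": self.client_secret, **grant}
        body = self._post(f"{self.geolocation}/oauth2/v0/token", form)
        self.access_token = body["access_token"]
        self.refresh_token = body["refresh_token"]  # may rotate: always keep the latest one
        self.expires_at = time.time() + int(body["expires_in"]) - 60  # renew a minute early
        self.geolocation = body.get("geolocation", self.geolocation).rstrip("/")  # may move
        return body

    def bootstrap(self, company_uuid, company_request_token):
        # Password grant: username = Company UUID, password = 24h Company Request Token.
        # credtype=authtoken marks the password as a request token (Concur docs; not on this page).
        return self._token_request({"grant_type": "password", "username": company_uuid,
                                    "password": company_request_token, "credtype": "authtoken"})

    def refresh(self):
        return self._token_request({"grant_type": "refresh_token",
                                    "refresh_token": self.refresh_token})

    def auth_header(self):  # bearer header for API calls; refreshes when the hour is nearly up
        if time.time() >= self.expires_at:
            self.refresh()
        return {"Authorization": f"Bearer {self.access_token}"}

def fake_transport(log):
    # Constructed offline stand-in for the token endpoint; a refresh reply moves the tenant's region.
    def post(url, form):
        log.append((url, dict(form)))
        n, refreshing = len(log), form["grant_type"] == "refresh_token"
        return {"expires_in": "3600", "token_type": "Bearer", "access_token": f"at-{n}",
                "refresh_token": f"rt-{n}", "geolocation": "https://emea.api.concursolutions.com"
                if refreshing else "https://us.api.concursolutions.com"}
    return post
```

Call bootstrap() once within the 24-hour window of the Company Request Token, then persist refresh_token and geolocation; auth_header() takes care of renewal from there.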
Troubleshooting
- Don’t see the self-service tools? Ask Client Web Services or SAP Concur Support to enable OAuth 2.0 Application Management and Company Request Token Self-Service for your tenant; ensure your admin has the Web Services Admin role.
- Company Request Token expired: Regenerate it from the Company Request Token page and retry the Password grant.
- Review the HTTP Status Codes