# SAP Concur
SAP Concur (opens new window) is a cloud-based travel and expense management platform that helps businesses manage travel bookings, expense reporting, and invoice processing.
# API version
The SAP Concur connector uses the following SAP Concur APIs:
- Expense Group Configurations v3 (opens new window)
- Expenses v4 (opens new window)
- Identity v4 (opens new window)
- Image v1.0 (opens new window) and Image v3 (opens new window)
- Invoice v3 (opens new window)
- List v4 (opens new window)
- List Item v4 (opens new window)
- Payment Batches v1.1 (opens new window)
- Reports v3 (opens new window) and Reports v4 (opens new window)
- Submit v1.1 (opens new window)
- Travel Extension v4 (opens new window)
- User Provisioning v4 (opens new window)
- Vendor v3.1 (opens new window)
Refer to the Scopes section for details on how these APIs relate to specific triggers and actions.
# Prerequisites
You must obtain credentials from your SAP Concur instance before connecting to SAP Concur in Workato. The SAP Concur connector supports OAuth 2.0 authentication with the following grant types:
- Refresh token grant: Recommended for production instances
- Password grant: Recommended for sandbox instances
- Create an OAuth 2.0 application - Required for all authentication methods
- Generate a company request token - Required for refresh token grant authentication only
- Obtain a refresh token - Required for refresh token grant authentication only
# Create an OAuth 2.0 application
Complete the following steps to create an OAuth 2.0 application in your SAP Concur instance:
Sign in to your SAP Concur instance with administrator credentials.
Go to Administration > Company > Authentication Admin.
Select OAuth 2.0 Application Management from the menu.
Click Create new app.
Complete the basic application configuration fields:
- App Name: Enter a descriptive name for your application (for example,
Workato Integration). - App Description: Enter a description for your application.
- App Stage: Select your environment (Development, Test, or Production).
- Application Type: Select your application type (Web Services (WS) Client or Integration with Concur Solutions (ICS) Client).
- Allowed Grants: Select
passwordandrefresh_token.
Configure the allowed scopes for your integration. At minimum, include EXPRPT. Refer to the Scopes section to identify any additional scopes required by the triggers and actions you plan to use.
Alternatively, you can click Enter Manually and copy and paste the following scopes to enable full connector functionality:
CONFIG
expense.report.read
EXPRPT
identity.user.core.read
identity.user.coreenterprise.writeonly
identity.user.coresensitive.read
identity.user.enterprise.read
identity.user.externalID.writeonly
identity.user.ids.read
identity.user.sap.read
IMAGE
INVPMT
INVVEN
spend.list.read
spend.listitem.delete
spend.listitem.write
spend.user.general.read
spend.user.general.writeonly
travel.user.general.read
travel.user.private.read
user.provision.read
user.provision.write
Click Submit.
Record your Client ID and Client Secret in a secure location. These values are required to establish the connection in Workato.
SAVE YOUR CREDENTIALS
The client secret is only displayed once. If you lose it, you must regenerate it or create a new application.
You have everything required to connect to SAP Concur with password grant authentication. For refresh token grant authentication, continue with the following steps.
# Generate a company request token
Complete the following steps to generate a company request token:
In the SAP Concur admin panel, go to Administration > Company > Authentication Admin.
Select Company Request Token from the menu.
Enter your App ID (Client ID) from the OAuth application you created in the previous section.
Click Submit.
Record the following information displayed in the success dialog:
- Company UUID: Your company's unique identifier.
- Company Request Token: A temporary token that expires in 24 hours.
TOKEN EXPIRATION
The company request token expires after 24 hours. If you don't complete the next steps within 24 hours, you must regenerate the token.
Click OK to close the dialog.
# Obtain a refresh token
Complete the following steps to obtain a refresh token using your Company Request Token:
Open an API client of your choice, such as Postman or cURL.
Create a POST request to the SAP Concur OAuth2 token resource using the endpoint that matches your SAP Concur environment:
- Production:
https://us.api.concursolutions.com/oauth2/v0/token - Implementation (Test):
https://us-impl.api.concursolutions.com/oauth2/v0/token
Configure the request body with the following parameters (use x-www-form-urlencoded format):
- client_id: Your Client ID from the OAuth application
- client_secret: Your Client Secret from the OAuth application
- username: Your Company UUID from the Company Request Token step
- password: Your Company Request Token from the Company Request Token step
- grant_type:
password - credtype:
authtoken
Example Postman configuration:
Postman configuration
Send the request.
Record the refresh_token value in a secure location. This value is required to establish the SAP Concur connection in Workato.
# How to connect to SAP Concur
The SAP Concur connector supports OAuth 2.0 authentication. It uses the refresh token grant flow for production instances and password grant for sandbox instances. Refer to the SAP Concur API Authentication documentation (opens new window) for more information.
REQUIRED SCOPE
You must add the EXPRPT scope when connecting to SAP Concur. SAP Concur returns a Forbidden Request error without this scope.
# Refresh token grant
Use this authentication method for production instances. Contact your Concur account manager to receive refresh token credentials.
Complete the following steps to connect to SAP Concur using refresh token grant authentication:
Click Create > Connection.
Search for and select SAP Concur on the New connection page.
Enter a name for your connection in the Connection name field. Give this connection a unique name that identifies which SAP Concur instance it's connected to.
Connect to SAP Concur
Use the first Location drop-down menu to select the project or folder to store your connection.
Use the Implementation instance drop-down menu to select whether you're connecting to a Concur implementation server. Select Yes if connecting to an implementation server. Defaults to No for existing connections.
Use the Authentication type drop-down menu to select Refresh token grant.
Use the second Location drop-down menu to select the location of your Concur implementation server.
Enter the client ID from your application in the Client ID field.
Enter the client secret from your application in the Client secret field.
Enter the refresh token from your application in the Refresh token field.
Click Connect.
# Password grant
Use this authentication method for sandbox instances.
Complete the following steps to connect to SAP Concur using password grant authentication:
Click Create > Connection.
Search for and select SAP Concur on the New connection page.
Enter a name for your connection in the Connection name field. Give this connection a unique name that identifies which SAP Concur instance it's connected to.
Connect to SAP Concur
Use the first Location drop-down menu to select the project or folder to store your connection.
Use the Implementation instance drop-down menu to select whether you're connecting to a Concur implementation server. Select Yes if connecting to an implementation server. Defaults to No for existing connections.
Use the Authentication type drop-down menu to select Password grant.
Enter your SAP Concur Username.
Enter your SAP Concur Password.
Use the second Location drop-down menu to select the location of your Concur implementation server.
Enter the Client ID from your application.
Enter the Client secret from your application.
Click Connect.
# Scopes
The credentials you use to set up the SAP Concur connection must have access to certain scopes depending on the triggers and actions you plan to use.
REQUIRED SCOPE
The EXPRPT scope is required for connection setup.
Each trigger and action in the connector uses a specific API version due to SAP Concur's granular versioning approach.
The following table lists:
- The scopes required for each trigger and action
- The API name and version associated with each trigger and action
Refer to the SAP Concur API Reference (opens new window) documentation for more information.
| Name | Scopes | API group | API name and version |
|---|---|---|---|
| New expense report trigger | EXPRPT | Expense | Reports v3 |
| New expense report submission trigger | EXPRPT | Expense | Reports v3 |
| New or updated expense report trigger | EXPRPT | Expense | Reports v3 |
| New or updated invoice trigger | INVPMT | Invoice | Invoice v3 |
| New or updated user trigger | identity.user.ids.read, identity.user.core.read, identity.user.coresensitive.read, identity.user.enterprise.read, identity.user.sap.read | User | Identity v4 |
| Create list item action | spend.listitem.write, LIST | Common | List Item v4 |
| Create user action | user.provision.write, identity.user.coreenterprise.writeonly, identity.user.externalID.writeonly, spend.user.general.writeonly | User | User Provisioning v4 |
| Create users action (batch) | user.provision.write, identity.user.coreenterprise.writeonly, identity.user.externalID.writeonly, spend.user.general.writeonly | User | User Provisioning v4 |
| Create vendors action (batch) | INVVEN | Invoice | Vendor v3.1 |
| Delete list item action | spend.listitem.delete | Common | List Item v4 |
| Get all attendee types action (batch) | CONFIG | Expense | Expense Group Configurations v3 |
| Get all expense group configurations action (batch) | CONFIG | Expense | Expense Group Configurations v3 |
| Get all expense types action (batch) | CONFIG | Expense | Expense Group Configurations v3 |
| Get all list item action (batch) | spend.list.read | Common | List Item v4 |
| Get all lists action | spend.list.read | Common | List v4 |
| Get all payment types action (batch) | CONFIG | Expense | Expense Group Configurations v3 |
| Get expense report details action | expense.report.read | Expense | Reports v4 |
| Get invoice details action | INVPMT | Invoice | Invoice v3 |
| Get itemizations of specific expense action | expense.report.read | Expense | Expenses v4 |
| Get user action | travel.user.general.read, travel.user.private.read, spend.user.general.read, user.provision.read | User | Travel Extension v4, User Provisioning v4 |
| Get user provisioning status details action | user.provision.read | User | User Provisioning v4 |
| Retrieve children of list item action | spend.listitem.read | Common | List Item v4 |
| Search expense reports action (batch) | EXPRPT | Expense | Reports v3 |
| Search users action (batch) | identity.user.ids.read, identity.user.core.read, identity.user.coresensitive.read, identity.user.enterprise.read, identity.user.sap.read | User | Identity v4 |
| Search vendors action (batch) | INVVEN | Invoice | Vendor v3.1 |
| Submit an expense report through a workflow action | EXPRPT | Expense | Submit v1.1 |
| Update user action | user.provision.write, identity.user.coreenterprise.writeonly, identity.user.externalID.writeonly, spend.user.general.writeonly | User | User Provisioning v4 |
| Update user action (batch) | user.provision.write, identity.user.coreenterprise.writeonly, identity.user.externalID.writeonly, spend.user.general.writeonly | User | User Provisioning v4 |
| Update vendors action (batch) | INVVEN | Invoice | Vendor v3.1 |
| Upload receipt image action | IMAGE | Receipt Image | Image v3 |
| Get entry image URL action | IMAGE | Receipt Image | Image v1.0 |
| Get expense report details action (deprecated) | expense.report.read | Expense | Expenses v4 |
| Get payment batch list action (deprecated) | PAYBAT | Expense | Payment Batches v1.1 |
Last updated: 11/11/2025, 4:47:02 PM