API Key Security
Improved API key security with API key expiration and administrator-specified permissions for APIs.
Coupa requires API keys for users to authenticate and securely send API requests to your Coupa instance. Each API key is unique.
API Keys Deprecation
R32 - OAuth2.0 is the only available option for new customers
R34 - new API keys can no longer be issued to existing customers
R35 - API keys will no longer be supported
What We Were Thinking
We wanted to improve the security provided by our API keys. We have done this in the following ways:
- API keys can now be configured with an expiry date. Setting an expiry date is optional; if the administrator does not specify one, the key never expires. If an expiry date is specified, the API key expires at the end of the day (midnight UTC).
- API keys can now be configured with fine-grained access control, by Coupa object and by action.
How It Works
There are many ways that API keys could be used. For example:
- Administrators could create an API key for each supplier, business unit, or third party system that connects to Coupa using APIs
- Administrators could create API keys based on specific sets of permissions
Create an API key
If you want to create an API key, go to Setup > Integrations > API Keys and click the Create button. Provide the details below. When you're done, be sure to copy or write down (safer) the API key. Once you save the key, you won't have access to it again, and if you lose it, you'll have to generate a new one by editing the existing key details.
|Name||Provide a meaningful name for the API key.|
|Description||Provide a meaningful description for the API key.|
|Contact First Name||When an API key is used (example: to make an API call), the First Name and Last Name appear on the Integration History of that object.|
|Contact Last Name||When an API key is used (example: to make an API call), the First Name and Last Name appear on the Integration History of that object.|
|Contact Login||This is a mandatory field and it must be unique, but this login information will not be visible in the Coupa UI.|
|Contact Email||This is a mandatory field and it must be unique. This is the email address that Coupa sends a notification to when the API key is going to expire.|
|Expiry Date||The date when the API key expires. The API key expires at midnight UTC on the expiry date.|
|Enable Permissions||Enabling permissions gives the administrator exacting control over each API in Coupa. Leaving this unselected grants access to all Coupa APIs, so it is probably better to leave it unselected only when connecting to systems in your own infrastructure. None of the SIM or Supplier Risk APIs are enabled by default if you deselect this setting. If you need to enable any of these, you must select Enable Permissions and then explicitly select the permissions you want to grant.|
|Revoke API Key||This is only available when editing API keys. Revokes the access and permissions to APIs that the API key grants. Revoke access to a key when you feel the key has been compromised or if someone is abusing an API.|
|Regenerate API Key||This is only available when editing API keys. Regenerates the API key.|
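
The following is an added example, not Coupa code, that audits a key inventory against the expiry and Enable Permissions settings described above. The record fields and sample keys are constructed, and it assumes that "end of the day (midnight UTC)" means 00:00 UTC following the expiry date.

```python
from datetime import date, datetime, time, timedelta, timezone

# Constructed inventory, e.g. transcribed by hand from Setup > Integrations > API Keys.
# Field names are hypothetical; this is not a Coupa export format.
KEYS = [
    {"name": "erp-sync", "expiry_date": None, "permissions_enabled": False},
    {"name": "supplier-acme", "expiry_date": date(2024, 3, 10), "permissions_enabled": True},
    {"name": "bi-reporting", "expiry_date": date(2024, 3, 1), "permissions_enabled": True},
    {"name": "legacy-portal", "expiry_date": date(2024, 6, 30), "permissions_enabled": False},
    {"name": "hr-feed", "expiry_date": date(2024, 12, 31), "permissions_enabled": True},
]

def expiry_instant(expiry_date):
    """Return the UTC instant at which a key stops working, or None if it never expires.

    Assumption: the key stays valid through the whole expiry date and lapses
    at 00:00 UTC on the following day.
    """
    if expiry_date is None:
        return None
    return datetime.combine(expiry_date + timedelta(days=1), time.min, tzinfo=timezone.utc)

def audit_key(key, now, warn_days=14):
    """Return a list of findings for one key record."""
    findings = []
    expires = expiry_instant(key["expiry_date"])
    if expires is None:
        findings.append("never-expires")      # no expiry date configured
    elif expires <= now:
        findings.append("expired")
    elif expires - now <= timedelta(days=warn_days):
        findings.append("expiring-soon")      # rotate before integrations break
    if not key["permissions_enabled"]:
        findings.append("all-apis")           # Enable Permissions left unselected
    return findings

def audit(keys, now, warn_days=14):
    """Map key name -> findings, omitting keys with nothing to report."""
    report = {k["name"]: audit_key(k, now, warn_days) for k in keys}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit(KEYS, datetime.now(timezone.utc)).items():
        print(f"{name}: {', '.join(findings)}")
```

Pass a timezone-aware `now`; comparing in UTC avoids treating a key as valid or expired based on the auditor's local date.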