OAuth 2.0 and OIDC

Coupa is deprecating legacy API Keys and requiring the use of OAuth 2.0 / OIDC. Starting with R34, no new API Keys will be issued, and API Keys will no longer be supported with R35.

Sunsetting API Keys & Improving API Security with OIDC/OAuth 2.0.

The foundation of Coupa's cloud-based service is our ability to deliver a secure and scalable service that's available to you anytime, from anywhere. As part of Coupa’s roadmap, Coupa will be deprecating API Keys and requiring all customers with API integrations to transition to OpenID Connect (OIDC) an open authentication protocol that extends OAuth 2.0 for an improved level of security for API integrations with Coupa.


API key sunsetting and transition only affects customer-created API integrations to the Coupa core platform, and does not not affect applications such as Treasury, CSO, Supply Chain Design & Planning, etc.

API keys created by Coupa should not be revoked. These keys will be transitioned separately with no action required from you.


All Coupa Administrators should upgrade their API integrations to authenticate with Coupa using OAuth 2.0 and OIDC Connect Clients as soon as possible. Please see the following timeline for important dates:

  • R29 (Jan 2021) - Open Connect API Access available
  • R32 (Jan 2022) - OIDC is the only available option for new customers
  • R34 (Sept 2022) - New API keys can no longer be issued to existing customers
  • R35 (Jan 2023) - OAuth 2.0 transition deadline. API keys will no longer be supported

 Please contact Coupa Support with any questions.


OpenID Connect Clients

15 December 2021

Use Open Connect to provide additional security that's beyond traditional API keys.

Set Up Okta User Provisioning with OAuth 2.0

Configure the OIDC client for Okta User Provisioning.