API Key Deprecation FAQ

Note:

API key sunsetting and transition only affects customer-created API integrations to the Coupa core platform, and does not affect applications such as Treasury, CSO, Supply Chain Design & Planning, etc.

API keys created by Coupa should not be revoked. These keys will be transitioned separately with no action required from you.

What’s happening?

With so much data flowing through API interfaces, API security is a top priority for Coupa and our customers. With Release 29, we introduced Open Connect API Access to improve the level of security for integrations with the Coupa platform, and by Release 35, we will deprecate legacy API Keys and require the use of OAuth 2.0 for all customer integrations.

Why is this change being made?

Security is a top priority for Coupa, and we continuously employ the latest industry standards and best practices. Coupa is sunsetting API Keys and moving to OAuth 2.0 and OpenID Connect to provide a higher level of API integration security. Using OAuth 2.0, applications can securely access resources from a server without storing credentials. Instead of static keys, integrations use temporary tokens that refresh on a consistent timeline to ensure security.

What’s the timeline for sunsetting API Keys and migrating to OAuth 2.0?

All Coupa Administrators should transition their API integrations to authenticate with Coupa using OAuth2 as soon as possible. Please see the following timeline for important dates:

  • R29 (Jan 2021) - OAuth API Access available

  • R32 (Jan 2022) - OAuth is the only available option for new customers

  • R34 (Sept 2022) - New API keys can no longer be issued to existing customers

  • R35 (Jan 2023) - Transition deadline. API keys will no longer be supported

Is the transition from API Keys to OAuth / OIDC required?

Transitioning your API integrations to OAuth 2.0 / OIDC is required. It is needed to assure the security of applications and must be completed by Release 35. Coupa will no longer issue new API Keys beginning with Release 34 (Sept 2022), and will end support for API keys at Release 35 (Jan 2023).

What actions are required to transition API integrations to OAuth2 / OIDC?

In brief, the transition from API Keys to OAuth2 includes the following steps:

  1. OAuth Client creation (similar to the current API key creation)

  2. OAuth Scope assignment (similar to the current API permission assignment)

  3. Credentials test (connectivity test using an http client like Postman)

  4. Build Middleware script/flow for token creation and refresh every 20 hours.

  5. Update Integrations to use new token generated by script created in step #4 (if needed)

  6. Test new integration (token generator script)

  7. Test existing master data/transactional integrations using OAuth.

  8. Plan move to Production

  9. MTP and Hypercare

  10. Disable the API Keys for each integration that has been transitioned to OAuth2. This is an important security step and will signal to Coupa that the transition to OAuth is complete.

Note:

Coupa has prepared an OAuth 2.0 Transition Guide to provide more detailed guidance and instruction.
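One way to build the step 4 token middleware, as an added example that is not Coupa's code. It assumes the OAuth 2.0 client-credentials grant, a token endpoint URL taken from your own instance's OAuth client settings, and a token response that carries `expires_in`; `request_token`, `TokenCache`, and the 60-second and 5-minute values are hypothetical.

```python
import base64, json, threading, time, urllib.parse, urllib.request

REFRESH_AFTER = 20 * 3600  # step 4: renew the token every 20 hours
EXPIRY_MARGIN = 60         # assumption: stop trusting a token 60 s before expiry
RETRY_AFTER = 300          # assumption: wait 5 min between failed renewals

def request_token(token_url, client_id, client_secret, scopes):
    """Generic RFC 6749 client-credentials request (grant and endpoint are assumptions)."""
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": " ".join(scopes)}).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(token_url, data=body, headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

class TokenCache:
    """Keeps one access token in memory and renews it on the 20-hour schedule."""

    def __init__(self, fetch, clock=time.monotonic):
        self._fetch, self._clock = fetch, clock
        self._lock = threading.Lock()  # one renewal at a time across threads
        self._token = None
        self._refresh_at = self._expires_at = 0.0

    def get(self):
        with self._lock:
            now = self._clock()
            if self._token is not None and now < self._refresh_at:
                return self._token
            try:
                reply = self._fetch()
                lifetime = float(reply.get("expires_in", REFRESH_AFTER)) - EXPIRY_MARGIN
                token = reply["access_token"]
            except Exception:
                # Renewal failed: reuse the old token only while it is still valid.
                if self._token is None or now >= self._expires_at:
                    raise
                self._refresh_at = min(now + RETRY_AFTER, self._expires_at)
                return self._token
            self._token = token
            self._expires_at = now + lifetime
            self._refresh_at = now + min(REFRESH_AFTER, lifetime)
            return self._token

# Usage (all four arguments are placeholders for your own values):
# cache = TokenCache(lambda: request_token(TOKEN_URL, CLIENT_ID, CLIENT_SECRET, SCOPES))
# Each integration call then sends cache.get() as an "Authorization: Bearer" header.
```

Load the client secret from a secret store at run time, and keep the token in memory rather than writing it to disk or logs.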

Is there any impact or actions needed to ensure the SFTP Loader continues to work?

No change or action is required for Coupa customers related to transitioning authentication for the SFTP loader. The internal keys used as part of the SFTP authentication are being transitioned to OAuth by Coupa.

Is there any impact on the Mobile App?

Internal API keys used for the Mobile product have already been transitioned to OAuth. No action is required on the customer side to transition.

Does this impact my Coupa-Netsuite Bundle?

Coupa customers will need to upgrade to the latest version of the Netsuite SuiteScript bundle, 7.1 or above. This bundle has OAuth 2.0 capability built in. Once configured, API integrations will access data via OAuth 2.0.

What additional information is available?

Coupa Webinars

Success Portal Documentation & Supporting Information

General OpenID Connect Information

Where can I post any questions (customer)?

Please post questions in the OIDC / OAuth discussion in the Coupa online Community. For detailed technical questions, your organization’s Designated Support Contact can open a ticket with Coupa Support via the support portal.