Skip to main content



Coupa Success Portal

Security Considerations

API Integration


For overall security and SSL encryption, Coupa supports secure HTTP using TLS 1.1 and above.


To make the REST API calls secure, Coupa provides unique API key, and a valid key is mandatory to make any Coupa APIs.


All Coupa REST API Requests are authenticated by a unique API key, generated in Coupa. All API requests must pass an “X-COUPA-API-KEY” header with an API key.  A key can be created from the “API Keys” section of the Administration tab by an admin user. The key is a 40 character long hex code. Any changes to resources via the API will be attributed to the key used.

API key should be handled as a sensitive information, and must be shared securely. The key should be provided only to the authorized persons (who will be making calls or system owner of the caller program).

Keys may be re-generated by Coupa Admin as per the customer’s security policy. 

As part of R15 release following features would be available:

  • API keys now can be configured to have an expiry date. Configuring an API key with an expiry date is optional and if the administrator does not specify an expiry date then the key never expires. If an expiry date is specified, the API key expires at the end of the day (midnight UTC).
  • API keys can now be configured to provide permission to API access and management. This gives administrators the ability to restrict access and utilization of any and all Coupa APIs from a single API key.

sFTP Integration


Coupa primarily exchanges files with customers via the SFTP protocol.  We support both username/password or SSH key authentication (Talk to your Coupa contact for getting the SFTP credentials).  SFTP is preferable to FTP as both the control and data channels are encrypted.

As part of R15 release Coupa would support PGP encryption of the files exchanged through SFTP. 

Coupa supports RSA 2048 bit key for SSH authentication.

Whitelisting the IPs

Coupa provides the following list of IP addresses and recommends customers to whitelist them to ensure secure connection between networks. To ensure a secure connection, Coupa provides a complete list of our public IP addresses. With the exceptions listed on the pages linked below, Coupa has registered all IP addresses and ranges with Amazon Web Services (AWS). Coupa's newer IP addresses and ranges are registered with American Registry for Internet Numbers (ARIN). While it is highly recommended to whitelist our entire IP ranges, you can choose to only whitelist a subset of our IP ranges. If you must do this, review the following information on the links listed below to avoid any unintended service disruptions.

SFTP folder structure

Once you login using the sftp account credentials, would see following Coupa standard folder structure. Use only those folders which are applicable (as mentioned in each scenarios)







File storage policies

Coupa SFTP should be used for exchanging files, and not for storing or archiving the files. All outbound files from Coupa will be placed under the respective outbound folders, and customer system should pick up the file, process it and delete the file from Coupa sftp. Partners may archive the file on partner system.

For inbound files to Coupa, files are picked up and start processing within couple of minutes, once successfully picked up, files are archived under ‘/Archive/Incoming’. Archive files are moved to AWS backup after 2 weeks timeframe. 

Files are still available to download from ‘File Status’ page of Coupa. 

  • Was this article helpful?