Coupa requires API keys for users to authenticate and securely send API requests to your Coupa instance. Each API key is unique.
What We Were Thinking
We wanted to improve the security provided by our API keys. We have done this in the following ways:
- API keys can now be configured with an expiry date. Setting an expiry date is optional; if the administrator does not specify one, the key never expires. If an expiry date is specified, the API key expires at the end of the day (midnight UTC).
- API keys can now be configured with fine-grained access control, by Coupa object and by action.
How It Works
There are many ways that API keys could be used. For example:
- Administrators could create an API key for each supplier, business unit, or third-party system that connects to Coupa using APIs
- Administrators could create API keys based on specific sets of permissions
Create or edit an API key
Go to Setup > Company Setup > API Keys.
Specify the following:
| Setting | Details |
| --- | --- |
| Name | Provide a meaningful name for the API key. |
| Description | Provide a meaningful description for the API key. |
| Contact First Name | When an API key is used (example: to make an API call), the First Name and Last Name appear on the Integration History of that object. |
| Contact Last Name | When an API key is used (example: to make an API call), the First Name and Last Name appear on the Integration History of that object. |
| Contact Login | This is a mandatory field and it must be unique, but this login information will not be visible in the Coupa UI. |
| Contact Email | This is a mandatory field and it must be unique. This is the email address that Coupa sends a notification to when the API key is going to expire. |
| Expiry Date | The date when the API key expires. The API key expires at midnight UTC on the expiry date. |
| Enable Permissions | Enabling permissions gives the administrator exacting control over each API in Coupa. Leaving this unselected grants use of all Coupa APIs, so it is probably better to leave it unselected only when connecting to systems in your infrastructure. None of the SIM or Supplier Risk APIs are enabled by default if you deselect this setting. If you need to enable any of these, you must select Enable Permissions and then explicitly select the permissions you want to grant. |
| Revoke API Key | This is only available when editing API keys. Revokes the access and permissions to APIs that the API key grants. Revoke access to a key when you feel the key has been compromised or if someone is abusing an API. |
| Regenerate API Key | This is only available when editing API keys. Regenerates the API key. |
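The following audit sketch is an added example, not Coupa code. It reviews a key inventory for the settings described above: missing expiry dates, permissions left unselected, and keys near or past expiry. The CSV column names and sample rows are constructed, and the expiry calculation assumes the key stays valid through the expiry date and stops working at the midnight UTC that ends it.

```python
import csv
import io
from datetime import date, datetime, time, timedelta, timezone

# Constructed inventory; the column names are hypothetical, not a Coupa export format.
SAMPLE_INVENTORY = """name,expiry_date,enable_permissions
erp-integration,,false
supplier-acme,2024-06-30,true
bi-reporting,2024-06-12,true
legacy-vendor,2024-05-31,false
"""

def expiry_instant(expiry: date) -> datetime:
    """Assumption: the key dies at the midnight UTC that ends the expiry date."""
    return datetime.combine(expiry + timedelta(days=1), time.min, tzinfo=timezone.utc)

def audit_keys(csv_text: str, now: datetime, warn_days: int = 14) -> dict:
    """Return {key name: [findings]} for keys that need attention."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if row["enable_permissions"].strip().lower() != "true":
            issues.append("permissions not enabled: no per-object/action restriction")
        raw = row["expiry_date"].strip()
        if not raw:
            issues.append("no expiry date: key never expires")
        else:
            # Aware datetimes compare correctly across time zones.
            remaining = expiry_instant(date.fromisoformat(raw)) - now
            if remaining <= timedelta(0):
                issues.append("expired")
            elif remaining <= timedelta(days=warn_days):
                issues.append(f"expires in {remaining.days}d {remaining.seconds // 3600}h")
        if issues:
            findings[row["name"]] = issues
    return findings

if __name__ == "__main__":
    # 30 June 2024 17:30 at UTC-7 is already 1 July 00:30 UTC.
    local_now = datetime(2024, 6, 30, 17, 30, tzinfo=timezone(timedelta(hours=-7)))
    for name, issues in audit_keys(SAMPLE_INVENTORY, local_now).items():
        print(f"{name}: {'; '.join(issues)}")
```

Because expiry is pinned to UTC, a key can stop working during the local business day on its expiry date in time zones behind UTC, which is the case the `__main__` run shows.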