API key sunsetting and transition only affects customer integrations with the Coupa core platform; it does not affect applications such as Treasury, CSO, Supply Chain Design & Planning, etc.
With so much data flowing through API interfaces, API security is a top priority for Coupa and our customers. With Release 29, we introduced OAuth 2.0 / OpenID Connect API access to raise the level of security for integrations with the Coupa platform, and by Release 35 we will deprecate legacy API Keys and require OAuth 2.0 for all customer integrations.
Why is this change being made?
Security is a top priority for Coupa, and we continuously employ the latest industry standards and best practices. Coupa is sunsetting API Keys and moving to OAuth 2.0 and OpenID Connect to provide a higher level of API integration security. With OAuth 2.0, an integration uses its client credentials only to obtain an access token from Coupa, and presents that token, not a static key, on each API call. Access tokens are short-lived and re-issued on a fixed schedule, so a token that leaks is useful to an attacker only until it expires, and each OAuth client is limited to the scopes assigned to it rather than the full permissions of a user account.
What’s the timeline for sunsetting API Keys and migrating to OAuth 2.0?
All Coupa Administrators should transition their API integrations to authenticate with Coupa using OAuth2 as soon as possible. Please see the following timeline for important dates:
- R29 (Jan 2021) - OAuth API Access available
- R32 (Jan 2022) - OAuth is the only available option for new customers
- R34 (Sept 2022) - New API keys can no longer be issued to existing customers
- R35 (Jan 2023) - Transition deadline. API keys will no longer be supported
Is the transition from API Keys to OAuth / OIDC required?
Transitioning your API integrations to OAuth 2.0 / OIDC is required. It is needed to ensure the security of integrations and must be completed by Release 35. Coupa will no longer issue new API Keys beginning with Release 34 (Sept 2022), and will end support for API keys at Release 35 (Jan 2023).
What actions are required to transition API integrations to OAuth2 / OIDC ?
In brief, the transition from API Keys to OAuth2 includes the following steps:
- OAuth Client creation (similar to the current API key creation)
- OAuth Scope assignment (similar to the current API permission assignment)
- Credentials test (connectivity test using an http client like Postman)
- Build a middleware script or flow that requests an access token and refreshes it every 20 hours, before the current token expires.
- Update integrations to send the token generated by the script from step #4 instead of the API key (if needed)
- Test new integration (token generator script)
- Test existing master data/transactional integrations using OAuth.
- Plan move to Production
- MTP and Hypercare
- Disable the API Keys for each integration that has been transitioned to OAuth2. This is an important security step and will signal to Coupa that the transition to OAuth is complete.
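As an added example (not Coupa's own code and not the Transition Guide), here is the token-management middleware of steps 4 and 5 in Python, using the OAuth 2.0 client-credentials grant that a server-to-server integration uses; it also illustrates the token-versus-key point made under "Why is this change being made?". The following are assumptions, labelled in the code as well: the token endpoint path `/oauth2/token` under the instance URL, the scope name `core.purchase_order.read`, a 24-hour access-token lifetime behind the page's 20-hour refresh cadence, and the hypothetical instance `example.coupahost.com`. The HTTP transport is injected so the cache and refresh logic can be exercised offline with a constructed token response.

```python
"""Token middleware for a Coupa OAuth 2.0 client-credentials integration.

Added example, not Coupa's code. Assumed: the token endpoint is
<instance>/oauth2/token, it accepts grant_type=client_credentials with HTTP
Basic client authentication, and it returns JSON with access_token/expires_in.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth2/token"        # assumption: Coupa OAuth 2.0 token endpoint
ACCESS_TOKEN_LIFETIME = 24 * 3600   # assumption: 24 h lifetime, used if expires_in is absent
REFRESH_AFTER = 20 * 3600           # re-mint every 20 hours, as in step 4 above


def http_post_form(url, headers, form):
    """Default transport: POST a form body, decode the JSON reply (stdlib only)."""
    data = urllib.parse.urlencode(form).encode("ascii")
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class TokenManager:
    """Mints an access token with the client-credentials grant and caches it.

    The integration keeps only the client secret (load it from a vault, never
    hard-code it) and sends just the short-lived bearer token to the Coupa API.
    """

    def __init__(self, instance_url, client_id, client_secret, scopes,
                 post=http_post_form, clock=time.time):
        self.token_url = instance_url.rstrip("/") + TOKEN_PATH
        self.client_id = client_id
        self.client_secret = client_secret
        self.scopes = list(scopes)
        self._post = post          # injected so tests can run offline
        self._clock = clock        # injected so the 20-hour cadence is testable
        self._token = None
        self._refresh_at = 0.0
        self.token_requests = 0    # how many times the endpoint was called

    def _mint(self):
        # RFC 6749 section 2.3.1: client credentials travel in an HTTP Basic
        # header, never in the query string (which ends up in access logs).
        creds = f"{self.client_id}:{self.client_secret}".encode("utf-8")
        headers = {
            "Authorization": "Basic " + base64.b64encode(creds).decode("ascii"),
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        }
        form = {"grant_type": "client_credentials", "scope": " ".join(self.scopes)}
        resp = self._post(self.token_url, headers, form)
        if "access_token" not in resp:
            # Standard OAuth error body: {"error": "...", "error_description": "..."}
            raise RuntimeError("token request failed: %s" % resp.get("error", "no access_token"))
        now = self._clock()
        lifetime = float(resp.get("expires_in", ACCESS_TOKEN_LIFETIME))
        self._token = resp["access_token"]
        # Refresh at the 20-hour mark, or 5 minutes before expiry if Coupa grants less.
        self._refresh_at = now + min(REFRESH_AFTER, max(lifetime - 300.0, 0.0))
        self.token_requests += 1
        return self._token

    def needs_refresh(self):
        return self._token is None or self._clock() >= self._refresh_at

    def get_token(self):
        """Return a cached token, minting a new one on the refresh schedule."""
        return self._mint() if self.needs_refresh() else self._token

    def auth_header(self):
        """Header for every API call; replaces the legacy X-COUPA-API-KEY header."""
        return {"Authorization": "Bearer " + self.get_token(), "Accept": "application/json"}


def demo():
    """Offline walk-through with a constructed token response and a fake clock."""
    replies = [{"access_token": "tok-1", "token_type": "bearer", "expires_in": 86400},
               {"access_token": "tok-2", "token_type": "bearer", "expires_in": 86400}]
    fake_post = lambda url, headers, form: replies[min(len(replies) - 1, tm.token_requests)]
    now = [1_700_000_000.0]
    tm = TokenManager("https://example.coupahost.com", "client-id", "client-secret",
                      ["core.purchase_order.read"], post=fake_post, clock=lambda: now[0])
    first = tm.auth_header()["Authorization"]   # mints tok-1
    now[0] += 10 * 3600
    mid = tm.get_token()                        # still tok-1, no new request
    now[0] += 10 * 3600 + 1                     # past the 20-hour mark
    later = tm.get_token()                      # mints tok-2
    return first, mid, later, tm.token_requests


if __name__ == "__main__":
    print(demo())
```

Keep the client secret in a secret store and inject it at runtime, and log only the token endpoint's `error` field on failure, never the secret or the bearer token. Because the response's `expires_in` takes precedence over the assumed lifetime, a shorter-lived token from Coupa is refreshed earlier than the 20-hour schedule rather than being presented after it has expired.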
Coupa has prepared an OAuth 2.0 Transition Guide to provide more detailed guidance and instructions.
Is there any impact or actions needed to ensure the SFTP Loader continues to work?
No change or action is required for Coupa customers related to transitioning authentication for the SFTP loader. The internal keys used as part of the SFTP authentication are being transitioned to OAuth by Coupa.
Is there any impact on the Mobile App?
Internal API keys used for the Mobile product have already been transitioned to OAuth. No action is required on the customer side to transition.
Does this impact my Coupa-NetSuite Bundle?
Coupa customers will need to upgrade to the latest version of the NetSuite SuiteScript bundle, 7.1 or above. This bundle has OAuth 2.0 capability built in. Once configured, the bundle's API integrations will access Coupa data via OAuth 2.0.
What additional information is available?
- Oct 14, 2021: OAuth (API)
- March 25, 2022: Transitioning to OAuth(API)
- May 3, 2022: OAuth migration for NetSuite Bundle Customers
Success Portal Documentation & Supporting Information
- OAuth 2.0 Transition Guide
- OAuth 2.0 Getting Started with Coupa API
- OpenID Connect Clients
- OAuth 2.0 for Call Outs
- Postman Collection for Coupa APIs
General OpenID Connect Information