1. Zapier
  2. Apps
  3. Human resources
  4. Workday

Workday administrator prerequisites for Zapier connection

Updated

This guide is for Workday administrators who need to configure authentication for the Zapier Workday integration. This setup is required before users in your organization can connect Workday to Zapier.

The integration supports two authentication methods:

  • OAuth 2.0 (required): Handles REST API requests, read operations, triggers, and searches.
  • Integration System User (ISU) (optional): Required for SOAP-based actions that create or modify records.
OAuth 2.0 setup ISU setup

OAuth 2.0 setup

OAuth 2.0 is required for all Workday connections to Zapier. Register an API client in Workday and provide your users with the credentials they need.

1. Register an API client in Workday

  1. Log in to Workday as a user with administrative permissions.
  2. Search for Register API Client in the Workday search bar.
  3. Open the task.
  4. Fill in the required fields:
    • Client Name: Enter a descriptive name (for example, Zapier Integration).
    • Client ID: Workday generates this automatically, or you can specify a custom value.
    • Client Secret: Workday generates this automatically.
    • Redirection URI: Enter https://zapier.com/dashboard/auth/oauth/return/App214709CLIAPI/
  5. Copy the Token Endpoint URL (for example, https://impl-services1.wd12.myworkday.com/ccx/oauth2/mytenant/token).
  6. Copy the Authorization Endpoint URL (for example, https://impl-services1.wd12.myworkday.com/ccx/oauth2/mytenant/authorize).
  7. (Recommended) In the Scope or Functional Areas section, select only the functional areas your integration needs. This limits the OAuth token's access to specific Workday domains (for example, Worker Data, Time Tracking, or Procurement).
  8. Click Submit to create the API client.
  9. Save the Client ID and Client Secret.

Learn more in Workday's documentation about registering an API client and managing API client access (scopes).

2. Provide credentials to your users

Share the following six credentials with each user who needs to connect Workday to Zapier:

  • Client ID: From the API client registration in step 1.
  • Client Secret: From the API client registration in step 1.
  • Base URL: The first part of your Workday REST API endpoint (for example, https://impl-services1.wd12.myworkday.com).
  • Tenant: The last part of your Workday REST API endpoint (for example, mytenant).
  • Token Endpoint: The token endpoint URL from step 1.
  • Authorization Endpoint: The authorization endpoint URL from step 1.

The Base URL and Tenant come from your Workday REST API endpoint. For example, if your endpoint is https://impl-services1.wd12.myworkday.com/ccx/api/v1/mytenant, the Base URL is https://impl-services1.wd12.myworkday.com and the Tenant is mytenant.

3. Set OAuth user permissions

The user who authorizes the OAuth connection needs appropriate permissions for the operations they want to perform. For read-only operations, minimal permissions are sufficient.

To avoid granting excessive permissions to individual users, use ISU credentials for write operations. Refer to the ISU setup section for details.

Once you complete these steps, users in your organization can connect Workday to Zapier with OAuth 2.0.

Best practices: team-based ISU setup

For enterprise environments, create separate ISU users for each team with appropriate data scopes.

HR and people operations
  • Purpose: Handle employee lifecycle operations without access to financial data.
  • Permissions:
    • Worker Data: Get, Put, Post (for hire, terminate, change job).
    • Time Tracking: Get, Put, Post (for time off requests).
    • Recruiting: Get, Put, Post (for job requisitions).
  • Data scope restrictions: Exclude Payroll and Financials entirely; limit to HR organizational units only.
Procurement and finance
  • Purpose: Handle supplier and invoice operations with access to financial data.
  • Permissions:
    • Procurement: Get, Put, Post (for supplier and invoice operations).
    • Financials: Get (for financial reporting).
    • Payroll: Get (for payroll reporting, if needed).
  • Data scope restrictions: Limit to finance organizational units; include payroll data only when needed for reporting.
Payroll
  • Purpose: Handle payroll-specific operations.
  • Permissions:
    • Payroll: Get, Put, Post (for payroll operations).
    • Worker Data: Get (for worker information needed for payroll).
  • Data scope restrictions: Limit to payroll organizational units only; exclude other sensitive domains you do not need.

Troubleshooting

"Authentication failed" error
  • Verify the Client ID and Client Secret are correct.
  • Check that the Token Endpoint and Authorization Endpoint URLs are correct.
  • Ensure the Base URL and Tenant values match your Workday REST API endpoint.
"Invalid ISU credentials" error
  • Verify the ISU username and password are correct.
  • Check that the ISU user has the required permissions for the operation.
  • Ensure the ISU user has not been deactivated in Workday.
"Permission denied" error
  • Check that the OAuth user (for read operations) or ISU user (for write operations) has the required permissions.
  • Verify domain permissions are granted correctly in Workday.
  • Check that data scope restrictions are not blocking access to the required data.

Learn more in Workday error: Permission denied.

Actions requiring ISU are not available
  • Ensure ISU credentials have been entered in the Zapier connection settings.
  • Verify both ISU username and password are provided (both are required).
  • Check that the ISU user has the necessary permissions for the action.
Was this article helpful?
0 out of 0 found this helpful

Zapier Early Access

Get access to tomorrow’s no-code automation products and features today. By opting-in to our current and future pre-release products, you’ll work directly with the Zapier product team and join a dedicated community of automation enthusiasts. Learn more about Zapier Early Access