Workday Integration Credentials

Workday supports three primary authentication mechanisms for accessing its SOAP and REST APIs.

ISU Username and Password for SOAP APIs

The first option is ISU Username and Password for SOAP APIs.

In this approach, authentication is handled using Basic Authentication with an Integration System User (ISU). The ISU username and password are sent with each SOAP request.

This method requires a dedicated ISU to be created in Workday with the appropriate domain security policies assigned.

ISU Username and Password for SOAP APIs and OAuth 2.0 Client Credentials for REST APIs

The second option is using ISU Username and Password for SOAP APIs and OAuth 2.0 Client Credentials for REST APIs.

In this setup, SOAP APIs continue to use Basic Authentication with the ISU credentials, while REST APIs use OAuth 2.0. For REST access, a token is generated via the /token endpoint using a configured REST API client in Workday, and this token is then used as a Bearer token in API requests.

This approach requires both an ISU (for SOAP) and a REST API client with a client ID and client secret (for REST), along with the necessary scopes. The OAuth 2.0 Client Credentials are needed if you want to access data like bank accounts or leave requests, as those APIs are only avaialble via REST.

OAuth 2.0 Client Credentials for both SOAP and REST APIs

The third option is OAuth 2.0 Client Credentials for both SOAP and REST APIs.

In this model, all API access is authenticated using OAuth 2.0. A token is generated from the /token endpoint using the client credentials of a REST API client configured in Workday. This token is then used as a Bearer token for both SOAP and REST API calls

How to generate Integration Credentials

To know more about to generate the integration credentials, the scopes, and permissions needed, refer to the guide here: Workday credentials for Integration via Knit