What Living Security needs
Scopes: Functional areas that expose worker data — at minimum Staffing (read-only). The sync reads only the standard worker directory (
GET /workers), which the Staffing functional area covers.
Required role: Integration System Administrator in Workday (or an admin with Register API Client and Manage: OAuth 2.0 Clients permissions)
Prerequisites
- A Workday Integration System Administrator (or an administrator with the Register API Client and Manage: OAuth 2.0 Clients security permissions).
- The Workday REST API enabled for your tenant.
Part A — In Workday
Your Workday administrator completes these steps.1
Register an API client
- Sign in to Workday as an administrator.
- In the search bar, run the Register API Client for Integrations task.
- Configure the client:
- Client Name — A descriptive name (e.g.,
Living Security Platform). - Client Grant Type — Select Authorization Code Grant.
- Access Token Type — Bearer.
- Redirection URI — Enter the Living Security callback URL. Obtain the exact value from your Living Security program owner (or support@livingsecurity.com) before submitting — Workday rejects the authorization step if it does not match.
- Non-Expiring Refresh Tokens — Enable this so the connection keeps syncing unattended without periodic re-authorization.
- Scope (Functional Areas) — Grant the functional areas that expose worker data, at minimum Staffing (and Tenant Non-Configurable if your tenant requires it). Grant read-only areas only.
- Client Name — A descriptive name (e.g.,
- Submit the task.
Grant the minimum functional areas needed to read workers. Workday scopes are coarse-grained; Staffing read access is sufficient for the worker directory. Avoid granting areas that expose compensation or other sensitive data unless your use case requires them.
2
Find your authorization domain and token domain
After registering, run the View API Clients report in Workday and open your client. The report lists the OAuth 2.0 endpoints for your tenant:
- Authorization endpoint looks like
https://impl.workday.com/<tenant>/authorize. Your Authorization domain is the host portion only:impl.workday.com— nohttps://, no tenant, no path. - Token endpoint looks like
https://wd3-impl-services1.workday.com/ccx/oauth2/<tenant>/token. Your Token domain is the host before/ccx:wd3-impl-services1.workday.com— nohttps://, no path.
The authorization domain and token domain are frequently different hosts — the sign-in host and the API host. Copy each from the matching endpoint in the report rather than assuming they are the same.
3
Find your tenant
Your Tenant is the identifier embedded in the endpoint URLs from the previous step — the segment after
/ccx/oauth2/ in the token endpoint (e.g., the <tenant> in .../ccx/oauth2/<tenant>/token).It is the same short identifier you see in your Workday tenant URL when signed in.Part B — In the Living Security Platform
The program owner completes this step, or the system admin if using delegated setup.1
After connecting, the Workers data stream starts paused. Enable it from the connection’s stream list when you are ready for Living Security to begin syncing your worker directory.
Troubleshooting
Redirect mismatch error on the consent screen
Redirect mismatch error on the consent screen
The redirection URI registered in Part A, Step 1 does not exactly match the Living Security callback URL. Re-run the Register API Client for Integrations task (or edit the client) and correct the Redirection URI.
Empty results (no workers)
Empty results (no workers)
The API client may be missing the Staffing functional area, or the Workday REST API is not enabled for your tenant. Verify the granted functional areas and that the REST API is enabled for your tenant.
Portions of this documentation are adapted from Nango, used under the Elastic License 2.0.

