Skip to main content
Connecting Workday lets Living Security read your standard worker directory — name, work email, business title, department, manager, location, and employment status — through Workday’s standard REST API. No custom reports (RaaS) are required.

What Living Security needs

Scopes: Functional areas that expose worker data — at minimum Staffing (read-only). The sync reads only the standard worker directory (GET /workers), which the Staffing functional area covers. Required role: Integration System Administrator in Workday (or an admin with Register API Client and Manage: OAuth 2.0 Clients permissions)

Prerequisites

  • A Workday Integration System Administrator (or an administrator with the Register API Client and Manage: OAuth 2.0 Clients security permissions).
  • The Workday REST API enabled for your tenant.

Part A — In Workday

Your Workday administrator completes these steps.
1

Register an API client

  1. Sign in to Workday as an administrator.
  2. In the search bar, run the Register API Client for Integrations task.
  3. Configure the client:
    • Client Name — A descriptive name (e.g., Living Security Platform).
    • Client Grant Type — Select Authorization Code Grant.
    • Access Token TypeBearer.
    • Redirection URI — Enter the Living Security callback URL. Obtain the exact value from your Living Security program owner (or support@livingsecurity.com) before submitting — Workday rejects the authorization step if it does not match.
    • Non-Expiring Refresh Tokens — Enable this so the connection keeps syncing unattended without periodic re-authorization.
    • Scope (Functional Areas) — Grant the functional areas that expose worker data, at minimum Staffing (and Tenant Non-Configurable if your tenant requires it). Grant read-only areas only.
  4. Submit the task.
Grant the minimum functional areas needed to read workers. Workday scopes are coarse-grained; Staffing read access is sufficient for the worker directory. Avoid granting areas that expose compensation or other sensitive data unless your use case requires them.
2

Find your authorization domain and token domain

After registering, run the View API Clients report in Workday and open your client. The report lists the OAuth 2.0 endpoints for your tenant:
  • Authorization endpoint looks like https://impl.workday.com/<tenant>/authorize. Your Authorization domain is the host portion only: impl.workday.com — no https://, no tenant, no path.
  • Token endpoint looks like https://wd3-impl-services1.workday.com/ccx/oauth2/<tenant>/token. Your Token domain is the host before /ccx: wd3-impl-services1.workday.com — no https://, no path.
The authorization domain and token domain are frequently different hosts — the sign-in host and the API host. Copy each from the matching endpoint in the report rather than assuming they are the same.
3

Find your tenant

Your Tenant is the identifier embedded in the endpoint URLs from the previous step — the segment after /ccx/oauth2/ in the token endpoint (e.g., the <tenant> in .../ccx/oauth2/<tenant>/token).It is the same short identifier you see in your Workday tenant URL when signed in.

Part B — In the Living Security Platform

The program owner completes this step, or the system admin if using delegated setup.
1
After clicking Connect, you are redirected to a Workday consent screen — sign in as an administrator and approve the requested access. Once approved, you return to the Living Security Platform and the connection is established.
The redirection URI set in Part A, Step 1 must exactly match the Living Security callback URL. If they differ, Workday blocks the consent step with a redirect-mismatch error and the connection cannot complete.
After connecting, the Workers data stream starts paused. Enable it from the connection’s stream list when you are ready for Living Security to begin syncing your worker directory.
You are now connected to Workday.

Troubleshooting

The token domain may be incorrect, or the API client’s refresh token has expired. Verify the token domain is the host before /ccx in the token endpoint, and that Non-Expiring Refresh Tokens is enabled on the API client.
The API client may be missing the Staffing functional area, or the Workday REST API is not enabled for your tenant. Verify the granted functional areas and that the REST API is enabled for your tenant.

Portions of this documentation are adapted from Nango, used under the Elastic License 2.0.