> ## Documentation Index
> Fetch the complete documentation index at: https://docs.livingsecurity.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Workday

> Connect Workday to the Living Security Platform to import your worker directory through the standard REST API.

export const ConnectInPlatform = ({tile, children}) => <Step title="Enter the credentials in the Living Security Platform">
    <p>
      Completed by whoever holds Living Security access — the program owner, or the system
      admin if they've been invited (delegated setup).
    </p>
    <ol>
      <li>
        Go to <strong>Settings → Integrations → Catalog</strong>, find the{' '}
        <strong>{tile}</strong> tile, click <strong>Connect</strong>.
      </li>
      <li>
        Fill in the fields below, then click <strong>Connect</strong>.
      </li>
    </ol>
    {children}
  </Step>;

export const SystemAdminBanner = ({system, recommendDelegated}) => <Note>
    <p>
      <strong>This guide is for your {system} administrator.</strong> It covers creating API
      credentials inside {system}, which requires admin access to {system} — not to the
      Living Security Platform.
    </p>
    <p>
      If you're the Living Security <strong>program owner</strong> and don't administer {system},
      send this page to whoever does. They complete Part A and hand the credentials back to you
      (or enter them directly if you've invited them into the platform).
      {recommendDelegated && <>
          {' '}Because setup produces sensitive key material, we recommend the{' '}
          <strong>delegated setup</strong> path so the secret is never sent back to you.
        </>}
    </p>
  </Note>;

<SystemAdminBanner system="Workday" />

Connecting Workday lets Living Security read your standard worker directory — name, work email, business title, department, manager, location, and employment status — through Workday's standard REST API. No custom reports (RaaS) are required.

## What Living Security needs

| Credential               | Description                                                                                      |
| ------------------------ | ------------------------------------------------------------------------------------------------ |
| **Authorization domain** | The host that serves your Workday sign-in/consent screen (e.g., `impl.workday.com`).             |
| **Token domain**         | The host that issues API access tokens for your tenant (e.g., `wd3-impl-services1.workday.com`). |
| **Tenant**               | Your Workday tenant identifier.                                                                  |

**Scopes:** Functional areas that expose worker data — at minimum **Staffing** (read-only). The sync reads only the standard worker directory (`GET /workers`), which the Staffing functional area covers.

**Required role:** **Integration System Administrator** in Workday (or an admin with **Register API Client** and **Manage: OAuth 2.0 Clients** permissions)

### Prerequisites

* A Workday **Integration System Administrator** (or an administrator with the **Register API Client** and **Manage: OAuth 2.0 Clients** security permissions).
* The Workday REST API enabled for your tenant.

***

## Part A — In Workday

*Your Workday administrator completes these steps.*

<Steps>
  <Step title="Register an API client">
    1. Sign in to Workday as an administrator.
    2. In the search bar, run the **Register API Client for Integrations** task.
    3. Configure the client:
       * **Client Name** — A descriptive name (e.g., `Living Security Platform`).
       * **Client Grant Type** — Select **Authorization Code Grant**.
       * **Access Token Type** — **Bearer**.
       * **Redirection URI** — Enter the Living Security callback URL. Obtain the exact value from your Living Security program owner (or [support@livingsecurity.com](mailto:support@livingsecurity.com)) before submitting — Workday rejects the authorization step if it does not match.
       * **Non-Expiring Refresh Tokens** — Enable this so the connection keeps syncing unattended without periodic re-authorization.
       * **Scope (Functional Areas)** — Grant the functional areas that expose worker data, at minimum **Staffing** (and **Tenant Non-Configurable** if your tenant requires it). Grant read-only areas only.
    4. Submit the task.

    <Note>
      Grant the minimum functional areas needed to read workers. Workday scopes are coarse-grained; **Staffing** read access is sufficient for the worker directory. Avoid granting areas that expose compensation or other sensitive data unless your use case requires them.
    </Note>
  </Step>

  <Step title="Find your authorization domain and token domain">
    After registering, run the **View API Clients** report in Workday and open your client. The report lists the OAuth 2.0 endpoints for your tenant:

    * **Authorization endpoint** looks like `https://impl.workday.com/<tenant>/authorize`.
      Your **Authorization domain** is the host portion only: `impl.workday.com` — no `https://`, no tenant, no path.
    * **Token endpoint** looks like `https://wd3-impl-services1.workday.com/ccx/oauth2/<tenant>/token`.
      Your **Token domain** is the host before `/ccx`: `wd3-impl-services1.workday.com` — no `https://`, no path.

    <Note>
      The authorization domain and token domain are frequently **different hosts** — the sign-in host and the API host. Copy each from the matching endpoint in the report rather than assuming they are the same.
    </Note>
  </Step>

  <Step title="Find your tenant">
    Your **Tenant** is the identifier embedded in the endpoint URLs from the previous step — the segment after `/ccx/oauth2/` in the token endpoint (e.g., the `<tenant>` in `.../ccx/oauth2/<tenant>/token`).

    It is the same short identifier you see in your Workday tenant URL when signed in.
  </Step>
</Steps>

***

## Part B — In the Living Security Platform

*The program owner completes this step, or the system admin if using delegated setup.*

<Steps>
  <ConnectInPlatform tile="Workday">
    | Field                    | Value                                                                         |
    | ------------------------ | ----------------------------------------------------------------------------- |
    | **Authorization domain** | The authorization domain from Part A, Step 2 (e.g., `impl.workday.com`)       |
    | **Token domain**         | The token domain from Part A, Step 2 (e.g., `wd3-impl-services1.workday.com`) |
    | **Tenant**               | The tenant identifier from Part A, Step 3                                     |
  </ConnectInPlatform>
</Steps>

After clicking **Connect**, you are redirected to a Workday consent screen — sign in as an administrator and approve the requested access. Once approved, you return to the Living Security Platform and the connection is established.

<Warning>
  The redirection URI set in Part A, Step 1 must exactly match the Living Security callback URL. If they differ, Workday blocks the consent step with a redirect-mismatch error and the connection cannot complete.
</Warning>

<Note>
  After connecting, the **Workers** data stream starts paused. Enable it from the connection's stream list when you are ready for Living Security to begin syncing your worker directory.
</Note>

You are now connected to Workday.

***

## Troubleshooting

<AccordionGroup>
  <Accordion title="Redirect mismatch error on the consent screen">
    The redirection URI registered in Part A, Step 1 does not exactly match the Living Security callback URL. Re-run the **Register API Client for Integrations** task (or edit the client) and correct the Redirection URI.
  </Accordion>

  <Accordion title="401 Unauthorized or token errors">
    The token domain may be incorrect, or the API client's refresh token has expired. Verify the token domain is the host before `/ccx` in the token endpoint, and that **Non-Expiring Refresh Tokens** is enabled on the API client.
  </Accordion>

  <Accordion title="Empty results (no workers)">
    The API client may be missing the **Staffing** functional area, or the Workday REST API is not enabled for your tenant. Verify the granted functional areas and that the REST API is enabled for your tenant.
  </Accordion>
</AccordionGroup>

***

<Note>Portions of this documentation are adapted from [Nango](https://nango.dev/docs/), used under the [Elastic License 2.0](https://github.com/NangoHQ/nango?tab=License-1-ov-file#readme).</Note>
