Workday is a cloud-based enterprise platform for human capital management (HCM), payroll, and financials. The Workday integration with Frontegg lets your application read worker data, supervisory organizations, job profiles, locations, and time off and leave information from your Workday tenant on behalf of your users through the Workday REST API.
Workday hosts its OAuth and REST endpoints per tenant, on a datacenter-specific host. Because of this, the integration needs four values: your OAuth Client ID and Client Secret, your Workday host, and your Workday tenant name.
Prerequisites
Prerequisites
- A Workday tenant (implementation or production) and the security permissions required to run the Register API Client task — typically the Integration System Administrator or Security Administrator role.
- Access to a Frontegg account so you can retrieve your Redirect URL (see How to get your Redirect URL).
Workday registers an OAuth client through a single task. The steps below walk through that task and the values you need to collect from it.
Sign in to your Workday tenant. In the search box at the top, type Register API Client and select the task named Register API Client (not Register API Client for Integrations and not Register External OAuth Client — those are for different grant types).
In the Register API Client form, fill in the core settings:
- Client Name: enter an identifiable name, for example
Frontegg Integration. - Client Grant Type: select Authorization Code Grant.
- Access Token Type: select Bearer.
- Non-Expiring Refresh Tokens: enable this option. Frontegg requests offline access so it can refresh the access token without prompting the user to sign in again.
In the Redirection URI field, enter your Frontegg Redirect URL:
https://YOUR_MCP_GATEWAY_URL/integration-callback
The redirect URL must match exactly what Frontegg sends during the OAuth flow, including the scheme and path. See How to get your Redirect URL for how to obtain YOUR_MCP_GATEWAY_URL.
In the Scope (Functional Areas) field, add the functional areas that cover the data the integration reads. Each Workday functional area maps to a group of REST resources.
| Scope (functional area) | Grants access to |
|---|---|
Worker Data | Worker records and worker details |
Staffing | Job profiles, locations, and staffing data |
Organizations and Roles | Supervisory organizations and worker organization memberships |
Time Off and Leave | Time off requests, time off balances, absence types, and leave types |
Take only what you need
Take only what you need
Following the principle of least privilege, add only the functional areas your integration actually uses. The exact functional-area names available in the Scope field depend on your tenant's configuration — if a name above is not listed verbatim, choose the closest matching area that covers the same domain (Human Resources / Absence). You can adjust the scope assignments later by editing the API client.
Click OK to register the client. Workday displays the generated credentials, including the Client ID and Client Secret, along with the Token Endpoint, Authorization Endpoint, and REST API Endpoint.
Copy the Client ID and Client Secret and store them securely now. The Client Secret is shown only once — if you navigate away before copying it, you will have to generate a new secret.
The host and tenant are both contained in the REST API Endpoint shown on the credentials screen (you can also find it later by running the View API Clients task). The endpoint looks like this:
https://wd2-impl-services1.workday.com/ccx/api/v1/acmeFrom this URL:
- Host is the domain —
wd2-impl-services1.workday.com(your value may differ, for examplewd5-services1.myworkday.com). - Tenant is the path segment after the API version —
acmein the example above.
Keep both values handy for the Frontegg portal.
Once you have your Client ID, Client Secret, host, and tenant, enter them in the integration configuration page of the Frontegg portal:
- Open the Frontegg portal and navigate to [ENVIRONMENT] → Integrations → Workday.
- Enter the Client ID and Client Secret in the corresponding fields.
- Enter your Workday host (e.g.
wd2-impl-services1.workday.com). - Enter your Workday tenant (e.g.
acme). - Select the required scopes.
- Click Save.
Keep your credentials secure
Keep your credentials secure
Never share or commit your Client Secret to version control.