Skip to main content
This guide will show you how to register your application with Workday to obtain your own production OAuth credentials (client id & secret). Once you complete this guide, your users can grant your app access to their Workday account. You will have full access to the Workday REST API, which lets you read and write data in the connected Workday accounts.
1

Access the Workday API Client Registration

  1. Log in to your Workday tenant as an administrator.
  2. In the Search bar, type Register API Client and select it.
2

Create OAuth 2.0 credentials

  1. On the Register API Client page, configure:
    • Client Name: Enter a unique, descriptive name (e.g., Nango HRIS Integration).
    • Client Grant Type: Select Authorization Code Grant (required for OAuth 2.0 flows).
    • Access Token Type: Select Bearer (standard for API authentication).
    • Redirection URI: Set to https://api.nango.dev/oauth/callback.
      • Use your custom callback URL if your Nango account has one set up.
    • Non-Expiring Refresh Tokens: ✅ Enable (recommended for long-lived access).
    • Scope (Functional Areas):
      • Custom Objects > System (required for custom object operations).
      • System - Workday Query Language (WQL) (required for WQL queries).
      • HRIS (for core employee/personnel data).
      • Staffing (for recruitment/hiring data).
      • Tenant Non-Configurable (read-only tenant settings).
    • Include Workday Owned Scope: ⚠️ Optional; it grants access to API scopes that are owned and managed by Workday itself.
  2. Click OK to generate client credentials (Client ID and Client Secret), save these credentials securely as you’ll need them when configuring your integration in Nango.
3

Obtain refresh token (optional)

The refresh token is optional. If omitted, Nango will automatically obtain and use the refresh token from the OAuth authorization flow. If you provide a refresh token, Nango will use the one you provide instead. Important: If you provide a refresh token, it must be non-expiring to ensure token refresh operations don’t fail. Make sure Non-Expiring Refresh Tokens is enabled when registering your API client (see Step 2).
To obtain a refresh token:
  1. After registering your API client, navigate to the API client details page of your newly registered client.
  2. Click the Related Actions icon (usually represented by three dots or a gear icon).
  3. Go to API Client → click Manage Refresh Tokens for Integrations.
  4. In the prompt that appears, enter the Integration System User (ISU) in the Workday Account field.
  5. A new screen will appear. Check the “Regenerate New Refresh Token” box and click OK.
  6. A new refresh token will be generated. Save this token securely as you’ll need it when configuring your integration in Nango (optional).
4

Configure your integration in Nango

Follow the Quickstart to add your credentials to Nango.