Authentication Mechanisms
Workday exposes three API surfaces, each with its own documented authentication mechanism. Toku uses the same ISU across all three:HTTP Basic (RaaS)
Report requests authenticate with basic auth, using the username formuser@tenant:
WS-Security UsernameToken (WWS)
SOAP calls carry the ISU credentials in a WS-Security header:OAuth 2.0 (Workday REST)
1
Register
Your Workday administrator runs the tenant task Register API Client for Integration, which yields a client ID and client secret.
2
Generate
A non-expiring refresh token is generated for the Toku ISU from the registered API client.
3
Exchange
Toku exchanges the refresh token for short-lived access tokens at the tenant’s token endpoint — the connection stays live without re-authorization.
Hosts
Workday hosts are tenant-specific — an implementation tenant might live atwd2-impl-services1.workday.com, while your production tenant lives elsewhere. Always copy the exact URL from your own tenant rather than reusing an example host.
After your administrator adjusts the ISU’s security group, Workday requires running Activate Pending Security Policy Changes before the new access takes effect. See the Workday Web Services directory to validate any of the calls referenced in this section.
Next
Worker Sync
How Toku reads your worker roster via RaaS
Payroll Sync
How Toku tracks pay runs and payroll results
