Skip to main content
Toku connects to Workday as a dedicated Integration System User (ISU) placed in its own Integration System Security Group. The group carries least-privilege domain security policies scoped to the integration — your Workday administrator creates both during setup and can revoke access at any time. Toku’s implementation team provides the exact scope list during onboarding.

Authentication Mechanisms

Workday exposes three API surfaces, each with its own documented authentication mechanism. Toku uses the same ISU across all three:

HTTP Basic (RaaS)

Report requests authenticate with basic auth, using the username form user@tenant:

WS-Security UsernameToken (WWS)

SOAP calls carry the ISU credentials in a WS-Security header:

OAuth 2.0 (Workday REST)

1

Register

Your Workday administrator runs the tenant task Register API Client for Integration, which yields a client ID and client secret.
2

Generate

A non-expiring refresh token is generated for the Toku ISU from the registered API client.
3

Exchange

Toku exchanges the refresh token for short-lived access tokens at the tenant’s token endpoint — the connection stays live without re-authorization.

Hosts

Workday hosts are tenant-specific — an implementation tenant might live at wd2-impl-services1.workday.com, while your production tenant lives elsewhere. Always copy the exact URL from your own tenant rather than reusing an example host.
After your administrator adjusts the ISU’s security group, Workday requires running Activate Pending Security Policy Changes before the new access takes effect. See the Workday Web Services directory to validate any of the calls referenced in this section.

Next

Worker Sync

How Toku reads your worker roster via RaaS

Payroll Sync

How Toku tracks pay runs and payroll results