Beta. This is a deploy-only connector: Runlayer hosts the MCP server, and
it authenticates to your Workday tenant using an OAuth 2.0 API client that
your Workday administrator registers.
Tools and required scopes
Each tool calls a specific Workday REST API service. On your API client, enable the Scope (Functional Area) that secures the services for the tools you plan to use.Functional-area names can vary slightly by Workday version. The authoritative
requirement for any operation is the Secured by section of that API in
your tenant’s Workday REST API reference. The table maps each tool group to
the API service it calls (which is fixed) and the functional area that
typically secures it.
| Workday API service | Scope (Functional Area) | Tools |
|---|---|---|
absenceManagement (v3) | Time Off and Leave | request_time_off, correct_time_off_entry, get_time_off_details, get_time_off_entry, get_time_off_balances, get_eligible_absence_types, validate_time_off_dates, get_leaves_of_absence |
timeTracking (v5) | Time Tracking | create_time_clock_event, get_time_clock_events, create_worker_time_block, update_worker_time_block, delete_worker_time_block, get_worker_time_block, get_worker_time_totals |
common (v1) | Tenant Non-Configurable | list_workers, get_worker, get_direct_reports, get_worker_organizations, get_managed_orgs, get_worker_history, get_time_off_plans, create_business_title_change, create_job_change, list_supervisory_organizations, get_supervisory_organization, get_org_workers, list_organizations, get_job_change_reasons |
staffing (v7) | Staffing | initiate_org_assignment_change, get_org_assignment_change, update_org_assignment_business_unit, create_worker_skill_items, get_worker_skill_items |
person (v4) | Personal Data | get_personal_information, get_home_address, get_preferred_name, get_home_contact_change, add_home_phone_number, get_work_contact_change, update_work_contact_change, submit_work_contact_change |
businessProcess (v1) | Business Process Administration | list_events, get_event, get_event_in_progress_steps, get_event_remaining_steps, get_event_comments, cancel_event, rescind_event, list_event_steps, get_event_step, approve_event_step, deny_event_step, send_back_event_step, complete_todo_step, list_business_process_types |
benefitEnrollmentEventOfferings (v1) | Benefits Administration | get_enrollment_event, list_enrollment_events |
Some services read data secured by more than one functional area (for example
organization data under
common). If a tool returns a permission error after
connecting, check that API’s Secured by requirements and add the missing
functional area or security-group access.Setup
Task names and screens vary by Workday version. Your Workday administrator
should follow the tenant’s own documentation for Register API Client for
Integrations and the View API Clients report. The steps below describe
what Runlayer needs.
Register an OAuth 2.0 API client in Workday
Have your Workday administrator confirm the tenant has OAuth 2.0 Clients
Enabled, then register an API client configured for the Authorization
Code Grant. The connector authenticates as a public client using PKCE,
so no client secret is required.Under Scope (Functional Areas), select the areas for the tools you plan
to use (see the table above).
Enable refresh tokens
Confirm the API client is configured to issue refresh tokens. Without
one, Runlayer cannot renew access silently and users must re-authenticate
each time the access token expires. Refresh-token behavior is set on the API
client; use your tenant’s Workday documentation to confirm the correct
settings for an interactive Authorization Code client.
Register the Runlayer callback URL
Add Runlayer’s OAuth callback URL to the API client as an allowed redirect
URI (and allowed web origin if your tenant enforces origin checks), exactly
and with no trailing slash:
Collect the API client values
From the View API Clients report, record: Client ID,
Authorization Endpoint, Token Endpoint, and Workday REST API
Endpoint.
Add the connector in Runlayer
In Runlayer, go to My connectors, find Workday, and click Add
connector. Enter the values from the previous step (see
Configuration Reference), then click Deploy
Server.
Configuration Reference
Required:| Variable | Description |
|---|---|
WORKDAY_TENANT | Your Workday tenant name (case-sensitive), e.g. the tenant segment in your Workday URLs |
WORKDAY_BASE_URL | The host only of your Workday REST API Endpoint (scheme + host, e.g. https://<your-workday-host>). Do not include the /ccx/api/v1/<tenant> path — the connector adds it. Including the full path causes tool calls to fail with “not found” errors |
WORKDAY_OAUTH_CLIENT_ID | The Client ID from the API client |
WORKDAY_AUTHORIZATION_URL | The Authorization Endpoint from the API client |
WORKDAY_TOKEN_URL | The Token Endpoint from the API client |
The authorization, token, and REST API hosts are not always the same
(common on implementation/sandbox tenants). Use the exact endpoint values from
the View API Clients report rather than assuming they share a host.
Troubleshooting
Tool calls fail with 404 or 'not found'
Tool calls fail with 404 or 'not found'
Check
WORKDAY_BASE_URL. It must be the host only (scheme + host, no path), not
the full REST API Endpoint that includes /ccx/api/v1/<tenant>. Including the
path causes it to be duplicated and the request to 404.Users must re-authenticate frequently / no refresh token
Users must re-authenticate frequently / no refresh token
This usually means the API client is not issuing a refresh token. Ask your
Workday administrator to confirm refresh tokens are enabled for the client (see
Setup, Step 2). Runlayer stores and uses whatever the token endpoint returns; if
no refresh token is issued, sessions cannot be renewed silently.
A tool returns a permission error after connecting
A tool returns a permission error after connecting
Confirm the Scope (Functional Areas) on the API client cover that tool’s API
service (see the table above), and that the connecting user’s Workday security
groups grant access to the underlying data.