How to create a Workday REST API Integration?

When evaluating a Workday integration project, the initial assessment appears straightforward. The REST API documentation presents comprehensive endpoint coverage, OAuth 2.0 authentication follows industry standards, and the technical approach seems consistent with other enterprise system integrations.

However, real-world implementation reveals significant complexity that extends well beyond the documented APIs. Integration System User (ISU) configurations require extensive Workday-specific knowledge, OAuth token management involves platform-specific nuances, and critical HR operations often necessitate SOAP API usage alongside REST endpoints. What begins as a standard REST integration evolves into a dual-protocol implementation with substantially higher resource requirements than anticipated.

Workday integration represents a unique challenge in enterprise software development. The platform’s architecture combines legacy SOAP services with modern REST endpoints, creating integration requirements that demand expertise in both protocols. This architectural complexity, combined with Workday’s sophisticated security model and domain-specific business logic, produces implementation challenges that standard API documentation cannot adequately convey.

Why Workday Integration Requires Both REST and SOAP APIs

Workday markets its REST API as the modern solution for developers, and initially, it appears straightforward. Clean JSON responses, standard HTTP methods, and familiar OAuth 2.0 flows. You start building with confidence.

Then you discover the inconvenient truth: Workday’s REST API doesn’t cover everything you need. Critical functionality still lives exclusively in the SOAP world, and some operations require both protocols to complete a single business workflow.

If you’re looking for the Workday Financials API, you can read our guide on it here.

REST API: Modern but Incomplete

The REST API covers a growing range of endpoints, from person management to recruiting to time tracking. The JSON responses are clean, the authentication follows industry standards, and the developer experience feels familiar. For basic employee data retrieval and simple updates, it works well.

But when you need complex reporting, advanced financial transactions, or certain HR operations, you hit the REST API’s limitations. You’re forced to fall back to SOAP for functionality that simply doesn’t exist in the REST world.

Here’s a typical REST API call to retrieve employee data:

const response = await fetch(
  `https://${tenant}.workday.com/ccx/api/v1/${tenant}/workers`,
  {
    method: 'GET',
    headers: {
      Authorization: `Bearer ${accessToken}`,
      'Content-Type': 'application/json'
    }
  }
);

const workers = await response.json();

Clean and straightforward. Until you need payroll processing or complex reporting that only exists in SOAP.

SOAP API: Comprehensive but Complex

The SOAP API provides access to Workday’s full feature set. Every business object, every workflow, every edge case is available through SOAP endpoints. If you need complete Workday functionality, SOAP is unavoidable.

The trade-off is significant complexity. SOAP requests require XML construction, namespace management, and understanding of Workday’s complex data structures. Here’s what a simple employee query looks like in SOAP:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:bsvc="urn:com.workday/bsvc">
  <soapenv:Header>
    <bsvc:Workday_Common_Header>
      <bsvc:Include_Reference_Descriptors_In_Response>true</bsvc:Include_Reference_Descriptors_In_Response>
    </bsvc:Workday_Common_Header>
  </soapenv:Header>
  <soapenv:Body>
    <bsvc:Get_Workers_Request>
      <bsvc:Request_References>
        <bsvc:Worker_Reference>
          <bsvc:ID bsvc:type="Employee_ID">12345</bsvc:ID>
        </bsvc:Worker_Reference>
      </bsvc:Request_References>
      <bsvc:Response_Filter>
        <bsvc:As_Of_Effective_Date>2025-09-03</bsvc:As_Of_Effective_Date>
        <bsvc:As_Of_Entry_DateTime>2025-09-03T00:00:00Z</bsvc:As_Of_Entry_DateTime>
      </bsvc:Response_Filter>
    </bsvc:Get_Workers_Request>
  </soapenv:Body>
</soapenv:Envelope>

You’re not just building one integration. You’re creating two completely different approaches to the same system if you want the complete guide on the Wokday SOAP API documentation, check out our blog.

Authentication: The ISU Complexity

Workday’s authentication model centers around Integration System Users (ISUs), and this approach creates several challenges that aren’t immediately apparent from the documentation.

Integration System User Requirements

Every Workday integration requires an ISU, which is a dedicated user account specifically for integrations. This isn’t just a service account - it’s a full Workday user with its own security profile, permissions, and configuration requirements.

Creating an ISU involves:

Setting up the user account with specific security settings
Configuring domain security policy permissions
Creating and assigning security groups
Managing password policies and session timeouts
Registering API clients for OAuth flows

The complexity multiplies when you realize that Workday recommends limiting each ISU to a single integration system. If you’re building multiple integrations, you need multiple ISUs, each with its own configuration and maintenance overhead.

OAuth 2.0 Configuration Challenges

For REST API access, you need OAuth 2.0, which requires registering API clients in Workday. This process involves:

API Client Registration: Creating a client with specific scopes and permissions
Refresh Token Management: Generating non-expiring refresh tokens tied to your ISU
Token Exchange: Implementing the OAuth flow to get access tokens
Permission Scoping: Ensuring your API client has access to the required domains

Here’s what the OAuth token exchange looks like:

const tokenResponse = await fetch(
  `https://${tenant}.workday.com/ccx/oauth2/token`,
  {
    method: 'POST',
    headers: {
      Authorization: `Basic ${Buffer.from(`${clientId}:${clientSecret}`).toString('base64')}`,
      'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: new URLSearchParams({
      grant_type: 'refresh_token',
      refresh_token: refreshToken
    })
  }
);

The challenge isn’t the OAuth flow itself; it’s the Workday-specific configuration requirements and the complex permission model that determines what your integration can access.

Dual Authentication Requirements

Since you need both REST and SOAP, you’re managing two authentication approaches:

REST: OAuth 2.0 with bearer tokens
SOAP: ISU username/password authentication

This creates additional complexity in credential management, token refresh logic, and error handling across different authentication mechanisms.

Rate Limiting and Performance Constraints

Workday implements rate limiting that can significantly impact integration performance, and the limits are more restrictive than many developers expect.

The 10 Requests Per Second Reality

According to implementation partners and developer community discussions, Workday can only handle 10 calls per second and drops any beyond that.

For bulk data operations, employee onboarding, or real-time synchronization scenarios, this rate limit becomes a significant bottleneck. You’re forced to implement complex queuing mechanisms, retry logic, and batch processing to work within these constraints.

Performance Variations Between Protocols

SOAP requests are notoriously slow in Workday environments. Developers report that SOAP requests can take 90 seconds, whether retrieving 1 record or 100 records. The XML processing overhead and complex business logic in SOAP operations create performance challenges that don’t exist with REST endpoints.

This performance disparity means you can’t simply choose the most feature-complete protocol (SOAP) for everything. You need to optimize protocol selection based on performance requirements versus functionality needs.

Data Model Complexity and Versioning

Workday’s data model reflects the complexity of enterprise HR systems, and this complexity creates integration challenges that extend beyond simple CRUD operations.

Hierarchical Data Structures

Workday organizes data in complex hierarchical structures that don’t map cleanly to typical REST patterns. Employee records contain nested organizational data, compensation structures, and historical information that requires an understanding of Workday’s specific data model.

For example, retrieving an employee’s current compensation might require navigating through:

Worker reference data
Position information
Compensation plan assignments
Effective dating structures
Organizational hierarchies

Versioning and API Evolution

Workday maintains multiple API versions (currently up to v44.2 for SOAP), and different endpoints may have different versioning requirements. The platform uses both major and minor version numbers, with breaking changes resulting in new major versions.

This versioning complexity means you need to:

Track multiple API versions across different endpoints
Plan for migrations when versions are deprecated
Handle backward compatibility requirements
Monitor for new features and endpoints

Sandbox and Testing Challenges

Unlike many SaaS platforms, Workday doesn’t provide free sandbox environments, creating testing challenges that impact development timelines and costs.

Limited Testing Access

Workday only provisions sandbox access to paid customers on certain plans. This means you need a commercial relationship with Workday just to properly test your integration. For many development teams, this represents a significant barrier to building and validating integrations.

Without sandbox access, you’re often testing against production systems or limited demo environments, increasing the risk of data issues and integration failures.

Data Complexity in Testing

Even with sandbox access, creating realistic test data requires a deep understanding of Workday’s business logic and data relationships. You need to understand:

Chart of organizational structures
Position hierarchies and reporting relationships
Compensation and benefits configurations
Time tracking and absence policies
Regional compliance requirements

This isn’t development work, it’s HR consulting. Your engineering team shouldn’t need to become Workday configuration experts to build an integration.

Security Group and Permission Management

Workday’s security model is highly granular, creating configuration complexity that goes far beyond typical API key management.

Domain Security Policies

Every integration requires configuring domain security policies that control access to specific Workday functional areas. These policies must be configured for each security group that contains your ISU, and the permissions vary significantly across different Workday modules.

Common domains include:

Integration Build and Debug
System Configuration
Worker Data (various levels)
Organization Data
Compensation and Payroll
Time Tracking
Recruiting and Talent

Each domain has different permission levels (Get, Put, Delete) and different data access restrictions.

Multi-Tenant Complexity

For integrations that need to work across multiple Workday tenants, the security configuration multiplies exponentially. Each tenant may have different:

Security group structures
Domain policy configurations
Custom object definitions
Regional compliance requirements
Organizational hierarchies

What works in one tenant may fail completely in another, even with identical integration code.

Integration Maintenance Overhead

Getting a Workday integration working is just the beginning. The ongoing maintenance requirements are significant and often underestimated.

API Updates and Changes

Workday regularly releases updates that can affect API behavior, data structures, and authentication requirements. Since you’re likely using both REST and SOAP APIs, you’re monitoring changes across two different API paradigms with different update schedules.

ISU Management

ISUs require ongoing maintenance:

Password policy compliance (if using username/password auth)
Security group membership updates
Permission reviews and adjustments
Token renewal for OAuth flows
Monitoring for account lockouts or security policy violations

Error Handling Complexity

Error responses differ significantly between REST and SOAP APIs. SOAP errors are wrapped in complex XML structures with Workday-specific error codes, while REST errors follow more standard HTTP patterns but may not provide the same level of detail.

Building robust error handling requires understanding both error paradigms and implementing different retry strategies for different types of failures.

The Unified API Alternative

After experiencing these integration challenges, the value proposition of unified APIs becomes clear. Instead of navigating Workday’s complexity directly, platforms like unified API providers abstract away the protocol differences, authentication complexity, and maintenance overhead.

Single Protocol Interface

Unified APIs present a consistent REST interface regardless of whether the underlying Workday operation uses REST or SOAP. You write one integration that works across all Workday functionality, without needing to understand which protocol is used behind the scenes.

// Through a unified API - same code for all operations
const employees = await unifiedAPI.hr.employees.list({
  provider: 'workday',
  limit: 100,
  filters: {
    department: 'Engineering',
    active: true
  }
});

Authentication Abstraction

Unified APIs handle the ISU configuration, OAuth setup, and credential management upstream. Your integration sees a consistent authentication model regardless of the complexity behind the scenes.

Performance Optimization

Unified API providers implement their own queuing, rate limiting, and retry logic optimized for each platform’s constraints. They handle the 10 requests per second limitation, implement appropriate batching strategies, and manage protocol selection for optimal performance.

Maintenance Handled Upstream

The unified API provider handles API version updates, authentication changes, and platform-specific modifications. Your integration code remains stable while the underlying Workday connections evolve.

Making the Integration Decision

For senior developers evaluating Workday integration approaches, consider the total cost of ownership:

Direct Integration Costs:

6–12 weeks initial development for dual-protocol support
ISU setup and ongoing management across multiple tenants
Sandbox environment costs and access limitations
Complex security group and permission configuration
Ongoing maintenance for both REST and SOAP APIs
Performance optimization and rate limit handling

Unified API Benefits:

Single protocol integration (typically 2–4 days)
Authentication and credential management handled upstream
Built-in rate limiting and performance optimization
Consistent error handling and retry logic
Automatic handling of API updates and changes

The unified API approach becomes particularly compelling when you consider that Workday is rarely the only system you need to integrate. If you’re building HR integrations, you likely need to support multiple HRIS platforms, each with its own complexity.

Workday Integration Best Practices

If you proceed with direct Workday integration, follow these practices to minimize complexity:

Start with Clear Requirements

Define exactly which Workday modules and operations you need before beginning development. This determines whether you can stay within REST API limitations or need SOAP functionality.

Plan for Dual Authentication

Design your authentication handling to support both OAuth 2.0 and username/password flows from the beginning, rather than retrofitting SOAP authentication later.

Implement Robust Rate Limiting

Build queuing and retry mechanisms into your integration architecture from day one. The 10 requests per second limit will affect your design decisions throughout the project.

Invest in Proper Testing

Budget for Workday sandbox access and the time required to create realistic test data. Proper testing infrastructure is essential for reliable Workday integrations.

The Future of Workday Integration

Workday continues to expand REST API coverage, but the timeline for full feature parity with SOAP remains unclear. The platform’s complexity reflects the sophisticated nature of enterprise HR operations, and this complexity isn’t going away.

For development teams focused on delivering business value rather than becoming Workday integration experts, unified API platforms offer a path to faster implementation and lower maintenance overhead.

The question isn’t whether Workday integration is possible; it’s whether you want to spend your development resources mastering Workday’s intricacies or building features that differentiate your product.

Enterprise HR integration has evolved beyond the capability of individual development teams to build and maintain efficiently. The smart approach is leveraging platforms that have already solved these complex integration challenges, allowing your team to focus on what actually drives your business forward.