- Read worker profiles, job, and organization data
- Query time off balances and requests
- Call any Workday REST API allowed by your API client’s functional areas and the connected user’s permissions
Common use cases and example apps
| Example app | Example prompt | Description |
|---|---|---|
| Employee self-service portal | Use Workday and build a portal where each signed-in employee sees their own profile, job details, and time off balance. | Give every employee a personal HR view. The app reads the connected user’s own worker record and time off data from Workday. |
| Team directory | Use Workday and build a searchable directory of the people and teams I can see in Workday. | Browse people and org data without opening Workday. The app lists the workers and organizations the connected user is allowed to see, with search and filters. |
| Org chart explorer | Use Workday and build an org chart that shows reporting lines for my organization. | Visualize reporting structure from live Workday data. The app reads organization and worker data and renders an interactive chart scoped to the user’s access. |
| Time off dashboard | Use Workday and build a dashboard where I can review my time off balances and requests. | Track time off in one place. The app queries the connected user’s time off balances and requests and presents them in a single view. |
| Manager team view | Use Workday and build a view where managers see their direct reports and upcoming time off. | Support managers with their own team data. The app reads the reporting relationships and time off data the signed-in manager can access in Workday. |
| Custom report viewer | Use Workday and build a viewer for our Workday custom report so the team can filter and sort results. | Bring a Workday custom report into an app interface. The app calls the report under the connected user’s permissions and adds filtering and sorting on top. |
How the Workday connector works
An app user connector has two parts: a client you configure once for your workspace, and the individual sign-ins your users complete inside your published app.- The client holds the details of an API client registered in your Workday tenant: three endpoint URLs, a client ID, and a client secret. It never contains any individual user’s data.
- Each user connects their own account. The first time a user needs Workday data, your app sends them through Workday’s sign-in and consent flow. Lovable stores their tokens encrypted in the connector gateway, never exposed to your app code or to you as the builder.
- Requests go through the connector gateway, which injects the right user’s credentials, refreshes expiring tokens automatically, and inserts your tenant into REST paths so app code never needs to know it.
How to connect Workday
Who can create Workday clients depends on your plan and workspace settings. See Who can create connections. You can create multiple Workday clients using different API clients, which is useful for separating environments (for example, a sandbox and a production Workday tenant). When the client is created, anyone building in a project can ask Lovable in chat to connect it to their project.Prerequisites
Before connecting Workday, make sure you have:- A Workday account and permission to register an API client in your Workday tenant, or a Workday administrator who can do it for you
- Permission to create connections in your Lovable workspace (see Who can create connections)
- Authentication in your app (Lovable Cloud or your own), so each visitor is signed in before they connect their Workday account
All API requests made through this connector run against your Workday tenant and are governed by your Workday agreement. Billing and quota are handled directly by Workday, not Lovable.
Step 1: Register an API client in Workday
The connector authenticates through an API client you register in your own Workday tenant. Work with your Workday administrator if you don’t have access to these tasks.Configure the grant
Set Client Grant Type to Authorization Code Grant and Access Token Type to Bearer.
Leave PKCE disabled
Keep Support Proof Key for Code Exchange (PKCE) disabled. Workday issues no client secret for PKCE clients, and the connector authenticates with the client secret.
Set the redirection URI
Paste this exact value as the Redirection URI:This value applies to the app user connector. If your workspace offers Workday as an App connector (a shared workspace connection), its redirection URI is different — always copy the exact value shown in the Lovable setup form for the connection type you’re creating.
Enable non-expiring refresh tokens (recommended)
Check Non-Expiring Refresh Tokens so user connections survive idle periods. With Workday’s default 30-day timeout, users must reconnect after a month of inactivity.
Select functional areas
Under Scope (Functional Areas), select only the areas your app needs (for example, Staffing for worker data). Leave everything else at its default, and do not enable Implicit, JWT, or SAML grants.
Copy the client ID and client secret
After clicking OK, copy the Client ID and Client Secret. The secret is shown only once.
Step 2: Create the Workday client in Lovable
Name the client
In Display name, name the client (for example,
Workday production). This name is only used inside Lovable to identify the client.Paste the API client details
Fill in the fields with the values from Workday:
- Workday REST API Endpoint, Token Endpoint, and Authorization Endpoint: paste each URL exactly as shown under View API Clients.
- Client ID and Client Secret: paste the values you copied when registering the API client.
Choose who can use this client
Under Who can use this client, decide who in your workspace can use the client. You start as the only person with access:
- Only you (default): leave the access list as is; only you can use the client.
- Invite specific people: add workspace members by email; only you and the people you add can use the client.
- Invite entire workspace: click Invite entire workspace to make the client available to everyone in your Lovable workspace.
Step 3: Add the connect experience to your app
Once the client exists, tell Lovable in chat what you want, and it connects the client to your project and builds the in-app connect flow. For example:Limitations
The Workday connector cannot:- Provide a shared, workspace-wide Workday connection. Every request runs as an individual app user who has connected their own Workday account.
- Exceed the functional areas configured on the API client or the connected user’s own Workday permissions. A 403 response means the API client lacks that functional area or the user lacks access in Workday.
- Keep users connected past your tenant’s refresh token timeout unless the API client uses non-expiring refresh tokens. With the default 30-day timeout, users must reconnect after a month of inactivity.
Manage the Workday client
- Users can disconnect their own Workday account at any time, which revokes their stored tokens.
- Edit the client from Connectors → Workday to update credentials or change who can use it.
- Deleting the client removes Workday access for every user in the linked projects.