Skip to main content
Workday is an enterprise platform for HR, finance, and workforce management. The Workday connector lets your Lovable app read Workday HCM data such as workers, organizations, and time off through an API client registered in your own Workday tenant. Workday is available as an app user connector: each end user of your published app connects their own Workday account, and every request runs with that user’s own Workday permissions. There is no shared, workspace-wide Workday connection. With Workday, your app can:
  • Read worker profiles, job, and organization data
  • Query time off balances and requests
  • Call any Workday REST API allowed by your API client’s functional areas and the connected user’s permissions
It’s a good fit for employee self-service tools, HR dashboards, directories, and org charts where each person sees exactly what they can see in Workday.

Common use cases and example apps

Example appExample promptDescription
Employee self-service portalUse Workday and build a portal where each signed-in employee sees their own profile, job details, and time off balance.Give every employee a personal HR view.
The app reads the connected user’s own worker record and time off data from Workday.
Team directoryUse Workday and build a searchable directory of the people and teams I can see in Workday.Browse people and org data without opening Workday.
The app lists the workers and organizations the connected user is allowed to see, with search and filters.
Org chart explorerUse Workday and build an org chart that shows reporting lines for my organization.Visualize reporting structure from live Workday data.
The app reads organization and worker data and renders an interactive chart scoped to the user’s access.
Time off dashboardUse Workday and build a dashboard where I can review my time off balances and requests.Track time off in one place.
The app queries the connected user’s time off balances and requests and presents them in a single view.
Manager team viewUse Workday and build a view where managers see their direct reports and upcoming time off.Support managers with their own team data.
The app reads the reporting relationships and time off data the signed-in manager can access in Workday.
Custom report viewerUse Workday and build a viewer for our Workday custom report so the team can filter and sort results.Bring a Workday custom report into an app interface.
The app calls the report under the connected user’s permissions and adds filtering and sorting on top.

How the Workday connector works

An app user connector has two parts: a client you configure once for your workspace, and the individual sign-ins your users complete inside your published app.
  • The client holds the details of an API client registered in your Workday tenant: three endpoint URLs, a client ID, and a client secret. It never contains any individual user’s data.
  • Each user connects their own account. The first time a user needs Workday data, your app sends them through Workday’s sign-in and consent flow. Lovable stores their tokens encrypted in the connector gateway, never exposed to your app code or to you as the builder.
  • Requests go through the connector gateway, which injects the right user’s credentials, refreshes expiring tokens automatically, and inserts your tenant into REST paths so app code never needs to know it.
Access is the intersection of two things: the functional areas selected on the API client in Workday, and the connected user’s own Workday security. Neither the app nor Lovable can widen either one.

How to connect Workday

Who can create Workday clients depends on your plan and workspace settings. See Who can create connections. You can create multiple Workday clients using different API clients, which is useful for separating environments (for example, a sandbox and a production Workday tenant). When the client is created, anyone building in a project can ask Lovable in chat to connect it to their project.

Prerequisites

Before connecting Workday, make sure you have:
  • A Workday account and permission to register an API client in your Workday tenant, or a Workday administrator who can do it for you
  • Permission to create connections in your Lovable workspace (see Who can create connections)
  • Authentication in your app (Lovable Cloud or your own), so each visitor is signed in before they connect their Workday account
All API requests made through this connector run against your Workday tenant and are governed by your Workday agreement. Billing and quota are handled directly by Workday, not Lovable.

Step 1: Register an API client in Workday

The connector authenticates through an API client you register in your own Workday tenant. Work with your Workday administrator if you don’t have access to these tasks.
1

Run the Register API Client task

In Workday, search for and run the Register API Client task.
2

Configure the grant

Set Client Grant Type to Authorization Code Grant and Access Token Type to Bearer.
3

Leave PKCE disabled

Keep Support Proof Key for Code Exchange (PKCE) disabled. Workday issues no client secret for PKCE clients, and the connector authenticates with the client secret.
4

Set the redirection URI

Paste this exact value as the Redirection URI:
This value applies to the app user connector. If your workspace offers Workday as an App connector (a shared workspace connection), its redirection URI is different — always copy the exact value shown in the Lovable setup form for the connection type you’re creating.
5

Enable non-expiring refresh tokens (recommended)

Check Non-Expiring Refresh Tokens so user connections survive idle periods. With Workday’s default 30-day timeout, users must reconnect after a month of inactivity.
6

Select functional areas

Under Scope (Functional Areas), select only the areas your app needs (for example, Staffing for worker data). Leave everything else at its default, and do not enable Implicit, JWT, or SAML grants.
7

Copy the client ID and client secret

After clicking OK, copy the Client ID and Client Secret. The secret is shown only once.
8

Copy the endpoints

Run the View API Clients task and copy the Workday REST API Endpoint, Token Endpoint, and Authorization Endpoint for your new API client. You paste each one as is into Lovable in the next step.
The client secret functions like a password. Keep it secure and never share it publicly. You’ll need it in the next step.

Step 2: Create the Workday client in Lovable

1

Open Workday in Connectors

Go to Connectors and select Workday.
2

Add the client

Click Add connection and choose App user connector.
3

Name the client

In Display name, name the client (for example, Workday production). This name is only used inside Lovable to identify the client.
4

Paste the API client details

Fill in the fields with the values from Workday:
  1. Workday REST API Endpoint, Token Endpoint, and Authorization Endpoint: paste each URL exactly as shown under View API Clients.
  2. Client ID and Client Secret: paste the values you copied when registering the API client.
5

Choose who can use this client

Under Who can use this client, decide who in your workspace can use the client. You start as the only person with access:
  • Only you (default): leave the access list as is; only you can use the client.
  • Invite specific people: add workspace members by email; only you and the people you add can use the client.
  • Invite entire workspace: click Invite entire workspace to make the client available to everyone in your Lovable workspace.
See Who can manage connections for more information.
6

Create the client

Click Create client.

Step 3: Add the connect experience to your app

Once the client exists, tell Lovable in chat what you want, and it connects the client to your project and builds the in-app connect flow. For example:
The first time a user taps Connect, your app sends them to Workday to sign in and approve access. After that, the app reads Workday data as that user. When the client is created, anyone building in a project can ask Lovable in chat to connect it to their project (based on configured client-level access). Your published apps can then let each user connect their own Workday account and read their HCM data.

Limitations

The Workday connector cannot:
  • Provide a shared, workspace-wide Workday connection. Every request runs as an individual app user who has connected their own Workday account.
  • Exceed the functional areas configured on the API client or the connected user’s own Workday permissions. A 403 response means the API client lacks that functional area or the user lacks access in Workday.
  • Keep users connected past your tenant’s refresh token timeout unless the API client uses non-expiring refresh tokens. With the default 30-day timeout, users must reconnect after a month of inactivity.
If a user revokes authorization on the Workday side, they need to reconnect in your app before API calls can succeed again.

Manage the Workday client

  • Users can disconnect their own Workday account at any time, which revokes their stored tokens.
  • Edit the client from ConnectorsWorkday to update credentials or change who can use it.
  • Deleting the client removes Workday access for every user in the linked projects.
See Integration security for how credentials are stored, rotated, and deleted.