# App connections
As the first step in the recipe building process, you must establish a connection between Workato and an app. This allows Workato to send and receive data from the app. Each connection corresponds to one app instance (such as a user account); recipe builders can reuse the same connection across multiple recipes.
You must establish a valid connection before you configure triggers and actions to retrieve data necessary for recipe construction, such as custom objects and fields, picklist values, and other metadata.
# Connecting your app to Workato
Connect to an app by authenticating with the app via Workato and giving Workato permission to access the data.
There are two ways to connect your app:
- As part of creating a recipe: open a new recipe, select an app, and select a trigger or action.
- To establish several app connections: navigate to the Assets > Connections view and click Create connection.
Workato typically uses the app's authorization/authentication API to establish the connection, using one of the following methods:
- OAuth 2.0
- OAuth 1.0 (and variations)
- Basic authentication
- API key or secret
As part of this step, you grant Workato permission to access data from the app. The exact permissions granted to Workato usually correspond to the permissions of the connected app user.
For more information on connecting to a specific app, refer to the specific connector documentation.
# Example: Authentication flow for Salesforce
The following recipe requires both a Salesforce and a Zendesk connection, both of which use OAuth 2.0. The Connection tab within the recipe shows further details about the app connections.
Recipe syncing new/updated Salesforce accounts to Zendesk as organizations. Example recipe
The following shows the Connections tab. Zendesk is connected, but the Salesforce connector has no connection established yet.
Recipe without a Salesforce connection established
Clicking the Connect button opens a popup that requests Salesforce login credentials. Salesforce uses the standard OAuth 2.0 authentication flow, so usernames and passwords are provided only to Salesforce. Providing these credentials assures Salesforce that the user is giving permission for Workato to access their Salesforce data.
After you provide credentials, Salesforce appears as Connected. Now you can use this connection to create and run the recipe.
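The flow described above, seen from the side of an app that connects on a user's behalf, as an added illustration (not Workato's code): the integration only builds a redirect to Salesforce and receives back an authorization code, never the user's password. `CLIENT_ID`, `REDIRECT_URI`, and the function names are constructed for this example.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Salesforce's OAuth 2.0 authorization endpoint.
AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
# Constructed placeholders: a real integration gets these when it registers with the app.
CLIENT_ID = "EXAMPLE_CLIENT_ID"
REDIRECT_URI = "https://integration.example/oauth/callback"


def start_authorization():
    """Return (state, url). The user's browser is sent to url and logs in at Salesforce."""
    state = secrets.token_urlsafe(32)  # unguessable value bound to this browser session
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    return state, f"{AUTHORIZE_URL}?{query}"


def handle_callback(callback_url, expected_state):
    """Validate the redirect back from Salesforce and return the authorization code."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:  # user denied consent, or the request was rejected
        raise PermissionError(params["error"][0])
    returned_state = params.get("state", [""])[0]
    # Reject callbacks that do not belong to the flow this session started.
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]


def token_request_body(code, client_secret):
    """Form body the integration POSTs server-to-server to exchange the code for tokens."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "redirect_uri": REDIRECT_URI,
    }
```

No step in the exchange carries a username or password field; the integration's access is bounded by what the consenting user is allowed to do in the app.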
# Integration user
We recommend that you create a dedicated integration user account in the app to connect with Workato. Since this account is not associated with a human user, recipes will continue to run seamlessly if the recipe builder changes their login credentials or leaves the company. Additionally, it ensures Workato can access the necessary data to run a recipe and reduces the security risk of giving a human user more permissions than necessary for their role in the company.
Apps have different granularity when it comes to defining user roles and permissions. Refer to the specific connector documentation for more information on the required permissions.
# Using connections
Typically, a company has only a single instance of an app, and may have another instance for testing. A user therefore needs just one connection for multiple recipes that work with the same app instance.
In cases where there is more than one app instance to connect to (such as when working with sandboxes and production organizations or teams), create multiple connections, each authenticated with a separate instance.
Most Workato connectors allow only one connection to an app within a recipe. There are some connectors which allow you to work with two app instances within the same recipe.
Refer to secondary connectors to find out more.
# App connection errors
On occasion, app connections can become invalid for several reasons:
- app credentials were changed and the connection wasn't updated correspondingly in Workato
- connected user doesn't have the right set of permissions to read/write selected records
- permissions of the connected user were changed to a reduced scope
In such cases, reconnecting, or verifying that the connected user has permission to read/write the records used in the recipes, should successfully re-establish the connection.
Design-time errors for app connection errors