# Connections
SUMMARY
- Workato connects to apps to build recipes, with each connection reusable across multiple recipes.
- Connections require the "Create Connections" privilege and use the app's authentication API with various methods like OAuth or Basic authentication.
- Workato's data access is tied to the user's permissions, and connections can be made within the recipe editor or through the connection wizard.
- Multiple app instances require distinct connections.
Watch a quick video guide
A connection authorizes a recipe to interact with apps through triggers and actions.
When you start building a recipe, the first step is establishing a connection between Workato and an app.
Each connection is associated with one instance of the app, such as a user account, and can be re-used across recipes.
# Basics
- Who can create connections?
- How does Workato access my connections?
- What data can Workato access in my connections?
# Who can create connections?
You must have the Create Connections privilege to create a connection.
Refer to the Create connections section for instructions.
# How does Workato access my connections?
Workato typically uses the app's authorization/authentication API to establish the connection, using one of the following methods:
- OAuth 2.0
- OAuth 1.0 (and variations)
- Basic authentication (username and password)
- API key or secret
As part of this step, you provide Workato with the permission to access data from the app. The permissions granted to Workato usually correspond with those of the user authorizing the app.
Refer to the connector documentation for your app for more information on how to connect it to Workato.
# What data can Workato access in my connections?
Workato can only access the same data the user authorizing the connection has access to.
For example, if you only have access to view accounts in Salesforce and you create a Salesforce connection in Workato, Workato can only view accounts.
# Create connections
There are two ways to connect apps in Workato:
CUSTOM OAUTH PROFILES
You can use custom OAuth profiles when you create connections to supported apps. This lets you control scopes, branding, app ownership, and more.
# In the recipe editor
Complete the following steps to add a connection while in the recipe editor:
In the recipe editor, click an app from the side menu.
Click the trigger or action you plan to use.
Follow the prompts and setup guide for the app.
# In the connection wizard
You can access the connection wizard from several locations in Workato:
- Assets > Create > Connection
- Assets > Recipes > Create > Connection
- Any project > Create > Connection
# Use connections in recipes
ESTABLISH CONNECTIONS FIRST
You must establish a valid connection to each app you plan to integrate with Workato before you can configure any recipe triggers or actions.
# Multiple app instances, one recipe
Most users typically have one or two instances of an app, such as one instance for production and another instance for testing.
When you have multiple instances of an app, you should create multiple connections in Workato. Each connection should authenticate to each instance of the app.
Most connectors only allow one connection per app, per recipe. You can use secondary connectors if you need to work with two separate instances of an app.
SECONDARY CONNECTORS
Workato doesn't support secondary connectors for all Workato connectors.
If the apps you plan to use don't have secondary connectors, then you can only use one connection per app, per recipe.
If you try to connect to multiple instances of an app that doesn't support secondary connectors within the same recipe, Workato prevents you from doing so. When you create the second connection, it automatically overrides your first connection and replaces it with the second connection.
For example, consider a scenario where you have a trigger called New email in Gmail that uses the My Gmail account connection. If a subsequent step in the recipe also involves a Gmail action, it must use the same connection. If you attempt to use a different connection, such as My second Gmail account, Workato updates the New email in Gmail trigger's connection to My second Gmail account.
# Runtime user connections
AVAILABLE IN CALLABLE & WORKBOT RECIPES
The runtime user connections feature is only available in Callable or Workbot recipes.
Recipes perform actions based on the credentials used to authorize the connection by default. However, you can use the Runtime user connection feature to swap out connections when a recipe runs.
For example, if you have a recipe that creates opportunities in Salesforce. The Salesforce connection currently uses a Sales Manager's credentials. Even though other sales reps are creating opportunities, all opportunities will show as created by the Sales Manager.
Learn more in the Runtime user connections documentation.
# Connection errors
On occasion, app connections can become invalid. These are the most common reasons:
Modified credentials
If credentials were changed in the app and not in Workato, the connection may become invalid.
Insufficient permissions
In this case, the user authorizing the connection doesn't have the permissions to access required data or perform certain actions.
If you encounter an invalid connection error:
Verify the authorizing user's permissions
Verify that the user who is authorizing the connection has sufficient permissions.
Verify that the connection's credentials are correct
Double-check that the password, API key, etc. is entered correctly.
Re-authorize the connection
If you've verified the user's permissions and credentials, try re-connecting the connection.
Design-time errors for app connection errors
# Best practices
# Create a dedicated user for Workato
Create a dedicated app user for Workato to ensure that recipes aren't dependent on the account of a human user. If someone leaves the company, recipes continue to run.
Creating a dedicated Workato user also allows you to tailor the permissions Workato has in the app and reduce security risk.
Apps have different granularity when it comes to defining user roles and permissions. Refer to the connector documentation for your app for more information.
# Use sandbox credentials for development
We recommend that you use sandbox (or non-production) credentials for your connections when developing and testing recipes. Using test data during development ensures that live data isn't accidentally altered.
Refer to the Use connections in recipes section for more information.
Last updated: 7/2/2025, 1:17:39 PM