Product UpdatesStatus PageWorkato Academy
English
Get a trial
MCP server registry
Prebuilt MCP servers

# Workday End User MCP server

The Workday End User MCP server enables your LLM to access employee self-service workflows within Workday HCM through natural conversation. It provides tools to manage everyday HR tasks by allowing you to check your profile and reporting chain, view your team if you're a manager, check time-off balances, submit or cancel time-off requests, and approve or reject requests without requiring direct interaction with the Workday interface.

# Uses

Use the Workday End User MCP server when you plan to perform the following actions:

  • View your employee profile, including job title, manager, and contact details
  • Check who your direct manager is
  • View your complete reporting chain
  • See your direct reports if you're a manager
  • Check your time-off balances by type
  • View your time-off request history and status
  • Submit new time-off requests
  • Cancel pending time-off requests
  • View time-off requests for your direct reports
  • Approve or reject time-off requests for team members
  • List available time-off types
  • Get details about specific time-off plans

# Example prompts

  • What's my job title and who is my manager?
  • Show me my complete reporting chain.
  • Who are my direct reports?
  • How much PTO do I have available?
  • Show me my time-off request history.
  • Request 3 days of vacation for next week.
  • Cancel my pending PTO request.
  • Who on my team has pending time-off requests?
  • Approve Mei's vacation request.
  • What types of time off can I request?

# Workday End User MCP server tools

The Workday End User MCP server provides the following tools:

Tool Description
get_my_profile Retrieves the employee's core worker profile information.
get_my_manager Retrieves the employee's direct manager information.
get_my_reporting_chain Retrieves the employee's upward reporting hierarchy.
list_my_direct_reports Retrieves a manager's direct reports and their core profile information.
get_my_time_off_balances Retrieves the employee's time-off balances grouped by type.
list_my_time_off_requests Retrieves the employee's time-off requests across all states.
submit_time_off_request Submits a new time-off request for the employee.
cancel_time_off_request Cancels a pending time-off request.
list_team_time_off_requests Retrieves time-off requests for a manager's direct reports.
action_time_off_request Approves or rejects a time-off request for a direct report.
list_time_off_types Retrieves the employee's available time-off types.
get_time_off_plan Retrieves configuration details for a specific time-off type.

# Install the Workday End User MCP server

Complete the following steps to install a prebuilt MCP server to your project:

1

Sign in to your Workato account.

2

Go to AI Hub > MCP servers.

3

Click + Create MCP server.

4

Go to the Start with a template section and select the prebuilt MCP server you plan to use.

5

Click Use this template.

6

Provide a name for your MCP server in the MCP server name field.

7

Go to the Connections section and connect to your app account.

8

Select the connection type you plan to use for the MCP server template.

  • User's connection: MCP server tools perform actions based on the identity and permissions of the user who connects to the application. Users authenticate with their own credentials to execute the skill.
  • Your connection: This option uses the connection established by the recipe builder and follows the same principles as normal app connections.

Select your connection typeSelect your connection type

VERIFIED USER ACCESS AUTHENTICATION REQUIREMENTS

Only app connections that use OAuth 2.0 authorization code grant are available for user's connection. Refer to Verified user access for more information.

9

Complete the app-specific connection setup steps in the following section.

# Workday End User tenant ID configuration

You must configure the tenant ID for your Workday End User MCP server at the project level.

Complete the following steps to configure your tenant ID:

View the Workday End User tenant ID configuration steps
1

Sign in to your Workato account and go to Projects.

2

Go to the project that contains your MCP server.

3

Click the Settings tab.

Click the Settings tabClick the Settings tab.

4

Select Project properties.

5

Go to the WORKDAY_TENANT_ID property and click the Edit (pencil) icon.

Click the Edit (pencil) iconClick the Edit (pencil) icon.

6

Go to the Value field and enter your Workday tenant ID. You can find your tenant ID in your Workday URL. For example, your tenant ID is acme_company if your URL is https://impl.workday.com/acme_company/d/home.html

# Workday connection setup

The Workato Workday connector is categorized into three distinct types: the main Workday connector, the Workday Web Services connector, and the Workday REST connector. Each type follows a similar authentication pattern but differs slightly in support capabilities and functionalities.

We recommend that you create an Integration System User (ISU) before you integrate your Workday with Workato. An ISU ensures that all integration operations are logged under a designated user, separate from regular workflow processes. This is essential as changes to a regular worker’s security profile or their termination could disrupt integrations reliant on their account. Limit each ISU to a single integration system, such as Workato, for enhanced security.

The Workday REST API requires authentication through an OAuth client setup. This means you must register a Workday API client if your integration includes Workday custom objects.

# Register Integration System User in Workday

Your Integration System User (ISU) must be assigned the required permissions to create a successful integration. You may receive a 403 error if your ISU has insufficient permissions.

403 error Error message when ISU doesn't have enough permissions

A 403 error may indicate that the ISU lacks the required domain-level permissions. Refer to the Grant domain access to security group section to ensure that your ISU is granted the appropriate permissions.

View ISU setup steps

# Create an Integration System User

Complete the following steps to create an ISU in Workday:

1

Type Create Integration System User into Workday's search bar and select the task from the results.

Search for Create Integration System User task in Workday Search for Create Integration System User task in Workday

2

Enter a username and set a password in the Create Integration System User task.

Create integration system user Create Integration System User

3

Set Session Timeout Minutes to 0 to prevent the ISU from timing out.

4

Select the Do Not Allow UI Sessions checkbox to enhance security by restricting UI logins.

5

Go to the Maintain Password Rules task.

6

Exempt the integration system user from password expiration by adding them to the System Users exempt from password expiration field.

Exempt ISU user from password expiration Exempt ISU from password expiration

# Create an integration security group

Complete the following steps to create either an unconstrained or constrained integration system security group and then assign your newly created ISU:

1

Search for Create Security Group in Workday and select the corresponding task.

Select the Create Security Group task in Workday Select the Create Security Group task in Workday

2

Locate the Type of Tenanted Security Group field, and select and name your security group. Workday offers two types of integration system security groups:

  • Integration System Security Group (Unconstrained): Allows group members to access all data instances secured by the group.

  • Integration System Security Group (Constrained): Grants access to a subset of data instances based on context.

Choose the security group type in Workday Choose the security group type

Contact your Workday integration partner before selecting an option to ensure that the appropriate security group type is used for your integration.

3

Assign members to your newly created security group. You must add the ISU you registered in the preceding steps. You must also specify the organization scope if you plan to use a constrained group.

Add ISU to the security group Add ISU to the security group

4

Select Done to save all changes.

# Grant domain access to security group

Complete the following steps to grant your security group access to the domains required for your integration:

1

Search for Maintain Permissions for Security Group in Workday and select the task.

Select the Maintain Permissions for Security Group task Select the Maintain Permissions for Security Group task

2

Choose the security group you created from the Source Security Group list to modify the permissions.

Choose the created security group Select the created security group

3

Click OK to confirm your selection.

4

Go to the Maintain Permissions for Security Group > Domain Security Policy Permissions tab and assign the necessary permissions for each domain, such as GET and PUT operations.

Assign perissions for each domain Assign permissions for each domain

5

Ensure the security group has GET permissions for the following domain security policies:

  • Integration Build
  • Integration Process
  • Integration Debug
  • Integration Event
  • Worker Data: Current Staffing Information
  • Worker Data: Public Worker Reports
6

Click OK to apply the permissions.

7

Click Done to save your changes.

# Activate security policy changes

You must activate permissions you assign to your policy.

Complete the following steps to activate security policy changes:

1

Type Activate Pending Security Policy Changes into Workday's search box and select the task.

Search for the Activate Pending Security Policy Changes task in Workday Search for the Activate Pending Security Policy Changes task

2

Start the Activate Pending Security Policy Changes task by entering a reason for your audit in the comment field, then click OK.

Enter a comment Enter a comment for audit purposes

3

Select the Confirm checkbox to complete the task and click OK.

Create integration system user Activate the policy changes

# Register a new API client for integrations

This step is required only if you plan to work with custom objects in Workday.

Ensure you meet the following prerequisites before you begin registering a new API client for integrations in Workday:

Complete the following steps to register an API client for integrations in Workday:

1

Search for Register API Client for Integrations in Workday's search field.

Select the Register API client for integrations task Select the Register API client for Integrations task

2

Select the Register API Client for integrations task to access the registration page.

Register API client for integrations Register API client for integrations

3

Enter a name for your API client in the Client Name field.

4

Select the Non-Expiring Refresh Tokens option.

5

Specify the scope of access for the API client. Ensure to include the Integration scope, which covers essential domain security policies such as Integration Build, Integration Debug, Integration Process, and Integration Event. Including this scope is a minimum requirement for establishing a connection with Workday, in addition to any specific call operations required for your integration.

6

Click OK to generate the Client ID and Client Secret.

Generate API client credentials Generate API client credentials

7

Save the Client Secret and Client ID.

8

Click Done.

# Generate a non-expiring refresh token

Complete the following steps to create a non-expiring refresh token for your API client:

1

Type View API Clients in the search field in Workday.

2

Open the View API Clients report from the search results.

Access the report Access the View API Clients report

3

Go to the API Clients for Integrations tab.

4

Select the API client you registered in the preceding steps.

5

Click the ellipsis (...) next to the client name and choose API Client > Manage Refresh Tokens for Integrations for token management.

Select the option to manage refresh tokens Manage refresh tokens for the API client

6

Input the Workday account of a user authorized to access the custom report in the Workday Account field.

Input an authorized Workday account Enter an authorized Workday account

7

Click OK.

8

Go to the Delete or Regenerate Refresh Token page and select the Generate New Refresh Token option.

Generate a new refresh token Generate a new refresh token

9

Click OK.

10

Copy the refresh token from the Successfully Regenerated Refresh Token page.

Copy the generated refresh token Copy the generated refresh token

11

Click Done to complete the process.

# Find your token endpoint URL

Complete the following steps to find your token endpoint URL in Workday:

1

Enter View API Clients into the search field in Workday.

2

Access the View API Clients report from the search results.

3

Save the URLs listed in the Token Endpoint and Authorization Endpoint fields. These URLs are required for the OAuth 2.0 connection.

Save the token endpoint and authorization endpoint URLs Save the token endpoint and authorization endpoint URLs

# OAuth 2.0 authentication

Complete the following steps to configure your Workday connection in Workato using OAuth 2.0 authentication:

View OAuth 2.0 authentication steps

OAuth 2.0 authentication is required if you plan to work with the Workday REST API or custom objects. We recommend that you avoid using the deprecated Hybrid authentication method.

1

Enter a unique Connection name to identify your Workday account in Workato.

Workday connection Label your connection

2

Use the Location drop-down to select the project or folder to store this connection.

3

Choose OAuth 2.0 as the Authentication type. This method is required for working with custom objects and for querying data using Workday Query Language (WQL) with the Workday REST API.

4

Select the Workday web services version appropriate for your Workday tenant. We recommend choosing the newest version available for access to the latest features and updates.

5

Locate and enter your Tenant ID. You can find your tenant ID in your Workday URL. For example, your tenant ID is sample_company if your URL is https://impl.workday.com/sample_company/d/home.htmld.

6

Provide the WSDL URL associated with your Workday services.

7

Enter the Client ID and Client Secret from your API client settings.

8

Provide your Refresh token if using an API client for integrations.

9

Enter your Authorization endpoint and Token endpoint from your API Client settings to complete the OAuth flow.

10

Select the Workday tenant timezone that matches your Workday tenant's settings. Workday uses Pacific Standard Time (PST) by default.

11

Click Advanced settings to configure the Advanced XML payload for multiple ID values.

Workato wraps each value in fields with multiple values within its own container by default when constructing the XML from your input.

For example:

<languages><language>english</language></languages><languages><language>chinese</language></languages>

Workato unwraps these values and presents them in a single container if you set the value to Yes:

<languages><language>english</language><language>chinese</language></languages>

Consider enabling this when you encounter invalid payload errors.

12

Review the information you entered to ensure it is correct.

13

Click Connect to initiate the authorization process and complete the connection setup.

# Basic authentication

Complete the following steps to set up your Workday connection in Workato with basic authentication:

View Basic authentication steps
1

Enter a unique Connection name to identify your Workday account in Workato.

Workday connection Label your connection

2

Use the Location drop-down to select the project or folder to store this connection.

3

Select Basic as the Authentication type. This method uses your Workday username and password for integration.

4

Locate and enter your Tenant ID. You can find your tenant ID in your Workday URL. For example, your tenant ID is sample_company if your URL is https://impl.workday.com/sample_company/d/home.htmld.

5

Provide the WSDL URL associated with your Workday services.

6

Provide your Workday Login name and Password.

7

Select your Workday tenant timezone that matches your Workday tenant's settings. Workday uses Pacific Standard Time (PST) by default.

8

Click Advanced settings to configure the Advanced XML payload for multiple ID values if required. Fields with multiple values are wrapped within a container by default. Set this option to yes to unwrap the values.

9

Review the information you entered to ensure it's correct.

10

Click Connect to initiate the authorization process and complete the connection setup.

# How to use Workday End User MCP server tools

Refer to the following sections for detailed information on available tools:

# get_my_profile tool

The get_my_profile tool retrieves your worker profile information, including job title, manager, location, contact details, employment status, and hire date. Your LLM uses this tool to retrieve information about your employee profile.

Try asking:

  • What's my job title?
  • Show me my employee profile.
  • Who is my manager?
  • What's my work location?
  • When did I start working here?

# get_my_manager tool

The get_my_manager tool retrieves your direct manager information. Your LLM uses this tool to retrieve your manager's information.

Try asking:

  • Who is my manager?
  • Show me my direct manager's information.
  • Who do I report to?
  • Get my manager's contact details.

# get_my_reporting_chain tool

The get_my_reporting_chain tool retrieves your upward reporting hierarchy. Your LLM uses this tool to retrieve your management hierarchy or to see who your manager reports to.

Try asking:

  • Show me my complete reporting chain.
  • Who does my manager report to?
  • What's my management hierarchy?
  • Show me the chain of command up to the CEO.

# list_my_direct_reports tool

The list_my_direct_reports tool retrieves your direct reports and their profile information. Your LLM uses this tool to see who reports to you or view your team.

Try asking:

  • Who are my direct reports?
  • Show me my team.
  • List everyone who reports to me.
  • Get the profiles of my direct reports.

# get_my_time_off_balances tool

The get_my_time_off_balances tool retrieves your time-off balances grouped by type. Your LLM uses this tool to check your PTO, vacation, or sick leave balances.

Try asking:

  • How much PTO do I have available?
  • Show me my vacation balance.
  • What's my sick leave balance?
  • How many days off do I have remaining?

# list_my_time_off_requests tool

The list_my_time_off_requests tool retrieves your time-off requests across all states. Your LLM uses this tool to view your PTO history or to check the status of your request.

Try asking:

  • Show me my time-off request history.
  • What PTO requests do I have pending?
  • List all my vacation requests from this year.
  • What's the status of my time-off requests?

# submit_time_off_request tool

The submit_time_off_request tool submits a new time-off request. Your LLM uses this tool to request time off.

Try asking:

  • Request 3 days of vacation for next week.
  • Submit a PTO request for December 20-22.
  • Request sick leave for tomorrow.
  • I need to take vacation from March 1-5.

# cancel_time_off_request tool

The cancel_time_off_request tool cancels a pending time-off request. Your LLM uses this tool to cancel a pending request.

Try asking:

  • Cancel my pending PTO request.
  • Cancel my vacation request for next week.
  • Remove my time-off request for March 1-5.
  • I need to cancel my pending sick leave request.

# list_team_time_off_requests tool

The list_team_time_off_requests tool retrieves time-off requests for your direct reports. Your LLM uses this tool to see who is out or which requests are pending for your team.

Try asking:

  • Who on my team has pending time-off requests?
  • Show me vacation requests from my direct reports.
  • What PTO requests need my approval?
  • Who on my team is taking time off next week?

# action_time_off_request tool

The action_time_off_request tool approves or rejects a time-off request for a direct report. Your LLM uses this tool to approve or reject a team member's request.

Try asking:

  • Approve Josh's vacation request.
  • Reject the PTO request from Marco with a note about coverage.
  • Approve the time-off request for March 1-5.
  • I need to deny this sick leave request.

# list_time_off_types tool

The list_time_off_types tool retrieves your available time-off types. Your LLM uses this tool when you need to know what types of time off are available.

Try asking:

  • What types of time off can I request?
  • Show me all available PTO types.
  • What are my time-off options?
  • List the different types of leave I can take.

# get_time_off_plan tool

The get_time_off_plan tool retrieves configuration details for a specific time-off type. Your LLM uses this tool to retrieve details about a specific time-off plan.

Try asking:

  • What are the details of the vacation plan?
  • Show me the sick leave policy details.
  • Get information about the parental leave plan.
  • What's the accrual rate for PTO?

# Getting started

View and manage your MCP server tools in the Overview page Tools section. Tool management provides the following capabilities:

TOOLS MUST BE STARTED

Your LLM can only access active tools in your MCP server connector.

Stripe Billing Operations
Zoom Meetings


Last updated: 3/11/2026, 4:49:13 PM

On this page