Passer au contenu principal


Workday Adaptive Planning Knowledge Center

Making Adaptive Insights API Requests with Workday Credentials

Describes how to make Adaptive Insights API Requests with Workday Credentials

Workday-synchronized users who log in to Workday and use the Adaptive Insights Worklet can run Adaptive Insights public APIs. These users must provide a token in the credentials element of Adaptive Insights API requests instead of a username and password. You can cache this token and use it until it expires. After it expires, you must get a new token.

Avant de commencer

Workday Domain and Security Groups

  • Verify the users who need API access are part of the Set Up: Adaptive Insights API Access domain and security group.

Workday Setup Tasks

  • Verify that Single Sign-On and User Sync tasks are enabled within the User Sign-on tab in the Adaptive Insights tab.
  • Verify the Public API setup task is enabled within the Public API tab in the Adaptive Insights tab.
  • Verify an integration system user (ISU) setup task created an ISU and mapped it to an Adaptive Insights user account.

Adaptive Insights User Admin

  • Verify you see the ISU beginning with PublicAPIISU_  in the users list within Administration > Users.
  • Verify this user has the level access needed for the APIs they want to run. New ISUs don't receive level access by default.

Register Workday API Client

  • Verify your Registered an API Client with Client Grant Type: JWT Bearer token in Workday.
  • Verify you copied a x.509 certificate into the x.509 Certificate in Workday.
  • For Redirection URL enter

Flow for Generating a Credential Token

  1. Use the private key and generate the JWT token by running pseudo code.
  2. Get the Bearer Token by calling the AccessToken endpoint and passing grant_type and assertion.
  1. Get the Adaptive Public API Token by calling the Workday endpoint using that bearer token.
  1. Call the Adaptive Insights API using the publicAPIToken in the credentials element.

Sample Java Application for Generating a Credentials Token

This sample Java application generates a JWT token that replaces the username and password in the credentials element of an Adaptive Insights API request.

// File:
// Copyright 2004-2019 Adaptive Insights LLC, a Workday company.
// All Rights Reserved.
// This work contains trade secrets and confidential material of
// Adaptive Insights LLC, a Workday company and its use or disclosure in whole or in part
// without the express written permission of Adaptive Insights LLC, a Workday company is prohibited.

import java.text.MessageFormat;
//import java.util.Base64;

import org.apache.commons.codec.binary.Base64;

    public class AccessAdaptiveAPI
        public static void main(String args[])
            String jwtKeyStoreFileString = "/Library/Java/JavaVirtualMachines/jdk1.8.0_172.jdk/Contents/Home/jre/lib/security/JWTkeystore.jks";
            String clientIDString = "BlywNDM1NmMtZTk2Mi00NTZiTWEyZjktZWM1NGJiOGQ3Yjca";
            String userIdString = "PublicAPIISU_Test";
        public void callAPI()
        public String getAdaptiveAPIToken()
            return "";
        public String getJWTToken(String privateKey, String username)
            return "";
        public void callWorkdayAPI()
        public static String GetAccessToken(String clientId, String userId, String jwtKeyStore) {

            String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
            String claimTemplate = "'{'\"iss\": \"{0}\", \"sub\": \"{1}\", \"aud\": \"{2}\", \"exp\": \"{3}\"'}'";

            try {
                StringBuffer token = new StringBuffer();

                //Encode the JWT Header and add it to our string to sign

                //Separate with a period

                //Create the JWT Claims Object
                String[] claimArray = new String[4];
                claimArray[0] = clientId;
                claimArray[1] = userId;
                claimArray[2] = "wd";
                claimArray[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
                MessageFormat claims;
                claims = new MessageFormat(claimTemplate);
                String payload = claims.format(claimArray);

                //Add the encoded claims object

                //Load the private key from a keystore
                KeyStore keystore = KeyStore.getInstance("JKS");
                keystore.load(new FileInputStream(jwtKeyStore), "Workday123!".toCharArray());
                PrivateKey privateKey = (PrivateKey) keystore.getKey("Workday", "Workday123!".toCharArray());

                //Sign the JWT Header + "." + JWT Claims Object
                Signature signature = Signature.getInstance("SHA256withRSA");
                String signedPayload = Base64.encodeBase64URLSafeString(signature.sign());

                //Separate with a period

                //Add the encoded signature
                return token.toString();

            } catch (Exception e) {
            return "";

Sample C# Application for Generating a Credentials Token

This sample C# application generates a JWT token that replaces the username and password in the credentials element of an Adaptive Insights API request.

This sample code requires a NuGet page.
Required NuGet package: System.IdentityModel.Tokens.Jwt  

            var clientId = "BlywNDM1NmMtZTk2Mi00NTZiTWEyZjktZWM1NGJiOGQ3Yjca";//Client ID from workday API Client
            var isu = "PublicAPIISU_Test"; //the ISU 
            var timeout = (DateTimeOffset.UtcNow.ToUnixTimeMilliseconds() / 1000 + 300).ToString(CultureInfo.InvariantCulture);
            var environment = "wd";
            var pfxFilePath = @"C:\temp\JWTkeystore2.pfx";
            var pfxPassword = "Workday123!";

            var payload = new JwtPayload
                {"iss", clientId},
                {"sub", isu},
                {"aud", environment},
                {"exp", timeout },

            var signingCredentials = new X509SigningCredentials(new X509Certificate2(pfxFilePath, pfxPassword), SecurityAlgorithms.RsaSha256); // the matching PKCS #12 file with private key
            var jwtHeader = new JwtHeader(signingCredentials);

            var secToken = new JwtSecurityToken(jwtHeader, payload);
            var handler = new JwtSecurityTokenHandler();
            var tokenToWorkday = handler.WriteToken(secToken);

Workday Credentials in Adaptive Insights API Requests

Once you set up Workday for Adaptive Insights public API access, the credentials element of Adaptive Insights API requests use a token instead of a username and password. Basic authentication with username and password won't work.

Example Workday Credential in an Adaptive Insights API Request

<?xml version='1.0' encoding='UTF-8'?>
<call method="exportLevels" callerName="a string that identifies your client application">
    <credentials token="ID eyJhbDci0iJSUzUxMiIsUmtpZCI6IdvcmtkYXlfa2V5In0.eyJpc3KiOiJXb3JrZGFZIiwiYXV0aF90aW1lIjoxNTczMTY3NjU2LBjzeXnfynnJd.bztQzBmHeTj1amnHA-r96TdrJK0MXMghUFF1KyjxqIq6ruHU63dJp3JAJn3Eche7SEcoZBVGX4wJgna106pmCqgrrVWMf13Hg_sb_szabal2XN1KEEk1qh8z1IDlbt6qJIL_xyW3J2nNSs5ima3vJUYU5sRQXwXst0GuFWXpy464GyB4oKcscrg28X3dnPO_ytdohMKHsWkqyHQKXFQwoQezFaGy10sp4RRUj0lpOZX8C9oBHDYA58IXxGkqKLJVNPvDND6rGY5fTHQ-yxpe1nz-WqB0boiq9a-dv8b3EBzbelxj2fCPdMbng6kzygDcA2at_7BNQiyzfIovS5AG"/>
    <include versionID="3" inaccessibleValues="false"/>
    <sheet id="3" />


  • Cet article vous a été utile ?