The Workiva Developer API is secured using an OAuth 2.0 Client Credentials
Grant implementation. This authentication flow follows three steps:
- Obtain a client id and client secret.
- Using the client id and client secret, make a POST request to the
oauth2/token endpoint to exchange these credentials for a bearer
- When accessing the REST API, use the bearer token to authenticate.
Keep in mind that the consumer key/secret pair and the bearer token itself
grant access to make requests on your behalf. These values should be
considered as sensitive as passwords and must not be shared or distributed to untrusted parties.
This manner of authentication is only secure if SSL is used. Therefore,
all requests must use HTTPS.
Making Authenticated Requests
Step 1. Obtain a Client Id and Client Secret
First, make sure you have your client id and client secret handy. Store these
Step 2. Exchange Client Credentials for a Bearer Token
The client id and client secret must be exchanged for a bearer token by issuing
a POST request to
- The request must be an HTTPS POST request.
- The request must include a Content-Type header with the value of
- The body of the request must include
POST /iam/v1/oauth2/token HTTP/1.1
HTTP/1.1 200 OK
Date: Thu, 19 Jan 2017 19:41:37 GMT
"scope": "data_tables|r data_tables|w",
The value associated with the access_token field in the response is the
bearer token to use on subsequent requests.
Step 3. Authenticate API requests with the Bearer Token
The bearer token obtained in Step 2 is used to issue requests to Workiva
Developer API endpoints. To use the bearer token, construct a normal HTTPS
request and include an Authorization header with the value of
Authorization: Bearer ey...
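
The following Python sketch walks through Steps 2 and 3 and is an added example, not Workiva's own code. The host `api.example.invalid`, the function names, and the form fields and Content-Type value (taken from the standard RFC 6749 client credentials request) are assumptions to confirm against the API reference.

```python
import json
import urllib.parse
import urllib.request

TOKEN_PATH = "/iam/v1/oauth2/token"  # path shown in Step 2


def build_token_request(base_url, client_id, client_secret):
    """Step 2: build the token POST; refuse anything that is not HTTPS."""
    parts = urllib.parse.urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("token endpoint must be an https:// URL")
    # Assumed field names (RFC 6749 client credentials). Credentials go in
    # the body, never the query string, so they stay out of URL logs.
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    return urllib.request.Request(
        base_url.rstrip("/") + TOKEN_PATH, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw):
    """Return (bearer_token, scopes) from the JSON token response."""
    doc = json.loads(raw)
    token = doc.get("access_token") if isinstance(doc, dict) else None
    if not isinstance(token, str) or not token:
        raise ValueError("token response has no access_token")
    return token, doc.get("scope", "").split()


def auth_header(token):
    """Step 3: the header to attach to each API request."""
    return {"Authorization": "Bearer " + token}


if __name__ == "__main__":
    # Constructed sample values. In real use, read the secret from the
    # environment or a secret store and send req with
    # urllib.request.urlopen(req, timeout=10).
    req = build_token_request("https://api.example.invalid",
                              "constructed-id", "constructed-secret")
    sample = ('{"access_token": "ey.constructed", '
              '"scope": "data_tables|r data_tables|w"}')
    token, scopes = parse_token_response(sample)
    print(req.get_method(), req.full_url, "scopes:", scopes)
    print(sorted(auth_header(token)))  # header names only, never the token
```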