Register your application in the UKG developer portal and obtain client credentials.
POST to the tenant OAuth token endpoint with your client_id and client_secret to obtain a Bearer access token.
Include the token in the Authorization header of every WFM API request: Authorization: Bearer YOUR_TOKEN.
Omit any appkey header or query parameter — as of 2024.R1 the appkey is no longer required and is ignored if present.
Refresh the access token before it expires using the same token endpoint; do not cache it indefinitely.
Known gotchas
Prior to 2024.R1 some UKG WFM API calls required an appkey header; that requirement was removed in 2024.R1 and the field is now ignored — passing it causes no error but serves no purpose.
The OAuth token endpoint URL is tenant-specific; use the base URL provided in your UKG tenant configuration, not a generic placeholder.
Access tokens are short-lived; build token-refresh logic into your client rather than requesting a new token on every call.
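The steps and the token-refresh gotcha above, as an added Python sketch that is not UKG's own code. Assumptions: the token request is a form-encoded client_credentials grant and the response carries access_token and expires_in as in RFC 6749 (confirm both against your tenant's documentation); the names fetch_token, TokenCache and TOKEN_URL are hypothetical.

```python
import json
import time
import urllib.parse
import urllib.request


def fetch_token(token_url, client_id, client_secret):
    """POST the client credentials and return the parsed JSON token response.
    Assumption: form-encoded client_credentials grant (RFC 6749, section 4.4)."""
    if not token_url.startswith("https://"):
        raise ValueError("refusing to send client_secret over a non-HTTPS URL")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(token_url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Reuses one Bearer token across calls and refreshes it before expiry."""

    def __init__(self, fetch, margin=60, clock=time.monotonic):
        self._fetch, self._margin, self._clock = fetch, margin, clock
        self._token, self._expires_at = None, 0.0

    def token(self):
        now = self._clock()
        # Refresh `margin` seconds early so a request never carries a stale token.
        if self._token is None or now >= self._expires_at - self._margin:
            resp = self._fetch()
            self._token = resp["access_token"]
            # Assumption: expires_in is the token lifetime in seconds.
            self._expires_at = now + float(resp["expires_in"])
        return self._token

    def headers(self, extra=None):
        """Build request headers: Bearer token set, legacy appkey header dropped."""
        out = {k: v for k, v in (extra or {}).items() if k.lower() != "appkey"}
        out["Authorization"] = "Bearer " + self.token()
        return out


# Wiring (TOKEN_URL is your tenant-specific endpoint; read secrets from the
# environment or a secret store, never from source):
# cache = TokenCache(lambda: fetch_token(TOKEN_URL, os.environ["UKG_CLIENT_ID"],
#                                        os.environ["UKG_CLIENT_SECRET"]))
```

The fetch callable and the clock are injected so the refresh behaviour can be tested without network access or real credentials.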