Build or identify a Workday custom report in the tenant; navigate to the report, then go to Actions > Web Service > View URLs to find the RaaS endpoint URL specific to that report.
The RaaS URL follows the pattern https://{hostname}/ccx/service/customreport2/{tenant}/{owner}/{reportName}; authenticate using Workday Integration System User (ISU) credentials via HTTP Basic auth.
Append '?format=json' to the URL for JSON output, or '?format=csv' for CSV; the default response format is XML — specify format explicitly to avoid parsing issues.
Create a dedicated Integration System User in Workday with minimal required permissions, assign it the correct security domain access, and use its credentials for API calls rather than a named user's credentials.
For large reports, use the 'As Of Effective Date' and pagination parameters if the report supports them; alternatively filter the report definition itself in Workday to limit result size before calling via RaaS.
Wrap the HTTP call in retry logic — Workday tenants can be temporarily unavailable during weekly maintenance windows, which are published per-tenant in the Workday Community.
Known gotchas
RaaS URLs are tied to the specific Workday user who owns the report; if that user is deactivated or their security role changes, the URL returns 403 — always assign report ownership to a service account, not a named employee.
Workday's web services (SOAP-based) and RaaS are distinct systems; what's possible via SOAP (full CRUD via the Workday SOAP API) differs from RaaS (read-only report output) — RaaS is simpler but has no write capability.
Tenant upgrades (twice yearly) can change report output structure if any referenced fields are renamed or deprecated; build schema validation into your pipeline rather than assuming field names are stable.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp