Locate your Workday tenant's SOAP endpoint URL from the Workday Community or admin console; it follows the pattern https://<host>/ccx/service/<tenant>/<service>/<version>
Construct a SOAP envelope with a WS-Security UsernameToken header containing your integration system user (ISU) credentials — username and password — and the service-specific SOAP body
For the Human_Resources service, call Get_Workers with a Request_References or Request_Criteria element to scope the response; include Response_Filter for pagination using Page and Count fields
Iterate pages: inspect the total_pages value in the Response_Results element and repeat the request incrementing the Page value until all pages are consumed
Use an Integration System User (ISU) account with only the domain security policies required for the specific web service — avoid using a named-user account for integrations
Known gotchas
Workday SOAP API versions are tied to the endpoint URL; calling an older version URL against a tenant on a newer release can cause fields to be silently absent or operations to fail — always use the latest supported version URL your integration has been tested against
WS-Security PasswordDigest is supported but adds complexity; use PasswordText only over HTTPS, and ensure your HTTP client enforces TLS certificate validation to prevent credential exposure
Workday enforces strict security domain grants; a response with no workers and no error often means the ISU lacks the necessary security group membership rather than a genuine empty result set
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp