Summary and recommendation
Workiva exposes a REST Platform API at https://api.app.wdesk.com/platform/v1 authenticated via OAuth 2.0 (client_credentials or authorization_code flows).
Separate scopes gate read and write access for both users (iam:users:read, iam:users:write) and groups (iam:groups:read, iam:groups:write);
all scopes must be explicitly granted to the OAuth client by a workspace administrator.
All user operations are workspace-scoped to the OAuth client's associated workspace-cross-workspace automation requires separate client credentials per workspace.
This API is the foundation for building an identity graph that maps Workiva users, their roles, and group memberships across workspaces into a unified access model.
Pagination uses an opaque nextPageToken cursor with a maximum page size of 100;
do not construct token values manually.
Rate-limit thresholds and Retry-After behavior are not published in official documentation as of the research date-contact Workiva support before designing high-frequency polling loops.
API quick reference
| Has user API | Yes |
| Auth method | OAuth 2.0 (client credentials and authorization code flows) |
| Base URL | Official docs |
| SCIM available | Yes |
| SCIM plan required | Enterprise |
Authentication
Auth method: OAuth 2.0 (client credentials and authorization code flows)
Setup steps
- Log in to Workiva and navigate to the Developer Portal (developers.workiva.com).
- Create an API client application to obtain a client_id and client_secret.
- Request an access token via POST to https://api.app.wdesk.com/iam/v1/oauth2/token using client_credentials grant.
- Include the returned Bearer token in the Authorization header for all API requests.
- Ensure the client application has been granted the required scopes by a workspace administrator.
Required scopes
| Scope | Description | Required for |
|---|---|---|
| iam:users:read | Read user profiles and list users in the workspace. | GET /users, GET /users/{id} |
| iam:users:write | Create, update, and deactivate users in the workspace. | POST /users, PATCH /users/{id}, DELETE /users/{id} |
| iam:groups:read | Read group membership and group details. | GET /groups, GET /groups/{id} |
| iam:groups:write | Create and manage groups and group membership. | POST /groups, PATCH /groups/{id} |
User object / data model
| Field | Type | Description | On create | On update | Notes |
|---|---|---|---|---|---|
| id | string | Unique Workiva-assigned user identifier. | system-generated | immutable | Used as path parameter in user-specific endpoints. |
| string | User's primary email address; used as login identifier. | required | allowed | Must be unique within the workspace. | |
| firstName | string | User's given name. | required | allowed | |
| lastName | string | User's family name. | required | allowed | |
| displayName | string | Full display name shown in the Workiva UI. | optional | allowed | Often derived from firstName + lastName. |
| active | boolean | Whether the user account is active. | optional (defaults true) | allowed | Setting to false deactivates the user without deleting. |
| roles | array |
List of workspace roles assigned to the user. | optional | allowed | Role identifiers are workspace-specific. |
| createdAt | string (ISO 8601) | Timestamp when the user was created. | system-generated | immutable | |
| updatedAt | string (ISO 8601) | Timestamp of last modification. | system-generated | system-generated | |
| workspaceId | string | Identifier of the workspace the user belongs to. | system-assigned | immutable |
Core endpoints
List Users
- Method: GET
- URL:
https://api.app.wdesk.com/platform/v1/users - Watch out for: Pagination uses nextPageToken; iterate until token is absent or empty.
Request example
GET /platform/v1/users?pageSize=50
Authorization: Bearer {token}
Response example
{
"data": [{"id":"usr_abc","email":"jane@example.com","firstName":"Jane","active":true}],
"nextPageToken": "tok_xyz"
}
Get User
- Method: GET
- URL:
https://api.app.wdesk.com/platform/v1/users/{userId} - Watch out for: Returns 404 if user does not exist in the authenticated workspace.
Request example
GET /platform/v1/users/usr_abc
Authorization: Bearer {token}
Response example
{
"id": "usr_abc",
"email": "jane@example.com",
"firstName": "Jane",
"lastName": "Doe",
"active": true
}
Create User
- Method: POST
- URL:
https://api.app.wdesk.com/platform/v1/users - Watch out for: Email must be unique; duplicate email returns 409 Conflict.
Request example
POST /platform/v1/users
Authorization: Bearer {token}
Content-Type: application/json
{"email":"new@example.com","firstName":"New","lastName":"User"}
Response example
{
"id": "usr_new1",
"email": "new@example.com",
"active": true,
"createdAt": "2024-01-15T10:00:00Z"
}
Update User
- Method: PATCH
- URL:
https://api.app.wdesk.com/platform/v1/users/{userId} - Watch out for: Partial updates only; omitted fields are unchanged.
Request example
PATCH /platform/v1/users/usr_abc
Authorization: Bearer {token}
Content-Type: application/json
{"active":false}
Response example
{
"id": "usr_abc",
"active": false,
"updatedAt": "2024-06-01T12:00:00Z"
}
Delete User
- Method: DELETE
- URL:
https://api.app.wdesk.com/platform/v1/users/{userId} - Watch out for: Deletion is permanent. Consider setting active=false for reversible deprovisioning.
Request example
DELETE /platform/v1/users/usr_abc
Authorization: Bearer {token}
Response example
HTTP 204 No Content
List Groups
- Method: GET
- URL:
https://api.app.wdesk.com/platform/v1/groups - Watch out for: Group membership details require a separate GET /groups/{id}/members call.
Request example
GET /platform/v1/groups
Authorization: Bearer {token}
Response example
{
"data": [{"id":"grp_1","name":"Finance Team","memberCount":12}],
"nextPageToken": null
}
Add User to Group
- Method: POST
- URL:
https://api.app.wdesk.com/platform/v1/groups/{groupId}/members - Watch out for: User must already exist in the workspace before being added to a group.
Request example
POST /platform/v1/groups/grp_1/members
Authorization: Bearer {token}
Content-Type: application/json
{"userId":"usr_abc"}
Response example
HTTP 201 Created
{"groupId":"grp_1","userId":"usr_abc"}
Remove User from Group
- Method: DELETE
- URL:
https://api.app.wdesk.com/platform/v1/groups/{groupId}/members/{userId} - Watch out for: Does not deactivate the user; only removes group membership.
Request example
DELETE /platform/v1/groups/grp_1/members/usr_abc
Authorization: Bearer {token}
Response example
HTTP 204 No Content
Rate limits, pagination, and events
Rate limits: Workiva's public documentation does not explicitly publish specific rate-limit thresholds or tier-based limits for the Platform API.
Rate-limit headers: Unknown
Retry-After header: Unknown
Rate-limit notes: No explicit rate-limit values, headers, or Retry-After behavior documented in official sources as of research date. Contact Workiva support for current limits.
Pagination method: token
Default page size: 100
Max page size: 100
Pagination pointer: pageToken
Webhooks available: No
Webhook notes: Workiva's public Platform API documentation does not describe a webhook or event-subscription system for user lifecycle events as of the research date.
Alternative event strategy: Poll GET /users with updatedAt filtering or use SCIM provisioning via an IdP for event-driven user lifecycle management.
SCIM API status
SCIM available: Yes
SCIM version: 2.0
Plan required: Enterprise
Endpoint: https://api.app.wdesk.com/scim/v2
Supported operations: GET /Users, GET /Users/{id}, POST /Users, PUT /Users/{id}, PATCH /Users/{id}, DELETE /Users/{id}, GET /Groups, POST /Groups, PATCH /Groups/{id}, DELETE /Groups/{id}
Limitations:
- Requires Enterprise plan; not available on lower tiers.
- SCIM token is generated within Workiva admin settings and is workspace-scoped.
- IdP-side connector configuration (e.g., Okta, Azure AD) must use the Workiva-provided SCIM base URL and bearer token.
- SCIM provisioning does not automatically grant document-level permissions; workspace role assignment is separate.
- Workiva does not publish a native Okta or Entra SCIM app in their gallery; configuration is done via generic SCIM 2.0 connector in the IdP.
Common scenarios
Provisioning a new employee requires: (1) obtain a Bearer token via POST /iam/v1/oauth2/token;
(2) POST /platform/v1/users with email, firstName, lastName;
(3) capture the returned user id;
(4) POST /platform/v1/groups/{groupId}/members to assign group membership.
Check for an existing user via GET /users?email= before creation-duplicate email returns 409 Conflict.
For deprovisioning, PATCH /platform/v1/users/{userId} with {"active": false} is the preferred reversible action;
DELETE is permanent and cannot be undone via API, so reserve it for post-retention-review cleanup only.
For Enterprise accounts, SCIM 2.0 is available at https://api.app.wdesk.com/scim/v2 using a static bearer token generated in the Workiva admin UI-this token is separate from OAuth 2.0 credentials and is workspace-scoped.
Workiva does not publish a pre-built IdP gallery app;
configure SCIM via a generic SCIM 2.0 connector in Okta or Azure AD.
Note that SCIM group push does not automatically grant document-level permissions inside Workiva;
workspace role assignment remains a separate step.
Provision a new employee via REST API
- Obtain OAuth 2.0 access token via POST to /iam/v1/oauth2/token with client_credentials grant.
- POST /platform/v1/users with email, firstName, lastName to create the user account.
- Capture the returned user id.
- POST /platform/v1/groups/{groupId}/members with the new userId to assign group membership.
- Optionally PATCH /platform/v1/users/{userId} to assign workspace roles.
Watch out for: If the email already exists in the workspace, POST /users returns 409; check for existing users with GET /users?email= before creating.
Deprovision a departing employee
- GET /platform/v1/users?email={email} to resolve the user's id.
- PATCH /platform/v1/users/{userId} with {"active": false} to immediately disable access.
- Optionally DELETE /platform/v1/users/{userId} for permanent removal after data retention review.
Watch out for: Deactivation (active=false) is preferred over deletion to preserve audit trails; deletion is irreversible.
Set up SCIM auto-provisioning via IdP (Enterprise)
- Confirm workspace is on the Enterprise plan.
- In Workiva Admin, navigate to Security > SCIM Provisioning and generate a SCIM bearer token.
- Note the SCIM base URL: https://api.app.wdesk.com/scim/v2.
- In your IdP (e.g., Okta or Azure AD), configure a generic SCIM 2.0 application using the Workiva SCIM base URL and bearer token.
- Map IdP user attributes to SCIM attributes (userName → email, name.givenName → firstName, etc.).
- Enable provisioning features: Create Users, Update User Attributes, Deactivate Users.
- Test with a pilot user before enabling for all users.
Watch out for: Workiva does not have a pre-built IdP gallery app; use the generic SCIM 2.0 connector. Group push via SCIM does not automatically grant document permissions inside Workiva.
Why building this yourself is a trap
The most consequential caveat is the irreversibility of DELETE /platform/v1/users/{userId}-any automation that calls DELETE rather than PATCH active=false will permanently remove user records with no API-level recovery path. OAuth 2.0 tokens are short-lived; omitting token refresh logic will cause silent failures in long-running provisioning jobs.
The SCIM bearer token and OAuth 2.0 tokens are entirely separate credentials with different generation paths and rotation requirements-conflating them in a single secrets store without clear labeling is a common integration error. Role identifiers in the roles array are workspace-specific strings;
always retrieve valid role IDs via GET /roles before assignment rather than hardcoding values. Webhooks for user lifecycle events are not available in the public Platform API; event-driven workflows must fall back to polling GET /users with updatedAt filtering or rely on IdP-side SCIM push as the trigger mechanism.
Automate Workiva workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
