Preview, govern, execute, recover
Sign in See the demo
Browse ActionPlane
Sign in See the demo
Preview before write Diffs, policy posture, and rollback readiness appear before the connector executes.
Simulation or sandbox first The product starts with a deterministic story before it asks for production trust.
Proof stays attached Approval, audit, artifacts, and recovery context stay on the same governed run.
Connector

Workday Financials

Use this checklist to move from stored Workday credentials to validated supplier-invoice and journal-entry workflows with rollback evidence.

Open in app Connect your sandbox All connectors
Overview
Workday Financials

Workday Financials should start in a customer-owned sandbox with one AP, journal, or worker workflow and a tightly scoped allowlist.

Sandbox availability

Customer-sandbox only
Staged live seam
Customer-owned sandbox
Customer-owned non-production ERP, finance, or HCM environment
First action workdayfinancials.approve-supplier-invoice
Staged live seam Workflow-specific validation and execution seams exist here, but part of the live story still stops short of a fully proven end-to-end tenant path.
Sandbox posture Customer-owned sandbox or test tenant
Next move Start with: Save connector settings.
Developer connection steps

Keep the first connector setup constrained to one environment, one identity, and one clearly reviewable workflow.

01
choose-sandbox

Choose the customer-owned sandbox

Use a customer-owned non-production environment for Workday Financials. This connector should be validated only where the reference data, approvals, and permissions resemble production.

02
create-identity

Create the least-privilege integration identity

Save the Workday Financials environment URL, OAuth client or integration-user credentials, and the supplier, supplier invoice, accounting journal, and worktag allowlists for the initial workflows.

03
configure-actionplane

Enter the connector settings and narrow allowlists in ActionPlane

Open the connector page in ActionPlane, save the environment URL and credentials, and keep the first workflow scoped to one transaction family with a small field allowlist.

04
validate-sync

Validate auth and sync metadata for the exact transaction path

Run metadata sync so ActionPlane can validate Workday Financials supplier-invoice, accounting-journal, and worktag fields before live writes.

05
run-first-sample

Run one realistic sandbox transaction before any broader rollout

Submit the Workday supplier invoice or journal-entry preset as a dry run from the dashboard and confirm that the preview, governance decision, and artifacts look correct. After that, run one live sandbox transaction and confirm the rollback or compensation evidence before going further.

Canonical sample scenario

Business context

Finance wants one AP or journal workflow that buyers and operators can review without needing founder narration.

Starting record state

A single invoice, vendor bill, journal, or worker update is isolated in a customer-owned sandbox with supporting references attached.

Requested change

Approve or post one narrowly scoped transaction with clear supplier, amount, coding, and reversal context.

Why it routes

ERP and finance actions need a customer-owned sandbox because the proof only matters when the control points match the production environment.

Expected artifacts

Request evidence, approval route, posting output, rollback or compensation context, and audit events should all remain bound to the same run.

Reset behavior

Reset depends on the customer sandbox and should restore the selected transaction or refresh the non-production fixture data.

Onboarding API
Use an authenticated ActionPlane session or bearer token. These endpoints act on the current workspace by default, so connector setup stays inside the same operator context as the UI.
GET /api/connectors/onboarding/workday-financials
GET /api/connectors/onboarding/workday-financials/metering
POST /api/connectors/onboarding/workday-financials/connect
POST /api/connectors/onboarding/workday-financials/validate
POST /api/connectors/onboarding/workday-financials/sync-metadata

Onboarding metering tracks activation progress for the connector. It is not a separate billable unit; workspace billing remains governed-run based.

Connect payload

Save the connector, validate it immediately, and sync metadata in one authenticated call. 

{
  "loginUrl": "https://impl.workday.com",
  "instanceUrl": "https://impl.workday.com",
  "clientId": "\u003Cclient-id\u003E",
  "clientSecret": "\u003Cclient-secret\u003E",
  "refreshToken": "\u003Crefresh-token-or-empty\u003E",
  "apiVersion": "2026R1",
  "isSandbox": true,
  "isEnabled": true,
  "validateAfterSave": true,
  "syncMetadataAfterSave": true,
  "managedObjects": [
    {
      "objectApiName": "supplier",
      "displayName": "Suppliers",
      "allowedFields": [
        "supplierId",
        "supplierName",
        "paymentTerms",
        "currencyCode",
        "bankAccountMask"
      ]
    },
    {
      "objectApiName": "supplierinvoice",
      "displayName": "Supplier invoices",
      "allowedFields": [
        "invoiceNumber",
        "invoiceAmount",
        "dueDate",
        "approvalStatus",
        "matchStatus"
      ]
    },
    {
      "objectApiName": "accountingjournal",
      "displayName": "Accounting journals",
      "allowedFields": [
        "externalId",
        "ledgerBook",
        "postingPeriod",
        "currencyCode",
        "journalSource"
      ]
    },
    {
      "objectApiName": "worktag",
      "displayName": "Worktags",
      "allowedFields": [
        "ledgerAccount",
        "costCenter",
        "company",
        "spendCategory",
        "region"
      ]
    }
  ]
}
curl -X POST \
  "$ACTIONPLANE_BASE_URL/api/connectors/onboarding/workday-financials/connect" \
  -H "Authorization: Bearer <session-token>" \
  -H "Content-Type: application/json" \
  --data @"connect-workday-financials.json"
Validate

Re-run auth and instance validation without resubmitting the connector payload. 

curl -X POST \
  "$ACTIONPLANE_BASE_URL/api/connectors/onboarding/workday-financials/validate" \
  -H "Authorization: Bearer <session-token>" \
  -H "Content-Type: application/json"
Sync metadata

Refresh the writable object and field catalog after credentials or allowlists change. 

curl -X POST \
  "$ACTIONPLANE_BASE_URL/api/connectors/onboarding/workday-financials/sync-metadata" \
  -H "Authorization: Bearer <session-token>" \
  -H "Content-Type: application/json"
Capabilities

Narrow AP, journal, or worker workflow rollout with explicit approval posture

Supporting artifacts and audit evidence on the same run

Go-live path centered on customer-owned sandbox validation, not generic demos

First-class onboarding API can save, validate, and sync the connector in one authenticated flow

Go live

Pick one customer-owned sandbox and one transaction family before any live integration is enabled.

Validate supporting artifacts, approval routing, and the compensation story with realistic fixture data.

Only widen to production after a buyer and an operator can both explain the same proof chain.

Known limits

ERP, finance, and HCM connectors require a customer-owned sandbox today.

Proof quality depends on realistic reference data, approval paths, and compensating controls in that sandbox.

We intentionally do not promise broad coverage until one narrow workflow has been validated end to end.