Question

Workday OAuth2 (Refresh Token Grant) API client repeatedly locks — recurring {"error": "invalid_client"}

  • June 26, 2026

Hi,

I am integrating with Workday using an OAuth2 connector and am hitting a recurring lockout I can't pin down. Hoping someone has seen this pattern.

Setup:
- Auth Config: OAuth2
- Grant Type: Refresh Token Grant
- Credentials in use: client ID, client secret, refresh token

What happened:
1. We were getting "permission denied" on one new specific REST endpoint (GET /workers/{ID}/directReports) while all other Workday API calls worked fine.
2. Working with our Workday team, we rotated the connector credentials — new client ID, new client secret, new refresh token — and the Workday team also made some configuration changes on their side.
3. After that, everything worked, including the directReports endpoint.
4. But a few hours later all the APIs failed. The API client was locked in Workday and we got:
   {
     "error": "invalid_client"
   }
5. The Workday team unlocked it, everything worked again, and then it locked again after about an hour. This has now repeated several times.

Questions:
- Has anyone seen recurring invalid_client lockouts like this after rotating credentials?
- Could a stale copy of the old credentials (e.g. a second environment or another integration sharing the same API client) be racking up failed auth attempts and locking the client?
- Does this API client use a non-expiring refresh token, or could refresh-token rotation/expiry be causing repeated failures?
- What's the best way to read the API client's authentication/sign-on audit logs in Workday to find the source of the failed attempts?

Any pointers on root cause or where to look would be hugely appreciated. Thanks!
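
One way to test the stale-credential hypothesis from the second question, as an added example that is not part of the original post: count failed token requests per caller in the window leading up to each lock, ignoring failures that occur while the client is already locked. The record layout, addresses, and `locked`/`unlocked` event names are constructed for illustration and are not Workday's audit log format.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records (hypothetical columns, not Workday's export format):
# ISO timestamp, caller source, outcome of the token request or client event.
SAMPLE = """\
2026-06-26T09:00:05,10.0.1.20,success
2026-06-26T09:10:00,10.0.9.77,invalid_client
2026-06-26T09:15:00,10.0.9.77,invalid_client
2026-06-26T09:20:00,10.0.1.20,success
2026-06-26T09:20:01,10.0.9.77,invalid_client
2026-06-26T09:20:01,-,locked
2026-06-26T11:00:00,-,unlocked
2026-06-26T11:05:00,10.0.1.20,success
2026-06-26T11:30:00,10.0.9.77,invalid_client
2026-06-26T11:45:00,10.0.9.77,invalid_client
2026-06-26T12:00:00,10.0.9.77,invalid_client
2026-06-26T12:00:00,-,locked
2026-06-26T12:00:30,10.0.1.20,invalid_client
"""

def parse(text):
    rows = []
    for line in text.strip().splitlines():
        ts, source, outcome = line.split(",")
        rows.append((datetime.fromisoformat(ts), source, outcome))
    # Stable sort: events sharing a timestamp keep their export order.
    return sorted(rows, key=lambda r: r[0])

def failures_per_lockout(rows):
    """For each lock event, count failures per source since the last unlock."""
    episodes, current, locked = [], Counter(), False
    for ts, source, outcome in rows:
        if outcome == "locked":
            episodes.append((ts, current))
            current, locked = Counter(), True
        elif outcome == "unlocked":
            locked = False
        elif outcome == "invalid_client" and not locked:
            # Failures while locked are a symptom of the lock, not its cause.
            current[source] += 1
    return episodes

def suspects(rows):
    """Sources that failed before every lockout and never authenticated."""
    episodes = failures_per_lockout(rows)
    ok = {s for _, s, o in rows if o == "success"}
    common = set.intersection(*(set(c) for _, c in episodes)) if episodes else set()
    return sorted(common - ok)
```

A caller that appears in `suspects` is the place to look for a leftover copy of the pre-rotation credentials; the healthy connector's post-lock failure at 12:00:30 is deliberately excluded.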