Hi,
I am integrating with Workday using an OAuth2 connector and am hitting a recurring lockout I can't pin down. Hoping someone has seen this pattern.
Setup:
- Auth Config: OAuth2
- Grant Type: Refresh Token Grant
- Credentials in use: client ID, client secret, refresh token
What happened:
1. We were getting "permission denied" on one new specific REST endpoint (GET /workers/{ID}/directReports) while all other Workday API calls worked fine.
2. Working with our Workday team, we rotated the connector credentials — new client ID, new client secret, new refresh token — and the Workday team also made some configuration changes on their side.
3. After that, everything worked, including the directReports endpoint.
4. But a few hours later all the APIs failed. The API client was locked in Workday and we got:
    {
      "error": "invalid_client"
    }
5. The Workday team unlocked it, everything worked again, and then it locked again after about an hour. This has now repeated several times.
Questions:
- Has anyone seen recurring invalid_client lockouts like this after rotating credentials?
- Could a stale copy of the old credentials (e.g. a second environment or another integration sharing the same API client) be racking up failed auth attempts and locking the client?
- Does this API client use a non-expiring refresh token, or could refresh-token rotation/expiry be causing repeated failures?
- What's the best way to read the API client's authentication/sign-on audit logs in Workday to find the source of the failed attempts?
Any pointers on root cause or where to look would be hugely appreciated. Thanks!
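
One way to test the stale-credential hypothesis from the integration side, as an added example that is not part of the original post: group failed token requests by caller in the window before a lockout, separating callers that still present the old client ID from callers that present the current one and are rejected anyway. The log layout, host names, client IDs and timestamps are constructed assumptions (for instance, what an egress proxy in front of the connectors might record); this is not Workday's audit-log format.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of outbound token-endpoint requests (assumed layout,
# hypothetical hosts and client IDs). The client is locked at 10:00:00Z.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z src=connector-prod client_id=NEW_CLIENT status=200 error=-
2024-05-01T09:10:00Z src=connector-test client_id=OLD_CLIENT status=401 error=invalid_client
2024-05-01T09:20:00Z src=connector-test client_id=OLD_CLIENT status=401 error=invalid_client
2024-05-01T09:30:00Z src=connector-prod client_id=NEW_CLIENT status=200 error=-
2024-05-01T09:40:00Z src=report-job client_id=NEW_CLIENT status=401 error=invalid_client
2024-05-01T09:50:00Z src=connector-test client_id=OLD_CLIENT status=401 error=invalid_client
2024-05-01T10:00:00Z src=connector-prod client_id=NEW_CLIENT status=401 error=invalid_client
"""

def parse(line):
    """Split 'timestamp key=value ...' into a record with typed ts and status."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec

def failed_sources(log_text, current_client_id, lock_time, window_minutes=60):
    """Count failed token requests per (source, reason) before a lockout.

    Failures at or after lock_time are excluded: once the client is locked,
    every caller fails, so those entries are symptoms rather than causes.
    """
    start = lock_time - timedelta(minutes=window_minutes)
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        if rec["status"] < 400 or not (start <= rec["ts"] < lock_time):
            continue
        stale = rec["client_id"] != current_client_id
        reason = "stale_client_id" if stale else "current_id_rejected"
        hits[(rec["src"], reason)] += 1
    return hits

if __name__ == "__main__":
    lock = datetime(2024, 5, 1, 10, 0, 0)
    for (src, reason), n in failed_sources(SAMPLE_LOG, "NEW_CLIENT", lock).most_common():
        print(f"{src:16} {reason:20} {n}")
```

A caller flagged `current_id_rejected` has the new client ID but is still failing, which points at a stale client secret or refresh token on that host rather than an old client ID.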