To access any Workiva API, users need an API grant for authorization. As an Org Security Admin, after you create an API grant for a user, you'll be able to edit the grant's details or delete the grant. However, only the user will be able to view their grant's secret, by regenerating the grant in their user profile.
Create an API grant
To begin creating an API grant:
- In the top right, click the user icon and select Organization Admin from the Admin dropdown.
- Select Security and click on the Provisioning tab.
- Click Add Identity or API.
- Select API Grant in the dropdown.
- Enter the following information for the API grant:
  - For Client Name, enter a name that will help you identify this grant.
  - For Workspace, enter the workspace that this grant will be attributed to.
  - For Workiva Username, enter the username of the user who needs the grant for the API. Only this user will be able to view this API grant's secret in My profile > Security.
    Note: For security purposes, if you later change the Workiva Username, the current secret will become invalid, and only the new user will have access to the new secret.
  - For Scopes, specify the action(s) the system can take on behalf of the user. For example, with the Spreadsheets API, add Spreadsheets (Read) and Spreadsheets (Write) so the user can access and edit spreadsheets.
  - For Expires, set when the grant should expire, based on your organization's security policies and preferences.
  - If necessary, add a comma-separated list of IP addresses to the IP Allowlist for the grant.
- Click Add Grant to finish.
Manage API grants
You can edit a specific grant’s details or delete the grant by clicking the respective action in the Actions dropdown.
View API grant secret
Only the user who's specified in the API grant's details can view their grant's secret, by going to My Profile, selecting the Security tab, then clicking Regenerate in the Actions dropdown next to the grant. The user can view the secret only once, so they'll need to copy it to a secure place. If they lose the secret, they'll need to regenerate it.
Note: The secret begins with "wk_secret:"
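Because the secret is shown only once and starts with a fixed prefix, that prefix can be used to catch copies that end up in files, tickets or logs. The following is an added example, not Workiva's code: a Python scanner that reports and redacts `wk_secret:` values. The characters assumed to follow the prefix, the function names and the sample text are all constructed for illustration.

```python
import re

PREFIX = "wk_secret:"  # prefix stated on this page

# Assumption: the secret body runs until whitespace, a quote, or a separator.
# The page does not document the body's length or character set.
SECRET_RE = re.compile(re.escape(PREFIX) + r"[^\s\"'`,;<>]+")


def redact(value):
    """Replace the secret body with its length so the finding is not a second leak."""
    return f"{PREFIX}[REDACTED {len(value) - len(PREFIX)} chars]"


def scan_text(text, source="<input>"):
    """Return one finding per secret-shaped value, with a 1-based line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_RE.finditer(line):
            findings.append(
                {"source": source, "line": lineno, "redacted": redact(match.group())}
            )
    return findings


def sanitize(text):
    """Return the text with every secret-shaped value redacted (e.g. before logging)."""
    return SECRET_RE.sub(lambda m: redact(m.group()), text)


# Constructed sample, not real credentials. Line 4 quotes the bare prefix the way
# documentation does; it must not be reported because no secret body follows it.
SAMPLE = '''\
# constructed sample config
client_id = "example-client"
client_secret = "wk_secret:EXAMPLEnotARealSecret123"
note = The secret begins with "wk_secret:"
export WK_SECRET=wk_secret:anotherFakeValue456 # pasted into a shell profile
'''

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, source="sample.conf"):
        print(f'{finding["source"]}:{finding["line"]}: {finding["redacted"]}')
```

A finding means the secret should be treated as exposed: regenerating the grant in My Profile, as described above, replaces it.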