In Workiva, generating an access token (specifically an OAuth2 bearer token) is a two-step process: you first create an API Grant to get credentials, then use those credentials to request the actual token.
1. Create an API Grant
Important: You must be a Workspace Owner to perform this step.
To get a Client ID & Secret:
- Click your ID icon in the upper right corner of the Workiva page and then select Workspace settings.
- Select the Security tab and then click Create API Grant.
- On the Update Grant page, complete the following fields:
- Enter a Client Name and the Workiva Username the grant will act on behalf of.
- Select "OAuth2 Client Credentials" as the Client Type.
- Select the required Scopes (permissions) for the API endpoints you plan to use.
- Set the Expires date.
- Unless specifically required by your organization, you can ignore the Ip Allowlist field.
- Click Add Grant.
Important: Copy the Client ID and Client Secret immediately, as the secret will not be shown again.
2. Retrieve the Bearer Token
Once you have your credentials, you must exchange them for a short-lived access token by making a POST request to the Workiva IAM service.
-
Endpoint:
https://api.app.wdesk.com(the is the default for the USA; other regions have different endpoints). -
Headers: Set
Content-Typetoapplication/x-www-form-urlencoded. -
Body Parameters:
-
grant_type:client_credentials -
client_id: [Your Client ID] -
client_secret: [Your Client Secret]
-
- Expiration: Workiva bearer tokens are typically valid for 10 minutes. You must periodically refresh them for long-running processes.
SEC EDGAR Next Tokens
If you are generating tokens specifically for SEC filing (EDGAR Next), these are different from standard API tokens:
- These tokens (Filer API Token and User Token) are created on the SEC's EDGAR Filer Management dashboard.
- Once obtained, you can manage them in Workiva under SEC Reporting > Manage EDGAR Next Tokens.