We’re building an automated workforce planning integration that posts headcount projections to UKG Pro via REST API. The integration worked fine in our sandbox environment, but production consistently returns 401 Unauthorized errors.
Our OAuth2 token generation appears successful, and we can authenticate to other endpoints. However, when posting to /api/v1/workforce/planning/headcount, we get immediate 401 responses:
POST /api/v1/workforce/planning/headcount
Authorization: Bearer eyJhbGc...
Content-Type: application/json
Response: 401 Unauthorized
{"error": "insufficient_permissions"}
This blocks our automated data synchronization from our financial planning system. We’re on UKG Pro 2022.2 in a multi-tenant configuration. The OAuth2 scopes include workforce:write and planning:manage. Has anyone encountered tenant-specific authentication requirements for workforce planning APIs?
Multi-tenant workforce planning APIs have strict security requirements in UKG Pro. Let me break down the complete authentication flow:
OAuth2 Token Requirements:
Your token must include tenant context during generation, not just as a header. When requesting the OAuth2 token, include the tenant identifier in your token request:
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&
scope=workforce.planning.write&
tenant_context={your-tenant-id}
Required Headers:
Every workforce planning API call needs:
Authorization: Bearer {token-with-tenant-context}
X-Tenant-ID: {your-tenant-id}
Content-Type: application/json
API Permissions and Scopes:
Verify your OAuth2 client has these exact scopes:
workforce.planning.write (not just workforce:write)compliance.data.access (required for headcount data)tenant.context.read (allows tenant validation)
The key issue is that standard OAuth2 tokens don’t automatically include tenant context for workforce planning endpoints. You must explicitly pass tenant information during token generation AND in request headers. This is a compliance requirement for multi-tenant deployments to prevent cross-tenant data access.
Verification Steps:
- Retrieve your tenant ID from
/api/v1/tenant/info or admin console
- Update your OAuth2 token request to include
tenant_context parameter
- Add
X-Tenant-ID header to all workforce planning API calls
- Verify your client has all three required scopes in Integration Hub
- Test with a simple GET request to
/api/v1/workforce/planning/metadata first
If you’re still getting 401 errors after these changes, check the audit logs in UKG Pro (Reports > System Audit > API Access Logs) - they’ll show exactly which permission check is failing. Common issues include service accounts lacking workforce planning role assignments or OAuth2 clients registered in the wrong tenant context.
Thanks for the suggestions. I checked our OAuth2 client configuration and we do have workforce.planning.write scope enabled. However, I don’t see any documentation about the X-Tenant-ID header requirement. Where would I find our tenant ID value? Is this something configured during the UKG Pro implementation, or can I retrieve it programmatically through an API call?
The 401 with insufficient_permissions typically means your token lacks required scopes OR you’re missing tenant context headers. In multi-tenant UKG Pro environments, workforce planning APIs need explicit tenant identification. Try adding the X-Tenant-ID header to your requests with your organization’s tenant identifier. Also verify your OAuth2 client has workforce.planning.write scope specifically - the generic workforce:write might not cover planning endpoints. Check your API client registration in the UKG Pro admin console under Integration Hub > API Clients.
Your tenant ID should be available in the UKG Pro admin console under System Configuration > Organization Settings > API Configuration. It’s usually a UUID format. You can also retrieve it via the /api/v1/tenant/info endpoint using your existing OAuth2 token - that endpoint typically works with basic authentication. Once you have the tenant ID, include it in all workforce planning API calls as a custom header.
I’ve seen similar authentication issues with multi-tenant UKG Pro deployments. The workforce planning module often requires additional context beyond standard OAuth2 tokens. Check if your API client configuration includes tenant-specific permissions - sometimes the default OAuth2 setup doesn’t automatically grant access to workforce planning endpoints even when other APIs work fine.
One thing to watch out for - if you’re using service account authentication rather than user-delegated OAuth2 flows, you need to ensure the service account has explicit permissions for workforce planning data access. We ran into this where our service account could read employee data but couldn’t write to planning modules. The permissions are separate in the Role Management section. Also, double-check that your production OAuth2 client ID matches what’s registered in the production tenant - sometimes people accidentally use sandbox credentials in production configs.