Retrieving Candidate Attachments from Workday Using the Apideck Proxy API

This guide explains how to retrieve candidate attachments (resumes, CVs, and other files) from Workday using the Apideck Proxy API.

Before you can access attachments, your Integration System User (ISU) must have the correct domain and business process permissions.

Make sure your Integration System Security Group has access to:

• Candidate Data: Job Application

• Candidate Data: Attachments

• Manage Pre-Hire Process: Manage Pre-Hires

You also need to adjust Business Process Security:

• Go to Edit Business Process Security Policy

• Select the Job Application business process

• Open the Who Can Do Actions on Initiating Actions tab

• Add your security group to:

  • Get_Candidates (Web Service)

  • Get_Candidate_Attachments (Web Service)

• Activate the pending security policy changes

Apideck forwards your SOAP request to Workday and automatically injects {username}, {password}, {tenant_id} and {wsdl_url} (coming soon) from the Vault connection settings.

https://impl-services1.wdXX.myworkday.com/ccx/service/{tenant_id}/Recruiting/v40.0

curl --location 'https://unify.apideck.com/proxy' \
--header 'x-apideck-app-id: YOUR_APP_ID' \
  --header 'x-apideck-consumer-id: YOUR_CONSUMER_ID' \
  --header 'x-apideck-service-id: workday' \
  --header 'Authorization: Bearer YOUR_API_KEY' \
  --header 'Accept: application/soap' \
  --header 'Content-Type: application/soap' \
  --header 'x-apideck-downstream-method: POST' \
  --header 'x-apideck-downstream-url: https://impl-services1.wd12.myworkday.com/ccx/service/{tenant_id}/Recruiting/v40.0' \

  --data-raw '<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wd="urn:com.workday/bsvc">
    <soapenv:Header>
        <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:UsernameToken wsu:Id="UsernameToken-">
                <wsse:Username>{username}@{tenant_id}</wsse:Username>
                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">{password}</wsse:Password>
            </wsse:UsernameToken>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body>
        <wd:Get_Candidates_Request>
            <wd:Response_Group>
                <wd:Include_Reference>true</wd:Include_Reference>
            </wd:Response_Group>
        </wd:Get_Candidates_Request>
    </soapenv:Body>
</soapenv:Envelope>

What the response looks like

Workday embeds attachments directly inside the SOAP response as Base64-encoded strings. It does not provide downloadable URLs - the file must always be reconstructed from Base64.

Example snippet:

<wd:Resume_Attachment_Data>
    <wd:ID>RESUME_ATTACHMENT-16-56</wd:ID>
    <wd:Filename>John Doe CV.docx</wd:Filename>
    <wd:File_Content>UEsDBBQABgAIAAAAIQDKiaDbhQEAAKYGAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIooAAC...</wd:File_Content>
    <wd:Mime_Type_Reference>
        <wd:ID wd:type="Content_Type_ID">application/vnd.openxmlformats-officedocument.wordprocessingml.document</wd:ID>
    </wd:Mime_Type_Reference>
</wd:Resume_Attachment_Data>

Key elements you’ll use:

• The attachment filename

• The Base64-encoded file content

• The MIME type, indicating the file format

If no attachments are returned:

• Check domain permissions, especially Candidate Data: Attachments

• Ensure Business Process Security changes were activated correctly

• Verify your ISSG is added to all required SOAP actions