This document outlines the steps required to establish a secure connection between Wisq and your Dayforce (formerly Ceridian Dayforce) environment.
CONTENTS
- Supported Authentication Methods
- Understand the Dayforce API Architecture
- Create a Web Services User Account
- Configure User Permissions
- Identify Your Environment URLs
- Choose and Configure Your Authentication Method
- Provide Credentials to Wisq
- Final Checklist
1. Supported Authentication Methods
Wisq supports two authentication methods for connecting to Dayforce.
Option A — Token-Based Authentication
- Uses a dedicated Web Services user account with a username, password, and your Dayforce company namespace
- Wisq exchanges these credentials for a short-lived JWT Bearer Token automatically — no ongoing action required after setup
- Tokens are issued by the Dayforce Identity Service and expire after 1 hour; Wisq handles renewal automatically
- This is the more secure method and avoids sending credentials with every API request
Option B — HTTP Basic Authentication
- Uses the same Web Services user account (username and password)
- Credentials are sent with each API request via standard HTTP Basic Auth headers
- Simpler to configure
Both methods require the same Web Services user account and permissions. The difference is how credentials are transmitted to Dayforce during API calls.
Start with Section 2 to understand the Dayforce API architecture. Then:
- Option A (Token-Based): Complete Sections 3–5, then Section 6A, then Section 7.
- Option B (Basic Auth): Complete Sections 3–5, then Section 6B, then Section 7.
If you are unsure which method to use, consult your Wisq Agent Operations contact.
2. Understand the Dayforce API Architecture
Dayforce exposes HCM data through a REST API using JSON payloads over HTTPS. All API requests follow this URL pattern:
https://<host>/Api/<ClientNamespace>/V1/<Resource>
| Component | Description | Example |
|---|---|---|
| Host | Your Dayforce environment hostname | ustest261.dayforcehcm.com |
| Client Namespace | Your company identifier in Dayforce (also called Company ID) | Acme_Corp |
| Resource | The API resource being accessed | Employees, Departments, Jobs |
Your Client Namespace is the company identifier you use when logging in to Dayforce. It is required for both authentication and API requests. Your Dayforce administrator will know this value.
3. Create a Web Services User Account
A Web Services user account is a dedicated Dayforce user account used exclusively for API integrations. We strongly recommend creating a dedicated account for the Wisq integration.
- Log in to Dayforce as a System Administrator.
- Navigate to HR Admin > Users (or your organization's user management area).
- Create a new user account with a descriptive username (e.g.,
Wisq_IntegrationorWisqWebService). - Assign the Web Services role feature to the account's default role. This enables the account for API access.
- Set a strong password and record it securely — you will need it for Section 6.
- Record the username for use in Section 6.
Important: The Web Services role feature must be enabled on the user's default role. Without it, the account cannot authenticate to the Dayforce API regardless of which authentication method is used.
If your organization requires periodic credential rotation, please notify Wisq before rotating so the connection can be updated without downtime.
4. Configure User Permissions
The Web Services user account must be granted the specific data access permissions required for the integration. Dayforce follows a role-based security model — permissions are assigned through security roles that control which data the account can read or modify.
Work with your Dayforce administrator to ensure the Web Services user has access to the data domains relevant to your Wisq integration. Depending on the agreed scope, this may include some or all of the following:
Read Access (View)
| Data Domain | Description | Example API Resources |
|---|---|---|
| Employee Records | Personal details, addresses, contacts, emergency contacts, HR incidents | Employees, Addresses, Contacts, EmergencyContacts, HRIncidents |
| Employment | Work assignments, employment status history, onboarding | WorkAssignments, EmploymentStatuses, OnboardingPolicies |
| Organization | Departments, organization units, jobs, positions | Departments, OrgUnits, Jobs, Positions |
| Compensation | Compensation history, pay summaries | CompensationSummary |
| Payroll | Direct deposits, tax withholding (US Federal, US State, Canadian) | DirectDeposits, USFederalTaxes, USStateTaxes, CANFederalTaxes |
| Time & Attendance | Clock punches, schedules, time-off balances | EmployeePunches, EmployeeSchedules, EmployeeBalancePeriods |
| Performance | Performance ratings and reviews | PerformanceRatings |
| Learning | Course and training program assignments | Courses, TrainingPrograms |
| Benefits | Benefits enrollment and carrier feed exports | Benefits, BenefitsCarrierFeedOngoingExports |
| Recruiting | Job posting feeds | JobFeeds |
| Reporting | Analytics datasets and saved reports | Analytics, Reports |
Write Access (Edit)
If the integration scope includes creating or updating records (e.g., updating employee information, recording clock punches, submitting time-off requests), the Web Services user must also have Edit permissions on the relevant data domains. Your Wisq Agent Operations contact will confirm which write permissions are needed.
We recommend granting only the minimum permissions required for the agreed integration scope. Permissions can be expanded later if the scope changes.
5. Identify Your Environment URLs
Dayforce uses different hostnames for different customer environments. You will need to identify the correct hostname for your environment.
API Host
Your Dayforce API hostname is the server your environment runs on. Common patterns include:
<company>.dayforcehcm.com (production) ustest<NNN>.dayforcehcm.com (test/sandbox environments)
To find your API host:
- Check the URL in your browser when logged in to Dayforce — the hostname portion (before
/mydayforce) is typically your API host. - Alternatively, consult your Dayforce administrator or Ceridian support contact.
Important: Do not use a login-only URL. The API host must be the Dayforce application server hostname (e.g.,
ustest261.dayforcehcm.com), not a generic login portal.
Identity Server (Token-Based Auth Only)
If using Token-Based Authentication (Option A), you also need the Identity Server URL for your environment:
| Environment | Identity Server URL |
|---|---|
| Production | https://dfid.dayforcehcm.com/connect/token |
| Test / Sandbox | https://dfidtst.np.dayforcehcm.com/connect/token |
Your Dayforce administrator can confirm which environment your organization uses.
6. Choose and Configure Your Authentication Method
Complete the section below that matches your chosen authentication method.
Option A — Token-Based Authentication
No additional Dayforce configuration is required beyond the Web Services user account and permissions you set up in Sections 3–4.
How It Works
Wisq authenticates by exchanging your Web Services credentials for a short-lived JWT access token from the Dayforce Identity Service. The token is then used as a Bearer Token on all subsequent API requests. Wisq handles token acquisition and renewal automatically.
Credentials Summary — Token-Based Authentication
| Wisq Connection Field | What to Provide |
|---|---|
| Connection Name | A friendly identifier (e.g., "Acme Corp – Dayforce") |
| API Host | Your Dayforce environment hostname (e.g., ustest261.dayforcehcm.com) |
| Client Namespace | Your Dayforce company identifier (Section 2) |
| Identity Server URL | Production or Test identity server URL (Section 5) |
| Username | The Web Services user account username (Section 3) |
| Password | The Web Services user account password (Section 3) |
Proceed to Section 7 to transmit these credentials securely to Wisq.
Option B — HTTP Basic Authentication
No additional Dayforce configuration is required beyond the Web Services user account and permissions you set up in Sections 3–4.
How It Works
Wisq sends the Web Services username and password with every API request using standard HTTP Basic Authentication (Base64-encoded username:password in the Authorization header).
Credentials Summary — Basic Authentication
| Wisq Connection Field | What to Provide |
|---|---|
| Connection Name | A friendly identifier (e.g., "Acme Corp – Dayforce") |
| API Host | Your Dayforce environment hostname (e.g., ustest261.dayforcehcm.com) |
| Client Namespace | Your Dayforce company identifier (Section 2) |
| Username | The Web Services user account username (Section 3) |
| Password | The Web Services user account password (Section 3) |
Proceed to Section 7 to transmit these credentials securely to Wisq.
7. Provide Credentials to Wisq
Because this integration involves privileged API access, credentials must be transmitted securely.
For both authentication methods, you are transmitting a username, password, and environment details that grant access to your Dayforce HCM data. These are highly sensitive and must be transmitted using one of the secure methods below.
Preferred Method: Encrypted Email
Examples:
- Proton Mail
- Microsoft Purview Message Encryption
- Mimecast Secure Messaging
Send to your Wisq Agent Operations contact.
Please do not send credentials in plain text email, chat platforms, or ticket systems.
8. Final Checklist
Token-Based Authentication
- [ ] Web Services user account created with a strong password (Section 3)
- [ ] Web Services role feature enabled on the account's default role (Section 3)
- [ ] User permissions configured for required data domains (Section 4)
- [ ] API Host identified (Section 5)
- [ ] Client Namespace (Company ID) recorded (Section 2)
- [ ] Identity Server URL confirmed — Production or Test (Section 5)
- [ ] Username recorded
- [ ] Password saved securely
- [ ] Credentials transmitted securely to Wisq (Section 7)
Basic Authentication
- [ ] Web Services user account created with a strong password (Section 3)
- [ ] Web Services role feature enabled on the account's default role (Section 3)
- [ ] User permissions configured for required data domains (Section 4)
- [ ] API Host identified (Section 5)
- [ ] Client Namespace (Company ID) recorded (Section 2)
- [ ] Username recorded
- [ ] Password saved securely
- [ ] Credentials transmitted securely to Wisq (Section 7)
Need Assistance?
If your IT team would like support during configuration, Wisq's Agent Operations team is happy to join a working session.
Confidential — For Client IT Teams Only