Does Workday support SFTP for file-based integrations?

Yes. Workday supports SFTP as a transport protocol across all of its integration tools — Enterprise Interface Builder (EIB), Core Connectors, Cloud Connect, Document Transformation, and Workday Studio. You configure an external SFTP server as a delivery or retrieval endpoint in your integration settings.

What authentication methods does Workday support for SFTP?

Workday supports username and password authentication, SSH public key authentication, or both combined. SSH key authentication is the recommended method for production integrations because it eliminates password rotation overhead and provides stronger security.

Can I use one SFTP server for multiple Workday integrations?

Yes. You can create separate SFTP users and directories for each integration or vendor on a single SFTP server. This keeps files organized and limits each integration's access to only its own data. SFTPHub supports multiple SFTP users per instance for exactly this use case.

What types of files does Workday send over SFTP?

Workday can send CSV, XML, fixed-width flat files, and EDI formats (such as 834 for benefits enrollment). The file format depends on the integration type and the requirements of the receiving system. Document Transformation can convert between formats before delivery.

Do I need to allowlist Workday IP addresses on my SFTP server?

It is recommended but not strictly required. Workday publishes the IP ranges used by its integration cloud, and allowlisting those IPs on your SFTP server adds an extra layer of security. Your Workday administrator or Workday Community documentation can provide the current IP ranges for your tenant's data center.

How to Use SFTP with Workday Integrations

Workday is where your HR, payroll, and finance data lives — but it rarely stays there. Every organization running Workday needs to move files to and from external systems: payroll processors, benefits carriers, banks, compliance vendors, and more. The standard way to do this is SFTP.

Workday's integration tools — EIB, Core Connectors, Cloud Connect, and Studio — all support SFTP as a delivery and retrieval protocol. You point an integration at an SFTP server, and Workday pushes or pulls files on a schedule. No custom API code, no manual uploads.

This guide covers how Workday uses SFTP, which integration tools support it, the most common use cases, and how to set up SFTPHub as your SFTP endpoint for Workday integrations.

Why Workday Needs an External SFTP Server

Workday is a cloud-based platform. It does not include a built-in SFTP server for storing or staging files. When an integration needs to deliver a file to an outside system — or pick one up — it connects to an external SFTP server as a client.

This means your organization needs an SFTP server that is:

Always available — Workday integrations run on schedules (daily, weekly, monthly). If the SFTP server is down when an integration fires, the transfer fails.
Reachable from Workday's cloud — The server must be accessible over the internet from Workday's integration cloud IP ranges.
Secure — SFTP encrypts data in transit over SSH. Many organizations also layer PGP encryption on top for sensitive payroll and benefits files.
Organized — With dozens of integrations running, you need clear directory structures and separate credentials for different vendors and data flows.

Workday Integration Tools That Use SFTP

Workday offers several integration tools, and all of them support SFTP as a transport protocol. The right tool depends on the complexity of your integration.

Enterprise Interface Builder (EIB)

EIB is the most commonly used integration tool in Workday. It handles simple, point-to-point file-based integrations — export a custom report as CSV or XML, and deliver it to an SFTP server. EIBs can also retrieve inbound files from an SFTP server for data imports. They support both scheduled and on-demand execution.

Typical EIB use case: Export a weekly headcount report as a CSV and drop it on an SFTP server for your IT provisioning system to pick up.

Core Connectors

Core Connectors are pre-built, configurable integrations for common business scenarios. Workday provides Core Connectors for worker data, payroll, benefits, and more. Output is typically delivered via SFTP to third-party vendors like ADP, Ceridian, or benefits carriers.

Typical Core Connector use case: Send daily payroll data to your third-party payroll processor via SFTP.

Cloud Connect

Cloud Connect packages are vendor-specific integrations — Cloud Connect for Benefits, Cloud Connect for Third-Party Payroll, and others. These rely heavily on SFTP as the file transport mechanism between Workday and the vendor's system.

Typical Cloud Connect use case: Send 834 EDI enrollment files to your insurance carriers after open enrollment or qualifying life events.

Workday Studio

Studio is the most advanced integration tool, designed for complex, multi-step orchestrations. Studio integrations use SFTP Get and SFTP Put operations as assembly steps within larger workflows.

Typical Studio use case: Retrieve a bank reconciliation file from SFTP, transform it, load it into Workday, and archive the original file — all in a single integration.

Document Transformation

Document Transformation converts integration output between formats — XML to flat file, CSV to fixed-width, and more. The transformed file is then delivered to your SFTP server. This is especially useful when a vendor requires a specific legacy file format.

Common Use Cases for Workday + SFTP

Nearly every Workday implementation relies on SFTP for at least some of these file-based integrations:

Payroll

Send payroll input files (earnings, deductions, hours) to third-party processors like ADP, Ceridian, or Paychex
Receive payroll results and journal entries back for posting to Workday
Deliver NACHA-format bank files for direct deposit
Transmit tax filing data to tax service providers

Benefits Administration

Send 834 EDI enrollment files to medical, dental, vision, and life insurance carriers
Transmit 401(k) contribution files to retirement plan administrators (Fidelity, Vanguard)
Deliver FSA/HSA contribution and claims files
Send COBRA administration files

Finance & Banking

Deliver general ledger journal entries to ERP or accounting systems
Exchange bank reconciliation files (BAI2 format)
Send accounts payable payment files (ACH, wire transfers, ISO 20022)
Transmit invoice and purchase order data to procurement systems

HR & IT

Feed employee data to Active Directory and identity management systems for provisioning and deprovisioning
Send new hire data to background check vendors
Export headcount and organizational data to analytics platforms
Deliver user feeds to learning management systems and badge/access control systems

Compliance & Reporting

Generate and deliver ACA (1094-C/1095-C) reporting files to filing services
Export EEO-1 and OSHA reporting data
Transmit audit files for SOC 2, HIPAA, and SOX compliance

How to Connect Workday to an SFTP Server

The configuration happens in two places: your SFTP server (where you set up credentials and directories) and Workday (where you point the integration at the server).

Step 1: Set Up Your SFTP Server

You need an SFTP server that Workday can reach over the internet. With SFTPHub, setup takes under two minutes:

Create an account at SFTPHub and choose a plan based on your storage needs.
Create an SFTP instance from your dashboard. This gives you a hostname and port.
Create an SFTP user for Workday with either password or SSH key authentication. SSH keys are recommended for production integrations.
Create directories on the SFTP server for each integration (e.g., /payroll/outbound, /benefits/enrollment). Workday does not create directories automatically.

If you have multiple vendors or integration categories, consider creating separate SFTP users for each one. This keeps credentials isolated and makes it easier to audit which system accessed which files. SFTPHub plans support multiple SFTP users per instance.

Step 2: Configure the Integration in Workday

The exact steps vary by integration tool (EIB, Core Connector, etc.), but the SFTP transport configuration is similar across all of them:

Open the integration in Workday (search for your EIB, Core Connector, or Studio integration).
Go to the transport/delivery settings and select SFTP as the protocol.
Enter the connection details:
- Hostname — your SFTPHub server address
- Port — the port shown on your SFTPHub instance detail page (default: 22)
- Remote directory — the path on the SFTP server where files should be placed or retrieved
Enter credentials — username and password, or upload the SSH private key for key-based authentication.
Set the schedule — daily, weekly, monthly, or triggered by a Workday business event.
Test the connection — Workday provides a test option to verify connectivity before going live.

Step 3: Authentication Options

Workday supports three SFTP authentication methods:

Username + Password — The simplest option. Works for initial testing, but requires periodic password rotation.
Username + SSH Key — Workday generates or accepts an SSH key pair. The public key is installed on the SFTP server. This is the recommended method for production — no passwords to rotate, stronger security, and better auditability.
Username + Password + SSH Key — Both factors required. Maximum security, but adds operational complexity.

SFTPHub supports both password and SSH key authentication. You can configure the authentication method per SFTP user — use password auth for testing and SSH keys for production, or use both simultaneously.

Security Considerations

IP Allowlisting

Workday's integration cloud connects to your SFTP server from specific IP ranges. Workday publishes these ranges (which vary by data center and pod) in their Community documentation. For an extra layer of security, you can configure your SFTP server's firewall to only accept connections from Workday's published IP ranges.

PGP Encryption

SFTP encrypts data in transit, but some vendors and compliance requirements call for file-level encryption as well. Workday supports PGP encryption and decryption natively — you upload PGP public keys to Workday for encrypting outbound files, and PGP private keys for decrypting inbound files. This is commonly required for payroll and benefits data.

Credential Management

Workday stores SFTP credentials in its Integration System Security (ISS) configuration. Integrations run under dedicated Integration System Users (ISUs) — service accounts that are separate from human user accounts. This keeps credentials isolated and auditable.

Why Use Managed SFTP for Workday?

Many organizations start with a self-hosted SFTP server for Workday integrations and quickly run into operational pain:

Self-Hosted SFTP

• Server patching and security updates
• Monitoring uptime and disk space
• Managing firewall rules for Workday IPs
• No redundancy — single point of failure
• SSH key rotation across dozens of integrations
• File cleanup and retention policy management

SFTPHub Managed SFTP

• No server to manage, patch, or monitor
• Cloud-backed storage with high availability
• Multiple SFTP users for vendor isolation
• SSH key and password authentication
• Predictable monthly pricing from $7/mo
• Set up in under two minutes

With a managed SFTP service, your team focuses on configuring integrations in Workday rather than maintaining infrastructure. When a payroll deadline hits at 2 AM, you need the SFTP server to be running — not waiting for someone to restart it.

Organizing Multiple Workday Integrations

A mid-sized Workday deployment easily has 20–50 SFTP-based integrations. Keeping them organized prevents operational headaches:

Separate SFTP users per vendor or integration category — Give your payroll processor, benefits carriers, and bank each their own SFTP user. If one vendor's credentials are compromised, the blast radius is limited.
Use clear directory structures — Organize by function and direction: /payroll/outbound, /payroll/inbound, /benefits/enrollment, /finance/gl-journals.
Use file naming conventions with dates — Workday supports dynamic file naming with timestamps (e.g., payroll_20260322_daily.csv). This prevents files from overwriting each other and makes troubleshooting easier.
Implement retention policies — Archive or delete files after a defined period. Do not let years of payroll files accumulate on the SFTP server.

Choosing the Right SFTPHub Plan for Workday

The right plan depends on how many integrations you run, how large your files are, and how long you retain them:

Micro ($7/mo, 5 GB) — Small organizations with a handful of integrations and short file retention. Good for getting started or running a pilot.
Growth ($45/mo, 100 GB) — Mid-sized deployments with daily payroll, benefits, and HR feeds. Supports 2 instances and 10 SFTP users for vendor isolation.
Professional ($99/mo, 500 GB) — Larger organizations with extensive integrations, longer retention, and multiple vendor connections. 5 instances and 25 SFTP users.
Business ($199/mo, 1 TB) — Enterprise deployments with high-volume file transfers, full audit retention, and dozens of vendor endpoints. 20 instances and 100 SFTP users.

Most Workday-focused teams start with the Growth plan and move up as they add integrations. File sizes for typical Workday integrations (payroll, benefits, GL journals) are small — usually kilobytes to low megabytes — so storage consumption is driven more by retention periods than individual file sizes.

Frequently Asked Questions

Does Workday support SFTP or only FTP?

Workday uses SFTP (SSH File Transfer Protocol), not plain FTP or FTPS. SFTP runs over SSH and encrypts both authentication and data in transit. Your SFTP server must support the SFTP protocol — SFTPHub does by default.

Can Workday both push and pull files via SFTP?

Yes. Workday can push (deliver/upload) files to an SFTP server and pull (retrieve/download) files from one. The direction is configured per integration. Most outbound integrations (payroll, benefits, reports) push files. Inbound integrations (bank reconciliation, timesheet imports) pull files.

What port does Workday use for SFTP?

Workday defaults to port 22 for SFTP, but supports custom ports. SFTPHub assigns a port when you create an instance — enter this port in your Workday integration configuration.

How do I troubleshoot a failed Workday SFTP integration?

Check Workday's integration event logs for the specific error. Common issues include: incorrect hostname or port, expired or mismatched credentials, the remote directory not existing on the SFTP server, and firewall rules blocking Workday's outbound IPs. SFTPHub instances are always reachable from Workday's cloud, so connectivity is rarely the issue with managed SFTP.

Can I use the same SFTP server for Workday and other systems?

Absolutely. Many organizations use a single SFTPHub instance for Workday integrations alongside other systems that need SFTP (e.g., Google Ads, CRM exports, data warehouse loads). Create separate SFTP users for each system to maintain isolation.

Key Takeaways

Workday relies on external SFTP servers for file-based integrations across payroll, benefits, finance, HR, and compliance.
All Workday integration tools (EIB, Core Connectors, Cloud Connect, Studio) support SFTP as a transport protocol.
SSH key authentication is recommended for production Workday integrations — stronger security, no passwords to rotate.
Create separate SFTP users and directories for each vendor or integration category to maintain isolation and auditability.
SFTPHub provides managed, always-on SFTP that eliminates the operational burden of self-hosted servers — starting at $7/month.