Skip to main content

Enabling OAuth and Removing Permit List for Workforce Intelligence

Suggest edit Updated on December 9, 2020

Beginning with Workforce Intelligence 8.5, the Workforce Intelligence portal provides the option of endpoint authorization through OAuth tokens to secure Runtime routes, or the API endpoints with which Robot Runtime interacts. With this feature, the Robot Runtime endpoints are securely authorized using a client ID and client secret combination for each data collector (user with Robot Runtime installed).

Important: OAuth for Workforce Intelligence requires Robot Runtime 19.1.63 or later. 

Submit the request for OAuth credentials

  1. Log in to My Support Portal.
  2. On the My Support Portal home page, click New request > For something I need.
  3. On the Create tab, enter the request information:
    1. In the Service request field, select Other.
    2. In the Short description field, enter Approving removal of IP allow-listing restrictions; requesting OAuth credentials.
    3. In the Primary application field, enter Workforce Intelligence.

    4. In the Deployment field, select Pega Cloud.

    5. In the Environment field, enter Other.

    6. In the Other URL field, enter the URL of your Workforce Intelligence instance (for example,

    7. In the Environment type field, select Production
  4. Click Continue.
  5. On the Details tab, in the Describe the issue field, enter Provide client ID/secret.

  6. Click Continue.

  7. On the Communication preferences tab, review the contact information, and then make any necessary changes or additions.
  8. Click Finish.

Result: The Workforce Intelligence Service Delivery Team creates an internal ticket with the Pega Cloud team and schedules a meeting with you to provide you with the Workforce Intelligence OAuth credentials. 

Enable OAuth for Data Collectors

After the Workforce Intelligence Service Delivery Team provides the OAuth credentials, complete these steps to enable OAuth for data collectors. 

  1. In the CommonConfig.xml file, add a wfiOauthEnabled boolean parameter to the IntelligenceServer section, and enter true as the value.

    <Server name="Intelligence" baseURL="" enabled="true" proxyAddress="" wfiOauthEnabled="true"/>
  2. On local Runtime machines, store the credentials that you received from the Workforce Intelligence Service Delivery Team by using SCCM (System Center Configuration Manager) or a similar console.
  3. Send the credentials to the Pega.WFICredentialsLoader.exe file through standard input, using the following examples as a guide. These examples use the pipe character (|), which allows the credentials to be sent to Pega.WFICredentialsLoader.exe. The pipe character is available on your keyboard.
  • Send the credentials without referencing a file
    echo {"wfiClientId": "runtime-client", "wfiClientSecret": "runtime-secret"} | Pega.WFICredentialsLoader.exe receiveStandardInput
  • Send the credentials using a file
    type credentials.json | Pega.WFICredentialsLoader.exe receiveStandardInput

Request enablement of single sign-on (SS0)

SSO adds another layer of security beyond an email address and password for application users who open their portal to the Internet. In a non-VPN environment, application users must enter SSO credentials. See Enabling single sign-on for the Workforce Intelligence portal for details on enabling SSO.

  • Previous topic Requesting exports of Workforce Intelligence data
  • Next topic Requesting a Workforce Intelligence client ID and client secret
Did you find this content helpful? YesNo

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us