For additional security of your Pega Robot Runtime 19.1.63 or later, enable endpoint authorization through OAuth tokens to secure Robot Runtime routes or the API endpoints with which interacts. With this feature, the Robot Runtime endpoints are securely authorized by using a client ID and client secret combination for each data collector (user with Robot Runtime installed).

Take note of the following details:

• Workforce Intelligence uses client credentials rather than user credentials.
• You can turn the authorization method on or off after setting up client credentials.
• By default, Workforce Intelligence does not collect data for any data collectors that are assigned to the Unknown Team. Users that you added to the Unknown Team before Workforce Intelligence 8.5 automatically inherit the no data collection configuration unless they are assigned to a custom configuration.
• Any custom configurations that you assign override the no data collection configuration for imported users and any new users that you manually create in the application.
• The Allow list is still available.

1. Request Robot Runtime credentials from the Workforce Intelligence Service Delivery Team.
   For instructions on how to make this request, see Requesting a Workforce Intelligence client ID and client secret.
2. In the CommonConfig.xml file, in the Intelligence Server section, add a wfiOauthEnabled boolean field, and then set the value to true, as shown in the following example:

   <Server name="Intelligence" baseURL="https://acme.wfi.pega.com" enabled="true"
   proxyAddress="" wfiOauthEnabled="true"/>

3. On local Robot Runtime workstations, store the credentials that you received from the Workforce Intelligence Service Delivery Team by using System Center Configuration Manager (SCCM) or a similar console.
   The executable file expects a command-line argument called receiveStandardInput, which is a flag that tells the program to expect data from standard input. The following examples show valid methods for transferring the credentials to the Pega.WFICredentialsLoader.exe file by using standard input.
   For example:
   To store the credentials without referencing a file, use the following format:

   echo {"wfiClientId": "runtime-client", "wfiClientSecret": "runtime-secret"} | Pega.WFICredentialsLoader.exe receiveStandardInput

   For example: To store the credentials by using a file, use the following format:

   type credentials.json | Pega.WFICredentialsLoader.exe receiveStandardInput

   Note: In this example, the credentials.json file contains the credentials.
   Result: The results are displayed in the command-line console, and in the configured RuntimeLog destination. A success message indicates that the system saved the credentials.
4. If you receive an error message, correct the error, and then repeat step 3.
   The following table lists the errors that you might encounter:

   OAuth error messages and resolutions

   Error message	Cause
   Unable to save WFI OAuth credentials. ClientId and clientSecret params not found.	The receiveStandardInput command-line argument was not found or the ID and secret JSON keys are incorrectly typed.
   Unable to save WFI OAuth credentials. Both WFI OAuth clientId and clientSecret params required.	The client ID or client secret is missing.
   Unable to save WFI OAuth credentials. Intelligence server not enabled.	The Intelligence server in the CommonConfig.xml file is not enabled. The following example shows how to enable this server: <Server name="Intelligence" baseURL="https://acme.wfi.pega.com" enabled="true" proxyAddress="" wfiOauthEnabled="true"/>

• Implementation