Workday allows for multiple methods of authentication.
You can authenticate via WS-Security when interacting with Workday's native SOAP web services. You can find the WSDLs here to generate a request more easily via tool like SOAPui. For WSDLs, your authentication will be username@tenantname and password.
You can also authenticate to Reports as a Service (RaaS) via basic authentication through a REST request. Typically the authentication string is palced in the header and bae64 encoded. You do not need to include the @tenant name in authorization for REST requests. Basic authentication in a REST request can be achieved through an Authorization header like the following:
Authorization: base64Encoded(username:password)
If you are interested in more secure forms of authentication, Workday does provide the ability to register an API client within the tenant (search "Register API Client" inside your tenant). This allows you to further secure your connections to workday by encapsulating user authentication through OAuth2.0 or other authentication methods.