As an alternative, the REST API docs, say that you can call methods that are marked as whitelisted, but none of our required actions mentioned above seems to be whitelisted in the workflow.py source file on github (I would post the link but there’s a link limit for new users)
Or are we looking in the wrong place and what we really should be doing is using the Document API  to achieve our objectives?
The API requires whitelisting for RPC calls, but not for normal REST calls (create, read, update, delete, etc.) from your descriptions, it sounds like you should be able to do what you want to do with a simple POST call. Is there any reason not to go that way?
it sounds like you should be able to do what you want to do with a simple POST call
i presume you mean a simple POST call to the /api/resource/:workflow/ endpoint?
if so, then yeah, that is the way that we were thinking of.
we just wasn’t sure if there was additional logic, which is usually abstracted away from the end user by the API, that had to called in order for the workflow to work as expected. e.g. other tables / references / entities / etc. that also needs to be updated.
Whitelisted methods can be more abstracted, but REST calls are just pure object lifecycle claims. The workflow doctype has two child tables, but those just become part of the json representation of the object you’re creating.