This tutorial walks through the John Deere OAuth flow: creating a developer application, obtaining user tokens, and attaching credentials to a Leaf user so Leaf can sync field boundaries, machine files, and field operations from John Deere Operations Center.
The fastest way to connect John Deere is through Magic Link or Leaf Link, which handle the OAuth UI for you. This tutorial is for developers who need to build the OAuth flow into their own application. Before you start
Step 1: Create a John Deere application
Sign in to the John Deere developer portal, navigate to My Applications, and click Create Application.
Fill in your company information and select the APIs you need:
| Leaf product | Required John Deere APIs |
|---|
| Base | Organizations, Webhook |
| Field boundaries | Clients, Farm, Field, Boundaries |
| Machine files / field operations | Field Operations, Files |
| Prescriptions (beta) | Files |
| Machines (beta) | Machines |
Enable webhook permissions
Leaf uses John Deere webhooks to receive real-time notifications when grower data changes, which means faster data delivery than polling alone. You need to explicitly request webhook access for your application:
- In My Applications, select your application and click Request Access.
- Navigate to Precision Tech → Application, open the Operations Center - Webhook menu.
- Check both Webhook Read and Webhook Write.
- Click Submit Request. Approval typically takes a few hours.
Without webhook permissions, Leaf still syncs data on a polling schedule (at least every 24 hours), but new data won’t arrive in near-real-time.
Step 2: Get the authorization URL
Redirect the grower to John Deere’s OAuth consent page. Leaf provides a helper endpoint that constructs the URL:
curl -X POST "https://johndeere-oauth2-helper.withleaf.io/get_url" \
-H "Content-Type: application/json" \
-d '{
"clientKey": "your-john-deere-app-id",
"clientSecret": "your-john-deere-secret",
"clientRedirectUrl": "https://your-app.com/callback"
}'
clientRedirectUrl with a code parameter in the URL.
Step 3: Exchange the code for tokens
Use the redirect URL (including the code) to get the user’s tokens:
curl -X POST "https://johndeere-oauth2-helper.withleaf.io/get_token" \
-H "Content-Type: application/json" \
-d '{
"clientKey": "your-john-deere-app-id",
"clientSecret": "your-john-deere-secret",
"responseUrl": "https://your-app.com/callback?code=abc123",
"clientRedirectUrl": "https://your-app.com/callback"
}'
refreshToken. You’ll attach it to the Leaf user in the next step.
Step 4: Grant organization access
The grower must explicitly share their organizations with your application. Redirect them to:
https://connections.deere.com/connections/{yourJohnDeereAppId}/select-organizations?redirect_uri={yourRedirectUrl}
Step 5: Attach credentials to the Leaf user
curl -X POST "https://api.withleaf.io/services/usermanagement/api/users/{leafUserId}/john-deere-credentials" \
-H "Authorization: Bearer YOUR_LEAF_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"clientKey": "your-john-deere-app-id",
"clientSecret": "your-john-deere-secret",
"refreshToken": "the-refresh-token-from-step-3",
"clientEnvironment": "STAGE"
}'
clientEnvironment to STAGE for sandbox testing or PRODUCTION once John Deere has approved your app for production. Leaf manages token refresh automatically after this point.
Step 6: Confirm the credentials are attached
curl "https://api.withleaf.io/services/usermanagement/api/users/{leafUserId}/john-deere-credentials" \
-H "Authorization: Bearer YOUR_LEAF_TOKEN"
John Deere sandbox rules: one test account, no more than five connected organizations, under 150,000 API calls/month, and no longer than 18 months in sandbox. Violating these can get your app revoked.
What you built
You completed the John Deere OAuth flow and attached credentials to a Leaf user. Leaf now syncs field boundaries, machine files, and field operations from John Deere Operations Center. Data will appear in field operations queries once processing completes.
For more details on the credentials schema and endpoints, see the John Deere provider guide and the provider credentials API reference. 
