Leaf connects to John Deere Operations Center using OAuth 2.0. Once connected, Leaf syncs fields, machine files, and field operations for the Leaf user.
Prerequisites
- A John Deere developer account. Register here.
- An application registered in the My Applications portal with the appropriate scopes and redirect URIs configured. Make sure Webhook Read and Webhook Write permissions are enabled under Operations Center - Webhook — this allows Leaf to receive real-time data notifications instead of relying solely on polling.
- Your application’s clientKey and clientSecret from John Deere.
- A grower’s refreshToken obtained through the John Deere OAuth 2.0 consent flow.
John Deere accounts can span multiple organizations. By default, Leaf syncs data from all organizations the account has access to. Use the organizationDataSync configuration to limit this to specific organizations.
Setup steps
- Complete the John Deere OAuth 2.0 flow to obtain a refreshToken for the grower’s account.
- POST the credentials to Leaf:
curl -X POST \
-H 'Authorization: Bearer YOUR_TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"clientKey": "your-client-key",
"clientSecret": "your-client-secret",
"refreshToken": "grower-refresh-token",
"clientEnvironment": "PRODUCTION"
}' \
'https://api.withleaf.io/services/usermanagement/api/users/{leafUserId}/john-deere-credentials'
- Leaf validates the token and begins syncing. Check credential status with GET /users/{leafUserId}/john-deere-credentials.
Credentials schema
Create request body:
| Field | Type | Required | Description |
|---|---|---|---|
| clientKey | string | Yes | Your application’s client key from John Deere |
| clientSecret | string | Yes | Your application’s client secret |
| refreshToken | string | Yes | The grower’s OAuth refresh token |
| clientEnvironment | string | Yes | STAGE or PRODUCTION |
Response:
{
"id": "uuid",
"status": "str",
"createdTime": "yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'",
"tokenMetadata": {"scopes": ["str"]},
"clientKey": "str",
"clientSecret": "str",
"accessToken": "str",
"refreshToken": "str",
"clientEnvironment": "PRODUCTION"
}
The status field reflects the current health of the credential. If Leaf detects during background processing that the credential is no longer valid, the status changes accordingly.
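The response above echoes clientSecret, accessToken and refreshToken, so it should not be logged as returned. The following Python helper is an added example, not Leaf's code: it builds the create body from environment variables instead of shell literals and masks the secret fields before a response is logged. The JD_* variable names and all sample values are assumptions constructed for illustration.

```python
import json
import os

SECRET_FIELDS = {"clientSecret", "accessToken", "refreshToken"}  # secrets in the response schema
VALID_ENVIRONMENTS = {"STAGE", "PRODUCTION"}  # allowed clientEnvironment values

# Constructed sample shaped like the documented response; all values are fake.
SAMPLE_RESPONSE = {
    "id": "00000000-0000-0000-0000-000000000000",
    "status": "example-status",
    "tokenMetadata": {"scopes": ["example-scope"]},
    "clientKey": "example-client-key",
    "clientSecret": "example-client-secret",
    "accessToken": "example-access-token",
    "refreshToken": "example-refresh-token",
    "clientEnvironment": "PRODUCTION",
}


def build_create_body(env=os.environ):
    """Build the POST body from environment variables (JD_* names are assumed)."""
    body = {
        "clientKey": env.get("JD_CLIENT_KEY", ""),
        "clientSecret": env.get("JD_CLIENT_SECRET", ""),
        "refreshToken": env.get("JD_REFRESH_TOKEN", ""),
        "clientEnvironment": env.get("JD_CLIENT_ENVIRONMENT", ""),
    }
    missing = sorted(name for name, value in body.items() if not value)
    if missing:
        raise ValueError("missing required fields: " + ", ".join(missing))
    if body["clientEnvironment"] not in VALID_ENVIRONMENTS:
        raise ValueError("clientEnvironment must be STAGE or PRODUCTION")
    return body


def redact(obj):
    """Return a deep copy that is safe to log: secret values are masked."""
    if isinstance(obj, dict):
        return {key: "[REDACTED]" if key in SECRET_FIELDS else redact(value)
                for key, value in obj.items()}
    if isinstance(obj, list):
        return [redact(item) for item in obj]
    return obj


if __name__ == "__main__":
    # Log the redacted form only; keep the raw response out of logs and tickets.
    print(json.dumps(redact(SAMPLE_RESPONSE), indent=2))
```

The same redact() call can be applied to entries from the events endpoint before they are stored, since it walks nested objects and lists.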
Endpoints
Base URL: https://api.withleaf.io/services/usermanagement/api
| Action | Method | Path |
|---|---|---|
| Get credentials | GET | /users/{leafUserId}/john-deere-credentials |
| Create credentials | POST | /users/{leafUserId}/john-deere-credentials |
| Delete credentials | DELETE | /users/{leafUserId}/john-deere-credentials |
| Get credential events | GET | /users/{leafUserId}/john-deere-credentials/events |
Troubleshooting
Use the events endpoint to inspect credential health:
curl -X GET \
-H 'Authorization: Bearer YOUR_TOKEN' \
'https://api.withleaf.io/services/usermanagement/api/users/{leafUserId}/john-deere-credentials/events'
Each event includes a body, headers, statusCode, and createdDate.
Event logs are retained for 30 days. Once the credential is deleted or disassociated from the Leaf user, the logs are no longer available.
Common issues:
- Status changes to invalid: The grower may have revoked access in John Deere Operations Center, or the refresh token expired. Have the grower re-authorize through the OAuth flow.
- Missing organizations: If expected data isn’t appearing, check whether organizationDataSync is set to SELECTED_ONLY and verify the correct organizations are selected.
- STAGE vs. PRODUCTION mismatch: Make sure clientEnvironment matches the environment your John Deere app is registered in.