Precision Planting Panorama

Leaf connects to Precision Planting Panorama using OAuth 2.0 via AWS Cognito. Once connected, Leaf syncs growers, farms, fields, machine files, and field operations.

The recommended way to create Panorama credentials is through the one-click integration endpoint: POST /users/{leafUserId}/one-click-integration/Panorama. This handles the Cognito token exchange and sharing handshake automatically.

Prerequisites

A Precision Planting Panorama developer/partner account.
Your application’s clientId from the Panorama developer portal.
The partner’s username and password from your Panorama account.
A refreshToken obtained through the Cognito authentication flow, or use the one-click integration endpoint which handles this for you.
The grower’s organizationCode, pre-authorized to share data with your Panorama partner application (manual credential creation only).

Setup steps

Option A: One-click integration (recommended) Use the one-click integration endpoint, which handles the Cognito token exchange automatically:

POST /users/{leafUserId}/one-click-integration/Panorama

One-click start request:

{
  "clientId": "your-client-id",
  "username": "partner-username",
  "password": "partner-password",
  "clientEnvironment": "PRODUCTION",
  "sharingUrlId": "your-custom-sharing-url-id"
}

organizationCode is not requried for the one-click flow.
Set the sharingUrlId in both the one-click request body and your Panorama app key configuration.
Set the Sharing Confirmation URL to https://widget.withleaf.io in the Panorama Partner Portal so Leaf can receive the callback and complete credential attachment.
The sharingUrlId is the UUID contained in the Share Initiation URL and can be obtained through the Panorama Partner Portal under the Account Details tab.

Option B: Manual credential creation If you manage the Cognito flow yourself, POST the credentials to Leaf:

curl -X POST \
    -H 'Authorization: Bearer YOUR_TOKEN' \
    -H 'Content-Type: application/json' \
    -d '{
      "clientId": "your-client-id",
      "username": "partner-username",
      "password": "partner-password",
      "organizationCode": "grower-org-code",
      "refreshToken": "cognito-refresh-token",
      "clientEnvironment": "PRODUCTION"
    }' \
    'https://api.withleaf.io/services/usermanagement/api/users/{leafUserId}/panorama-credentials'

Confirm the credentials are attached

Check the stored credentials for the Leaf user:

curl "https://api.withleaf.io/services/usermanagement/api/users/{leafUserId}/panorama-credentials" \
  -H "Authorization: Bearer YOUR_TOKEN"

If this worked, Leaf returns the Panorama credential object for the Leaf user.

Credentials schema

Create request body:

Field	Type	Required	Description
`clientId`	string	Yes	Your application’s client ID from Panorama
`username`	string	Yes	The partner’s Panorama username
`password`	string	Yes	The partner’s Panorama password
`organizationCode`	string	Yes	The grower’s organization code in Panorama
`refreshToken`	string	Yes	Cognito refresh token
`clientEnvironment`	string	Yes	`STAGE` or `PRODUCTION`

Response:

{
  "id": "uuid",
  "status": "str",
  "createdTime": "yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'",
  "clientId": "str",
  "username": "str",
  "organizationCode": "str",
  "clientEnvironment": "PRODUCTION",
  "accessToken": "str",
  "refreshToken": "str"
}

Endpoints

Base URL: https://api.withleaf.io/services/usermanagement/api

Action	Method	Path
Get credentials	GET	`/users/{leafUserId}/panorama-credentials`
Create credentials	POST	`/users/{leafUserId}/panorama-credentials`
Delete credentials	DELETE	`/users/{leafUserId}/panorama-credentials`
Get credential events	GET	`/users/{leafUserId}/panorama-credentials/events`

Troubleshooting

Use the events endpoint to inspect credential health:

curl -X GET \
    -H 'Authorization: Bearer YOUR_TOKEN' \
    'https://api.withleaf.io/services/usermanagement/api/users/{leafUserId}/panorama-credentials/events'

Event logs are retained for 30 days. Once the credential is deleted or disassociated from the Leaf user, the logs are no longer available.

Common issues:

Cognito token expiry: Panorama uses AWS Cognito for auth. If the credential becomes invalid, the grower may need to re-authenticate. Using the one-click integration endpoint avoids much of this complexity.
Wrong organization code: For manual credential creation, verify the organizationCode is already authorized to share data with your Panorama partner application.
STAGE vs. PRODUCTION mismatch: Make sure clientEnvironment matches your Panorama setup.

What to do next

Field Operations Quickstart for checking synced field and operation data.
Provider Organizations if you need to review sync scope after connection.
Provider Credentials API Reference for the credential path matrix.

Getting Started

Configuration

Alerts

Leaf Users

Connecting Providers

Data Hierarchy

Machine Data

Satellite Imagery

Weather

Soil Sampling

Leaf Lake

UI Components

MCP Server

Irrigation

Beta

Administration

Sharing Data

Prerequisites

Setup steps

Confirm the credentials are attached

Credentials schema

Endpoints

Troubleshooting

What to do next

Getting Started

Configuration

Alerts

Leaf Users

Connecting Providers

Data Hierarchy

Machine Data

Satellite Imagery

Weather

Soil Sampling

Leaf Lake

UI Components

MCP Server

Irrigation

Beta

Administration

Sharing Data

Documentation Index

​Prerequisites

​Setup steps

​Confirm the credentials are attached

​Credentials schema

​Endpoints

​Troubleshooting

​What to do next

Prerequisites

Setup steps

Confirm the credentials are attached

Credentials schema

Endpoints

Troubleshooting

What to do next