Leaf connects to Precision Planting Panorama using OAuth 2.0 via AWS Cognito. Once connected, Leaf syncs growers, farms, fields, machine files, and field operations.
The recommended way to create Panorama credentials is through the one-click integration endpoint: POST /users/{leafUserId}/one-click-integration/Panorama. This handles the Cognito token exchange and sharing handshake automatically.
Prerequisites
- A Precision Planting Panorama developer/partner account.
- Your application’s
clientId from the Panorama developer portal.
- The partner’s
username and password from your Panorama account.
- A
refreshToken obtained through the Cognito authentication flow, or use the one-click integration endpoint which handles this for you.
- The grower’s organizationCode, pre-authorized to share data with your Panorama partner application (manual credential creation only).
Setup steps
Option A: One-click integration (recommended)
Use the one-click integration endpoint, which handles the Cognito token exchange automatically:
POST /users/{leafUserId}/one-click-integration/Panorama
{
"clientId": "your-client-id",
"username": "partner-username",
"password": "partner-password",
"clientEnvironment": "PRODUCTION",
"sharingUrlId": "your-custom-sharing-url-id"
}
organizationCode is not requried for the one-click flow.- Set the
sharingUrlId in both the one-click request body and your Panorama app key configuration.
- Set the Sharing Confirmation URL to
https://widget.withleaf.io in the Panorama Partner Portal so Leaf can receive the callback and complete credential attachment.
- The
sharingUrlId is the UUID contained in the Share Initiation URL and can be obtained through the Panorama Partner Portal under the Account Details tab.
Option B: Manual credential creation
If you manage the Cognito flow yourself, POST the credentials to Leaf:
curl -X POST \
-H 'Authorization: Bearer YOUR_TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"clientId": "your-client-id",
"username": "partner-username",
"password": "partner-password",
"organizationCode": "grower-org-code",
"refreshToken": "cognito-refresh-token",
"clientEnvironment": "PRODUCTION"
}' \
'https://api.withleaf.io/services/usermanagement/api/users/{leafUserId}/panorama-credentials'
Confirm the credentials are attached
Check the stored credentials for the Leaf user:
curl "https://api.withleaf.io/services/usermanagement/api/users/{leafUserId}/panorama-credentials" \
-H "Authorization: Bearer YOUR_TOKEN"
Credentials schema
Create request body:
| Field | Type | Required | Description |
|---|
clientId | string | Yes | Your application’s client ID from Panorama |
username | string | Yes | The partner’s Panorama username |
password | string | Yes | The partner’s Panorama password |
organizationCode | string | Yes | The grower’s organization code in Panorama |
refreshToken | string | Yes | Cognito refresh token |
clientEnvironment | string | Yes | STAGE or PRODUCTION |
{
"id": "uuid",
"status": "str",
"createdTime": "yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'",
"clientId": "str",
"username": "str",
"organizationCode": "str",
"clientEnvironment": "PRODUCTION",
"accessToken": "str",
"refreshToken": "str"
}
Endpoints
Base URL: https://api.withleaf.io/services/usermanagement/api
| Action | Method | Path |
|---|
| Get credentials | GET | /users/{leafUserId}/panorama-credentials |
| Create credentials | POST | /users/{leafUserId}/panorama-credentials |
| Delete credentials | DELETE | /users/{leafUserId}/panorama-credentials |
| Get credential events | GET | /users/{leafUserId}/panorama-credentials/events |
Troubleshooting
Use the events endpoint to inspect credential health:
curl -X GET \
-H 'Authorization: Bearer YOUR_TOKEN' \
'https://api.withleaf.io/services/usermanagement/api/users/{leafUserId}/panorama-credentials/events'
Event logs are retained for 30 days. Once the credential is deleted or disassociated from the Leaf user, the logs are no longer available.
- Cognito token expiry: Panorama uses AWS Cognito for auth. If the credential becomes invalid, the grower may need to re-authenticate. Using the one-click integration endpoint avoids much of this complexity.
- Wrong organization code: For manual credential creation, verify the
organizationCode is already authorized to share data with your Panorama partner application.
- STAGE vs. PRODUCTION mismatch: Make sure
clientEnvironment matches your Panorama setup.
What to do next
