Leaf connects to Precision Planting Panorama using OAuth 2.0 via AWS Cognito. Once connected, Leaf syncs growers, farms, fields, machine files, and field operations.
The recommended way to create Panorama credentials is through the one-click integration endpoint: POST /users/{leafUserId}/one-click-integration/Panorama. This handles the Cognito token exchange and sharing handshake automatically.
Prerequisites
- A Precision Planting Panorama developer/partner account.
- Your application’s clientId from the Panorama developer portal.
- The grower’s username, password, and organizationCode from their Panorama account.
- A refreshToken obtained through the Cognito authentication flow, or use the one-click integration endpoint which handles this for you.
Setup steps
Option A: One-click integration (recommended)
Use the one-click integration endpoint, which handles the Cognito token exchange automatically:
POST /users/{leafUserId}/one-click-integration/Panorama
Option B: Manual credential creation
If you manage the Cognito flow yourself, POST the credentials to Leaf:
curl -X POST \
-H 'Authorization: Bearer YOUR_TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"clientId": "your-client-id",
"username": "grower-username",
"password": "grower-password",
"organizationCode": "grower-org-code",
"refreshToken": "cognito-refresh-token",
"clientEnvironment": "PRODUCTION"
}' \
'https://api.withleaf.io/services/usermanagement/api/users/{leafUserId}/panorama-credentials'
Confirm the credentials are attached
Check the stored credentials for the Leaf user:
curl "https://api.withleaf.io/services/usermanagement/api/users/{leafUserId}/panorama-credentials" \
-H "Authorization: Bearer YOUR_TOKEN"
If this worked, Leaf returns the Panorama credential object for the Leaf user.
Credentials schema
Create request body:
| Field | Type | Required | Description |
|---|---|---|---|
| clientId | string | Yes | Your application’s client ID from Panorama |
| username | string | Yes | The grower’s Panorama username |
| password | string | Yes | The grower’s Panorama password |
| organizationCode | string | Yes | The grower’s organization code in Panorama |
| refreshToken | string | Yes | Cognito refresh token |
| clientEnvironment | string | Yes | STAGE or PRODUCTION |
Response:
{
"id": "uuid",
"status": "str",
"createdTime": "yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'",
"clientId": "str",
"username": "str",
"organizationCode": "str",
"clientEnvironment": "PRODUCTION",
"accessToken": "str",
"refreshToken": "str"
}
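The create request carries the grower's password and the response carries accessToken and refreshToken, so both objects need care before they are sent or logged. The following is an added example, not Leaf's own code: it checks a create body against the schema above and masks the secret fields before logging. The function names are hypothetical and the sample values are constructed.

```python
import json

# Field names and allowed values are taken from the schema tables on this page.
REQUIRED_FIELDS = ("clientId", "username", "password",
                   "organizationCode", "refreshToken", "clientEnvironment")
ALLOWED_ENVIRONMENTS = {"STAGE", "PRODUCTION"}
# Fields that hold secrets and should never reach logs or tickets.
SECRET_FIELDS = {"password", "accessToken", "refreshToken"}


def validate_create_body(body):
    """Return a list of problems; an empty list means the body is well-formed."""
    problems = []
    for name in REQUIRED_FIELDS:
        value = body.get(name)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{name}: missing or empty")
        elif value != value.strip():
            # organizationCode must match exactly, so stray whitespace matters.
            problems.append(f"{name}: leading or trailing whitespace")
    env = body.get("clientEnvironment")
    if isinstance(env, str) and env.strip() and env not in ALLOWED_ENVIRONMENTS:
        problems.append("clientEnvironment: must be STAGE or PRODUCTION")
    return problems


def redact(obj):
    """Return a copy of a request or response object with secrets masked."""
    return {k: ("[REDACTED]" if k in SECRET_FIELDS else v)
            for k, v in obj.items()}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    body = {"clientId": "example-client", "username": "grower1",
            "password": "s3cret", "organizationCode": "ORG-1 ",
            "refreshToken": "rt-abc", "clientEnvironment": "Prod"}
    print(validate_create_body(body))
    print(json.dumps(redact(body), indent=2))
```
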
Endpoints
Base URL: https://api.withleaf.io/services/usermanagement/api
| Action | Method | Path |
|---|---|---|
| Get credentials | GET | /users/{leafUserId}/panorama-credentials |
| Create credentials | POST | /users/{leafUserId}/panorama-credentials |
| Delete credentials | DELETE | /users/{leafUserId}/panorama-credentials |
| Get credential events | GET | /users/{leafUserId}/panorama-credentials/events |
Troubleshooting
Use the events endpoint to inspect credential health:
curl -X GET \
-H 'Authorization: Bearer YOUR_TOKEN' \
'https://api.withleaf.io/services/usermanagement/api/users/{leafUserId}/panorama-credentials/events'
Event logs are retained for 30 days. Once the credential is deleted or disassociated from the Leaf user, the logs are no longer available.
Common issues:
- Cognito token expiry: Panorama uses AWS Cognito for auth. If the credential becomes invalid, the grower may need to re-authenticate. Using the one-click integration endpoint avoids much of this complexity.
- Wrong organization code: Verify the organizationCode matches the grower’s Panorama account exactly.
- STAGE vs. PRODUCTION mismatch: Make sure clientEnvironment matches your Panorama setup.
What to do next