Authenticate via ADP Marketplace OAuth and access the Workers API

Verified steps

1. Register your application in the ADP Marketplace developer portal; ADP uses client certificate-based mutual TLS (mTLS) in addition to OAuth 2.0 — you must generate a CSR, submit it to ADP, and receive a signed certificate to use in API calls.
2. Obtain an access token by POSTing to https://accounts.adp.com/auth/oauth/v2/token with grant_type=client_credentials, using your client ID, client secret, and the mutual TLS certificate in the TLS handshake.
3. Base URL for the Workers API is https://api.adp.com/hr/v2/workers; include 'Authorization: Bearer {access_token}' in all requests.
4. GET /hr/v2/workers returns a paginated list of workers; use '$top' and '$skip' OData-style query parameters for pagination, and '$filter' for filtering by status or other fields.
5. Access token lifetime is limited — typically one hour; implement token refresh logic using client credentials grant before the token expires.
6. ADP's API responses use a deep nested JSON structure following their own data model (HCM-related standards); extract values from paths like 'workers[].person.legalName.formattedName' rather than expecting flat schemas.