Register your application in ADP's developer portal (API Central) to receive a client_id, client_secret, and a signed X.509 certificate pair (PEM format).
Configure your HTTP client to present the client certificate on every outbound connection (mutual TLS) — the certificate is required at the transport layer for all ADP API calls.
POST to the ADP token endpoint with grant_type=client_credentials, client_id, and client_secret in the request body, while simultaneously presenting the X.509 certificate via mTLS.
Extract the access_token from the JSON response and include it as a Bearer token in the Authorization header of all subsequent API requests.
Monitor the token's expires_in value and re-authenticate before expiry to avoid 401 errors mid-integration.
Known gotchas
ADP uses certificate-based mTLS at the connection layer in addition to OAuth: credentials sent without the certificate are rejected even if the client_id and secret are correct.
Certificates are environment-specific: sandbox certificates will not work against production endpoints and vice versa; obtain the correct certificate for each environment from API Central.
Access tokens are short-lived; build automatic token refresh into your client rather than caching a single token indefinitely.
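The token request over mTLS and the refresh-before-expiry behaviour described above, as an added example (not ADP's code and not part of the original page). TOKEN_URL and the PEM paths are placeholders to be replaced with the values from API Central; the names fetch_token and TokenCache and the 60-second margin are illustrative assumptions.

```python
import json, ssl, time, urllib.parse, urllib.request

# Placeholder (assumption): use the token endpoint listed for your environment in API Central.
TOKEN_URL = "https://adp-token-endpoint.example/token"

def fetch_token(client_id, client_secret, cert_pem, key_pem, url=TOKEN_URL):
    """POST the client_credentials grant on a connection that presents the client certificate."""
    ctx = ssl.create_default_context()                       # server certificate is still verified
    ctx.load_cert_chain(certfile=cert_pem, keyfile=key_pem)  # client side of mutual TLS
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)                               # expects access_token and expires_in

class TokenCache:
    """Holds one access token and re-authenticates shortly before expires_in elapses."""

    def __init__(self, fetch, margin=60, clock=time.monotonic):
        self._fetch, self._margin, self._clock = fetch, margin, clock
        self._token, self._deadline = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._deadline:
            issued = self._clock()          # measured before the round trip, so we err on the early side
            resp = self._fetch()
            self._token = resp["access_token"]
            # Refresh `margin` seconds early; a missing or very small expires_in
            # makes the deadline equal to `issued`, so the next call fetches again.
            lifetime = float(resp.get("expires_in", 0))
            self._deadline = issued + max(lifetime - self._margin, 0)
        return self._token

    def auth_header(self):
        """Header for subsequent API requests (sent over the same mTLS configuration)."""
        return {"Authorization": "Bearer " + self.get()}

    def invalidate(self):
        """Call after an unexpected 401 so the next get() re-authenticates."""
        self._token = None
```

Wire the two together with `TokenCache(lambda: fetch_token(cid, secret, cert_path, key_path))`, loading the secret and PEM paths from a secrets store or environment rather than from source code.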