Register your application in ADP's API Central portal and obtain OAuth 2.0 client credentials plus the mTLS certificate.
Authenticate using the client credentials flow (with mutual TLS) to obtain a Bearer access token from the ADP token endpoint.
Call GET /hr/v2/workers to retrieve a list of workers; use query parameters to filter or paginate as needed.
To retrieve a specific worker, call GET /hr/v2/workers/{aoid} where aoid is the Associate OID.
Include the header Accept: application/json;masked=false in requests where you need unmasked sensitive fields such as full date of birth.
Known gotchas
By default, sensitive fields (SSN last four digits, birth date) are masked — you must explicitly set Accept: application/json;masked=false to see them, and your app must have the corresponding data-access permission.
ADP requires mutual TLS (mTLS) for all API requests — presenting only a client ID and secret without the X.509 certificate will result in authentication failure.
The Associate OID (aoid) is ADP's internal identifier and is not the employee ID visible in the Workforce Now UI; map these carefully when syncing with external systems.
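The steps and gotchas above as a request builder, an added example that is not ADP's or this page's own code. The base URLs, the certificate file paths, the `[A-Za-z0-9]+` shape check on `aoid`, and sending the client credentials with HTTP Basic are assumptions; responses stay masked unless the caller opts in.

```python
import base64
import re
import ssl
import urllib.parse
import urllib.request

# Assumptions (not from the page): base URLs are supplied by the caller, and
# client credentials are sent with HTTP Basic as in RFC 6749 section 2.3.1.

def mtls_context(cert_file, key_file):
    """TLS context that presents the client X.509 certificate (mTLS)."""
    ctx = ssl.create_default_context()  # server certificate checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx

def token_request(token_url, client_id, client_secret):
    """Client-credentials grant; the secret travels only in a header."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(token_url, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    })

_AOID = re.compile(r"[A-Za-z0-9]+")  # assumed shape; rejects '/', '?', '..'

def workers_request(api_base, token, aoid=None, unmasked=False):
    """GET /hr/v2/workers or /hr/v2/workers/{aoid}; masked unless opted in."""
    if not api_base.startswith("https://"):
        raise ValueError("refusing to send a bearer token over non-HTTPS")
    path = "/hr/v2/workers"
    if aoid is not None:
        if not _AOID.fullmatch(aoid):
            raise ValueError("unexpected characters in aoid")
        path += "/" + aoid
    accept = "application/json;masked=false" if unmasked else "application/json"
    return urllib.request.Request(api_base.rstrip("/") + path, method="GET", headers={
        "Authorization": f"Bearer {token}",
        "Accept": accept,
    })

def send(req, ctx):
    """Send a prepared request over the mTLS context and return the body."""
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()
```

Build the context once with `mtls_context`, then pass it to `send` for both the token request and every API request, since the certificate is required on all of them.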