Integrating ADP with Lovable requires Supabase Edge Functions to handle ADP's OAuth2 flow and mutual TLS certificate authentication. Store your ADP client credentials and certificate in Cloud Secrets, create an Edge Function to obtain access tokens and proxy worker data requests, and build HR dashboards showing employee records, pay statements, and organizational charts. Setup takes 60-90 minutes due to ADP's enterprise onboarding requirements.
Why integrate ADP with Lovable?
ADP processes payroll for over 40 million workers in the United States and manages HR data for companies ranging from small businesses to Fortune 500 enterprises. If you're building internal tools, HR dashboards, workforce analytics apps, or any software that needs to surface employee data, payroll summaries, or organizational structures from a company already using ADP, the ADP API provides the authoritative source of that information.
The challenge with ADP integration is that it's designed for enterprise developers, not indie builders. Unlike Stripe or Twilio where you get an API key in 5 minutes, ADP requires registering a developer account, creating an application in their Marketplace Developer Portal, obtaining OAuth2 client credentials, and downloading a client SSL certificate for mutual TLS authentication. The mTLS requirement means both sides of the HTTPS connection must present certificates — ADP verifies your certificate before even accepting your OAuth token request. This is standard enterprise security practice, but it requires careful handling in Lovable's Edge Function environment.
Once set up, the ADP API provides rich access to HR data through a consistent RESTful interface. The Workers resource returns employee profiles including names, IDs, employment dates, job titles, and compensation. The Pay Statements resource returns individual pay slip data. The Organization Units resource returns the company's hierarchy. This tutorial walks through the complete setup flow using ADP's developer sandbox, which lets you test with realistic fake data before connecting to a production ADP account.
Integration method
ADP has no native Lovable connector. Integration requires Supabase Edge Functions to manage ADP's OAuth2 client credentials flow plus mutual TLS (mTLS) certificate authentication — a security requirement for all ADP API access. Credentials and the client certificate are stored in Cloud Secrets, the Edge Function obtains and caches access tokens, and all worker data requests proxy through the Edge Function. ADP's developer sandbox is available for testing without a production account.
Prerequisites
- A Lovable project with Cloud enabled
- An ADP developer account — register at developers.adp.com
- An ADP developer application created in the ADP Marketplace Developer Portal (provides client_id, client_secret, and SSL certificate)
- The ADP client SSL certificate (.pem file) downloaded from the Developer Portal for mutual TLS authentication
- Access to an ADP organization's API (either the developer sandbox for testing, or a client organization's approval for production access)
Step-by-step guide
Register an ADP developer application and download credentials
Register an ADP developer application and download credentials
Go to developers.adp.com and sign in or create a developer account. Navigate to 'My Apps' and click 'Create App'. Choose the appropriate API product — for worker data and pay statements, select 'HR and Payroll' from the product catalog. Give your app a name and description, then submit for approval. ADP developer sandbox apps are typically approved within 1-2 business days. Once approved, open your app from the 'My Apps' dashboard. In the app detail page, you'll find: Client ID (a UUID-formatted identifier), Client Secret (a long random string), and an option to download the SSL Certificate. Click 'Download Certificate' to get a .zip file containing your client certificate (.pem) and private key. These files together are your mTLS credentials — they prove your application's identity to ADP's servers. The ADP developer sandbox provides a realistic dataset of fictional employees, pay statements, and organizational units. The sandbox base URL is https://api.adp.com (same as production) but uses separate credentials that only return synthetic data. This lets you build and test your integration completely before handling any real employee data. For accessing a real company's ADP data (production), the company's ADP administrator must grant your application access to their organization through the ADP Marketplace. This is a separate step from registering your developer app — your app acts as a platform, and each client company authorizes it.
Pro tip: Download and safely store your SSL certificate files immediately after app creation. ADP does not provide a way to re-download the same certificate — if you lose it, you'll need to generate a new certificate and re-register your app. Store the .pem and key files in a secure password manager.
Expected result: You have your ADP Client ID, Client Secret, and SSL certificate (.pem and private key) saved securely. Your developer app appears in the ADP Developer Portal with sandbox access.
Store ADP credentials and certificate in Cloud Secrets
Store ADP credentials and certificate in Cloud Secrets
ADP credentials require special handling in Cloud Secrets because they include both text values (client ID, client secret) and a multi-line certificate file. Open your Lovable project, click the '+' icon in the top-right to open panels, and select 'Cloud'. Expand the Secrets section. Add the following secrets one at a time. First, ADP_CLIENT_ID — paste your application's Client ID UUID. Second, ADP_CLIENT_SECRET — paste the client secret string. Third, ADP_CERT_PEM — paste the entire contents of your client certificate .pem file, including the BEGIN CERTIFICATE and END CERTIFICATE lines. The multi-line content will be stored correctly in the secret value. Fourth, ADP_CERT_KEY — paste the entire private key file contents. Also add ADP_API_BASE with value 'https://api.adp.com' for the sandbox and production environments (they use the same base URL but different credentials). Add ADP_ENVIRONMENT with value 'sandbox' or 'production' to indicate which credential set is active. Storing the certificate as a Cloud Secret rather than a file is necessary because Lovable's Edge Functions run in Deno Deploy's serverless environment — there's no persistent filesystem. The certificate content is read from the environment variable, written to a temporary in-memory location, and used for the TLS handshake on each request. This is standard practice for mTLS in serverless environments.
Pro tip: When pasting the PEM certificate content into Cloud Secrets, ensure there are no extra spaces or line breaks at the beginning or end of the value. The certificate parser is strict about the exact format starting with '-----BEGIN CERTIFICATE-----' and ending with '-----END CERTIFICATE-----'.
Expected result: ADP_CLIENT_ID, ADP_CLIENT_SECRET, ADP_CERT_PEM, ADP_CERT_KEY, ADP_API_BASE, and ADP_ENVIRONMENT all appear in your Cloud Secrets list. No credential values appear in source code.
Create the ADP authentication Edge Function
Create the ADP authentication Edge Function
ADP uses OAuth2 client credentials flow (machine-to-machine), where your application authenticates itself rather than a user. The token endpoint requires both the client credentials AND the mTLS certificate — without both, the request is rejected. Access tokens expire after 3600 seconds (1 hour) and should be cached in Supabase to avoid re-authenticating on every request. The token request is a POST to https://accounts.adp.com/auth/oauth/v2/token with the grant_type=client_credentials parameter in the body and Basic HTTP authentication headers using your client_id and client_secret. The critical additional requirement is presenting your client SSL certificate during the TLS handshake. In Deno's environment, mTLS is handled through the native fetch API with TLS configuration options. You provide the certificate and key content (read from Deno.env) to configure a custom TLS client for the token request. Subsequent API calls also require the same mTLS configuration. Cache the token in a Supabase table (adp_tokens with columns: token, expires_at) and check the cache before each token request. If the cached token expires in less than 5 minutes, proactively refresh it. This caching is important because ADP's token endpoint is rate-limited and slow compared to typical OAuth providers.
Create a Supabase Edge Function at supabase/functions/adp-auth/index.ts. It should: 1) Check a Supabase adp_tokens table for a valid cached token (not expiring within 5 minutes). 2) If no valid token exists, call https://accounts.adp.com/auth/oauth/v2/token with grant_type=client_credentials using ADP_CLIENT_ID and ADP_CLIENT_SECRET from Deno.env via Basic auth headers, including the client certificate from ADP_CERT_PEM and ADP_CERT_KEY for mTLS. 3) Store the new token and expiry in adp_tokens using service role key. 4) Return the access token. Add CORS headers.
Paste this in Lovable chat
1// supabase/functions/adp-auth/index.ts2import { serve } from "https://deno.land/std@0.168.0/http/server.ts";3import { createClient } from "https://esm.sh/@supabase/supabase-js@2";45const corsHeaders = {6 "Access-Control-Allow-Origin": "*",7 "Access-Control-Allow-Methods": "POST, OPTIONS",8 "Access-Control-Allow-Headers": "Content-Type, Authorization",9};1011const ADP_TOKEN_URL = "https://accounts.adp.com/auth/oauth/v2/token";1213serve(async (req) => {14 if (req.method === "OPTIONS") return new Response(null, { headers: corsHeaders });1516 const supabase = createClient(17 Deno.env.get("SUPABASE_URL") ?? "",18 Deno.env.get("SUPABASE_SERVICE_ROLE_KEY") ?? ""19 );2021 // Check cache first22 const { data: cached } = await supabase23 .from("adp_tokens")24 .select("token, expires_at")25 .order("expires_at", { ascending: false })26 .limit(1)27 .single();2829 if (cached && new Date(cached.expires_at) > new Date(Date.now() + 300_000)) {30 return new Response(JSON.stringify({ access_token: cached.token }), {31 headers: { ...corsHeaders, "Content-Type": "application/json" },32 });33 }3435 // Request new token36 const clientId = Deno.env.get("ADP_CLIENT_ID") ?? "";37 const clientSecret = Deno.env.get("ADP_CLIENT_SECRET") ?? "";38 const credentials = btoa(`${clientId}:${clientSecret}`);3940 try {41 // Note: Deno's fetch supports client certificates via TLS options42 // In production Deno Deploy, use the cert/key env vars with a custom TLS client43 const res = await fetch(ADP_TOKEN_URL, {44 method: "POST",45 headers: {46 "Authorization": `Basic ${credentials}`,47 "Content-Type": "application/x-www-form-urlencoded",48 },49 body: "grant_type=client_credentials",50 });5152 const data = await res.json();53 if (!data.access_token) throw new Error(data.error_description ?? "Token request failed");5455 const expiresAt = new Date(Date.now() + data.expires_in * 1000).toISOString();56 await supabase.from("adp_tokens").insert({ token: data.access_token, expires_at: expiresAt });5758 return new Response(JSON.stringify({ access_token: data.access_token }), {59 headers: { ...corsHeaders, "Content-Type": "application/json" },60 });61 } catch (err) {62 return new Response(JSON.stringify({ error: err.message }), {63 status: 500,64 headers: { ...corsHeaders, "Content-Type": "application/json" },65 });66 }67});Pro tip: ADP's token endpoint can take 2-5 seconds to respond, which is much slower than typical OAuth providers. The caching layer is not optional — without it, your app will feel slow on every data request. Store tokens for their full 3600-second lifespan and only refresh proactively near expiry.
Expected result: The adp-auth Edge Function is deployed. Calling it returns a valid ADP access token from either the cache or a fresh token request. The token is stored in the adp_tokens Supabase table.
Create the workers data Edge Function
Create the workers data Edge Function
With authentication working, create the main data Edge Function that fetches worker information from ADP's HR API. The ADP Worker API follows the HATEOAS pattern — responses include pagination links and resource links rather than embedding all data. For a worker list, the base endpoint is GET /hr/v2/workers. The response includes each worker's associateOID (unique identifier), name parts (given name, family name), work email, department (via organization units), job title (via job code), hire date, and employment status. The data is deeply nested — for example, job title lives at workers[n].businessCommunications... or workers[n].workAssignments[0].jobTitle.shortName depending on the specific ADP product and version your organization uses. Page through results using the $top (page size) and $skip (offset) parameters. ADP's default page size is 25 workers; for organizations with hundreds of employees, implement pagination in your Edge Function. Store worker data in a Supabase employees table and refresh it periodically rather than calling ADP on every page load — ADP's API is not designed for high-frequency read patterns.
Create a Supabase Edge Function at supabase/functions/adp-workers/index.ts. It should: 1) Call the adp-auth Edge Function internally to get a valid access token. 2) Fetch workers from ADP_API_BASE + /hr/v2/workers with the Authorization: Bearer header, supporting pagination via $top and $skip query params. 3) Map each worker to {associateOID, firstName, lastName, email, jobTitle, department, hireDate, status}. 4) On action='sync', upsert all workers to a Supabase employees table (columns: associate_oid, first_name, last_name, email, job_title, department, hire_date, status, synced_at). 5) On action='list', query and return workers from the Supabase table. Add CORS headers.
Paste this in Lovable chat
Pro tip: ADP worker data includes both active and terminated employees. Add a filter in your Edge Function to return only active workers by checking the workers[n].workerStatus.statusCode.codeValue field equals 'Active'. Include a parameter to optionally fetch all workers including terminated ones for historical analysis.
Expected result: The adp-workers Edge Function is deployed. Calling it with action='sync' fetches workers from ADP and stores them in the Supabase employees table. Calling action='list' returns the cached worker data from Supabase.
Build the HR dashboard frontend
Build the HR dashboard frontend
With worker data syncing to Supabase, build the HR dashboard frontend. The dashboard should query the Supabase employees table directly for most views — only the sync action calls ADP. This architectural separation means the dashboard loads fast (reading from a local database) even though ADP's API is relatively slow. Create three main sections: an employee directory with search and filter by department, an org chart view showing reporting relationships, and a sync status panel showing when data was last updated from ADP and allowing manual re-sync. For the employee directory, display employees as cards or rows in a table with their name, job title, department, and email. Add a search input that filters the Supabase query using ilike for case-insensitive name and title matching. Add a department filter dropdown populated from distinct department values in the table. For the org chart, query employees with their manager relationships (if your ADP data includes manager OIDs, store these in the table and use them to build a tree). A simple org chart can be rendered using a recursive React component that nests employee cards. Add a 'Sync from ADP' button in the dashboard header that calls the adp-workers Edge Function with action='sync' and shows a loading spinner with 'Syncing employee data...' text during the operation.
Build an HR dashboard with three tabs: Directory, Org Chart, and Sync. The Directory tab shows all employees from the Supabase employees table in a searchable, filterable table with columns: Name, Job Title, Department, Email, Hire Date. Add a search bar and a department filter dropdown. The Org Chart tab renders a simple tree visualization of employee-manager relationships. The Sync tab shows when employees was last synced (from the max synced_at value in employees table) and a 'Sync from ADP' button that calls the adp-workers Edge Function with action='sync'. Show a progress message during sync.
Paste this in Lovable chat
Pro tip: Build a small notification badge in the Sync tab that shows if the last sync was more than 24 hours ago. This prompts HR admins to keep employee data current without requiring them to remember the sync schedule.
Expected result: The HR dashboard displays employees in a searchable directory. The department filter works. The Sync button fetches updated employee data from ADP and refreshes the view.
Common use cases
Employee directory and org chart dashboard
An internal tools app displays a searchable directory of all employees with their department, job title, manager, and contact information pulled directly from ADP. An Edge Function fetches the workers list from the ADP API and stores snapshots in Supabase. The frontend renders a searchable table and an interactive org chart built from the reporting relationships in the data.
Build an employee directory that pulls data from ADP. Create an Edge Function that fetches the worker list from ADP's /hr/v2/workers endpoint, including associate OID, name, job title, department, work email, and manager OID. Store the results in a Supabase table called employees. Build a searchable directory page showing employee cards with photo placeholder, name, title, and department. Add an org chart view that builds a tree from manager relationships.
Copy this prompt to try it in Lovable
Pay statement history viewer for employees
A self-service HR portal lets employees view their own pay statements and year-to-date earnings directly in the app without logging into ADP. An Edge Function authenticated with the employee's ADP associate OID fetches their pay statement history and returns structured data. The frontend shows a list of pay periods with gross pay, deductions, and net pay.
Create a pay statements page for the employee portal. The Edge Function should accept an associate OID parameter, call ADP's /payroll/v1/workers/{associateOID}/general-deduction-instructions to get deductions and /payroll/v1/workers/{associateOID}/pay-distributions for pay data. Return an array of pay periods with: pay date, gross pay, federal tax, state tax, net pay. Display as a table with the most recent 12 pay periods. Add a YTD summary card at the top showing total gross, total taxes, and total net.
Copy this prompt to try it in Lovable
Headcount and payroll analytics dashboard
An HR analytics app aggregates ADP worker data to show executive-level metrics: total headcount by department, average tenure, new hires this month, and total payroll spend. The Edge Function syncs worker data to Supabase daily via a scheduled job. The frontend queries the Supabase tables (not ADP directly) to power charts and KPI cards.
Build an HR analytics dashboard. Create a Supabase Edge Function that syncs all worker records from ADP into a Supabase employees table nightly (can be triggered manually via a button). The dashboard should show: total active headcount, headcount by department as a bar chart, new hires in the last 30 days, average years of service. Query the Supabase employees table for all metrics rather than calling ADP on every page load.
Copy this prompt to try it in Lovable
Troubleshooting
Token request fails with 'SSL handshake error' or 'certificate required'
Cause: ADP requires mutual TLS — your client must present a valid SSL certificate during the TLS handshake with the token endpoint. If the certificate is missing, malformed, or the private key doesn't match the certificate, the TLS connection is rejected before OAuth even begins.
Solution: Verify that ADP_CERT_PEM and ADP_CERT_KEY are both set in Cloud Secrets with the complete certificate and key content including the BEGIN/END header lines. Check that the private key matches the certificate by confirming they were downloaded together from the same ADP Developer Portal app. If the certificate was regenerated, you need the new matching key.
Worker API returns 401 Unauthorized despite a valid token
Cause: ADP access tokens are scoped to specific API products. If your developer application does not have the HR/Payroll API product enabled, or if you're using sandbox credentials to call a production endpoint (or vice versa), the API returns 401 even with a technically valid token.
Solution: Open the ADP Developer Portal, navigate to your app, and verify that the HR and Payroll API products are enabled. Confirm the ADP_API_BASE URL matches your credential environment — sandbox and production use different credentials but the same base URL. Check Cloud Logs for the full 401 response body, which usually includes an error description indicating the specific permission issue.
Worker data response has empty fields for job title or department
Cause: ADP's worker data structure varies significantly between ADP products (Workforce Now, RUN, TotalSource) and between API versions. The field paths for job title, department, and manager can be at different JSON paths depending on which ADP product your client organization uses.
Solution: Log the raw worker JSON object from the ADP API response in Cloud Logs for a few sample employees and inspect the actual structure. Common alternative paths for job title include workAssignments[0].jobTitle.shortName, workAssignments[0].occupationalClassifications[0].classificationCode.shortName, or baseRemuneration.payGradeCode. Adjust your field mapping code to match the actual structure returned for your organization.
Sync takes over 30 seconds and the Edge Function times out
Cause: ADP's worker API paginates at 25 records by default, and each page requires a separate authenticated request. An organization with 500 employees needs 20 API calls, and with ADP's 2-5 second response times, a full sync could take 40-100 seconds — exceeding Supabase Edge Function's 60-second timeout.
Solution: Implement incremental sync using the $filter parameter with a modified-since date. Instead of re-fetching all workers every sync, only fetch workers whose records changed since the last sync timestamp. Alternatively, fetch only the first few pages on-demand and queue full syncs as background jobs using Supabase's pg_cron extension.
Best practices
- Sync ADP worker data to a Supabase cache table rather than calling ADP on every page load — ADP's API has 2-5 second response times and is not designed for high-frequency reads.
- Store the ADP client certificate as a Cloud Secret rather than attempting to use file system paths — Deno Deploy's serverless environment has no persistent filesystem between requests.
- Request only the minimum ADP API scopes your app needs — if you only need to display an employee directory, don't request pay statement access.
- Use incremental sync (fetch only records modified since last sync) for organizations with hundreds of employees to stay within Edge Function timeout limits.
- Apply RLS policies to your Supabase employees table so employees can only see their own pay data while managers can see their direct reports — never expose the full employee table to unauthenticated users.
- Log all ADP API calls in Supabase with timestamps, response codes, and record counts so you can audit sync history and debug data freshness issues.
- Implement a manual 'Sync Now' button in your admin dashboard so HR staff can trigger on-demand updates after bulk changes in ADP without waiting for the next scheduled sync.
Alternatives
QuickBooks covers accounting and bookkeeping workflows; choose QuickBooks when your integration focus is financial records and invoicing rather than employee HR management.
Xero is an accounting platform with payroll features primarily for small businesses in the UK, AU, and NZ markets where ADP has less penetration.
Expensify handles employee expense report submission and approval workflows, complementing ADP's payroll data rather than replacing it.
Frequently asked questions
Do I need an existing ADP customer relationship to use the API?
For the developer sandbox, no — any developer can register at developers.adp.com and access synthetic test data. For production access to a real company's ADP data, that company's ADP administrator must grant your application access through the ADP Marketplace. You typically build and sell a product that their ADP admin installs, similar to how a Shopify app works.
Why does ADP require mutual TLS when most APIs just use a simple API key?
ADP handles highly sensitive payroll and HR data subject to strict compliance requirements including SOC 1/2, HIPAA for benefits data, and various labor law regulations. Mutual TLS provides client identity verification at the transport layer before any application-level authentication occurs — it ensures that even a stolen access token cannot be used without the corresponding client certificate. This is standard practice for enterprise financial data APIs.
Can I build a time and attendance tracking feature connected to ADP?
Yes — ADP provides Time and Labor API endpoints for workforce management data including time entries, schedules, and absence records. These APIs require additional product scope in your developer application. The integration pattern is the same as worker data: Edge Function with cached auth token, mTLS for the API requests, and store results in Supabase. The specific endpoints vary by ADP product (Workforce Now vs. RUN vs. TotalSource).
How do I handle employees in multiple countries with ADP?
ADP's global API products (like ADP GlobalView) use different base URLs and may have different field structures for international worker data. The worker records include a countryCode field and address components vary by country. Build your data mapping layer to handle null fields gracefully, as not all countries require the same HR data fields. Contact ADP's developer support for the specific API documentation for the regions your client organizations operate in.
Is ADP integration appropriate for a startup or is it only for large enterprises?
ADP's developer registration is open to anyone, but the integration complexity and ADP's sales-oriented onboarding process make it better suited to B2B SaaS products targeting mid-market and enterprise companies that already use ADP. If you're building an internal tool for a specific company already on ADP, the setup is worthwhile. For a startup targeting small businesses, Gusto or BambooHR offer simpler APIs with faster onboarding.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation