Associating Leads with Non Marketo Form Fills

Level 6

A common question we see in consulting relates to how a customer can use a non Marketo form, but still associate that lead with a known lead in Marketo. With Marketo forms, of course, it's simple, you jhust submit the form. With Non Marketo forms, its a bit tricker, but still possible.

One reason you might do this is because you're submitting a login form, and obviously that doesnt really make sense as a Marketo Form. Not to worry!

First, lets talk about some confusing names of important items related to the Marketo Munchkin Cookie and this process

What is it?
_mrk_trkThe name of the hidden form field (more on that in a moment)
_mkto_trkThe name of the Marketo Munchkin Tracking Cookie. The cookie contains the Munchkin ID of the instance along with a unique identifier for this lead (known or anonymous.

The details on the tracking cooke are shown below. I use a plugin called "Awesome Cookie Manager" to view cookies. You can see yours by going to any site that leverages munchin


Tracking Cookie


Marketo Munchkin Cookie Value

Armed with this knowledge, we can look at the solution here. the process is straightforward and we're helped by Munchkin. When you create a form field called "_mkt_trk" within a non marketo form on a page where Munchkin code is running, Munchkin knows enough to populate the value of that form with the Munchkin Cooke value.


Cool right?

So, what does that mean? That means that in the following really simple non marketo form, youll not only receive the regular form fields.. youll also have the lead's cookie ID as well... and with THAT, you can use REST from your back end process to associate the lead.

That brings us to the second step which is associating the lead. for this youll need the marketo ID and the cookie ID. you've now got the cookie ID, and getting the Marketo ID is a simple matter of getting it from Marketo.

You'll need to call the following two REST endpoints.

first you'll use GetMultipleLeadsByFilterType, passing in the Email address to get the Marketo ID (!/Leads/... )

then, you'll use AssociateLead (!/Leads/... ), passing in that ID, and the cookie Id.

Alternatively, you can use a amazing new REST endpoint .... "push lead to marketo" which you can read about here!

Not applicable

This is super helpful. While we try to use Marketo forms as much as possible, I see where this could be a huge advantage. Thanks.


Level 10 - Community Moderator

As I understand it, the new Push Lead is the successor to this combination of Get and Associate. At least with Push you only spend 1 API call per form post instead of 2.

Still can't see how a professional organization could limit themselves to mere hundreds (if other unlimited REST or SOAP integrations are in use), 5,000 or even the full 10,000 form posts per day. The DDoS attacks of last Friday should be a wake-up call that you can't count on only a magic number of good actors to take interest in your web properties.  Between bad actors and plain ol' successful campaigns, creating a one-to-one relationship between end-user activities and API calls is a DoS waiting to happen.

Kimberly Prescott​ there's always a better way.  The Forms API (hidden submit) and Munchkin API (associateLead) are available even if you do not use a visible Marketo form.

Level 7 - Champion Alumni

To your point about the DDoS attacks, Sanford Whiteman​, do you have any advice outside of using Captcha (or similar options) in order to prevent these types of attacks?

I have searched the community and found a few suggestions but most are several years old and may not be the latest and greatest recommendation out there.

Was wondering your take and how you help to prevent these attacks.

Do you have a blog post on this topic?

to prevent bot and spam attacks.

Level 10 - Community Moderator

With a custom form, ReCAPTCHA and (to a lesser extent) the hidden-field-that-should-stay-empty method will help you detect invalid posts and not always use up Marketo API calls in response.  The hidden field method can't protect against a targeted attack, though (all I have to do is train my bot to leave that field empty).

You should implement request throttling, like mirroring the Marketo limit of 1 form post every 2 seconds per source IP address.  And of course you can maintain a cache of form data so you can see if the same data is being reposted an excessive number of times (a mildly skilled hacker would just randomize, of course).  But you can't safely get more stringent than Marketo's limit -- which is already on the edge of unacceptable -- because of shared IPs. Imagine a bunch of people signing up over WiFi from a conference center. Yet if form posts just trickle in at 7/minute from one IP, that's 10,800 per day, or more than the absolute maximum daily limit of posts using the API. 

More worrisome is that even an accidental DoS is possible with all legit traffic if you use the REST API to submit. I'm sure at your place you don't want to have a cap of 10,000 (assuming no other integrations are running) form posts per day, period.

I don't have a blog post up yet on this topic. I think using ReCAPTCHA together with the Marketo Forms API to submit is the right call.   Marketo has done a good job understanding the real way that forms are used and tracked, and the REST API really isn't supposed to be an alternative.

Not applicable

Sanford, I work for a internet security company so this is very timely. I think you should write a blog post. This information is hugely valuable and many people probably don't even realize how they may be opening themselves up to attacks. I like the Rest API idea to reduce the risk. Thanks.

Level 10 - Community Moderator

I definitely want to blog this up. Unfortunately, it's the only topic on which I'm actively antagonistic w/r/t Marketo-recommended technology, so it'd be a downer of a post! Hard for me to muster an "It'll be okay as long as you take these N precautions" message when in some cases there's a max of 1,000 form fillouts/day (after you subtract other integrations) and your site ends up like the early 90s in terms of traffic capacity....

Level 6

Thanks for your comment Sanford. My schedule is pretty rough, so I only just had the chance to write the second half of this blog, which was, in fact "Push Lead to Marketo"

Level 6

Very informative article and comments overall guys. Thanks, this is something I'm trying to implement and this information will be invaluable.

Level 6

Sanford Whiteman‌ Make sure you read the part starting with "Note regarding anonymous activities" on the push to marketo article on the developer site

Developer Site: 

Swagger Doc:!/Leads... 

Level 10 - Community Moderator

Read it years ago and have referenced it many times.