Yep, right here: http://developers.marketo.com/blog/external-page-prefill/
I have tried using jQuery and I get a "No Access Control Origin" error when asking for JSON, and if I try with JSONP I get this error in the response: 'Uncaught SyntaxError: Unexpected token :'.
You must not call the REST API directly from the client side. That's even worse than the DoS vulnerability that you create by using the API at all.
Sounds like Kenny Elkington should update the blog to ensure users are aware of the risks involved - especially as I'm seeing more and more references to this blog post due to the increased need to use pre-fill on non-Marketo LPs. Or better yet, update it with a more secure approach. Just curious, the API call needs to be made for anyone that visits the form page, correct - since there's no way to determine whether or not a lead is KNOWN without doing so. And then if the call returns values (or doesn't return an error), we know the lead is KNOWN. Correct?
I would love it if the landscape of supported/suggested technologies could change.
There's a scalable, secure, reliable, yet not officially supported way to accomplish this. Unfortunately, I doubt I could get Marketo proper to agree that this is the way so I don't describe it here. It would appear to be a hack (I call it elegant!) compared to the seemingly intuitive API method, but the problem is the API method really isn't ready for prime time.
And yep, the first reason (though not the only one) that the API-based solution is such a tasty invitation for a DoS attack is that you're expending API calls even when the lead is anonymous. To avoid this, you can use a hidden form with Known Lead HTML enabled to determine if the lead is known (or you could call an undocumented endpoint directly, but I won't advise that here). But honestly that just improves the scalability for non-malicious situations. Once someone is trying to hack you, this won't make a difference.