Margot_Killoran
Level 1

Web personalisation with SOAP API

Hi Community

We have been working on a custom-built integration between our website (powered by Squiz Matrix CMS) and Marketo to create a website personalisation layer to make our website more dynamic. Before we go live, we wanted to check that our integration is both best practice and secure for Marketo.

Our integration takes the munchkin ID of incoming visitors to the site if available, performs a lookup via the SOAP API on the record to determine specific known attributes, and uses this information to serve up personalised content and pass it to Google Analytics. In the future, as we look to enhance personalisation, we may also store this information in a data store.

We looked at using the munchkin API, but this did not provide a definitive method for getting lead data back to our CMS. The lead data we require are audience attributes so we can group audiences for specific messages on our website and also feed that data through to GTM for additional behavioural tracking/analysis. Our CMS (Squiz Matrix) provides an out-of-the-box integration through SOAP https://matrix.squiz.net/manuals/marketo/chapters/marketo-bridge that we plan to use.

Can anyone offer their assessment of how secure/safe this setup will be for Marketo, as we have heard there can be security issues using the SOAP API?

If there are indeed security issues, we would like to know a) what they are so we can feed this back to Squiz, b) in what specific cases we can use the SOAP API, and c) what alternative method is available for us to consider.

We have looked at Marketo's website personalisation product, but it is out of our budget.

Thanks very much!



Jay_Jiang
Level 10

Re: Web personalisation with SOAP API

Can't provide an assessment on security, but if your website gets more than 50k hits a day you're going to be out of API calls. Personalisation can be achieved in other ways that don't chew up your API calls like this.

SanfordWhiteman
Level 10 - Community Moderator

Re: Web personalisation with SOAP API

Like Jay says, your problems start way before security. An app that is using an API call merely because a new cookie is presented is doomed due to API limits.

As for SOAP, it isn't that the call itself from your back end to Marketo is "insecure." It's that you're required to have the SOAP API credentials stored on your back end server, which means you're offering root access to Marketo to whoever happens to have access to that server (accidentally, maliciously, or a combination of the 2).

REST API credentials are more granular and I can't see why anyone wouldn't be using REST here for the same purpose. You will still have to allow the person to access the lead database, of course: that permission is non-negotiable. But you can prevent all writes and all access to other objects.

I would not use any integration that still requires your SOAP API credentials in 2020. It's a sign that it is not maintained, professional code.

As for the general concept of looking up known lead attributes from your website, you can use my well-known Pre-Fill code for this, which uses no API calls.
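The two points raised in this thread (a lookup per new cookie burns through the daily API quota, and whatever credential the back end holds should be read-only and scoped to leads) can be enforced in the CMS-side lookup layer. The following is an added example, not code from the thread, from Squiz, or from Marketo: `fetch_by_cookie` is an assumed injected callable that performs the actual lead lookup with a scoped, read-only credential, and the `segment` attribute values are constructed sample data.

```python
import time

# Served whenever a lookup is not allowed or the cookie is unknown:
# a missing lookup degrades to generic content, never to an error page.
DEFAULT_ATTRIBUTES = {"segment": "anonymous"}


class LeadAttributeLookup:
    """Caches per-cookie attribute lookups and caps the lookups made per day."""

    def __init__(self, fetch_by_cookie, daily_budget, ttl_seconds=86400, now=time.time):
        # fetch_by_cookie(cookie) -> dict of known attributes, or None if no lead
        # matches. It is the only place the (read-only, lead-scoped) credential
        # is used; nothing in this class can write to the lead database.
        self.fetch_by_cookie = fetch_by_cookie
        self.daily_budget = daily_budget      # lookups allowed per rolling day
        self.ttl = ttl_seconds                # how long a cached answer is reused
        self.now = now                        # injectable clock for testing
        self.cache = {}                       # cookie -> (expires_at, attributes)
        self.calls_today = 0
        self.day_started = now()

    def _reset_budget_if_new_day(self):
        if self.now() - self.day_started >= 86400:
            self.calls_today = 0
            self.day_started = self.now()

    def attributes_for(self, munchkin_cookie):
        """Return the attributes to personalise on for this visitor cookie."""
        if not munchkin_cookie:
            return dict(DEFAULT_ATTRIBUTES)
        t = self.now()
        cached = self.cache.get(munchkin_cookie)
        if cached and cached[0] > t:
            return dict(cached[1])            # repeat visit: no API call at all
        self._reset_budget_if_new_day()
        if self.calls_today >= self.daily_budget:
            return dict(DEFAULT_ATTRIBUTES)   # quota protected: serve generic content
        self.calls_today += 1
        attrs = self.fetch_by_cookie(munchkin_cookie) or DEFAULT_ATTRIBUTES
        # Unknown cookies are cached too, so an anonymous visitor reloading the
        # page does not cost one call per hit.
        self.cache[munchkin_cookie] = (t + self.ttl, dict(attrs))
        return dict(attrs)
```

The budget should be set well below the tenant's real daily quota so that other integrations sharing the same Marketo instance keep working when the site is busy.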

Margot_Killoran
Level 1

Re: Web personalisation with SOAP API

Thanks @SanfordWhiteman and @Jay_Jiang. We will use the pre-fill code as you suggest. Appreciate the advice!