As a Technical Consultant in Professional Services - supporting our clients at Adobe, I want to make sure you’re aware of an important update to the Marketo Engage platform that will impact how your applications authenticate and integrate going forward. These changes are part of the ongoing efforts to improve security, reliability, and the long-term maintainability of our API ecosystem.
Historically, our API supported passing access tokens in the query string (e.g., access_token=abc123). While that method worked, it introduced significant security risks, including accidental token exposure through logging or URL sharing. In line with industry best practices and the OAuth 2.0 spec (RFC 6750), as of June 30, 2025, the API will require all tokens to be passed in the Authorization header as follows:
Authorization: Bearer abc123
This change ensures token integrity, aligns Marketo Engage with broader Adobe API standards, and prevents leakage of sensitive credentials in browser histories, referrer headers, and network logs.
For most developers, updating to the Bearer token method is straightforward. If you’re using libraries like requests in Python, axios in JavaScript, or even raw curl, the change usually involves adding a single header line.
Before:
GET /rest/v1/leads.json?access_token=abc123
After:
GET /rest/v1/leads.json
Authorization: Bearer abc123
We’ve updated our developer documentation to reflect this change, and we encourage you to test all integrations well ahead of enforcement. Starting June 30, 2025, any request with tokens in the query string will be rejected with a 401 Unauthorized error.
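The Before/After change above as a small migration helper, added here as an example and not taken from Adobe's documentation or SDKs: it moves a query-string access_token into the Authorization header and masks the token in URLs that may already sit in logs. The function names, the example.invalid host and the batchSize parameter are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

TOKEN_PARAM = "access_token"  # legacy query-string parameter named in the post


def to_bearer(url, headers=None):
    """Move a query-string access_token into the Authorization header.

    Returns (clean_url, headers); other query parameters keep their order.
    Raises ValueError when the URL token disagrees with an existing header.
    """
    headers = dict(headers or {})
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    tokens = {v for k, v in pairs if k == TOKEN_PARAM}
    kept = [(k, v) for k, v in pairs if k != TOKEN_PARAM]
    clean_url = urlunsplit(parts._replace(query=urlencode(kept)))
    if not tokens:
        return clean_url, headers  # already migrated, nothing to move
    if len(tokens) > 1:
        raise ValueError("conflicting access_token values in query string")
    bearer = "Bearer " + tokens.pop()
    existing = [v for k, v in headers.items() if k.lower() == "authorization"]
    if existing and existing[0] != bearer:
        raise ValueError("query-string token conflicts with Authorization header")
    if not existing:
        headers["Authorization"] = bearer
    return clean_url, headers


def redact(url):
    """Return the URL with any access_token value masked, safe to write to logs."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k == TOKEN_PARAM else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


# Constructed sample call (host and batchSize parameter are placeholders).
LEGACY = "https://example.invalid/rest/v1/leads.json?access_token=abc123&batchSize=10"

if __name__ == "__main__":
    url, hdrs = to_bearer(LEGACY)
    print(url, hdrs)
    print(redact(LEGACY))
```

The returned URL and headers can be passed straight to an HTTP client such as requests; tokens that already appeared in logged URLs should be treated as exposed.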