Two-Step Authentication with Webhooks

Marketo Employee

When connecting Marketo webhooks to a remote API, you will often find that the API authenticates in two steps. The first request sends the authentication information and returns an access token; that token must then be supplied in the second request, and in any subsequent ones, to authenticate them. Both the Marketo and SFDC REST APIs follow this model. A Marketo Webhook, though, performs only a single request, so separate Webhook configurations are needed to make this work.


The first step is to create a new custom field on the Person object to hold the access token value. This field will hold the temporary, generated access token value between webhook connections.



The next step is to create a Webhook that performs only the initial authentication step. It saves the returned token value in the Access Token field. Here is an example that connects to SFDC:



The last step is to create the Webhook that does the actual work with the remote API. Here I set up one that can update a Lead's Sync_To_Marketo__c field. Note the custom headers, which pass the captured Access Token value through on the Authorization header.



1 Comment
Level 10 - Community Moderator

This has 2 different race conditions though:

  1. You must only trigger the 2nd webhook when Webhook is Called has fired for the 1st webhook. Can't be just two Call Webhook steps in a row.
  2. The access token can expire after the 1st webhook writes it to a field and before the 2nd has attempted to use the value. It's easy to make this happen when running a large batch-to-request-campaign. So you also need an exception-handling campaign that can tell you when the 2nd Webhook is Called returned an error.
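
The two-step flow from the post, together with the token-expiry failure raised in the comment, as an added Python simulation (not Marketo configuration, and not code from the post or the comment). `FakeRemoteApi`, `sync_lead`, the demo credentials, the 60-second token lifetime and the `Bearer` scheme are assumptions made for illustration; only the `Authorization` header and `Sync_To_Marketo__c` come from the page.

```python
import secrets

TOKEN_TTL = 60  # seconds; constructed value, real lifetimes are set by the remote API


class FakeRemoteApi:
    """Stand-in for the remote REST API (hypothetical, runs offline)."""

    def __init__(self):
        self.now = 0      # simulated clock, advanced by the caller
        self.issued = {}  # token -> expiry time
        self.leads = {}   # lead id -> field values

    def authenticate(self, client_id, client_secret):
        # Step 1: exchange credentials for a short-lived access token.
        if (client_id, client_secret) != ("demo-id", "demo-secret"):
            return 400, {"error": "invalid_client"}
        token = secrets.token_hex(8)
        self.issued[token] = self.now + TOKEN_TTL
        return 200, {"access_token": token}

    def update_lead(self, headers, lead_id, fields):
        # Step 2: every later call must carry the token on the Authorization header.
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or self.issued.get(token, -1) <= self.now:
            return 401, {"error": "invalid_or_expired_token"}
        self.leads.setdefault(lead_id, {}).update(fields)
        return 204, {}


def sync_lead(api, person, lead_id, fields, max_attempts=2):
    """Run step 2 with the stored token; on a 401, redo step 1 once and retry."""
    log = []
    for _ in range(max_attempts):
        if not person.get("access_token"):
            status, body = api.authenticate("demo-id", "demo-secret")
            log.append(("auth", status))
            if status != 200:
                break
            person["access_token"] = body["access_token"]  # the custom Person field
        headers = {"Authorization": "Bearer " + person["access_token"]}
        status, _ = api.update_lead(headers, lead_id, fields)
        log.append(("update", status))
        if status != 401:
            return status, log
        person["access_token"] = None  # stale token: discard it before retrying
    return status, log
```

The returned `log` records the order of calls, so a run that hits an expired token shows a failed update, a fresh authentication, and then the successful update.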