Extract soap api credentials for webhook use

Extract soap api credentials for webhook use

Hi, I am using an integration which sends request to my application with webhhok and syncs the result using SOAP API.
Different Marketo users can use it so i need to know when calling the soap api to which user to send the data in soap api.
I need to know the encryption key, user id and end point.
What is the best way to do this?
Should i send these parameters in the webhook Payload Template or does any one have an idea of a better way to do this?
Also, is there a way to extract these parameters dynamically using the the token feature?

Thanks,
17 Comments
Anonymous
Not applicable
I tried it in the post data and not in the url, so i don't know.
this is what i used:
...."externalUser":{{system.soapId}},"externalKey":{{system.soapKey}}
and it worked
Anonymous
Not applicable
Folks,
The release normally gets rolled out pod by pod, so it is likely that Amnon's subscription has the latest release, but InsideView's does not.  I would try again late Friday evening or next week.

Amnon - We have a token for system.munchkinId, which you can use to create the soap endpoint.  The pattern is always https://<system.munchkinId>.mktoapi.com/soap/mktows/2_1
Raj
Anonymous
Not applicable
Hi,

I tried to use the system.soapId and system.soapKey but it doesn't work. I looked into the token's list and they are not there, so is there anything I need to do/configure to have them?

Arthur

PS: I setup the SOAP Api already
Anonymous
Not applicable
Arthur
A recent security audit flagged these as vulnerabilities in the product, because these tokens when placed on Landing Pages (LP)s could lead to the compromise of the SOAP credentials.  Unfortunately, there is no easy way for us to expose these tokens to only webhooks, so we pulled this feature out to protect our customers from this security hole.

The system.munchkinId token is still available, so here is what we recommend you to do -

1. Ask customers to provide their soapId and soapKey offline to you and map it to their munchkinId.  When the webhook call is made, your service will have to do a lookup of the soapId and soapKey from your tables
2. Ask customers to create program tokens that hold the soapId and soapKey and use it in the webhook.  Please make sure that they do NOT place these tokens on LPs

We will also be introducing REST APIs with oAuth tokens later this year, which would enable partner applications such as yours to work well without asking for the real credentials.
Anonymous
Not applicable
Thank you Raj for the quick reply,

That's actually what I would have done before reading this thread, I just thought you made it accessible and that I could use it instead.
Just a question regarding the endpoint, once the SOAP API setup, will it always stay the same? If so, I think it's easier to store it on our side as well instead of asking the client to add a token in the url or POST data.

I look forward to the release of the REST APIs.

Regards,

Arthur
Anonymous
Not applicable
Yes, it is relatively stable, so feel free to store it on your side
kh-lschutte
Community Manager
Status changed to: Under review