Can one get lead data from the Marketo Lead Database API by using the token in the `_mkto_trk` cookie?

nahcp · ‎04-21-2025

I'd like to identify users on our website using Marketo data. I am curious if one can fetch lead data using the data stored in the `_mkto_trk` cookie. It appears that the cookie is storing both an ID (Munchkin ID?) and a token. Can either of these be used to fetch the lead that's associated with that particular user?

There seem to be several posts that hint at this, but neither of the suggested implementations work:
https://nation.marketo.com/t5/product-discussions/submitting-munchkin-cookie-as-mkto-trk-through-lea...

https://nation.marketo.com/t5/product-discussions/marketo-api-to-get-user-email-using-filter-type-mu...

Based on the last post above, I'd assume hitting the leads endpoint like this would work:

{MARKETO_ENDPOINT}/v1/leads.json?access_token=${ACCESS_TOKEN}&filterType=cookies&filterValues=${COOKIE_TOKEN}

However, when hitting that API, I get a successful request but `result` returns an empty array. Am I doing this wrong or is this simply not possible with the API?

SanfordWhiteman · ‎04-22-2025

The problem with this model is doing individual lookups by cookie in response to end user activity makes you vulnerable to a trivial DoS attack. Integrations that attempt this have catastrophic effects on Marketo instances, and it’s not recommended. (Note even without anything malicious, you have a self-DoS if you look up every newly set cookie for thousands of legit visitors per day.)

If you’re only using it for a one-time backfill on a fixed number of cookies, it may be feasible. But I still wouldn’t do a direct lookup. Instead, do a bulk export that includes the cookies field. Then do your lookup offline, i.e. import the CSV into a database and query it.

By the way, the scalable way to do this kind of thing is to use my cross-domain pre-fill JS, which doesn’t use any API calls. Search for “SimpleDTO.”

View solution in original post

SanfordWhiteman · ‎04-21-2025

Let's step back for a moment to make sure we don't have an XY Problem.

What is the exact business need you're trying to meet? Be as detailed as possible.

nahcp · ‎04-22-2025

Sure thing!

We have a website that uses Marketo and a separate analytics provider for tracking traffic and user behavior. Currently, users/visitors in the latter are identified by a unique hash. However, if a user has any Marketo lead data associated with it, we would want to push that data to our analytics provider (associate the hash with things like email, name, company, etc.). Hence the idea of fetching lead data from the Marketo API via the `_mkto_trk` cookie.

It's worth noting that we can achieve this by grabbing the data when user's submit forms and then pushing it to our analytics provider. That said, this would only give us data moving forward. The above idea would address capturing user data for users that have already filled out a form.

Does that makes sense? Happy to expand on any of that.

SanfordWhiteman · ‎04-22-2025

The problem with this model is doing individual lookups by cookie in response to end user activity makes you vulnerable to a trivial DoS attack. Integrations that attempt this have catastrophic effects on Marketo instances, and it’s not recommended. (Note even without anything malicious, you have a self-DoS if you look up every newly set cookie for thousands of legit visitors per day.)

If you’re only using it for a one-time backfill on a fixed number of cookies, it may be feasible. But I still wouldn’t do a direct lookup. Instead, do a bulk export that includes the cookies field. Then do your lookup offline, i.e. import the CSV into a database and query it.

By the way, the scalable way to do this kind of thing is to use my cross-domain pre-fill JS, which doesn’t use any API calls. Search for “SimpleDTO.”

nahcp · ‎04-22-2025

Thank you so much for clarifying! Super helpful.