Re: IP Spoofing

Yup. I have set up the webhook and the custom header. But I can't figure out how to call the GET webhook from the landing page and use the response on the landing page.

You can't call webhooks from the LP. Webhooks are only called from flows (Call Webhook).

Hi Alex,

You can not call a 'webhook' from landing page. Webhook is 'only' callable from Marketo server using a smart campaign that executes on Marketo server side.

This then defeats what i'm trying to achieve.

Is there anyway I can store the API key and secret in marketo and access it securely when I make the AJAX API Calls?

Is there anyway I can store the API key and secret in marketo and access it securely when I make the AJAX API Calls?

No.

There's no way to do what you're describing securely from the client side.

It's Web Security 101: a service that can be accessed from a public page without user interaction, and which permits connections from any IP, is not secure. You've pretty much defined the problem in your architecture. Erase your sketched-out architecture and start over, this is a dead end.

Yup. We will start again. Do you have a proposed method that will work with Marketo and be secure?

Do you propose the below will work?

On the marketo landing page,

1. API Call 1  - Get user info based on user email from the external system - Returns an "access token" along with the user info.

2. API call response is used to populate the marketo form.

3. Marketo form is submitted.

4. API Call 2 - Update user info on external system by matching the user email along with the above received "access token" to authenticate that the request was made by the same user.

Unfortunately, I do not have any guide for your case as it will depend on the service provider and your business case specifics. Especially, when you have the need of 'multiple' API calls 'I guess one after other' to get all the data.

You will most likely need a custom webhook which will accept call from Marketo and manage the handshake with your external service provider to collect all the data. It can get complicated if this all is going to take some time as the web hook might have to use Marketo API calls to write the data in to Marketo if it takes long time.

Hi Alex,

Do you mean to use 'landing page domain' based restriction instead of the IP address of the visitor?

Thus the service would allow a web page to use the service only if the web page is on your website(s). If someone else copies the 'access credentials' and create web page on their domain, the service should reject the request. The unauthorized person would not be able to host their landing page on your domain(s). 

Hope this helps...