SOLVED

Marketo access token - GET/ POST

Babu_Chikati
Level 3

Hi,

I noticed Marketo has GET/POST endpoints to get an access token, but both endpoints accept query parameters only. Is there any reason?

<URL>/identity/oauth/token?client_id=<Client Id>&client_secret=<Client Secret>&grant_type=client_credentials

The client ID and secret are exposed to the internet when passed as query parameters. Is there any better approach to prevent exposing the client ID and secret?

Thanks,

Babu

SanfordWhiteman
Level 10 - Community Moderator

Re: Marketo access token - GET/ POST


> The client ID and secret are exposed to the internet when passed as query parameters

In what way are they “exposed”?

Anyone who can intercept the TLS connection between your back end server and Marketo (if that’s truly what your company is concerned about) can read the entire HTTP transaction. No difference whether credentials are in the URL or the body.

Babu_Chikati
Level 3

Re: Marketo access token - GET/ POST

Thank you, Sanford!

By "exposed" I mean the client ID and client secret are visible in plain text in a URL.

That is true, I agree with you, but plain text in a URL is more vulnerable than hacking a network protocol.

It could be more stringent than just having plain text in a URL.

Maybe something along the lines of not supporting the access token in a query parameter to call any of the Web APIs from June 2025.

Thanks,

Babu

SanfordWhiteman
Level 10 - Community Moderator

Re: Marketo access token - GET/ POST

It's not more secure in any way!

The path and query of an https:// URL are never passed in plain text. Ever. They are as secure as the body of a https:// request. You would need to hack the TLS connection in both cases, which is vanishingly unlikely for a server-to-server connection.

I recommend you fire up a network monitor and watch the TLS connection. You'll never see query parameters in plain text, because that's not how the protocol works. Everything is encrypted except for the hostname (and even *that* will be encrypted if the client and server support ESNI or ECH).

Babu_Chikati
Level 3

Re: Marketo access token - GET/ POST

Thank you, Sanford.

 

Thanks,

Babu