Hi,
My company has recently started integration work on Marketo. We were earlier using Pardot-Salesforce to capture form data; now the same needs to be replaced with Marketo using their REST API.
Going through the documentation, I don't see any REST API which shows that I can POST data to a form (I have successfully created a form and am able to submit data by embedding it in a form) and also linking the form data to the Form Landing Page. The Lead or Form is actually shown as a Member only if I use the Form landing page to post data to it. Though the data is shown under the Marketing studio, if I like search based on email Id.
Question
1- How should I replace my existing codebase to use the Marketo Forms, with minimal coding effort?
2- Which endpoint should I use to POST the form data to Marketo? I am sorry, I have gone through the documentation twice and implemented a few code examples, but I am not sure which endpoint I should use. I can see that the embed form POSTs data to .marketo.com/index.php/leadCapture/save2 ?
If nothing works, I am going to use this endpoint, though this is not documented in the REST documentation.
3- Is it possible to link the Form's data (emailId?) to the actual form?
@Beth Corby
You actually shouldn't be using the REST API at all for this task because you'll be opening a DoS vulnerability. Using an API call in response to untrusted user input (a public form post) is a no-no because your daily limit is infinitesimal. A malicious but unskilled actor could use all your calls in a 1/2 hour, and you can't provide proper service to legit users without keeping your input rates high enough to be abused by bad actors. (Note you need a minimum of 2 calls to roughly mirror what a true form post does.)
The /save2 endpoint is even more of a liability from the server side than the API because you're limited to one request every 2 seconds, which doesn't model real-world concurrency.
Instead, you should use the client-side (browser-side) Forms API to submit data in the background to Marketo. This triggers all the proper Form events that a Marketo user expects to use in Smart Campaigns and conversion reporting, and has no rate limit worries.
We have the forms protected with client-side reCAPTCHA, and we also have a server-side implementation of reCAPTCHA to confirm the reCAPTCHA token, so I guess we have the DoS vector covered.
Can you please share more details on the client-side (browser-side) Forms API?
We have the forms protected with client side recaptcha , we also have server side implementation of reCaptcha to confirm the recaptcha token
Do you think this will prevent a hacker from looking at the page source, extracting your API logging information and starting to post ugly data to your database, completely exhausting your API quota within a few hours and saturating the limit of 100 API calls per 20 seconds? You are very optimistic...
Read http://developers.marketo.com/javascript-api/forms/
-Greg
Agree that if you're validating the reCAPTCHA on your server and then intending to hit the true REST API endpoints (Sync and Associate) after that, you're mostly safe with regard to Marketo API limits. (Though now you're charging your server with all those outbound requests to Google, and you should measure what your true capacity is as a result. Outbound reCAPTCHA verifies are probably your new bottleneck in the case of an attack.)
Anyway, the reCAPTCHA won't make the /save2 endpoint workable server-to-server. Its capacity is too low for that.
Greg has pointed you to the Forms 2.0 API docs. Calling the Forms API from a third-party form is as simple as:
Hi Sanford,
What is the true capacity for the /save2 endpoint? "The /save2 endpoint is even more of a liability from the server side than the API because you're limited to one request every 2 seconds, which doesn't model real-world concurrency." - Is there any link which documents this?
"Instead, you should use the client-side (browser-side) Forms API to submit data in the background to Marketo. This triggers all the proper Form events that a Marketo user expects to use in Smart Campaigns and conversion reporting, and has no rate limit worries." - I imported the embed code to check the URL to which the form submits data - https://<>.com/index.php/leadCapture/save2 Is the /save2 endpoint the same as this URL? I just want to make sure we are on the same page regarding the /save2 endpoint URL.
Sorry, I missed adding an important point here. We already have a REST API consumption based framework available in our website, which has multiple forms submitting data to PARDOT. PARDOT supplies a form handler URL for each form to which we can POST data from our servers, after reCAPTCHA validation on our server.
We would like to reuse this same framework to integrate with Marketo, as we have a tight deadline in which we go live with Marketo and the Pardot license stops.
So I would really like to use the /save2 endpoint, but I am not sure if there would be any issues with using this endpoint in terms of API rate limitations.
It is the same /save2 endpoint I'm talking about and the limit is 1 post/2s per source IP.
That's why it's fully scalable for real-world client load, but not intended as a server-to-server API, since you will have one (or at most a few) source IPs in your server infrastructure.
If you must use a server API, then use the 2 published endpoints indicated above because they can handle real-world concurrency (barring contention with other API consumers, of course, since limits are across your instance not per API account).
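An added sketch (not code from any poster in this thread, and not Marketo's) of the call budgeting the replies above imply when form posts are relayed server-side through Sync and Associate. The 100-calls-per-20-seconds window and the 2-calls-per-submission cost are the figures quoted in the thread; the share held back for other API consumers, the sample burst and all names are assumptions.

```javascript
// Added example: budget Marketo REST calls spent on public form posts.
// Window size and per-submission cost are the figures quoted in the thread;
// reservedForOthers and every name here are assumptions.
class ApiCallBudget {
  constructor({ windowMs = 20000, maxCalls = 100,
                reservedForOthers = 20, callsPerSubmission = 2 } = {}) {
    this.windowMs = windowMs;
    this.limit = maxCalls - reservedForOthers; // limits are instance-wide
    this.cost = callsPerSubmission;            // e.g. Sync + Associate
    if (this.cost > this.limit) throw new RangeError("budget below one submission");
    this.spent = [];                           // timestamps (ms) of charged calls
  }

  // Charge one submission's calls if the sliding window has room.
  tryReserve(now) {
    while (this.spent.length && now - this.spent[0] >= this.windowMs) {
      this.spent.shift();                      // forget calls outside the window
    }
    const overflow = this.spent.length + this.cost - this.limit;
    if (overflow <= 0) {
      for (let i = 0; i < this.cost; i++) this.spent.push(now);
      return { accepted: true, retryAfterMs: 0 };
    }
    // Room appears once the `overflow` oldest charges have aged out.
    const freeAt = this.spent[overflow - 1] + this.windowMs;
    return { accepted: false, retryAfterMs: freeAt - now };
  }
}

// Decide what happens to one form post. Unverified input never spends quota.
function handleSubmission(budget, submission, now) {
  if (!submission.captchaVerified) return { status: "rejected" };
  const slot = budget.tryReserve(now);
  return slot.accepted
    ? { status: "forwarded", calls: budget.cost }
    : { status: "deferred", retryAfterMs: slot.retryAfterMs };
}

// Replay a constructed burst: one post every 100 ms, every 5th unverified.
function replayBurst(count = 100, intervalMs = 100) {
  const budget = new ApiCallBudget();
  const tally = { forwarded: 0, deferred: 0, rejected: 0 };
  for (let i = 0; i < count; i++) {
    const post = { captchaVerified: i % 5 !== 4 };
    tally[handleSubmission(budget, post, i * intervalMs).status] += 1;
  }
  return tally;
}
console.log(replayBurst());
```

Deferred posts belong in a queue that is drained after `retryAfterMs`, so a burst delays legitimate leads instead of consuming the calls other integrations depend on.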
Hi, for this line - "you must use a server API, then use the 2 published endpoints indicated above"
You meant - Sync and Associate API for server-to-server calls?
Yes.
Hi @Sanford Whiteman,
1- I can get the LEAD API to create a lead record (sync) in Marketo, but is it possible to associate the Lead record with the Form or FormId?
I didn't try this with the associate API, because it needs a cookie parameter; I am still trying to figure out how to fetch the cookie from a webpage. Currently I am testing this as a POC on a Windows console application.
2- The Lead API does not accept a duplicate data set. Before creating a lead, should we first check if the lead exists, and if yes, then tell the user the same?
Thanks !
Abhay