Hi Oren,
Marketo API security uses a simple yet highly secure model, based on HMAC-SHA11 signatures with messages transmitted over HTTPS. A key advantage of this model is that it provides stateless authentication.
HMAC-SHA1 signatures require the following:
A User ID (also called Access Key) that is transmitted with the service request
A Signature that is calculated using a shared secret-key and message content and is transmitted with the service request
A shared secret-key (also called Encryption Key) that is not transmitted with the service request
This security information is confirmed via Admin --> SOAP API within Marketo.
The client program will calculate the HMAC-SHA1 signature using the shared secret-key and part of the request message content. The client must include a SOAP header, AuthenticationHeaderInfo, to pass authentication information with the SOAP message.
Please refer to this article for further information: http://developers.marketo.com/documentation/soap/signature-algorithm/