I'm trying to create an external page form that prefills the fields with the lead's name, email, company etc. I've set up a LaunchPoint and got my token. I can make a call to my endpoint using the ID from a cookie and return the lead's info. BUT after a while (1 hour?) the token expires.
How is this supposed to work? If the token expires after a time, how am I supposed to set this up?
Hi Philip, the token expires for the same reason that logins time out, for security if a session is somehow hijacked. You'll need to implement a system which reauthenticates with your credentials when the token expires: http://developers.marketo.com/documentation/rest/authentication/
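The reauthentication pattern described in this answer, as an added sketch that is not part of the original thread: a server-side cache reuses the token until shortly before `expires_in` runs out, and retries once if the API still rejects it. `TokenCache`, `call_api`, the 60-second margin and the simulated endpoints are hypothetical names and values for illustration; treating error codes 601/602 as Marketo's invalid/expired-token codes is an assumption to check against the current documentation.

```python
import time

# Assumption: Marketo reports an invalid/expired access token as error code 601/602.
EXPIRED_CODES = {"601", "602"}

class TokenCache:
    """Server-side cache for a short-lived access token (hypothetical helper)."""

    def __init__(self, fetch_token, clock=time.monotonic, margin=60):
        self._fetch = fetch_token  # returns {"access_token": ..., "expires_in": seconds}
        self._clock = clock
        self._margin = margin      # refresh this many seconds before stated expiry
        self._token, self._expires_at = None, 0.0

    def get(self, force=False):
        if force or self._token is None or self._clock() >= self._expires_at:
            body = self._fetch()   # the only place credentials are used
            self._token = body["access_token"]
            self._expires_at = self._clock() + max(0, body["expires_in"] - self._margin)
        return self._token

def call_api(cache, request):
    """Run request(token); if the token is rejected, reauthenticate once and retry."""
    result = request(cache.get())
    if any(e.get("code") in EXPIRED_CODES for e in result.get("errors", [])):
        result = request(cache.get(force=True))
    return result

def demo():
    """Constructed simulation: fake clock, fake identity endpoint, fake lead lookup."""
    now, issued, revoked = [0.0], [], set()

    def fetch_token():
        issued.append(f"tok{len(issued) + 1}")
        return {"access_token": issued[-1], "expires_in": 3600}

    def get_lead(token):
        if token in revoked:
            return {"success": False, "errors": [{"code": "602"}]}
        return {"success": True, "result": [{"id": 1, "token_used": token}]}

    cache, used = TokenCache(fetch_token, clock=lambda: now[0]), []
    for t, revoke in [(0, None), (1800, None), (3545, None), (3600, "tok2")]:
        now[0] = t
        if revoke:
            revoked.add(revoke)
        used.append(call_api(cache, get_lead)["result"][0]["token_used"])
    return used, len(issued)

if __name__ == "__main__":
    print(demo())
```

The cache and the credentials behind `fetch_token` live only on the server; the browser receives the lead fields and never the token.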
I'm trying to create an external page form that prefills the fields with the lead's name, email, company etc. I've set up a LaunchPoint and got my token.
1. Yuck. Have you thought about the DoS implications?
2. As Kenny said, you have to think of the access token as if it were distributed to a third party, where the ability to have it self-revoke is critical.
3. For apps you control, it can be annoying to have to do ultra-defensive programming, waiting for tokens to give an error before getting a new one. That's why I recommend the workaround here: Flaw in REST API Authentication
Thanks for the help gents. I was approaching from a JavaScript-only direction and running into a wall. Using PHP to authorize and everything is working out. Thanks.
The issue is exactly the same regardless of language. I'm glad you didn't end up exposing your REST API credentials in the browser (!!!) but your next stop should be not using the API for this at all unless you have purchased enough additional API calls that this is no longer your site's weakest link.
The API accepts 1000/hour — no? If I run out of API calls, it should fail quietly — no?
I'm only using it to prefill a form for convenience's sake for downloading white papers. The feature is not mission critical or on pages that receive a lot of traffic.
10,000 per day. With a 56K modem I could snuff out all your API calls in an hour or two -- killing *all* your possible integrations. Bottom line is the API should not be invoked in response to individual user activity.
I get paid to notice such things, which aren't acceptable risks for my clients. YMMV, but I wouldn't do this even on a hobby site (script kiddies also have hobbies!).