Authentication Signature

Marketo API security uses a simple yet highly secure model, based on HMAC-SHA1 signatures with messages transmitted over HTTPS. A key advantage of this model is that it provides stateless authentication.

HMAC-SHA1 signatures require the following:

  • A User ID (also called Access Key) that is transmitted with the service request
  • A Signature that is calculated using a shared secret-key and message content and is transmitted with the service request
  • A shared secret-key (also called Encryption Key) that is not transmitted with the service request

This security information is confirmed via Admin -> SOAP API within Marketo.

The client program will calculate the HMAC-SHA1 signature using the shared secret-key and part of the request message content. The client must include a SOAP header, AuthenticationHeaderInfo, to pass authentication information with the SOAP message.

Request Header

Field Name | Required/Optional | Description
mktowsUserId | Required | Marketo client access ID is found within your Marketo admin SOAP API panel under Integration.
requestSignature | Required | HMAC-SHA1 signature based on shared secret key, requestTimestamp and Marketo User Id
requestTimestamp | Required | Request timestamp (W3C WSDL date format Ex. “2013-06-09T14:04:54-08:00”)
partnerId | Optional | LaunchPoint Technology Partner API Key.
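The signature calculation and the three required header fields described above, as an added Ruby example (not Marketo's own sample code). It assumes the signed message is requestTimestamp followed directly by the user ID and that the signature is sent as lowercase hex, which this page does not spell out; the credentials are constructed, and `valid_header?` is a hypothetical receiver-side check, not Marketo's server logic.

```ruby
require 'openssl'
require 'time'

# Constructed sample credentials; real values come from Admin -> SOAP API.
SAMPLE_USER_ID = 'examplecorp1_0000000000EXAMPLE'
SAMPLE_SECRET  = 'constructed-secret-key-0123456789'

# Assumption: message = requestTimestamp + user ID, output = lowercase hex.
def request_signature(secret_key, timestamp, user_id)
  digest = OpenSSL::Digest.new('sha1')
  OpenSSL::HMAC.hexdigest(digest, secret_key, timestamp.to_s + user_id.to_s)
end

# Fields for the AuthenticationHeaderInfo SOAP header. The secret key is used
# only as the HMAC key and never appears in the returned fields.
def authentication_header_info(user_id, secret_key, now = Time.now)
  timestamp = now.iso8601 # e.g. "2013-06-09T14:04:54-08:00"
  {
    'mktowsUserId'     => user_id,
    'requestSignature' => request_signature(secret_key, timestamp, user_id),
    'requestTimestamp' => timestamp
  }
end

# Byte-wise comparison that does not stop at the first mismatch.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical receiver-side check: recompute the signature from the
# transmitted fields plus the stored secret, then compare.
def valid_header?(header, secret_key)
  expected = request_signature(secret_key, header['requestTimestamp'],
                               header['mktowsUserId'])
  secure_equal?(expected, header['requestSignature'].to_s)
end
```

Because the timestamp is part of the signed message, changing requestTimestamp or mktowsUserId in transit invalidates requestSignature.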

Request XML – getLeadActivity

Response XML – Success

Response XML – Failure (Invalid Credentials)

Sample Code – PHP

Sample Code – Java

Sample Code – Ruby