Authentication Signature

Marketo API security uses a simple yet highly secure model, based on HMAC-SHA1 signatures with messages transmitted over HTTPS. A key advantage of this model is that it provides stateless authentication.

HMAC-SHA1 signatures require the following:

  • A User ID (also called Access Key) that is transmitted with the service request
  • A Signature that is calculated using a shared secret-key and message content and is transmitted with the service request
  • A shared secret-key (also called Encryption Key) that is not transmitted with the service request

This security information is confirmed via Admin –> SOAP API within Marketo.

The client program will calculate the HMAC-SHA1 signature using the shared secret-key and part of the request message content. The client must include a SOAP header, AuthenticationHeaderInfo, to pass authentication information with the SOAP message.

The following pseudo code demonstrates the algorithm:

Request Header

Field Name



mktowsUserId Required Marketo client access ID is found within your Marketo admin SOAP API panel under Integration.
requestSignature Required HMAC-SHA1 signature based on shared secret key, requestTimestamp and Marketo User Id
requestTimestamp Required Request timestamp (W3C WSDL date format Ex. “2013-06-09T14:04:54-08:00”)
partnerId Optional LaunchPoint Technology Partner API Key.

Request XML – getLeadActivity

Response XML – Success

Response XML – Failure (Invalid Credentials)

Sample Code – PHP

Sample Code – Java

Sample Code – Ruby