Why does the API token expire? | Community
February 19, 2016
Solved

Why does the API token expire?

  • February 19, 2016
  • 3 replies
  • 5654 views

I'm trying to create an external page form that prefills the fields with the lead's name, email, company etc. I've set up a LaunchPoint and got my token. I can make a call to my endpoint using the ID from a cookie and return the lead's info. BUT after a while (1 hour?) the token expires.

How is this supposed to work? If the token expires after a time, how am I supposed to set this up?

3 replies

February 19, 2016

Thanks for the help, gents. I was approaching from a JavaScript-only direction and running into a wall. Using PHP to authorize and everything is working out. Thanks.

SanfordWhiteman
New Participant
February 20, 2016

The issue is exactly the same regardless of language.  I'm glad you didn't end up exposing your REST API credentials in the browser (!!!) but your next stop should be not using the API for this at all unless you have purchased enough additional API calls that this is no longer your site's weakest link.

February 21, 2016

The API accepts 1000/hour — no? If I run out of API calls, it should fail quietly — no?

I'm only using it to prefill a form for convenience's sake for downloading white papers. The feature is not mission critical or on pages that receive a lot of traffic.

SanfordWhiteman
New Participant
February 19, 2016

I'm trying to create an external page form that prefills the fields with the lead's name, email, company etc. I've set up a LaunchPoint and got my token.

1. Yuck.  Have you thought about the DoS implications?

2. As Kenny said, you have to think of the access token as if it were distributed to a third party, where the ability to have it self-revoke is critical.

3. For apps you control, it can be annoying to have to do ultra-defensive programming, waiting for tokens to give an error before getting a new one.  That's why I recommend the workaround here: Flaw in REST API Authentication

Kenny_Elkington
Accepted solution
New Participant
February 19, 2016

Hi Philip, the token expires for the same reason that logins time out, for security if a session is somehow hijacked.  You'll need to implement a system which reauthenticates with your credentials when the token expires: http://developers.marketo.com/documentation/rest/authentication/
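
The reauthentication described in the accepted answer, sketched server-side as an added example (not code from this thread or from Marketo): the credentials stay on the server, the token is reused until shortly before its stated lifetime ends, and a rejected call triggers one reauthentication. `authenticate`, `TokenExpired`, the 60-second margin and the stand-ins in `demo()` are assumptions made for illustration.

```python
import time

class TokenExpired(Exception):
    """Raised by the caller's request function when the API rejects the token."""

class TokenCache:
    """Server-side cache for a short-lived access token."""
    def __init__(self, authenticate, clock=time.monotonic, margin=60):
        # authenticate() is a hypothetical callable that sends the client
        # credentials from the server and returns (access_token, expires_in).
        self._authenticate = authenticate
        self._clock, self._margin = clock, margin
        self._token, self._expires_at = None, 0.0

    def token(self, force=False):
        # Reuse the cached token until `margin` seconds before stated expiry.
        if force or self._token is None or self._clock() >= self._expires_at:
            access_token, expires_in = self._authenticate()
            self._token = access_token
            self._expires_at = self._clock() + max(expires_in - self._margin, 0)
        return self._token

    def call(self, api_call):
        # api_call(token) performs one request; TokenExpired means rejection.
        try:
            return api_call(self.token())
        except TokenExpired:
            # Token died early: reauthenticate once; a second failure propagates.
            return api_call(self.token(force=True))

def demo():
    # Constructed stand-ins so the example runs offline with a fake clock.
    now, issued, revoked = [0.0], [], set()
    def fake_authenticate():
        issued.append(f"token-{len(issued) + 1}")
        return issued[-1], 3600          # one-hour lifetime, as in the question
    def fake_lookup(token):
        if token in revoked:
            raise TokenExpired(token)
        return token
    cache = TokenCache(fake_authenticate, clock=lambda: now[0])
    used = [cache.call(fake_lookup)]     # first call authenticates
    now[0] = 1800
    used.append(cache.call(fake_lookup)) # still valid: cached token reused
    now[0] = 3550
    used.append(cache.call(fake_lookup)) # inside the margin: refreshed early
    revoked.add("token-2")
    used.append(cache.call(fake_lookup)) # rejected: one retry with a new token
    return used, len(issued)
```

Only the lookup result should be returned to the browser; the token and the credentials never leave the server.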