Implement Salesforce OAuth for Pardot

Learning Objectives

After completing this unit, you’ll be able to:

  • Provide the information you need to implement OAuth.
  • Implement a basic OAuth web server flow to authenticate to the Pardot API.

Gather Important Information

Now that you have a connected app, let’s gather some important information you need to finish setting up authentication.

  • Connected App Consumer Key: A unique identifier for your connected app.
  • Connected App Consumer Secret: A password for the connected app.
  • Business Unit IDs: Because a Salesforce org can have multiple business units, the ID routes the API request to the correct business unit. You need the ID even if you have only one business unit.
  • Salesforce User: A Salesforce user with SSO enabled for Pardot.

Since all this information is sensitive, carefully consider how to securely share these details with other team members.

And depending on your permissions, you might need your Salesforce admin to gather this information for you. Here’s how.

To find your consumer key and secret, have a Salesforce admin follow these steps.

  1. From Salesforce Setup, in the Quick Find box, enter App Manager, and then select App Manager.
  2. Go to your connected app and select View.
  3. Copy your consumer key.
  4. Reveal and copy your consumer secret.

Next, you need your Pardot business unit ID. To find it, have a Salesforce admin follow these steps:

  1. From Salesforce Setup, in the Quick Find box, enter Pardot, and then select Pardot Account Setup.
  2. Copy the business unit ID you want to use.

NOTE: You need a Salesforce admin to get the consumer key and secret, but a Marketing Admin can help you find the Pardot business unit ID in Marketing Setup if necessary.

Now, choose a user for the integration. This user authenticates to the Pardot API. We recommend that you create a unique user for each specific app integration. The user must be SSO-enabled and have access to Pardot. Have their credentials handy before you move on to the next step. 

Implement OAuth Flow

Now it’s time to dig into your integration and implement your chosen OAuth flow. In this module, we use the web server flow, but you should use the flow that works best for your use case. 

We cover the implementation process in detail in this unit, but you can also check it out in this video. 

First, you need your integration’s code to direct the user to the Salesforce OAuth authorization endpoint:
https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=https://my.example.com/myapp

  • Replace CLIENT_ID with your connected app consumer key.
  • Replace https://my.example.com/myapp with your redirect URI.

If the integration user doesn't have an active session, they’re prompted to log into Salesforce. 

After the user has logged in and allowed the app, Salesforce redirects you to the redirect_uri passed in to the authorization endpoint: https://my.example.com/myapp?code=<CODE>

Your server-side code exchanges this code for an access token by making a POST request to the Salesforce OAuth token endpoint, like this:

POST /services/oauth2/token HTTP/1.1
Host: login.salesforce.com
Content-type: application/x-www-form-urlencoded
grant_type=authorization_code&
code=<CODE>&
client_id=<CLIENT_ID>&
client_secret=<CONSUMER_SECRET>&
redirect_uri=https://my.example.com/myapp

After Salesforce validates the connected app credentials and authorization code, the endpoint responds with an access token:

{
  "access_token": "<ACCESS TOKEN>",
  "signature": "<SIGNATURE>",
  "instance_url": "https://example.salesforce.com",
  "id": "https://login.salesforce.com/id/00000000000/0000000000",
  "token_type": "Bearer",
  "issued_at": "1558553873237"
}

The access token can be used to make calls to the Pardot API. The code was exchanged for the access token on the server side and not from the user’s browser. Because of how the code was exchanged, there's no opportunity for malicious JavaScript to steal the access token.
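The three steps above (authorization redirect, callback, server-side code exchange) written out as an added Python example; this is not code from the Trailhead unit. It goes slightly beyond the URL shown above by adding the standard OAuth `state` parameter (which Salesforce accepts) so the callback can be tied to the session that started the flow; the `Pardot-Business-Unit-Id` header and the `post` callable that stands in for the app's HTTP client are assumptions.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"


def new_state():
    """Random value stored in the user's session before the redirect."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state):
    """Step 1: the URL the browser is sent to. client_id is the connected
    app consumer key; state lets the callback be checked against the session."""
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(query)}"


def code_from_callback(callback_url, expected_state):
    """Step 2: Salesforce redirects to redirect_uri?code=...&state=...;
    refuse the callback unless state matches the value we issued."""
    params = parse_qs(urlparse(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to this session")
    return params["code"][0]


def exchange_code(code, client_id, client_secret, redirect_uri, post):
    """Step 3: server-side POST to the token endpoint (the browser never sees
    the consumer secret or the access token). post(url, form) is the app's
    HTTP client (assumed, e.g. a wrapper around requests.post) and must
    return the parsed JSON body."""
    form = {"grant_type": "authorization_code", "code": code,
            "client_id": client_id, "client_secret": client_secret,
            "redirect_uri": redirect_uri}
    body = post(TOKEN_URL, form)
    return body["access_token"], body["instance_url"]


def pardot_headers(access_token, business_unit_id):
    """Headers for the Pardot API calls that follow; the business unit ID
    header name is assumed from the Pardot API, not from this page."""
    return {"Authorization": f"Bearer {access_token}",
            "Pardot-Business-Unit-Id": business_unit_id}
```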

Access tokens expire after a while. If you want your app to continue making calls on behalf of the API user after the user’s session is done, the app needs to get new, unexpired tokens without user action. To do so, the app can use a refresh token. Learn more about refresh tokens in the Salesforce Help article OAuth 2.0 Refresh Token Flow.

You’ve implemented Salesforce OAuth! Now you can start using Pardot APIs to extend Pardot’s capabilities—securely. 
