Resources/The Agent API Atlas/Marketing/Marketo

Everything an AI agent can do with the Marketo API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints36

API versionv1

Last updated23 June 2026

Orientation

How the Marketo API works.

The Marketo API is how an app or AI agent works with a Marketo Engage instance: reading and syncing leads, adding or removing them from a static list, reading the activities a lead has taken, and triggering a campaign to run against a set of people. Access is granted through an OAuth access token tied to an API user, and what that token can do is decided by the broad permissions on the user's role rather than per-call scopes. Marketo does not push events to a listener, so an integration learns about changes by reading the activity endpoints from a paging token.

36Endpoints

8Capability groups

24Read

12Write

10Permissions

Authentication

Marketo uses the OAuth 2.0 client credentials flow. A custom service in Admin, tied to an API-only user, produces a Client ID and Client Secret that are exchanged at the identity endpoint for a bearer access token lasting one hour. The token is sent on every call in an Authorization Bearer header. The older method of passing the token as an access_token query parameter is deprecated and stops working after 31 July 2026.

Permissions

Access is governed entirely by the role assigned to the API user, not by per-endpoint scopes chosen at token time. The role carries Access API permissions such as Read-Only Lead, Read-Write Lead, Read-Only Activity, Read-Write Activity, Read-Only Custom Object, Read-Write Custom Object, Read-Only Asset, Read-Write Asset, and Execute Campaign. A call the role does not cover returns error 603 Access denied. Because the permissions are broad areas rather than per-call grants, an integration that needs only one method still inherits everything its role allows.

Versioning

The REST API is on a single path version: v1 for Lead Database calls, v1 for Asset calls under /rest/asset/v1, and v1 for bulk under /bulk/v1. Marketo does not mint new version numbers for changes; it ships dated changes, deprecations, and end-of-life notices through the Marketo Engage release notes. Notable dated changes include the access_token query parameter and the SOAP API both ending on 31 July 2026.

Data model

The API splits into a Lead Database side and an Asset side. The Lead Database covers leads, their activities, static lists, and custom objects, reached under /rest/v1 against a per-instance host like https://{munchkinId}.mktorest.com. The Asset side covers programs, emails, and smart campaigns under /rest/asset/v1. Reads page with a token and time-based reads start from a paging token. Every response is HTTP 200 with a success flag inside the body, so an error is read from success:false and an errors array, not the HTTP status.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to Marketo determines what it can reach. There is the REST API for making calls and a hosted server that exposes Marketo operations to agents, and each is governed by the API user behind it and the permissions on that user's role.

Ways to connect

REST API

The REST API answers at a per-instance host, https://{munchkinId}.mktorest.com, found under Admin in the Marketo instance. The Lead Database calls live under /rest/v1, the Asset calls under /rest/asset/v1, and bulk import and extract under /bulk/v1. A call carries an OAuth 2.0 access token in an Authorization Bearer header.

Best forConnecting an app or AI agent to Marketo.

Governed byThe API user and the permissions on its role.

Docs ↗

MCP server

Adobe hosts a Marketo Engage Model Context Protocol server at https://marketo-mcp.adobe.io/mcp, in limited availability, which exposes more than 100 operations across forms, programs, smart campaigns, leads, emails, snippets, lists, and folders. An AI tool passes Marketo client credentials, the Client ID, Client Secret, and Munchkin account id, as HTTP headers on each request, and the server runs the matching REST API call. The server does not store or cache those credentials.

Best forConnecting an AI agent to Marketo through MCP.

Governed byThe client credentials passed per request and the permissions on the API user.

Docs ↗

Authentication

OAuth 2.0 client credentials

Marketo authenticates with the OAuth 2.0 client credentials flow. A custom service is created in Admin with an associated API-only user, which yields a Client ID and Client Secret. A call to the identity endpoint at /identity/oauth/token with grant_type=client_credentials returns an access token that lasts 3600 seconds, sent on each request as an Authorization Bearer header. Passing the token as an access_token query parameter is deprecated and stops working after 31 July 2026.

TokenOAuth 2.0 bearer access token (1 hour lifetime)

Best forServer-side calls to a single Marketo instance.

Docs ↗

Capability map

What an AI agent can do in Marketo.

The Marketo API is split into a Lead Database side, covering leads, their activities, static lists, and custom objects, and an Asset side, covering programs, emails, and smart campaigns. Each area maps to a permission on the API user's role, and a write in some areas changes live marketing records or runs a campaign against real people.

Leads

6 endpoints

Get a lead by id, query leads by filter, create, update, and delete leads, merge duplicates, and describe the available lead fields.

A write here changes real lead records in the database.

View endpoints →

Lead lists

6 endpoints

List static lists, read a list, list its members, and add or remove leads from a static list.

A write here changes who is a member of a real static list.

View endpoints →

Activities

6 endpoints

Get a paging token, read lead activities, list activity types, read lead field changes and deleted leads, and add custom activities.

A write here records a real custom activity against a lead.

View endpoints →

Custom objects

4 endpoints

List custom object types, describe one's fields, sync (insert, update, upsert) records, and delete records.

A write here changes real custom object records.

View endpoints →

Campaigns

6 endpoints

List campaigns, read a campaign, trigger a campaign against a set of leads, schedule a campaign, and list or read smart campaigns.

A write here runs a real campaign against real people.

View endpoints →

Programs

2 endpoints

Browse programs and read a single program by id.

A write here changes real program assets.

View endpoints →

Emails

2 endpoints

Browse email assets and read a single email by id.

A write here changes real email assets.

View endpoints →

Bulk import

4 endpoints

Submit a bulk lead import job from a file and poll its status, failures, and warnings.

A write here imports real lead records in bulk.

View endpoints →

Endpoint reference

Every Marketo API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Leads Get a lead by id, query leads by filter, create, update, and delete leads, merge duplicates, and describe the available lead fields.6
GET	`/rest/v1/lead/{id}.json`	Get a single lead by its id, with default or specified fields.	read	`Read-Only Lead`	Current
Granted by the Read-Only Lead permission on the API user's role. Acts onlead Permission (capability)`Read-Only Lead` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/rest/v1/leads.json`	Query multiple leads by a filter type and values, returning up to 300 per page.	read	`Read-Only Lead`	Current
filterType and filterValues are required; results page with nextPageToken. Acts onlead Permission (capability)`Read-Only Lead` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/rest/v1/leads.json`	Create or update lead records (createOnly, updateOnly, createOrUpdate, createDuplicate), up to 300 per request.	write	`Read-Write Lead`	Current
The same endpoint handles create and update, chosen by the action field. Granted by Read-Write Lead. Acts onlead Permission (capability)`Read-Write Lead` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/rest/v1/leads/delete.json`	Delete lead records by id, up to 300 per request.	write	`Read-Write Lead`	Current
Deletes are irreversible. Uses POST, not the DELETE method. Acts onlead Permission (capability)`Read-Write Lead` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/rest/v1/leads/{id}/merge.json`	Merge duplicate leads into one, with the winning lead in the path and the losing leads in parameters.	write	`Read-Write Lead`	Current
The merge cannot be undone; the losing records are removed. Acts onlead Permission (capability)`Read-Write Lead` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/rest/v1/leads/describe.json`	List the lead fields available through the REST API, with their data types and names.	read	`Read-Only Lead`	Current
Used to discover field names before reading or writing leads. Acts onlead field Permission (capability)`Read-Only Lead` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Lead lists List static lists, read a list, list its members, and add or remove leads from a static list.6
GET	`/rest/v1/lists.json`	List static lists in the instance.	read	`Read-Only Lead`	Current
Static list membership is governed by the Lead permissions. Acts onstatic list Permission (capability)`Read-Only Lead` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/rest/v1/lists/{id}.json`	Get a single static list by its id.	read	`Read-Only Lead`	Current
Read-only. Acts onstatic list Permission (capability)`Read-Only Lead` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/rest/v1/lists/{listId}/leads.json`	Get the leads that are members of a static list.	read	`Read-Only Lead`	Current
Returns list members; pages with nextPageToken. Acts onstatic list Permission (capability)`Read-Only Lead` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/rest/v1/lists/{listId}/leads.json`	Add leads to a static list, up to 300 ids per request.	write	`Read-Write Lead`	Current
Adding to a list can make those leads targets of campaigns that watch the list. Acts onstatic list Permission (capability)`Read-Write Lead` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/rest/v1/lists/{listId}/leads.json`	Remove leads from a static list, up to 300 ids per request.	write	`Read-Write Lead`	Current
Removes the leads from the list without deleting the lead records. Acts onstatic list Permission (capability)`Read-Write Lead` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/rest/v1/lists/{listId}/leads/ismember.json`	Check whether given leads are members of a static list.	read	`Read-Only Lead`	Current
Read-only membership check by lead id. Acts onstatic list Permission (capability)`Read-Only Lead` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Activities Get a paging token, read lead activities, list activity types, read lead field changes and deleted leads, and add custom activities.6
GET	`/rest/v1/activities/pagingtoken.json`	Get a paging token for a start datetime, used as the cursor for reading activities and changes since that point.	read	`Read-Only Activity`	Current
sinceDatetime must be ISO 8601 and URL encoded; the returned token feeds the activity reads. Acts onpaging token Permission (capability)`Read-Only Activity` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/rest/v1/activities.json`	Get lead activities of specified types since a paging token, optionally filtered by lead or list.	read	`Read-Only Activity`	Current
Requires a nextPageToken and activityTypeIds. This is how an integration learns about changes without a push. Acts onactivity Permission (capability)`Read-Only Activity` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/rest/v1/activities/types.json`	List the available activity types and their definitions for the instance.	read	`Read-Only Activity`	Current
Used to find the activityTypeIds passed to the activities read. Acts onactivity type Permission (capability)`Read-Only Activity` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/rest/v1/activities/leadchanges.json`	Get data value change records for specified lead fields since a paging token.	read	`Read-Only Activity`	Current
Requires a fields parameter and a nextPageToken. Acts ondata value change Permission (capability)`Read-Only Activity` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/rest/v1/activities/deletedleads.json`	Get records of leads deleted since a paging token.	read	`Read-Only Activity`	Current
Used to keep an external copy in sync with deletions. Acts ondeleted lead Permission (capability)`Read-Only Activity` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/rest/v1/activities/external.json`	Add custom activity records against leads, up to 300 per request.	write	`Read-Write Activity`	Current
The activity type must be defined first; granted by Read-Write Activity. Acts oncustom activity Permission (capability)`Read-Write Activity` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Custom objects List custom object types, describe one's fields, sync (insert, update, upsert) records, and delete records.4
GET	`/rest/v1/customobjects.json`	List the custom object types defined in the instance.	read	`Read-Only Custom Object`	Current
Read-only; lists object names to use in the other custom object calls. Acts oncustom object Permission (capability)`Read-Only Custom Object` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/rest/v1/customobjects/{customObjectName}/describe.json`	Describe a custom object's fields, dedupe fields, relationships, and searchable fields.	read	`Read-Only Custom Object`	Current
Read the structure before syncing records. Acts oncustom object Permission (capability)`Read-Only Custom Object` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/rest/v1/customobjects/{customObjectName}.json`	Insert, update, or upsert records of a custom object.	write	`Read-Write Custom Object`	Current
The action field chooses createOnly, updateOnly, or createOrUpdate. Granted by Read-Write Custom Object. Acts oncustom object Permission (capability)`Read-Write Custom Object` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/rest/v1/customobjects/{customObjectName}/delete.json`	Delete records of a custom object by their dedupe or id fields.	write	`Read-Write Custom Object`	Current
Deletes are irreversible; uses POST, not the DELETE method. Acts oncustom object Permission (capability)`Read-Write Custom Object` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Campaigns List campaigns, read a campaign, trigger a campaign against a set of leads, schedule a campaign, and list or read smart campaigns.6
GET	`/rest/v1/campaigns.json`	List campaigns, including trigger and batch campaigns, filterable by id, name, or program.	read	`Read-Only Campaign`	Current
Read-only; finds the campaign id used to trigger or schedule. Acts oncampaign Permission (capability)`Read-Only Campaign` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/rest/v1/campaigns/{id}.json`	Get a single campaign by its id.	read	`Read-Only Campaign`	Current
Read-only. Acts oncampaign Permission (capability)`Read-Only Campaign` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/rest/v1/campaigns/{id}/trigger.json`	Request a trigger campaign to run its flow against a set of leads passed in the call.	write	`Execute Campaign`	Current
The campaign must have a Campaign is Requested trigger with source Web Service API. Granted by the Execute Campaign permission. Acts oncampaign Permission (capability)`Execute Campaign` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/rest/v1/campaigns/{id}/schedule.json`	Schedule a batch campaign to run at a given time, with optional token overrides.	write	`Execute Campaign`	Current
Runs a batch campaign against its own smart list, not a passed-in set of leads. Acts oncampaign Permission (capability)`Execute Campaign` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/rest/asset/v1/smartCampaigns.json`	Browse smart campaigns as assets, filterable by date and folder.	read	`Read-Only Asset`	Current
The Asset API governs smart campaigns by the Asset permissions, not the Campaign permission. Acts onsmart campaign Permission (capability)`Read-Only Asset` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/rest/asset/v1/smartCampaign/{id}/activate.json`	Activate a smart campaign so its triggers begin to run.	write	`Read-Write Asset`	Current
The campaign must have at least one trigger and flow step and be error free. Acts onsmart campaign Permission (capability)`Read-Write Asset` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Programs Browse programs and read a single program by id.2
GET	`/rest/asset/v1/programs.json`	Browse programs, with optional filtering by status, date range, and folder.	read	`Read-Only Asset`	Current
Read-only; the Asset side of the API is governed by the Asset permissions. Acts onprogram Permission (capability)`Read-Only Asset` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/rest/asset/v1/program/{id}.json`	Get a single program by its id, with optional tags and costs.	read	`Read-Only Asset`	Current
Read-only. Acts onprogram Permission (capability)`Read-Only Asset` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Emails Browse email assets and read a single email by id.2
GET	`/rest/asset/v1/emails.json`	Browse email assets, with optional filtering by status and folder.	read	`Read-Only Asset`	Current
Read-only. Acts onemail Permission (capability)`Read-Only Asset` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/rest/asset/v1/email/{id}.json`	Get a single email asset by its id.	read	`Read-Only Asset`	Current
Read-only. Acts onemail Permission (capability)`Read-Only Asset` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Bulk import Submit a bulk lead import job from a file and poll its status, failures, and warnings.4
POST	`/bulk/v1/leads.json`	Submit a bulk import job for lead records from a CSV, TSV, or SSV file up to 10MB.	write	`Read-Write Lead`	Current
Returns a batchId; the job runs asynchronously and is polled for status. Acts onimport batch Permission (capability)`Read-Write Lead` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/bulk/v1/leads/batch/{id}.json`	Get the status of a bulk lead import job, such as Queued, Importing, Complete, or Failed.	read	`Read-Only Lead`	Current
Polled until the job leaves Queued or Importing. Acts onimport batch Permission (capability)`Read-Only Lead` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/bulk/v1/leads/batch/{id}/failures.json`	Get the rows that failed during a bulk lead import, with a failure reason on each.	read	`Read-Only Lead`	Current
Available after the job completes. Acts onimport batch Permission (capability)`Read-Only Lead` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/bulk/v1/leads/batch/{id}/warnings.json`	Get the rows that produced a warning during a bulk lead import, with a warning on each.	read	`Read-Only Lead`	Current
Available after the job completes. Acts onimport batch Permission (capability)`Read-Only Lead` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

Marketo does not push REST API events to a listener. What Marketo calls a webhook is an outbound HTTP call configured as a flow step inside a smart campaign, which posts lead data to an external URL when a lead flows through that step. An integration that wants to learn about changes polls the activity endpoints with a paging token instead.

Event	What it signals	Triggered by

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

Marketo limits how fast and how much an app or AI agent can call, through a short-window rate measured per twenty seconds, a daily call quota per instance, and a separate cap on how many calls run at once.

Request rate

Marketo meters by the instance, not per method. Calls are capped at 100 in any rolling 20-second window, returning error 606 when exceeded, and at most ten calls may run at once, returning error 615 over that. A separate daily quota, 50,000 calls by default, resets at midnight US Central time and returns error 607 when reached. Bulk import and extract help stay under the per-call limits by moving large jobs into a single asynchronous job rather than many small calls.

Pagination

Most read endpoints page with a token. A query returns up to 300 records with a nextPageToken, which is passed back on the next call until no token is returned. Time-based reads of activities, lead changes, and deleted leads start from a paging token obtained by calling Get Paging Token with a start datetime.

Request size

Lead reads and writes are capped at 300 records per call, and add or remove from list at 300 ids per call. A bulk lead import file may be up to 10MB and must be CSV, TSV, or SSV.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
200	`success:false (601 Access token invalid)`	Marketo returns HTTP 200 even on failure, with success:false and an errors array of code and message. Code 601 means the access token is invalid.	Request a fresh access token from the identity endpoint and retry.
200	`602 Access token expired`	The access token has passed its one-hour lifetime.	Fetch a new token and retry; cache tokens and refresh before expiry.
200	`603 Access denied`	The API user's role lacks the permission the call needs, such as Read-Write Lead for a write.	Grant the matching permission on the API user's role in Admin.
200	`606 Max rate limit exceeded`	More than 100 calls were made within a 20-second window for the instance.	Back off and retry after the window, and smooth the request rate.
200	`607 Daily quota reached`	The instance has used its daily call allowance, which resets at midnight US Central time.	Wait for the daily reset or request a higher quota, and batch calls where possible.
200	`615 Concurrent access limit reached`	More than ten calls ran at the same time for the instance.	Cap concurrency at ten and queue further calls.
200	`610 Requested resource not found`	The id or object in the path does not exist or is not visible to this instance.	Verify the id and the object name before retrying.

Versioning & freshness

Version history.

Marketo's REST API is on a single version, v1 for the Lead Database and v1 for Asset, and ships dated changes through the Marketo Engage release notes rather than minting new version numbers.

Version history

What changed, and when

Latest versionv1

v1Current version

Single-version REST API with dated changes

The Marketo REST API stays on path version v1 for Lead Database and Asset calls and v1 for bulk, and does not mint new version numbers for changes. Instead it ships dated changes, deprecations, and end-of-life notices through the Marketo Engage release notes. The entries below are notable dated changes from those notes.

What changed

Lead Database calls under /rest/v1, Asset calls under /rest/asset/v1, bulk under /bulk/v1.
Outcome is signalled by a success flag and errors array inside an HTTP 200, not by the HTTP status.

2026-07-31Requires migration

access_token query parameter and SOAP API end of life

Two long-standing capabilities are removed on 31 July 2026. The access_token query parameter for authenticating REST calls stops working, so all calls must send the token in an Authorization header. Support for the Marketo SOAP API ends the same day, and SOAP-based integrations must move to REST.

What changed

access_token query parameter authentication removed; use the Authorization header.
Marketo SOAP API support ends; migrate to the REST API.

2026-05

Marketo Engage MCP server announced

Adobe introduced the Marketo Engage MCP server, a hosted Model Context Protocol bridge that exposes more than 100 operations across forms, programs, smart campaigns, people, emails, snippets, lists, and folders to AI tools, running the matching REST API call per request.

What changed

Hosted MCP server at https://marketo-mcp.adobe.io/mcp, in limited availability.
Credentials passed per request and not stored or cached.

2025-09-16Feature update

REST API hosting infrastructure update

Adobe moved REST API URLs to a more modern hosting infrastructure for added security and scalability. Subscriptions whose API URLs contained a double forward slash needed to follow a documented update.

What changed

Modernised hosting for REST API URLs.
Double-slash URLs flagged for a one-time fix.

2026-09-30Requires migration

Static list size limit on activity reads

From 30 September 2026, Get Lead Activities and Get Lead Changes calls that include a listId pointing at a static list of 10,000 or more leads return a 1003 error, pushing large reads toward other filters or bulk extract.

What changed

listId on activity and change reads limited to static lists under 10,000 leads.
Larger reads return error 1003.

The path version stays v1; track the release notes for dated changes and deprecations.

Marketo Engage release notes ↗

Questions

Marketo API, answered.

How does authentication work, and how long does a token last?+

Marketo uses OAuth 2.0 client credentials. A custom service in Admin, linked to an API-only user, gives a Client ID and Client Secret, which are exchanged at the identity endpoint, /identity/oauth/token with grant_type=client_credentials, for a bearer access token. The token lasts 3600 seconds, one hour, and is sent on each call in an Authorization Bearer header. Passing it as an access_token query parameter is deprecated and stops working after 31 July 2026.

How are permissions decided?+

Permissions come from the role assigned to the API user, not from scopes chosen when the token is issued. The role grants broad Access API areas such as Read-Only Lead, Read-Write Lead, Read-Only Activity, Read-Write Asset, or Execute Campaign. A call the role does not cover returns error 603 Access denied. Because the grant is per area, a token inherits everything its role allows rather than just the one method an integration needs, which is why a gateway in front is useful for narrowing access per agent.

Why does a failed call still return HTTP 200?+

Marketo returns HTTP 200 for most calls, including many failures, and signals the outcome inside the body. A response carries a success field, and when it is false an errors array holds objects with a code and a message, such as 606 for the rate limit or 603 for access denied. An integration must read success and the errors array rather than relying on the HTTP status code alone.

What are the rate limits?+

Limits are per instance. At most 100 calls are allowed in any 20-second window, returning error 606 when exceeded, and at most ten calls may run at once, returning error 615. A daily quota, 50,000 calls by default, resets at midnight US Central time and returns error 607 when reached. Bulk import and extract move large jobs into a single asynchronous job to stay under the per-call limits.

Does Marketo push events to a webhook, like other APIs?+

Not in the way a push API does. A Marketo webhook is an outbound HTTP call configured as a flow step inside a smart campaign; it fires when a lead flows through that step and posts that lead's data to a chosen URL. It is not a subscription to record changes across the instance. To track changes, an integration polls the activity endpoints, starting from a paging token for a datetime, and reads activities, lead field changes, and deleted leads since that point.

How do create and update leads share one endpoint?+

Both go through POST /rest/v1/leads.json, called Sync Leads, with up to 300 records per request. The action field chooses the behavior: createOnly, updateOnly, createOrUpdate, or createDuplicate, and a lookupField sets which field is used to match existing records. The same endpoint covers both create and update, so the permission needed is Read-Write Lead in either case.

Is there an official MCP server for Marketo?+

Yes. Adobe hosts a Marketo Engage MCP server at https://marketo-mcp.adobe.io/mcp, in limited availability, which exposes more than 100 operations across forms, programs, smart campaigns, leads, emails, snippets, lists, and folders. An AI tool passes the Client ID, Client Secret, and Munchkin account id as HTTP headers on each request, and the server runs the matching REST API call. It does not store or cache the credentials.

What is Bollard AI?

Control what every AI agent can do in Marketo.

Bollard AI sits between a team's AI agents and Marketo. Grant each agent exactly the access it needs, read or write, area by area, and every call is checked and logged.

Set read, write, or full access per agent, never a shared Marketo client secret.
Denied by default, so an agent reaches only what has been explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control Marketo access in Bollard Browse all APIs →

Marketo

Campaign Agent

Read leads ResourceOffReadFull use

Trigger campaigns ActionOffReadFull use

Lead lists ResourceOffReadFull use

Per-agent access, set in Bollard AI, not in Marketo

How the Marketo API works.

Connection & authentication methods.

REST API

MCP server

OAuth 2.0 client credentials

What an AI agent can do in Marketo.

Leads

Lead lists

Activities

Custom objects

Campaigns

Programs

Emails

Bulk import

Every Marketo API method.

Leads

Lead lists

Activities

Custom objects

Campaigns

Programs

Emails

Bulk import

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

Marketo API, answered.

More marketing API guides for agents

Constant Contact

Campaign Monitor

GetResponse

MailerLite

Mailgun

Braze

Control what every AI agent can do in Marketo.