Skip to main content

Authorization

Follow this guide to create a new Salesforce Marketing Cloud credential that will allow Nexla to authenticate to and exchange data with your Salesforce Marketing Cloud account.
sf_mktg_cloud_api_auth.png

Salesforce Marketing Cloud

Prerequisites

Before creating a Salesforce Marketing Cloud credential, you need to obtain your OAuth2 Client ID, Client Secret, and Marketing Cloud subdomain from your Salesforce Marketing Cloud account. Salesforce Marketing Cloud uses OAuth2 Server-to-Server (2-legged) authentication, which allows Nexla to access your account using client credentials without requiring user interaction at runtime.

To obtain your Salesforce Marketing Cloud OAuth2 credentials, follow these steps:

  1. Sign in to your Salesforce Marketing Cloud account using your administrator credentials.

  2. Navigate to Setup by clicking the gear icon in the top-right corner and selecting Setup.

  3. In the Setup menu, use the Quick Find box to search for Installed Packages, or navigate to Platform Tools > Apps > Installed Packages.

  4. Click New to create a new installed package.

  5. Enter a descriptive name for the package (for example, "Nexla Integration") and an optional description, then click Save.

  6. On the package detail page, click Add Component.

  7. Select API Integration as the component type and click Next.

  8. Select Server-to-Server as the integration type, then configure the required API permissions for your integration (for example, Data > Data Extensions > Read/Write or Assets > Read/Write depending on your use case).

  9. Click Save to create the API Integration component.

  10. Your Client ID (also called App Key) and Client Secret (also called App Secret) will be displayed on the component detail page. Copy both values and store them securely — the Client Secret may not be shown again after you navigate away.

  11. To locate your Marketing Cloud Subdomain, navigate to your Marketing Cloud account settings or look at the URL when logged into your Marketing Cloud account. Your subdomain is a 28-character string beginning with the letters mc (for example, mcXXXXXXXXXXXXXXXXXXXXXXXXXX). You can also find it in your tenant-specific endpoint URLs listed in the installed package settings.

  12. Store all three values — subdomain, Client ID, and Client Secret — securely. These credentials provide access to your Marketing Cloud account data and must be kept confidential.

The Client ID and Client Secret are used together to authenticate with the Salesforce Marketing Cloud OAuth2 token endpoint (/v2/token) to obtain a bearer access token. Nexla automatically obtains and refreshes this access token as needed, sending it in the Authorization: Bearer {token} header for all subsequent API requests. The subdomain is used to construct the correct authentication and API base URLs for your specific Marketing Cloud tenant.

For detailed information about Salesforce Marketing Cloud Server-to-Server OAuth2 authentication, see the Salesforce Marketing Cloud API documentation and the Request Token documentation.

Create a Salesforce Marketing Cloud Credential

  • To create a new Salesforce Marketing Cloud credential, after selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.

New Credential Overlay – Salesforce Marketing Cloud

SalesforceMCCred.png

Credential Name & Description

  1. Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.

    Resource descriptions are recommended but are not required. They should be used to provide information about the resource purpose, data freshness, etc. that can help the owner and other users efficiently understand and utilize the resource.

Server-to-Server OAuth Authentication

Salesforce Marketing Cloud uses Server-to-Server OAuth2 authentication for all API requests. Your Marketing Cloud subdomain, Client ID, and Client Secret are used to authenticate with the Salesforce Marketing Cloud token endpoint and obtain a bearer access token, which Nexla then uses automatically for all API calls to your Marketing Cloud instance.

  1. Enter your Marketing Cloud subdomain in the Marketing Cloud Subdomain field. This is the 28-character string beginning with mc that uniquely identifies your Marketing Cloud tenant. It is used to construct the authentication URL (https://{subdomain}.auth.marketingcloudapis.com) and the REST API base URL (https://{subdomain}.rest.marketingcloudapis.com) for your account.

  2. Enter your Salesforce Marketing Cloud Client ID in the Marketing Cloud Client ID field. This is the Client ID (App Key) you obtained from your Marketing Cloud installed package under Setup > Installed Packages > your package > Components > API Integration. The Client ID is used together with the Client Secret to request an OAuth2 access token from the Marketing Cloud token endpoint.

  3. Enter your Salesforce Marketing Cloud Client Secret in the Client Secret field. This is the Client Secret (App Secret) paired with your Client ID. It is used together with the Client ID to authenticate with the Salesforce Marketing Cloud token endpoint.

    Your Salesforce Marketing Cloud OAuth2 credentials can be found in your Marketing Cloud account under Setup > Installed Packages > your package > Components > API Integration. The Client ID and Client Secret are used to obtain an access token from the token endpoint (/v2/token), which Nexla sends automatically in the Authorization: Bearer {token} header for all API requests.

    Nexla automatically refreshes the access token as needed. If your credentials are compromised, immediately revoke them in your Marketing Cloud account settings and generate new ones. The Client ID, Client Secret, and subdomain together provide access to your Marketing Cloud account data — treat them as sensitive information and do not share them publicly.

    For detailed information about Salesforce Marketing Cloud OAuth2 authentication, see the Salesforce Marketing Cloud API documentation.

Save the Credential

  1. Once all of the relevant steps in the above sections have been completed, click the Save button at the bottom of the overlay to save the configured credential.

  2. The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation and can be selected for use with a new data source or destination.