Use OAuth2 Authentication with Event Notification Service

Access to the Event Notification Service (ENS) is secured using message signing and IP allowlisting. In some cases, it's preferable to have ENS authenticate with your system before pushing event notifications. To meet this requirement, ENS supports OAuth2 authentication.

These instructions assume that you’re familiar with the Event Notification Service API.

Marketing Cloud Engagement supports authentication using the OAuth2 client_credentials and password grant types.

To use the client_credentials grant type, your system must support clientId, clientSecret, authUrl.

The password grant type uses resource owner password credential (ROPC). To use this grant type, your system must support clientId, clientSecret, username, password, authUrl.

The password grant type is considered a legacy authentication scheme. However, many customers find the level of risk for this use case to be acceptable.

Your authorization server must be publicly accessible and must serve requests over HTTPS. It must be able to return authorization tokens within 2 seconds of the request being issued, and must support the concurrent provisioning of multiple tokens. The server must support client requests with parameters in application/x-www-form-urlencoded format with UTF-8 character encoding. Successful responses must include the access_token property.

If you use the password grant type, your server must support the HTTP Basic authentication scheme for authenticating clients that were issued a client password.

Optionally, responses can use the access_token scope. See IETF: RFC 6749.

Before you configure ENS callbacks for authentication, create an authentication scheme. When you create or update calls for OAuth2 requests, verify that the authentication URL successfully returns a token.

When there is a delete request, ENS confirms that all callback associations with the authentication scheme have been removed. If this verification step isn't successful, the request fails.

This code sample shows an example of a REST request using the client_credential grant type.

The response includes an authID parameter. Fields that contain sensitive data, such as the clientId and clientSecret fields, aren't included in the response.

This code sample shows an example of a REST request using the password grant type.

The response includes an authID parameter. Fields that contain sensitive data, such as the clientId, clientSecret, username, and password fields, aren't included in the response.

Register a new callback to receive event notifications by sending a POST request to the /platform/v1/ens-callbacks API endpoint.

The response includes the callback ID and a signature key.

To verify events via message signature, capture the value of the signatureKey property in the response.

For more information about the ens-callbacks endpoint, see Create Callback.

Verify that the callback can receive notifications by sending a POST request to the /platform/v1/ens-verify endpoint. The request includes the callback ID and the verification key from the creation request.

If the callback is operating as expected, the API returns a 200 OK response.

For more information about the ens-verify endpoint, see Verify Callback.

After you verify the callback, create a subscription. A subscription indicates the event types that you want to receive notifications for and which callback to receive them on. A new subscription takes up to 2 minutes to become active. Each callback can have up to 200 subscribers.

Ensure that the callback you specify is ready to receive events before creating a subscription for it. This code provides an example of a request to create a subscription. It includes these properties:

PropertyTypeDescription
subscriptionNameStringA unique name for the subscription.
callbackIdStringThe unique identifier of the callback that receives the notification events. This callback must exist and must be verified.
eventCategoryTypesArray of stringsThe comma-separated list of fully qualified event types for which you’re requesting notifications. This list is expressed as NotificationEventCategory.NotificationEventType. See Supported Notification Events.
filtersArray of stringsEach string in the array is a key-value pair to filter on. Filter values must use the syntax key=value. See Subscription Filters.

The response includes a subscription ID and the status of the subscription.

For more information about the ens-subscription endpoint, see Create Subscription.

When the callback is configured and subscribed to, you can begin to send events to the authentication server. This code sample shows an example of a request to log an event.

The Authorization header in the request includes the bearer token only if the authentication token was retrieved successfully. If the token retrieval fails, the Authorization header contains a value of Bearer null, and the request fails.

To modify the authentication configuration for a callback, send a PUT request to the /platform/v1/ens-authentications endpoint. There can be a delay of a few minutes before the changes to the callback become active. This code example shows how to update a callback.

The response includes an updated authId property.