Get an Access Token for Legacy Packages

This document applies only to API integrations in legacy packages. To get an access token for OAuth 2.0 API integrations, review Set Up Your Development Environment for Enhanced Packages.

For your authentication requests, we recommend using our tenant-specific Marketing Cloud-branded endpoint structure, which includes your tenant’s subdomain. Find your authentication endpoint in Installed Packages.

The first step in any API-based integration is getting an OAuth access token to authenticate your calls.

Using the client ID and secret from the installed package, call the REST Auth service to obtain an OAuth access token for authenticating your API calls. This sample call demonstrates how to POST to that resource to acquire an access token.

The access token is returned in the accessToken property. Specify this access token to authenticate all other REST API calls via the Authorization header field with the Bearer HTTP authorization scheme.

The following example uses the same access token to authenticate with the SOAP API.

Note the expiresIn property in the HTTP response to the requestToken API call. Access tokens expire one hour after they are issued. If you attempt to use an expired token, you receive a 401 Unauthorized HTTP response. If this happens, refresh your access token by calling requestToken again.

Follow these considerations when using the API directly and doing your own OAuth token management.

  1. Do not request a new access token for every API call you make. Each access token is good for an hour and is reusable. Making two API calls for every one operation is inefficient and causes throttling.
  2. Be careful where you store your client ID and secret. Never expose this information on the client side via JavaScript or store it in a mobile application. Ensure that these credentials are stored securely in your application.
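
The following added example (not part of the original documentation or of Salesforce's code) shows one way to apply both considerations on the server side: it reuses a token until just before `expiresIn` elapses and re-requests after a 401. The endpoint host is a placeholder, and the request body field names, the environment variable names, and the `TokenCache` helper are assumptions made for illustration.

```python
import json
import os
import time
import urllib.request

# Placeholder: substitute the tenant-specific endpoint shown in Installed Packages.
AUTH_URL = "https://YOUR_SUBDOMAIN.auth.marketingcloudapis.com/v1/requestToken"


def request_token(client_id, client_secret, url=AUTH_URL):
    """POST the package credentials and return the parsed JSON response."""
    # Assumption: the body carries the credentials as clientId / clientSecret.
    body = json.dumps({"clientId": client_id, "clientSecret": client_secret}).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Reuses one access token until shortly before expiresIn elapses."""

    def __init__(self, fetch, skew=60, clock=time.monotonic):
        self._fetch = fetch      # callable returning {"accessToken", "expiresIn"}
        self._skew = skew        # refresh this many seconds before expiry
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def token(self):
        # Only call the auth service when there is no usable cached token.
        if self._token is None or self._clock() >= self._expires_at:
            data = self._fetch()
            self._token = data["accessToken"]
            self._expires_at = self._clock() + int(data["expiresIn"]) - self._skew
        return self._token

    def invalidate(self):
        """Call after a 401 Unauthorized so the next token() re-requests."""
        self._token = None

    def auth_header(self):
        return {"Authorization": "Bearer " + self.token()}


def cache_from_env():
    # Hypothetical variable names; credentials stay in the server-side environment.
    cid, secret = os.environ["MC_CLIENT_ID"], os.environ["MC_CLIENT_SECRET"]
    return TokenCache(lambda: request_token(cid, secret))
```

Keep the token itself out of logs and error messages, since it is valid as a bearer credential for the rest of its hour.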