Secure a Custom Activity Using an OAuth 2.0 Bearer Token

Marketing Cloud supports the use of OAuth 2.0 bearer tokens in calls to external services. By using OAuth 2.0 bearer tokens, you can increase the security of requests that come into and out of Marketing Cloud.

To use OAuth 2.0 to secure your requests to external services, you must first configure Marketing Cloud to obtain bearer tokens from your token exchange endpoint. After you configure Marketing Cloud to obtain these tokens, it automatically uses them in the request headers for requests that you make to external applications.

  1. In Marketing Cloud Setup, under Data Management, click Key Management.

  2. Click Create.

  3. For Key Type, choose Security Context.

  4. For Name, enter a name for the key.

  5. For External Key, enter your external key. The value that you enter can only contain ASCII characters.

  6. Under Grant Type, complete these steps.

    1. Select JWT Bearer.

    2. For Token Endpoint, enter the URL of the token exchange endpoint.

    3. For Issuer, enter the JWT issuer name to use in the token exchange.

    4. For Audience, enter the JWT audience name to use in the token exchange.

    5. For Subject, enter the JWT subject to use in the token exchange.

    6. For Private Key, enter your RSA private key in PEM format.

    7. For Valid Service URLs, enter the endpoint URLs that you plan to issue requests to.

      When you configure a custom activity to use this security context, requests issued from custom journey activities to the endpoints listed in this field automatically include the bearer token in their header sections.

  7. Save the key.

After you configure Marketing Cloud to perform token exchanges, you can create or update journeys to use OAuth 2.0 authentication. In your custom activity, add a securityOptions object. The object must contain this information. (Substitute <externalKeyName> for the name that you provided when you configured the key exchange in Marketing Cloud.)