1. You must have Salesforce OAuth set up in the org. To set up a connected app for OAuth, the "pardot_api" scope must be one of the selected OAuth scopes. Otherwise, OAuth flows other than username/password flow can't be used with the Pardot API. Check out this video for an example of how to implement OAuth.

    Implement Salesforce OAuth for Pardot API
  2. You must have the Pardot Business Unit ID that you want to authenticate with. To find the Pardot Business Unit ID, use Setup in Salesforce. From Setup, enter "Pardot Account Setup" in the Quick Find box. Your Pardot Business Unit ID begins with "0Uv" and is 18 characters long. If you can’t access the Pardot Account Setup information, ask your Salesforce Administrator to provide you with the Pardot Business Unit ID.

  3. Authenticate with a user that is SSO enabled. An SSO-enabled user is one who can log in to using "Log In with Salesforce" or who can access Pardot using the Pardot Lightning App.

Oauth Authentication Domain by Account Type

Pardot Account TypeSalesforce DomainPardot Domain
Pardot Developer

Sample POST Request for OAuth Token

Request must be made using HTTPS.

Request Parameters

grant_typeXThe value must be "password"
client_idXThe consumer key
client_secretXThe consumer secret
usernameXThe username of the SSO user account
passwordXThe password of the SSO user account

If authentication is successful, an access token is returned. See Salesforce OAuth documentation for the response format.

Using Access Token with Pardot

After you get the access token, you must pass it and the Pardot Business Unit ID using the Authorization and Pardot-Business-Unit-Id headers.

Sample Request

Request must be made using HTTPS.

Request Parameters

access_tokenXAccess token obtained from Salesforce OAuth Endpoint
business_unit_idXPardot Business Unit ID

If a valid access token is provided with a valid business unit ID, the Pardot endpoint works as expected.

Note: The Pardot API doesn’t enforce IP address restrictions that are configured using the Salesforce option "Enforce login IP ranges on every request".