
Salesforce, Python, SQL, & other ways to put your data where you need it -- a bilingual blog in English & French

Logging into Salesforce's Marketing Cloud API (w/ Python)

26 Feb 2019 🔖 python marketing cloud salesforce tutorials api

Sometimes, just getting a login acknowledgement from an API is half the battle of using it.

Here, with screenshots, is how I finally logged into Salesforce Marketing Cloud’s API.

I used Python, but most of the steps have nothing to do with code.
Any language that can do HTTPS POST requests will do.


My e-mail expert colleague and I are going to team up and explore which of his “clicks” we can imitate with “code.”

Hopefully, this will help us do great things connecting to secondary Salesforce “orgs” (databases).

Password Precautions

To get this code to work, you have to type secret information into your code that could let anyone who intercepts it imitate you in Marketing Cloud.

That’s not a good thing.

  1. Only run this code on a computer you trust.
  2. Only run this code over a network connection you trust.
  3. If you save this Python script in a file, type “CONTAINS PASSWORD” at the beginning of the filename so you’ll remember it’s a file in which you have to clear out your “Client Id,” “Client Secret,” and “Authentication Base URI” before you close it.
  4. If you’re working in an IDE that treats subsequent “run” button clicks like one big session (and caches the values of variables from “run” to “run”), leverage that to help you remember to clear out your “Client Id,” “Client Secret,” and “Authentication Base URI” from your file.
    Run a few lines of code, with the rest commented out, to fetch an “access token” and save it into a variable called “token.”
    Then comment out the “fetching” code, backspace over your secret info, and type the word “SECRET_INFO_GOES_HERE,” and save your script.
    Ta da! Now you can stop worrying about whether you left secrets in plain text in the contents of your script.
  5. You’re going to have to get expert advice if you need to store this script and run it in any sort of automated fashion. Typing secrets into the body of the script itself and leaving it there is simply not an option.

1: Admin -> Installed Packages

Log into Marketing Cloud’s web console as an administrator.

Click on the drop-down by your name, top right.

Under “Settings,” click “Administration.”

In the top nav, hover over “Account” and click “Installed Packages.”

2: Create a new package

Click the “New” button.

Give your new package a name and description. Click Save.

You have a new package!

In the bottom half of its “details” tab, it will indicate that your new package doesn’t yet have any components.

In just a moment, after this brief diversion, click on “Add Component.”

Diversion: access settings

If you click on the “Access” tab of your package, you’ll notice that it’s only valid for accessing data of whatever “business unit” you were looking at when you logged into Marketing Cloud.

We’ll have a chance to fix that later.

3: Create a new component

Having clicked on the “Add Component” button in the new package’s “details” tab, you’ll choose “API Integration” from the radio-button menu of options and click “Next.”

Choose “Server-to-server” from the radio-button menu of options and click “Next.”

Click the “Read” checkboxes on anything you want to be able to read with code and click “Save.”

I checked “Read” in all the boxes.

IMPORTANT: Please don’t click anything but “Read” yet.

You really don’t want to be the person who erased all the data in Marketing Cloud because you gave yourself “write” permissions with an API you haven’t even tried yet, do you?

Diversion: access settings

Now if you click on the “Access” tab of your package, you’ll see a left-nav listing all your “business units.”

Click on one and you can toggle API access to this BU’s data on or off.

4: Secrets -> Python -> Voilà!

In the “Details” tab of your package, down below under “Components,” under “API Integration,” you’ll find all sorts of secret information.

3 key pieces of information are your “Client Id,” “Client Secret,” and “Authentication Base URI.”

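Open up an IDE from which you can execute Python and run the following script, making appropriate substitutions for “YOUR_CLIENT_ID,” “YOUR_CLIENT_SECRET,” and “YOUR_AUTHENTICATION_BASE_URI” (keep the “/v2/token” part of the URL):

import json, requests

client_Id = 'YOUR_CLIENT_ID'
client_Secret = 'YOUR_CLIENT_SECRET'
# Placeholder for the "Authentication Base URI" shown in the package details
auth_Base_Uri = 'YOUR_AUTHENTICATION_BASE_URI'

payload = {
    'client_id': client_Id,
    'client_secret': client_Secret,
    'grant_type': 'client_credentials'
}

# The token endpoint is the Authentication Base URI followed by /v2/token
url = auth_Base_Uri.rstrip('/') + '/v2/token'

# HTTPS POST of the payload (form-encoded, no explicit content-type header)
r = requests.post(url, data=payload)

# Parse the JSON response and pull out the token and its lifetime in seconds
body = json.loads(r.content)
token = body['access_token']
expiresIn = body['expires_in']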

If everything goes well, print(token) should show you the token you just generated.

If things don’t go well, try adding print(r) and print(body) to your script and re-running. You’ll get more detailed status and error responses about the HTTPS POST request that Python just made on your behalf.

For the next 20 minutes, you’ll prove your identity by passing this “token” value to one of the other two URLs Marketing Cloud gave you (REST or SOAP).

Those URLs are for actually fetching data from Marketing Cloud.
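One way to act on the password precautions and the token's limited lifetime is sketched below. This is an added example, not part of the original script: it reads the three secrets from environment variables instead of the script body, refuses a non-HTTPS Authentication Base URI, and keeps the token in memory until shortly before it expires. The variable names `SFMC_CLIENT_ID`, `SFMC_CLIENT_SECRET` and `SFMC_AUTH_BASE_URI`, the `TokenSession` class and the 60-second margin are assumptions made for illustration.

```python
import os
import time
from urllib.parse import urlsplit

# Hypothetical environment variable names, chosen for this example.
REQUIRED = ("SFMC_CLIENT_ID", "SFMC_CLIENT_SECRET", "SFMC_AUTH_BASE_URI")

def load_credentials(env=os.environ):
    """Read the three secrets from the environment, not from the script body."""
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    base = env["SFMC_AUTH_BASE_URI"].rstrip("/")
    parts = urlsplit(base)
    # Refuse to send the client secret anywhere that is not HTTPS.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Authentication Base URI must be an https:// URL")
    return {"client_id": env["SFMC_CLIENT_ID"],
            "client_secret": env["SFMC_CLIENT_SECRET"],
            "token_url": base + "/v2/token"}

class TokenSession:
    """Keeps the access token in memory and refetches it shortly before expiry."""

    def __init__(self, creds, post=None, clock=time.time, margin=60):
        self._creds, self._post, self._clock, self._margin = creds, post, clock, margin
        self._token, self._expires_at = None, 0.0

    def token(self):
        if self._token is None or self._clock() >= self._expires_at - self._margin:
            self._refresh()
        return self._token

    def _refresh(self):
        post = self._post
        if post is None:
            import requests  # same library as the script above
            post = requests.post
        payload = {"client_id": self._creds["client_id"],
                   "client_secret": self._creds["client_secret"],
                   "grant_type": "client_credentials"}
        r = post(self._creds["token_url"], data=payload, timeout=30)
        r.raise_for_status()
        body = r.json()
        self._token = body["access_token"]
        self._expires_at = self._clock() + int(body["expires_in"])

    def __repr__(self):
        return "<TokenSession token=hidden>"  # keeps the token out of logs
```

With the three variables set in your shell, `TokenSession(load_credentials()).token()` returns a usable token and only makes a new HTTPS POST when the cached one is about to expire.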

Here is official documentation about the HTTPS POST to make when authenticating against Salesforce Marketing Cloud.

(Note: Actually including a “content-type” of “application/json,” as per the official instructions, seems touchy. It didn’t work for me. Try taking it out of your header if you encounter problems.)

Happy experimenting!
