Secure Your API Credentials For Salesforce Marketing Cloud Development


This post comes off the back of a webinar hosted by Eliot Harper and Ivan Razine in which the very important topic of secure development practices was covered. One of the key learnings was how to protect your API credentials (clientID and clientSecret) on CloudPages. I’d encourage you to watch the webinar recording for some excellent nuggets of information. This blog post is my takeaway from the presentation, with the aim of helping to spread good development practices.

All AMPscript and Server-Side JavaScript (SSJS) is processed on Marketing Cloud's servers rather than on the client's computer. Any such code is fully executed on the server before the final content is sent to, and rendered by, the client. Greg at Gortington.com explains this very clearly in his blog post.

Server-side code utilises the ‘home’ server environment and is able to interact and manipulate objects on the server prior to response rendering. The server script is not passed along to the requester, only the results of this scripting.

In this respect, there is a low risk of the clientID and clientSecret being accessible to CloudPage end users. However, it is not good practice to leave them sitting in the page in the clear, easily available for all internal SFMC users to see. Eliot raised a good point in the presentation that even the most basic SFMC user permissions allow users to view CloudPage code. So securing your API credentials inside pages is definitely something you will want to implement.

Solution

Using the EncryptSymmetric() AMPscript function we will encrypt our REST API credentials, save the encrypted output in a Data Extension, and then use the Lookup() and DecryptSymmetric() functions to retrieve and decrypt the credentials for use in our CloudPage. Be clear about what this does and does not protect: the final page still contains the decrypt call and the key names, so anyone who can edit the CloudPage, or who can read both the Data Extension and Key Management, can recover the plaintext. It stops credentials being read by anyone who can merely view page code; restrict edit permissions on CloudPages and access to the Data Extension and Key Management to cover the rest.

EncryptSymmetric

Explanation here: AMPscript Guide

Key Management

Official help documentation here. To use EncryptSymmetric() with external keys we need to create three keys in Key Management: a password, a salt and an initialization vector (IV). Go to Setup and search for 'Key Management'.

Setup > Key Management

Create Keys

Using https://www.random.org/bytes/ generate the salt and IV values. If you would rather not send key material through a third-party website, generate them locally instead, for example with `openssl rand -hex 16`.

  • Salt: a hexadecimal value at least 8 bytes long.
  • Initialization Vector (IV): a 16-byte hexadecimal value (32 hex characters), matching the AES block size.

Once key management is in place, we can create a CloudPage, input the REST API credentials and call EncryptSymmetric() using the external key names. Treat this as a one-off utility page: once you have copied the output, delete or unpublish it so the plaintext credentials are not left sitting in page code.
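As an added example (this is not code from the original post or the webinar), the one-off encryption page could look like the following. The key names apiCredsPassword, apiCredsSalt and apiCredsIV are assumptions, so substitute the names you created in Key Management, and the credential values are placeholders. The two values are wrapped in a small JSON document so they travel as a single string, which is what the final page parses later.

```ampscript
%%[
/* One-off utility page (added example, not from the original post): encrypt
   the REST API credentials with the external keys held in Key Management,
   print the Base64 output, then delete or unpublish this page so the
   plaintext never stays in page code. */

/* Placeholder credentials. Assumes the values contain no characters that
   would need JSON escaping (quotes or backslashes). */
set @clientId = "YOUR_CLIENT_ID"
set @clientSecret = "YOUR_CLIENT_SECRET"
set @plain = Concat('{"clientId":"', @clientId, '","clientSecret":"', @clientSecret, '"}')

/* External key names are assumptions; use the names you created in
   Setup > Key Management. Positions 3, 5 and 7 (literal password, salt, IV)
   are left null so the values are taken from Key Management by the external
   key names in positions 4, 6 and 8. */
set @encrypted = EncryptSymmetric(@plain, "aes", @null, "apiCredsPassword", @null, "apiCredsSalt", @null, "apiCredsIV")
]%%
%%=v(@encrypted)=%%
```

Publish the page once, copy the printed string, and remove the page. Nothing other than the encrypted value should ever leave this page.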

This outputs a Base64-encoded string of the AES-encrypted credentials. Base64 is only the transport encoding of the ciphertext; the protection comes from the encryption, not from the encoding.

PiUmPMeWWRRQ35gdPVwpJHs7bTpfXFwqHQJ7bCRtxroIFxgFQFIcUj9nYzMYcxw6GXxiJx1TPFIeeWR3WdujMC1bNEBNEW5uJwIEJAR5WghNCUED1pE9MMW0NRdMJFVmLUp2bV9z

Because this is symmetric encryption, the string can be decrypted in the same SFMC account using the password, salt and IV stored in Key Management. More on that soon.

Copy this string and store it in a new Data Extension like the one below. I am using the account MID as the key for the Lookup() function.

|   Name    | Data Type | Length |
|-----------|-----------|--------|
| MID | Int | 10 |
| apiCreds | Text | 3000 |

In our final CloudPage we look up this DE, grab the apiCreds string, decrypt it, pass it from an AMPscript variable to an SSJS string, parse it as JSON and use object notation to declare and define our variables.

This prints the accessToken to screen for demonstration only. In reality you will use the token in the Authorization header of subsequent API calls on the page and never render it, or the decrypted credentials, in the page output.
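The runtime page, as an added example rather than the post's own code: it looks up the encrypted string by MID, decrypts it with the same Key Management entries, parses the JSON in SSJS and exchanges the credentials for a token. The Data Extension name API_Credentials, the field names, the key names and YOUR_SUBDOMAIN are assumptions. Unlike the version described above, this one deliberately never writes the token to the page.

```ampscript
%%[
/* Runtime page (added example, not from the original post): fetch the
   encrypted credentials for this account, decrypt them with the same
   Key Management entries, and hand the JSON string to SSJS.
   DE name, field names and key names are assumptions. */
set @mid = AuthenticatedMemberID()
set @encrypted = Lookup("API_Credentials", "apiCreds", "MID", @mid)

if Empty(@encrypted) then
  /* Fail closed: stop page processing rather than continuing with no credentials. */
  RaiseError("No API credentials stored for this MID", true)
endif

set @decrypted = DecryptSymmetric(@encrypted, "aes", @null, "apiCredsPassword", @null, "apiCredsSalt", @null, "apiCredsIV")
]%%
<script runat="server">
  Platform.Load("core", "1.1.1");

  /* Read the decrypted JSON out of the AMPscript variable and parse it.
     Never Write() creds or the token into the rendered page. */
  var creds = Platform.Function.ParseJSON(Variable.GetValue("@decrypted"));

  /* v2 token endpoint. YOUR_SUBDOMAIN is the tenant-specific subdomain shown
     alongside the installed package (placeholder). */
  var tokenUrl = "https://YOUR_SUBDOMAIN.auth.marketingcloudapis.com/v2/token";
  var payload = Platform.Function.Stringify({
    grant_type: "client_credentials",
    client_id: creds.clientId,
    client_secret: creds.clientSecret
  });

  var result = Platform.Function.HTTPPost(tokenUrl, "application/json", payload, ["Accept"], ["application/json"]);

  if (result.Status == 200) {
    var token = Platform.Function.ParseJSON(String(result.Response[0]));
    var accessToken = token.access_token;
    var restBase = token.rest_instance_url;

    /* Headers for every later REST call on this page: the token rides in the
       Authorization header and is never rendered. Example of a later call:
       Platform.Function.HTTPPost(restBase + "...", "application/json", body, apiHeaderNames, apiHeaderValues) */
    var apiHeaderNames = ["Authorization", "Content-Type"];
    var apiHeaderValues = ["Bearer " + accessToken, "application/json"];

    /* Only a harmless status message reaches the page output. */
    Write("Token obtained; expires in " + token.expires_in + " seconds");
  } else {
    /* Fail closed: report the status only. Do not echo the response body,
       which can contain request details, and never the credentials. */
    Write("Token request failed with HTTP status " + result.Status);
  }
</script>
```

Two design points worth keeping: the lookup is keyed on AuthenticatedMemberID() so a page copied into another business unit cannot silently pick up the wrong row, and the failure branches print only a status, never the decrypted JSON or the auth response body.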

Secure Development with Salesforce Marketing Cloud

Eliot: https://mc.chat/
Ivan: https://ampscript.xyz/

What is Base64?

Finally, below is a great video about how Base64 works. Once you understand it, you'll see why Base64 on its own is not a way to secure anything: it is an encoding, not encryption, and is trivially decoded by anyone who obtains the string.

What is Salting?

Thanks goes to all the respective authors and content creators.

I am a certified Salesforce Marketing Cloud Consultant at Bower House Digital in Melbourne, Australia.
