Secure Your API Credentials For Salesforce Marketing Cloud Development
This post comes off the back of a webinar hosted by Eliot Harper and Ivan Razine in which the very important topic of secure development practices was covered. One of the key learnings was how to protect your API credentials (clientID and clientSecret) on CloudPages. I’d encourage you to watch the webinar recording for some excellent nuggets of information. This blog post is my takeaway from the presentation, with the aim of helping to spread good development practices.
Server-side code runs in the ‘home’ server environment and can interact with and manipulate objects on the server before the response is rendered. The server script itself is never passed to the requester, only the results of that scripting.
In this respect, there is low risk of the clientSecret being accessible to CloudPage end users. However, it is not good practice to have the credentials just sitting in the page, clearly exposed and easily available for all internal SFMC users to see. Eliot raised a good point in the preso that even the most basic SFMC user permissions allow users to view CloudPages code. So securing your API creds inside pages is definitely something you will want to implement.
Using the EncryptSymmetric() AMPscript function, we are going to encrypt our REST API credentials, save the encrypted string output in a Data Extension, and then use the Lookup and DecryptSymmetric functions to retrieve the credentials for use in our CloudPage.
Explanation here: AMPscript Guide
Official help documentation here. We need to create three keys (a password, a salt and an initialization vector) so that we are able to use the EncryptSymmetric function. Go to Setup and search for ‘Key Management.’
Using https://www.random.org/bytes/, generate the Salt and IV values.
- Salt: encryption requires a hex value longer than 8 bits.
- Initialization Vector (IV): encryption requires that you enter a 16-byte hexadecimal value.
- 8 random bytes: https://www.random.org/cgi-bin/randbyte?nbytes=8&format=h
- 16 random bytes: https://www.random.org/cgi-bin/randbyte?nbytes=16&format=h
Once our key management is in place, we can create a CloudPage, input the REST API credentials and call the EncryptSymmetric function using the external keys.
This will output a Base64-encoded value of our encrypted credentials.
Since this is symmetric encryption, the string can be decrypted right in your SFMC account using the same password, salt and IV keys stored in Key Management that were used to create it. More on that soon.
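As an added example (not code from the webinar or the original post), here is a one-off CloudPage that performs the encryption step described above. The external key names apiPassword, apiSalt and apiIV, and the placeholder credential values, are assumptions; replace them with the key names you created in Key Management and the values from your Installed Package.

```ampscript
%%[
/* Added example: one-off CloudPage that encrypts the REST API credentials.
   Key names (apiPassword, apiSalt, apiIV) and the credential values are
   placeholders, not values from the original post. */
var @clientId, @clientSecret, @creds, @encrypted

set @clientId = "YOUR_CLIENT_ID_HERE"
set @clientSecret = "YOUR_CLIENT_SECRET_HERE"

/* Store both values as one JSON string so a single Data Extension field holds them */
set @creds = Concat('{"client_id":"', @clientId, '","client_secret":"', @clientSecret, '"}')

/* Arguments: data, algorithm, password key name, password value,
   salt key name, salt value, IV key name, IV value.
   Passing @null for each value tells the function to read the
   external keys from Setup > Key Management instead of inline values. */
set @encrypted = EncryptSymmetric(@creds, "AES", "apiPassword", @null, "apiSalt", @null, "apiIV", @null)
]%%
%%=v(@encrypted)=%%
```

Preview the page once, copy the Base64 output into the Data Extension, and then unpublish or delete this page: it is the only place the credentials exist in clear text, and it has no further use once the encrypted string is stored.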
Copy this string and upload it into a new Data Extension like the one below. I am using the account MID as the key for the Lookup function.
| Name | Data Type | Length |
|---|---|---|
| MID | Int | 10 |
| apiCreds | Text | 3000 |
This will print the accessToken to the screen, but in reality you’ll be taking this token for use in the Authorization header of subsequent API calls on the page.
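The runtime half of the procedure, as an added example that is not code from the original post: look up the encrypted string by MID, decrypt it with the same external keys, then use Server-Side JavaScript to exchange the credentials for an access token at the v2 token endpoint. The Data Extension name API_Credentials, the key names apiPassword/apiSalt/apiIV, the YOUR_SUBDOMAIN placeholder and the use of the memberid system personalization string for the account MID are all assumptions.

```ampscript
%%[
/* Added example: runtime CloudPage. Data Extension name (API_Credentials),
   external key names (apiPassword, apiSalt, apiIV) and the auth subdomain
   are placeholders, not values from the original post. */
var @mid, @encrypted, @creds

/* memberid is the system personalization string for the account MID
   (assumed to be available in the CloudPage context) */
set @mid = memberid

/* Columns follow the post: MID (Int) is the lookup key, apiCreds (Text) holds the encrypted string */
set @encrypted = Lookup("API_Credentials", "apiCreds", "MID", @mid)

IF NOT Empty(@encrypted) THEN
  /* Same algorithm and external keys that EncryptSymmetric used */
  set @creds = DecryptSymmetric(@encrypted, "AES", "apiPassword", @null, "apiSalt", @null, "apiIV", @null)
ENDIF
]%%
<script runat="server">
Platform.Load("Core", "1.1.1");
try {
  var raw = Variable.GetValue("@creds");
  if (!raw) { throw "no credentials stored for this MID"; }
  var creds = Platform.Function.ParseJSON(raw);

  var payload = {
    grant_type: "client_credentials",
    client_id: creds.client_id,
    client_secret: creds.client_secret
  };
  var result = HTTP.Post("https://YOUR_SUBDOMAIN.auth.marketingcloudapis.com/v2/token",
                         "application/json", Stringify(payload));
  var body = Platform.Function.ParseJSON(result.Response[0]);

  /* Keep the token server-side for the Authorization header of later calls
     on this page rather than rendering it into the response */
  Variable.SetValue("@accessToken", body.access_token);
  Variable.SetValue("@restBase", body.rest_instance_url);
} catch (e) {
  /* A generic message: the exception text could contain request details */
  Write("Unable to authenticate.");
}
</script>
```

The decrypted JSON and the token only ever live in server-side variables, so neither reaches the rendered page; subsequent calls on the page read @accessToken and @restBase from those variables.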
Secure Development with Salesforce Marketing Cloud
What is Base64?
Finally, below is a great video about how Base64 works. Once you understand it, you’ll see why it is not a way to secure anything: Base64 is an encoding, not encryption, and is trivially decoded.
What is Salting?
Thanks goes to all the respective authors and content creators.