Can one get lead data from the Marketo Lead Database API by using the token in the `_mkto_trk` cookie?
Level 2
April 21, 2025
Solved

I'd like to identify users on our website using Marketo data. I am curious if one can fetch lead data using the data stored in the `_mkto_trk` cookie. It appears that the cookie is storing both an ID (Munchkin ID?) and a token. Can either of these be used to fetch the lead that's associated with that particular user?

 

There seem to be several posts that hint at this, but neither of the suggested implementations works:
https://nation.marketo.com/t5/product-discussions/submitting-munchkin-cookie-as-mkto-trk-through-leadcapture-save/m-p/95503#M58126

https://nation.marketo.com/t5/product-discussions/marketo-api-to-get-user-email-using-filter-type-munchkin-cookie/m-p/331832#M187437

 

Based on the last post above, I'd assume hitting the leads endpoint like this would work:

```
{MARKETO_ENDPOINT}/v1/leads.json?access_token=${ACCESS_TOKEN}&filterType=cookies&filterValues=${COOKIE_TOKEN}
```
 
However, when hitting that API, I get a successful request but `result` returns an empty array. Am I doing this wrong or is this simply not possible with the API?

SanfordWhiteman
Level 10
April 21, 2025
Let's step back for a moment to make sure we don't have an XY Problem.

What is the exact business need you're trying to meet? Be as detailed as possible.
nahcp (Author)
Level 2
April 22, 2025

Sure thing!

 

We have a website that uses Marketo and a separate analytics provider for tracking traffic and user behavior. Currently, users/visitors in the latter are identified by a unique hash. However, if a user has any Marketo lead data associated with it, we would want to push that data to our analytics provider (associate the hash with things like email, name, company, etc.). Hence the idea of fetching lead data from the Marketo API via the `_mkto_trk` cookie.

 

It's worth noting that we can achieve this by grabbing the data when users submit forms and then pushing it to our analytics provider. That said, this would only give us data moving forward. The above idea would address capturing user data for users that have already filled out a form.

 

Does that make sense? Happy to expand on any of that.

SanfordWhiteman (Accepted solution)
Level 10
April 22, 2025

The problem with this model is doing individual lookups by cookie in response to end user activity makes you vulnerable to a trivial DoS attack.  Integrations that attempt this have catastrophic effects on Marketo instances, and it’s not recommended. (Note even without anything malicious, you have a self-DoS if you look up every newly set cookie for thousands of legit visitors per day.)

 

If you’re only using it for a one-time backfill on a fixed number of cookies, it may be feasible. But I still wouldn’t do a direct lookup. Instead, do a bulk export that includes the cookies field. Then do your lookup offline, i.e. import the CSV into a database and query it.

 

By the way, the scalable way to do this kind of thing is to use my cross-domain pre-fill JS, which doesn’t use any API calls. Search for “SimpleDTO.”
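
The offline lookup suggested in the accepted answer, sketched as an added example that is not part of the original thread: a constructed CSV stands in for the bulk export, is loaded into SQLite once, and visitor cookies are then resolved locally with no per-visitor API call. The column names (`id`, `email`, `cookies`), the comma-separated layout of the `cookies` column, and the sample cookie values are assumptions.

```python
import csv
import io
import sqlite3

# Constructed sample standing in for a bulk lead export; the column names and
# the comma-separated layout of the "cookies" column are assumptions.
SAMPLE_EXPORT = '''id,email,cookies
101,ana@example.com,"id:000-AAA-000&token:_mch-example.com-1700000000000-11111"
102,bo@example.com,"id:000-AAA-000&token:_mch-example.com-1700000000001-22222,id:000-AAA-000&token:_mch-example.com-1700000000002-33333"
103,cy@example.com,
'''

def token_of(cookie_value):
    """Return the token part of an `_mkto_trk`-style value, or None if absent."""
    for part in cookie_value.strip().split("&"):
        if part.startswith("token:"):
            return part[len("token:"):] or None
    return None

def build_index(csv_text):
    """Load the export into an in-memory SQLite table keyed by cookie token."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE lead_cookie "
               "(token TEXT PRIMARY KEY, lead_id INTEGER, email TEXT)")
    for row in csv.DictReader(io.StringIO(csv_text)):
        for value in (row.get("cookies") or "").split(","):
            token = token_of(value)
            if token:  # leads with no cookie on record are skipped
                db.execute("INSERT OR IGNORE INTO lead_cookie VALUES (?, ?, ?)",
                           (token, int(row["id"]), row["email"]))
    db.commit()
    return db

def lookup(db, raw_cookie):
    """Resolve a visitor's raw cookie value to (lead_id, email), fully offline."""
    token = token_of(raw_cookie)
    if token is None:
        return None
    # The cookie is visitor-controlled input, so it is bound as a parameter.
    return db.execute("SELECT lead_id, email FROM lead_cookie WHERE token = ?",
                      (token,)).fetchone()
```

Because the table is built once from the export, the number of lookups a visitor can trigger has no effect on the Marketo instance.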