Mask OAuth Consumer Key and Consumer Secret in Salesforce Sync Admin Page
In the Marketo Admin panel under Integration > Salesforce > Edit OAuth Consumer Info, both the Consumer Key and Consumer Secret fields are displayed in plain text.
This is a security concern — OAuth secrets should be masked by default (e.g., ••••••••••) with an optional "Show" toggle, consistent with how most platforms handle sensitive credentials.
Current Behavior:
- Navigate to Admin > Integration > Salesforce
- Click "Edit OAuth Consumer Info"
- Both Consumer Key and Consumer Secret values are fully visible in plain text
Expected Behavior:
- Consumer Secret should use a password-type input field, masked by default
- Consumer Key should ideally also be masked
- An optional "Show/Hide" toggle would allow authorized admins to reveal the value when needed
Why this matters:
- Screen sharing, screenshots, and over-the-shoulder exposure can inadvertently leak credentials
- Security audits and compliance reviews (SOC 2, ISO 27001) flag plain-text credential display as a finding
- Other Adobe products and most SaaS platforms already mask API secrets in their admin UIs
- This is a low-effort, high-impact UX improvement that aligns with OWASP secure design principles
Workaround: None — there is no way to mask these fields today.
Reference: https://experienceleague.adobe.com/en/docs/marketo/using/product-docs/crm-sync/salesforce-sync/log-in-using-oauth-2-0