tools/list.Connection options
Copilot Studio
Use API-key authentication in a header.
Server URL: https://marketo-rest-mcp.heritagemcp.org/mcp
Authentication: API key
Location: Header
Header name: X-Marketo-Credentials
Value: <base64url JSON credential payload>Generic MCP clients
Use separate request headers when your client supports them.
X-Marketo-Client-Id: <client id>
X-Marketo-Client-Secret: <client secret>
X-Marketo-Munchkin-Id: 123-ABC-456
X-MCP-API-Key: <optional outer MCP key>Bearer-style remote MCP clients
Use the same base64url credential payload as a bearer value.
Authorization: Bearer <base64url JSON credential payload>Credential payload
The server does not store this payload. The MCP client sends it per request, and the Worker exchanges it for a request-local Marketo access token.
{
"clientId": "YOUR_MARKETO_CLIENT_ID",
"clientSecret": "YOUR_MARKETO_CLIENT_SECRET",
"munchkinId": "123-ABC-456",
"mcpServerApiKey": "optional outer MCP key"
}Generate it locally with:
export MARKETO_CLIENT_ID='...'
export MARKETO_CLIENT_SECRET='...'
export MARKETO_MUNCHKIN_ID='123-ABC-456'
npm run make:credential-tokenCore workflows and tools
| Workflow | Typical tools | Notes |
|---|---|---|
| Lookup a person | marketo_lookup_person_by_email, marketo_find_people | Returns one result or a selectable list when duplicates exist. |
| Recent activity / activity counts | marketo_get_person_recent_activities, marketo_count_person_activities, marketo_get_activity_types | Can filter by activity type, page/email name, primary attribute, or activity attributes. |
| Subscription data | marketo_lookup_person_subscriptions_by_email, marketo_get_person_subscriptions | Returns common compliance fields and discovers fields whose names contain subscriber or subscription. |
| Event registration | marketo_list_programs, marketo_register_person_for_event_program | Mutates Marketo; confirm exact person, program, and status before calling. |
| Email/event program creation | marketo_clone_program, marketo_get_program_tokens, marketo_upsert_program_token, email/landing-page tools | Use clone-and-tokenize templates; confirm before approval or scheduling. |
Manual JSON-RPC examples
MCP clients handle this automatically. These examples are useful for debugging with curl or scripts.
Initialize
{
"jsonrpc": "2.0",
"id": 1,
"method": "initialize",
"params": {
"protocolVersion": "2025-06-18",
"capabilities": {},
"clientInfo": {
"name": "manual-test-client",
"version": "1.0.0"
}
}
}Discover tools
{
"jsonrpc": "2.0",
"id": 2,
"method": "tools/list",
"params": {}
}Lookup by email
{
"jsonrpc": "2.0",
"id": 3,
"method": "tools/call",
"params": {
"name": "marketo_lookup_person_by_email",
"arguments": {
"email": "person@example.com"
}
}
}Lookup subscriptions by email
{
"jsonrpc": "2.0",
"id": 4,
"method": "tools/call",
"params": {
"name": "marketo_lookup_person_subscriptions_by_email",
"arguments": {
"email": "person@example.com"
}
}
}Count a web-page visit
{
"jsonrpc": "2.0",
"id": 5,
"method": "tools/call",
"params": {
"name": "marketo_count_person_activities",
"arguments": {
"leadId": 12345,
"sinceDays": 60,
"activityTypeNames": [
"Visit Webpage"
],
"primaryAttributeContains": "/example-page"
}
}
}Useful endpoints
GET /healthz— deployment health and credential-mode summary.GET /docs— this page.GET /docs.json— machine-readable docs summary.POST /mcp— Streamable HTTP MCP endpoint.
Safety notes
- Bulk import/export endpoints are blocked.
- Identity/OAuth endpoints are internal and blocked from the generic REST tool.
- Use
MCP_SERVER_API_KEYin production to protect the MCP server itself. - Mutating tools should be explicitly confirmed by the user before execution.
Machine-readable summary: /docs.json