Marketing Cloud XML API Retirement

Salesforce retired Marketing Cloud XML API and no longer provide support on October 31, 2018. We took this action to increase the security of your data and eliminate duplicative systems. In addition, in our ongoing endeavor to protect your data, we identified some potential vulnerabilities.

What’s Changing?

On October 31, 2018 Salesforce Marketing Cloud retired XML API endpoints and no longer accept XML API traffic.

What is the XML API?

The XML API allows outside systems to interact with Email Studio within the Salesforce Marketing Cloud. It allows outside systems to import and export data and trigger actions with Email Studio.

What are the potential vulnerabilities?

We identified two potential vulnerabilities passing API username and password in clear text as part of the XML URL and/or authenticating via HTTP versus the more secure HTTPS.

How can we address the security vulnerabilities?

TLS/SSL (HTTP vs HTTPS) - To address this vulnerability you need to make sure all API calls are being made using the HTTPS protocol instead of HTTP.

XML in URL - XML payload passed in the URL will be rejected, this has to be sent in the request body instead.

Not Accepted

GET-http://www.exacttarget.com/api/integrate.aspx?qf=xml&xml=<XML>

Accepted

POST-https://www.exacttarget.com/api/integrate.aspx

BODY

qf=xml&xml=<XML>

If you are deprecating the functionality, why should I address the vulnerabilities?

The data within your accounts remain at risk until the vulnerabilities are closed.  Typically these fixes can be addressed more quickly than a full migration off of XML.

What action do I need to take?

There’s only one thing you need to do to prepare. You must update your systems to move from the XML API to the SOAP API.  If you need help, follow the guide for migrating from XML to SOAP API here.

Why are you retiring this product?

We are focusing our development efforts on enhancing our latest SOAP API versions to improve the overall Salesforce Marketing Cloud experience when building custom functionality via applications. 

Where can I get more information?

If you have more questions, open a case with support via Salesforce Help or contact your Salesforce account team. To view all current and past retirements, see Salesforce Product & Feature Retirements.

For more information about Salesforce’s approach to retiring products and features, read our Product & Feature Retirement Philosophy.