Secure a Custom Activity Using an OAuth 2.0 Bearer Token

Marketing Cloud Engagement supports the use of OAuth 2.0 bearer tokens in calls to external services. By using OAuth 2.0 bearer tokens, you can increase the security of requests that come into and out of Marketing Cloud Engagement.

To use OAuth 2.0 to secure your requests to external services, you must first configure Marketing Cloud Engagement to obtain bearer tokens from your token exchange endpoint. After you configure Marketing Cloud Engagement to obtain these tokens, it automatically uses them in the request headers for requests that you make to external applications.

  1. In Setup, under Data Management, select Key Management.

  2. Click Create.

  3. For Key Type, choose Security Context.

  4. For Name, enter a name for the key.

  5. For External Key, enter an external key.
    The value that you enter can contain only ASCII characters.

  6. For Grant Type, select the type of grant to issue:

    • To create a key that is authenticated using a client key and client secret, select Client Credentials. This option is helpful for basic server-to-server authentication.
    • To create a key that is authenticated using a private key in a signed JWT, select Client Credentials with JWT assertion. This option is helpful for secure authentication between servers.
    • To create a key that is authenticated using a JWT that contains a user assertion, select Authorization grant with JWT assertion. This option is helpful in single sign-on (SSO) scenarios.
  7. For Content Type, select a value to use in the content-type headers of requests that Marketing Cloud Engagement sends to the external application. Choose from these options:

    • application/json
    • application/x-www-form-urlencoded

    Make sure that the value you select aligns with the content type that the token endpoint expects.

  8. Complete the remaining fields for the grant type you selected. This table lists the properties that you specify to create a key.

| Property | Applies to These Grant Types | Description |
| --- | --- | --- |
| Audience | Authorization grant with JWT assertion; Client Credentials with JWT Assertion | The JWT audience name to use in the token exchange. |
| Client ID | Client Credentials | A public identifier for the client. |
| Client Secret | Client Credentials | The private credential that is used to authenticate the client. |
| Issuer | Authorization grant with JWT assertion; Client Credentials with JWT Assertion | The JWT issuer name to use in the token exchange. |
| Key ID | Authorization grant with JWT assertion; Client Credentials with JWT Assertion | The unique ID that identifies the key used to sign the JWT for an authorization grant. |
| Private Key | Authorization grant with JWT assertion; Client Credentials with JWT Assertion | An RSA private key in PEM format. |
| Subject | Authorization grant with JWT assertion; Client Credentials with JWT Assertion | The JWT subject to use in the token exchange. |
| Token Endpoint | Client Credentials; Client Credentials with JWT Assertion | The URL of the external web service to call to retrieve an access token. |
| Valid Service URLs | Authorization grant with JWT assertion; Client Credentials; Client Credentials with JWT Assertion | The URLs that the returned access token applies to. Enter each URL on a new line. You can specify up to 10 URLs. |

  9. To add extra parameters to the key request, specify them in the Key and Value fields, and then click Add.
    If you add parameters, you must specify both the key and the value.

  10. Save the key.
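
An added example, not code from this page or from Salesforce: one way the token endpoint that you operate could check a JWT assertion built from the Key ID, Issuer, Subject, and Audience properties before it issues a bearer token. It assumes an RS256-signed JWT that carries kid in the header and iss, sub, aud, and exp claims (the page does not specify the layout); the key pair, the names, and the URL are constructed, and signAssertion and verifyAssertion are hypothetical helpers.

```javascript
const crypto = require('node:crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');
const decode = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Constructed key pair; in practice the public key is registered out of band.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Hypothetical values standing in for the Key ID, Issuer, Subject and Audience fields.
const EXPECTED = {
  kid: 'example-key-1', iss: 'example-issuer', sub: 'example-subject',
  aud: 'https://auth.example.com/token',
};
const TRUSTED_KEYS = { [EXPECTED.kid]: publicKey };

// Produces a sample assertion as a client would; only used to build test input.
function signAssertion(header, claims, key = privateKey) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), key).toString('base64url')}`;
}

// Returns { ok: true, claims } or { ok: false, reason }.
function verifyAssertion(jwt, now = Math.floor(Date.now() / 1000)) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = decode(parts[0]);
    claims = decode(parts[1]);
  } catch (e) {
    return { ok: false, reason: 'malformed' };
  }
  if (!header || !claims) return { ok: false, reason: 'malformed' };
  // Pin the algorithm: the token must not be able to select "none" or an HMAC variant.
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad alg' };
  // Own-property lookup so a kid such as "__proto__" cannot resolve to anything.
  const key = Object.hasOwn(TRUSTED_KEYS, header.kid) ? TRUSTED_KEYS[header.kid] : null;
  if (!key) return { ok: false, reason: 'unknown kid' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify('RSA-SHA256', signed, key, Buffer.from(parts[2], 'base64url'))) {
    return { ok: false, reason: 'bad signature' };
  }
  // Exact-match the configured identity claims (a string aud is assumed).
  for (const c of ['iss', 'sub', 'aud']) {
    if (claims[c] !== EXPECTED[c]) return { ok: false, reason: `bad ${c}` };
  }
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  return { ok: true, claims };
}
```

Rejecting on the first failed check and returning a reason keeps the endpoint's logs useful for spotting misconfigured keys or replayed, expired assertions.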

After you configure Marketing Cloud Engagement to perform token exchanges, you can create or update journeys to use OAuth 2.0 authentication. In your custom activity, add a securityOptions object. The object must contain this information. (Replace <externalKeyName> with the name that you provided when you configured the key exchange.)