Official Pardot API Documentation

IMPORTANT: Support for passing credentials via querystring is deprecated and returns an error response. Please update your API client as soon as you can.

Refer to the Using the API > Request Format section below for details.

Welcome! All up-to-date documentation of Pardot's official API is housed here. A few things to note:

Using the API

The Pardot API lets your application access current data within Pardot. Through the API, you can perform several common operations on Pardot objects including the following:

Developers must authenticate using a Salesforce OAuth endpoint or the Pardot API login endpoint before issuing Pardot API requests. Refer to the Authentication section for details about this procedure.

Keep in mind a few considerations when you perform requests. For update requests, only the fields specified in the request are updated. All others are left unchanged. If a required field is cleared during an update, the request is declined.

Request Format

All requests to the API:

Sample GET Request

With User Key and API Key (obtained through Pardot API login endpoint)
GET https://pi.pardot.com/api/<object>/version/3/do/<op>/<id_field>/<id>?<params> HTTP/1.1
Authorization: Pardot api_key=<your_api_key>, user_key=<your_user_key>
With Salesforce OAuth Access Token (obtained through Salesforce OAuth endpoint)
GET https://pi.pardot.com/api/<object>/version/3/do/<op>/<id_field>/<id>?<params> HTTP/1.1
Authorization: Bearer <access_token>
Pardot-Business-Unit-Id: <pardot_business_unit_id>

Sample POST Request

With User Key and API Key
POST https://pi.pardot.com/api/<object>/version/3/do/<op>/<id_field>/<id> HTTP/1.1
Authorization: Pardot api_key=<your_api_key>, user_key=<your_user_key>

<params>

Request Parameters

Parameter Required Description
object X The object type to be returned by the API request
op X The operation to be performed on the specified object type
id_field X The field to be used as the identifier for the specified object
id X The identifier for the specified object(s)
your_api_key X The API key obtained during Authentication
your_user_key X The user key used during Authentication
format The API data format: either xml (default) or json
params Parameters specific to your request; See individual methods for details
With Salesforce OAuth
POST https://pi.pardot.com/api/<object>/version/3/do/<op>/<id_field>/<id> HTTP/1.1
Authorization: Bearer <access_token>
Pardot-Business-Unit-Id: <pardot_business_unit_id>

<params>

Request Parameters

Parameter Required Description
object X The object type to be returned by the API request
op X The operation to be performed on the specified object type
id_field X The field to be used as the identifier for the specified object
id X The identifier for the specified object(s)
access_token X The access token obtained during Authentication
pardot_business_unit_id X The pardot business unit. For details see Authentication
format The API data format: either xml (default) or json
params Parameters specific to your request; See individual methods for details

The ordering of parameters is arbitrary. Parameters are passed using conventional HTML parameter syntax, with '?' indicating the start of the parameter string (for GET requests only) and '&' as the separator between parameters. With the exception of <format> and <params>, all components are required. Data returned from the API is formatted using JSON or XML 1.0 with UTF-8 character encoding. Keep in mind that some characters in the response may be encoded as HTML entities, requiring client-side decoding. Also, keep in mind that all parameters specified in an API request MUST be URL-encoded before they are submitted.

In general, the API returns XML or JSON containing a current version of the target object's data. But unsuccessful requests return a short response containing an error code and message. See Error Codes & Messages for error descriptions and suggested remedies: kb/error-codes-messages

Version 3 and Version 4 differences

To accommodate a new feature for prospects, we created a new version of our APIs: version 4. Now multiple prospects can share an email address on some Pardot accounts. Eventually all Pardot accounts will be able to do so. If your account has this feature active now, then you must use version 4. All others can continue to use version 3. Version 4 sometime uses slightly different input syntax with prospects, and can return multiple prospects where version 3 returns one. Please check out the appropriate version's documentation for usage details.

If your account uses version 4, then upon login to the APIs, the following data tag is returned: <version>4</version>. If your account requires version 3, you will not see this tag.

Changing the API Response Format

The Pardot API supports several output formats, and each returns different levels of detail in the XML or JSON response. Output formats are defined by specifying the output request parameter. Supported output formats include:

If the output request parameter is not defined, the output format defaults to full. See the XML Response Format sections for each object for details about the formats.

Rate Limits

We enforce API rate limits in two ways:

Daily Requests

Pardot Pro customers are allocated 25,000 API requests a day. Pardot Ultimate customers can make up to 100,000 API requests a day. These limits reset at the beginning of the day based on your account time zone settings. Any request made exceeding the limits result in an error code 122

You can check your current daily usage on the "usage and limits" page.

Concurrent Requests

To interact with our API more efficiently, you can have up to five concurrent API requests. Any connection over five results in an error code 66 response.

Sample Code

Here's an example of calling the Pardot API using a simple PHP client using the cURL library.

Note: We strongly recommend against using PHP's file_get_contents function to call the Pardot API because it makes error handling extremely cumbersome.

<?php

/**
 * Class SamplePardotApiClient
 *
 * Example PHP client to call the Pardot API
 */
class SamplePardotApiClient
{
    const BASE_URL = "https://pi.pardot.com/api/";
    const SALESFORCE_OAUTH_TOKEN_URL = "https://login.salesforce.com/services/oauth2/token";

    /** @var int $apiVersion */
    private $apiVersion;

    /** @var string $format  */
    private $format;

    public function __construct($apiVersion, $format = 'xml')
    {
        $this->apiVersion = $apiVersion;
        $this->format = $format;
    }

    /**
     * @param string $endpoint
     * @param string $operation
     * @param array $data
     * @param array $headers
     * @param array $queryParams
     * @param bool $useSalesforceOAuth
     * @return array
     * @throws Exception
     */
    public function post($endpoint, $operation, $data = [], $headers = [], $queryParams = [], $useSalesforceOAuth = true)
    {
        $curl_handle = $this->initRequest($endpoint, $operation, $headers, $queryParams, $useSalesforceOAuth);
        curl_setopt($curl_handle, CURLOPT_POST, true);
        // Add POST data if given
        if (!empty($data)) {
            curl_setopt($curl_handle, CURLOPT_POSTFIELDS, $data);
        }

        return $this->executeCall($curl_handle);
    }

    /**
     * @param string $endpoint
     * @param string $operation
     * @param array $headers
     * @param array $queryParams
     * @param bool $useSalesforceOAuth
     * @return array
     * @throws Exception
     */
    public function get($endpoint, $operation, $headers = [], $queryParams = [], $useSalesforceOAuth = true)
    {
        $curl_handle = $this->initRequest($endpoint, $operation, $headers, $queryParams, $useSalesforceOAuth);

        return $this->executeCall($curl_handle);
    }

    /**
     * @param string $endpoint
     * @param string $operation
     * @param array $headers
     * @param array $queryParams
     * @param bool $useSalesforceOAuth
     * @return false|resource
     */
    private function initRequest($endpoint, $operation, $headers = [], $queryParams = [], $useSalesforceOAuth = true)
    {
        // Construct our full URL to the Pardot API
        $url = $this->buildUrl($endpoint, $operation, $useSalesforceOAuth);
        // Add desired format to any query string params provided
        $queryParams['format'] = $this->format;
        // Build query string params into an encoded string
        $queryString = http_build_query($queryParams, null, '&');
        // Append query string params to URL
        $url .= "?{$queryString}";

        // Init curl handle and set standard curl options: timeouts / require SSL / verify SSL
        $curl_handle = curl_init($url);
        curl_setopt($curl_handle, CURLOPT_CONNECTTIMEOUT, 5);
        curl_setopt($curl_handle, CURLOPT_TIMEOUT, 30);
        curl_setopt($curl_handle, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
        curl_setopt($curl_handle, CURLOPT_SSL_VERIFYHOST, 2);
        curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, 1);

        // Add any headers passed in such as Authorization header
        if (!empty($headers)) {
            curl_setopt($curl_handle, CURLOPT_HTTPHEADER, $headers);
        }

        return $curl_handle;
    }

    /**
     * @param string $endpoint
     * @param string $operation
     * @param bool $useSalesforceOAuth
     * @return string
     */
    private function buildUrl($endpoint, $operation = "", $useSalesforceOAuth = true)
    {
        if ($endpoint === 'login') {
            if ($useSalesforceOAuth) {
                return self::SALESFORCE_OAUTH_TOKEN_URL;
            } else {
                return self::BASE_URL . "login";
            }
        }

        return self::BASE_URL . "{$endpoint}/version/{$this->apiVersion}/do/{$operation}";
    }

    /**
     * @param $curl_handle
     * @return array
     * @throws Exception
     */
    private function executeCall($curl_handle)
    {
        // Execute our call to the Pardot API
        $rsp = curl_exec($curl_handle);
        // Gather the HTTP response code and last effective URL called
        $httpCode = curl_getinfo($curl_handle, CURLINFO_HTTP_CODE);
        $url = curl_getinfo($curl_handle, CURLINFO_EFFECTIVE_URL);

        // Handle errors in calls, this could be a log or an exception thrown as written here
        if (!$rsp) {
            $errorMessage = curl_error($curl_handle);
            curl_close($curl_handle);
            throw new Exception("Error calling API. HTTP Code: {$httpCode}. Message: {$errorMessage}");
        }
        curl_close($curl_handle);

        // Output call response for informational purposes
        echo("URL: {$url}" . PHP_EOL);
        echo("HTTP Response Code: {$httpCode}" . PHP_EOL);
        echo("Response: {$rsp}" . PHP_EOL . PHP_EOL);

        return [$httpCode, $rsp];
    }

    /**
     * Use Pardot API using Api Key and User Key.
     */
    public function executeRequestsWithApiKeys()
    {
        // Setup user credentials
        $credentials = [
            'user_key' => '<your_user_key>',
            'email' => '<your_pardot_user_email>',
            'password' => '<your_password>'
        ];

        // Authenticate to Pardot - Must be a POST with credentials in the message body
        list($httpCode, $rsp) = $this->post('login', '', $credentials, null, [], false);
        // Capture the api_key from a successful login response
        // api_key is good for 1 hour and can be reused on subsequent calls
        $apiKey = json_decode($rsp, true)['api_key'];

        // Create Authorization Header from api_key
        $authHeader = ["Authorization: Pardot user_key={$credentials['user_key']},api_key={$apiKey}"];

        // Call Prospect Query
        list($httpCode, $rsp) = $this->get('prospect', 'query', $authHeader, ['limit' => 1]);
        // Call VisitorActivity Query
        list($httpCode, $rsp) = $this->get('visitorActivity', 'query', $authHeader, ['limit' => 1]);
        // Create a Campaign
        list($httpCode, $rsp) = $this->post(
            'campaign',
            'create',
            ['name' => 'A Campaign', 'cost' => 100],
            $authHeader
        );
    }

    /**
     * Use Pardot API with a SSO user.
     * Getting the access token and using that to use the Pardot API.
     */
    public function executeRequestsWithSalesforceOAuth()
    {
        // Setup user credentials
        $credentials = [
            "grant_type" => "password",
            "client_id" => "<your_client_id>",
            "client_secret" => "<your_client_secert>",
            "username" => "<your_salesforce_email>",
            "password" => "<your_password>"
        ];

        $pardot_business_unit_id = "<Pardot_business_unit_id>";

        // Authenticate to Salesforce - Must be a POST with credentials in the message body
        list($httpCode, $rsp) = $this->post('login', '', $credentials, null, [], true);
        // Capture the access_token from a successful login response
        $access_token = json_decode($rsp, true)['access_token'];

        // Create Authorization Header from access_token and business unit
        $authHeader = ["Authorization: Bearer {$access_token}", "Pardot-Business-Unit-Id: {$pardot_business_unit_id}"];

        // Call Prospect Query
        list($httpCode, $rsp) = $this->get('prospect', 'query', $authHeader, ['limit' => 1]);
        // Call VisitorActivity Query
        list($httpCode, $rsp) = $this->get('visitorActivity', 'query', $authHeader, ['limit' => 1]);
        // Create a Campaign
        list($httpCode, $rsp) = $this->post(
            'campaign',
            'create',
            ['name' => 'A Campaign', 'cost' => 100],
            $authHeader
        );
    }
}

// Prepare to call version 3 or 4 of the API with JSON or XML responses
$client = new SamplePardotApiClient(4, 'json');

// Authenticate to Pardot - Using API Keys
$client->executeRequestsWithApiKeys();

// Authenticate to Pardot - Using Salesforce OAuth
$client->executeRequestsWithSalesforceOAuth();

Supported API wrappers