Create a Server-to-Server installed package in Marketing Cloud Setup and record the Client ID, Client Secret, and the tenant-specific subdomain (TSSD) shown on the package page.
POST to https://{TSSD}.auth.marketingcloudapis.com/v2/token with grant_type: client_credentials, client_id, and client_secret in the JSON body.
The response contains 'access_token', 'token_type': 'Bearer', 'expires_in' (seconds, typically 1080), and 'rest_instance_url' — store the rest_instance_url as the base for all subsequent API calls.
Include Authorization: Bearer {access_token} on all Marketing Cloud REST requests and use the rest_instance_url (not a generic domain) as the host.
Implement token caching: refresh the token when expires_in minus a safety buffer (e.g., 60 seconds) is reached rather than re-authenticating on every request.
For multi-business-unit scenarios, note that the token is scoped to the BU of the installed package — cross-BU operations require a separate installed package per BU or use of the MID-scoped endpoints.
Known gotchas
The TSSD subdomain is unique per tenant — do not hardcode a generic domain; using the wrong subdomain results in a 401 regardless of valid credentials.
Marketing Cloud access tokens are short-lived (around 18 minutes); a background token refresh process is essential for long-running agent workflows.
Scopes are configured at the installed package level in Marketing Cloud Setup — if an API call returns a 403, the required scope (e.g., Journeys, Data Extensions) may not be enabled on the package.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp