Pardot v5 uses Salesforce Identity for auth — obtain a Salesforce access token via the standard OAuth flow (authorization code or JWT Bearer) for the connected Salesforce org.
Every Pardot v5 API request requires a Pardot-Business-Unit-Id header containing the 18-character Pardot business unit ID (found in Salesforce Setup > Account Engagement > Business Units).
Set the base URL to https://pi.pardot.com/api/v5/; include Authorization: Bearer {salesforce_access_token} and Pardot-Business-Unit-Id: {buId} on every request.
To query prospects: GET /api/v5/objects/prospects?fields=id,email,firstName,lastName&orderBy=updatedAt — use the 'fields' parameter to limit returned data.
Paginate using the 'nextPageToken' field returned in the response when there are more results; pass it as the 'nextPageToken' query parameter on subsequent requests.
To upsert a prospect, PATCH /api/v5/objects/prospects with the prospect's email as the match field using the 'matchBy' parameter.
Known gotchas
Pardot v5 is distinct from v3/v4 — v5 is the only supported version going forward; do not use the legacy /api/prospect/version/3/ path.
The Pardot-Business-Unit-Id header is mandatory on every request; omitting it returns a 400 even with a valid Salesforce access token.
Salesforce access tokens expire on the standard Salesforce schedule (around 2 hours for connected app default); implement token refresh so long-running sync processes do not fail mid-run.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp