SFMC connection readiness
Verify the Marketing Cloud connection before campaign execution work begins.
Campaign Builder's SFMC setup is not just an API key screen. Technical evaluators should verify launch context, OAuth handoff, business-unit mapping, account-scoped credentials, token context, and entitlement-gated execution before Bruno, agents, or Factory prepare SFMC draft artifacts.
Readiness sequence
Start with the SFMC identity and credential path.
Campaign Builder can run from first-party application sessions or SFMC-launched sessions. The useful evaluation question is whether each request resolves the intended account, workspace, Marketing Cloud user, and business unit before any SFMC-facing workflow runs.
Confirm the launch model
Campaign Builder supports first-party sessions, bearer JWTs, SFMC signed_request launches, and SFMC mc_token browser sessions. Technical pilots should identify which path will start the evaluation before testing protected agent or Factory routes.
Resolve BU-to-workspace mapping
SFMC app launches use enterprise and business unit context to resolve an sfmcBuMappings record into a Campaign Builder tenant and workspace. Missing mappings go to the unmapped flow instead of guessing the tenant.
Connect account-scoped credentials
The SFMC connection settings route accepts server-to-server or web-app credential shapes, stores the connection under the authenticated account, and returns refreshed Campaign Builder session state.
Verify token context
GET /api/v1/sfmc-connect/test replays the stored credentials against Marketing Cloud and fetches token context so evaluators can see the resolved user and business-unit context before SFMC operations run.
Implementation map
Readiness claims map to concrete Campaign Builder routes.
The product source exposes distinct route families for installed-package launch, OAuth callback, BU mapping administration, account connection settings, and Marketing Cloud operations. That separation makes setup failures easier to isolate.
Installed-package launch
GET /api/v1/sfmc/app/launch extracts enterprise, BU, SFMC user, return path, and response mode context, then resolves or provisions the mapped workspace before issuing a local session.
OAuth callback
GET /api/v1/sfmc/oauth/callback verifies signed state, exchanges the authorization code, resolves token context, stores encrypted refresh-token credentials where available, and issues the mapped Campaign Builder session.
Mapping administration
POST /api/v1/sfmc/bu-map and GET /api/v1/sfmc/bu-map manage one-to-one enterprise/business-unit mappings for admins, with mapping writes recorded in audit_logs.
Account connection settings
POST, GET, GET /test, and DELETE /api/v1/sfmc-connect manage account-level S2S or web-app Marketing Cloud credentials and connection status.
Marketing Cloud operations
/api/v1/marketingcloud routes use account-scoped credentials for Content Builder assets, email assets, Journey Builder interactions, event definitions, folder lookup, and Data Extension access.
Workspace and BU scope
Connection readiness must prove the active Campaign Builder workspace.
Salesforce Marketing Cloud Business Units are not treated as loose labels. Campaign Builder resolves account, tenant, workspace, enterprise, and business-unit context before workspace-aware data or SFMC execution routes are used.
Account is the tenant
Campaign Builder treats accountId and tenantId as the same business tenant. Account-owned settings, entitlements, and SFMC credential records stay under that account before downstream routes prepare Marketing Cloud work.
Workspace is the execution scope
workspaceId identifies the active work area for execution and data isolation. The default workspace uses workspaceId = accountId, while manual or SFMC Business Unit workspaces can separate workspace-aware data inside the same account.
Users enter through memberships
Standalone sessions use the user's active account and workspace membership. In production, standalone logins are blocked from BU-scoped workspaces, so workspace switching cannot silently enter a Marketing Cloud BU context.
SFMC BU launches resolve a mapping
SFMC launched sessions map enterpriseId plus businessUnitId to tenantId and workspaceId before Campaign Builder issues local session context or lets agent, Factory, content, journey, email, or Data Extension routes run.
Connection guardrails
A connected account still stays inside Campaign Builder review boundaries.
SFMC readiness proves Campaign Builder can resolve the right context and credentials. It does not remove entitlements, tenant scoping, CSRF checks, encrypted secret handling, or manual Marketing Cloud activation decisions.
Mapped sessions, not raw SFMC tokens
The browser handoff establishes Campaign Builder session state scoped to the mapped tenant and workspace. The local session token is not the raw Salesforce Marketing Cloud access token.
Encrypted credential storage
SFMC client secrets and refresh tokens are encrypted at rest with FIELD_ENCRYPTION_KEY using AES-256-GCM before they are persisted for account-scoped operations.
CSRF and session controls
First-party browser writes use the cb_auth HttpOnly cookie with the readable cb_csrf marker. SFMC cookie sessions use double-submit CSRF checks unless a route is explicitly bypassed.
Scoped execution surface
Connected credentials do not unlock every workflow. Agent, content-block, Bruno, and Factory routes still require authentication, tenant/workspace context, and the relevant entitlement gate.
Evaluator FAQ
What readiness proves, and what still needs review.
Connection readiness is the entry point for a serious SFMC pilot. It should make account scope, BU mapping, credential resolution, and downstream execution gates visible before campaign production work starts.
What should be checked before a Campaign Builder pilot starts?
Confirm the launch model, BU-to-workspace mapping, account-scoped SFMC credentials, token context, required entitlements, Factory prerequisites, and the review boundary for any production-bound write.
Does a valid SFMC connection mean every agent can write to Marketing Cloud?
No. The connection only proves that Marketing Cloud credentials can be resolved. Specialist routes still require entitlement checks, account and workspace scope, and confirmed write paths.
What happens when an SFMC business unit is not mapped?
The launch flow uses the unmapped screen or admin mapping path. It does not infer a tenant or workspace from the BU context alone.
Which SFMC operations become testable after connection readiness is proven?
Evaluators can then trace Content Builder assets, email assets, journeys, event definitions, folders, Data Extension access, agent workflows, Bruno dry runs, and Factory prerequisites through scoped routes.
Evaluation takeaway
Treat SFMC readiness as the first proof point.
A useful Campaign Builder evaluation should show the mapped Marketing Cloud context first, then dry-run Bruno or inspect agent and Factory routes after the account has the correct credentials and entitlements. That keeps campaign execution grounded in the customer's real SFMC setup instead of a generic AI demo.