SFMC request traceability
Trace a Campaign Builder action from request to reviewed SFMC execution evidence.
A Salesforce Marketing Cloud evaluation should prove more than generated copy. Campaign Builder exposes request IDs, outbound correlation, redacted logs, audit records, OpenAI usage context, and Bruno run evidence so production-bound work can be reviewed without exposing secrets.
Trace layers
Request correlation is part of the SFMC control surface.
Campaign Builder connects browser/API actions, Bruno orchestration, Factory workflows, and Marketing Cloud calls with request context that support teams can inspect during a pilot.
Inbound request ID
Campaign Builder accepts an inbound x-request-id or generates one, sets req.requestId, returns the same response header, and stores request metadata in AsyncLocalStorage for downstream logging.
Outbound SFMC correlation
The approved HTTP helper injects the active request ID into outbound Axios and fetch calls, including SFMC-dependent execution paths, so a reviewed action can be connected to downstream diagnostics.
Central error evidence
Centralized error handling includes the request ID in stable JSON errors and hides unexposed 5xx details in production, giving support teams a reference without leaking sensitive payloads.
Guarded implementation contract
The observability guard blocks routes that bypass centralized errors, mutate x-request-id outside requestContext, or use direct axios/fetch calls instead of the request-aware helper.
Evidence records
What a technical evaluator can ask Campaign Builder to show.
The trace should connect to records that are safe to inspect: operational metadata, scoped actor context, low-risk target identifiers, and usage accounting rather than raw SFMC or AI payloads.
API logs
api_logs records request ID, method, path, route, status, duration, IP, user agent, user, account, tenant, workspace, auth source, sanitized query, and sanitized non-GET body context.
Audit logs
audit_logs is the centralized user-action sink for auth/session events, settings/admin changes, SFMC connection changes, content publish actions, SFMC external side effects, and Bruno write-skill executions.
OpenAI usage logs
openai_logs records action, model, endpoint, request_id, user, account, tenant, workspace, token counts, and explicit missing-usage reasons without storing raw prompts or raw model responses.
Bruno run evidence
Bruno execution uses dry runs, pending write previews, durable run records, artifact ledgers, request journals, resume support, and manual Journey activation warnings for production-bound review.
Evaluator sequence
A practical way to review one SFMC execution trace.
Use this sequence for a controlled pilot action before expanding to more campaign teams, more Business Units, or confirmed write paths.
Start with the pilot action
Pick one concrete action such as Campaign Agent planning, Bruno dry run, Email Agent update preview, Factory template email generation, Content Builder save, image insertion, or Journey draft creation.
Capture the request ID
Use the x-request-id response header or supplied inbound x-request-id as the primary thread that ties the browser/API action to API logs, audit events, usage records, and downstream SFMC calls.
Check scoped identity
Confirm the request resolved the expected user, account, tenant, workspace, auth source, login source, SFMC enterprise ID, and Business Unit mapping before trusting the artifact it produced.
Separate reads, drafts, writes, and manual launch
Classify the action as a read or preview, draft-building operation, confirmed write, or manual Marketing Cloud launch step so the trace does not imply hidden SFMC automation.
Redaction boundary
Traceability should not become sensitive data exposure.
Campaign Builder's implemented logs are designed for operational review, not raw prompt replay or raw Salesforce Marketing Cloud payload storage.
API logging redacts sensitive key patterns such as password, token, secret, authorization, cookie, prompt, messages, response, raw, body, payload, base64, image, and sfmc.
Audit logs use stable action names, safe target identifiers, sanitized metadata, actor/account/workspace context, request metadata, and timestamps instead of raw customer content.
OpenAI usage records preserve tenant/workspace/request context and token accounting while avoiding raw prompt and raw response logging.
Audit insert failures are non-blocking for user requests and emit sanitized request-aware warnings rather than exposing payload details.
FAQ
Questions for SFMC admins and security reviewers.
What should an SFMC admin ask for after a demo action?
Ask for the x-request-id, the resolved account and workspace, the entitlement path, whether the action was read, draft, confirmed write, or manual launch, and the matching API or audit evidence.
Does traceability mean Campaign Builder stores raw prompts or SFMC payloads?
No. The implemented logging model intentionally redacts prompts, messages, raw responses, payloads, base64/image data, SFMC secrets, tokens, cookies, credentials, billing fields, and customer content payloads.
Which actions should leave audit evidence?
Security-sensitive and production-bound actions such as auth/session changes, admin/settings changes, SFMC connection updates, content creation or publish actions, SFMC external side effects, and Bruno write-skill execution should be reviewable through audit records.
Next reading
Pair traceability with execution boundaries.
Use request traceability alongside the security review, write-boundaries guide, and pilot plan to prove exactly which SFMC operations are reads, drafts, confirmed writes, or manual Marketing Cloud launch steps.