Using the Pardot API with Sandbox Accounts

We’ve integrated a Pardot Sandbox account with Salesforce using the Salesforce-Pardot Connector v2.

I’m trying to use the Pardot API with an SSO user on a Sandbox Salesforce org (i.e. when creating the Pardot user I enabled ‘Enable single sign-on with CRM’ as documented here to convert the Pardot user to an SSO-only user).

I’m obtaining my access token via Salesforce OAuth, as the documentation states:

To access the Pardot API with an SSO enabled user (including users synced from Salesforce), you must use a Salesforce OAuth endpoint for authentication.

What I’ve Tried

I’m making the following request to obtain an OAuth token, which I get successfully. (And yes I’m aware that the OAuth 2.0 Username-Password Flow should only be used for special scenarios).

POST https://test.salesforce.com/services/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=password
client_id={{Connected_App_consumerKey}}
client_secret={{Connected_App_consumerSecret}}
username={{Salesforce_SSO_username}}
password={{Salesforce_SSO_password}}

Note: I assume the documentation is wrong as it states the username is ‘the email address of the SSO user account’, when I believe they are referring to the username.

I successfully get back the OAuth token, so far, so good. Next, when I try to use the access token in to create a new batch import in Pardot:

POST https://pi.pardot.com/api/import/version/4/do/create
Content-Type: application/json
Authorization: Bearer {{access_token}}
Pardot-Business-Unit-Id: 0Uv19000000CaR7CAK

{"operation":"Upsert","object":"Prospect"}

I receive the following response:

<?xml version="1.0" encoding="UTF-8"?>
<rsp stat="fail" version="1.0">
    <err code="49">Access Denied</err>
</rsp>

I note that this error code relates to:

Problem: User is not authorized to perform the requested operation either due to access restrictions or forbidden method of passing credentials

Additional Info

The SSO user has a ‘System Administrator’ role and the Selected OAuth Scopes (in the Connected App) include:

• Access and manage your data (api)
• Perform requests on your behalf at any time (refresh_token, offline_access)
• Access Pardot services (pardot_api)

I’ve also tried other operations like /api/prospect/version/4/do/query and get the same response.

Possible Cause

My suspicion is that Pardot isn’t able to validate the access token as it was issued from a sandbox endpoint (test.salesforce.com instead of login.salesforce.com). But Pardot is integrated with the Sandbox account. Do you know if it’s possible to use the Pardot API with a sandbox SSO user? I would assume it would be, but there’s no way that I can hint to the Pardot API that this access token was obtained from a sandbox org.