OAuth 2.0 Client Flow

The Client Flow for authenticating apps consists of one transaction only and should be used for mobile applications. The application makes an Authentication Request to the Authorization server, and the server returns the access token to the application assuming that the Constant Contact user grants access to the app. 

OAuth 2.0 Client Flow

  1. The user opens an app on their tablet or smartphone.
  2. The application directs the user to the Constant Contact authorization server.
  3. The login screen displays, and the user logs in to their account. 
  4. The Allow Access screen displays. The user clicks Allow
  5. The authorization server redirects the user back to the client and includes the access token in the redirect URI fragment (see Access Token Response).

For users without a Constant Contact account

You have two options to allow users to sign up for a Contact Contact account if they don't already have one when they launch your app. The first option adds a sign up link to the login page by using the oauthSignup query parameter. The second option allows you to ask users if they have an account when opening your app for the first time. If they answer no, use the newUser query parameter to direct them to the account sign up page. 

Option 1: Using the oauthSignup Query Parameter

Use oauthSignup=true in the Authorization request to display "Dont have an account? Sign up free" in the top right of the login screen. This gives users who don't have an account the ability to sign up for an account and grant access to the new account. 

user login authentication request
signup is true
Login window when oauthSignup=false
(see parameters table below for more info)
Login window when oauthSignup=true


Allow Access prompt:

Authorize Window

Option 2: Using the newUser Query Parameter

When set to true, the newUser query parameter sends the user to the account signup form to create a new trial account, and then on to the Allow Access screen. This gives you the option to ask the user if they already have a Constant Contact account when they initially launch your app. If they do, you use the traditional grant access flow where the user logs in to their account, and then Allows Access. 

If the user does not have an account, use newUser=true in the Authorization Request to send the user to the Account Signup page. After signing up for a free trial account, the Allow Access screen displays. 

newTrialSignup
Authorize Window
Create Account page shows when using 
newUser=true 
(see parameters table below for more info)
Allow Access displays after user creates new account.


Authorization Request

An Authorization Request is formed as a GET call to the Authorize endpoint. 

https://oauth2.constantcontact.com/oauth2/oauth/siteowner/authorize
Parameter Values Req'd   Description
response_type
token
Yes

The value token tells the authentication server to send an
access token to a web application; response_type MUST
always be token for the client flow.

client_id
<your_API_KEY>
Yes

Identifies the client that is making the request to the server;
this parameter MUST always be set to the exact value of the API_key.

redirect_uri
<your_encoded_redirect_URI>
Yes

Tells the Authorization Server where to send the user once
access is granted.

pn
<your_encoded_partner_name>
No

Use this to attribute new accounts created using the sign up link on the Oauth flow page to a partner. Do not include this parameter if you're not a Constant Contact partner.

oauthSignup
true or false(default)
No

Use oauthSignup=true to show a sign up link on the login page. 

NOTE: This parameter is ignored when using newUser parameter.

newUser
true or false(default)
No

Use newUser=true to send users who do not have a Constant Contact account to the account signup page.

Example: Authentication request query for the client flow

https://oauth2.constantcontact.com/oauth2/oauth/siteowner/authorize?response_type=token&client_id=<your_API_KEY>&redirect_uri=<your_encoded_redirect_URI>

Access Token Response

The access token is returned to the client browser in the URL field appended to the redirect_uri, separated by the # character, as shown here:

http://localhost/#access_token=bc652ad7-c06f-4f9a-88c3-b61ccb8f7f8d&token_type=Bearer&expires_in=307422480

If the user denies the access request, or if the GET call is malformed in some way, the server returns one of the error messages described here.

NOTE: If a user's account has been inactive (user never logged in) for the 3.5 years prior to April 1, 2013, it has been deactivated. These accounts cannot be reactivated and are not allowed to obtain an access token. The Authorization Response for these accounts is:

<your_encoded_redirect_URI>?error=access_denied&error_description=This+account+is+no+longer+valid

Using Access Tokens

When making API calls, the client application uses the access_token in place of the user's Constant Contact credentials. You can use the access_token in API calls in the following ways:

In an HTTP Header - this method is preferred as the more secure way to protect the token from intercept.

GET https://api.constantcontact.com/v2/campaigns?api_key=4et8szhtkdkghfj5chxxz9f6
Authorization: Bearer a46950a6-7cad-413a-8183-550756d096f4

Using it in the query

GET https://api.constantcontact.com/v2/campaigns?api_key=4et8szhtkdkghfj5chxxz9f6&access_token=a46950a6-7cad-413a-8183-550756d096f4

NOTE: Every API call needs to include the api_key query parameter as shown in the examples above. 

Example OAuth 2.0 Flow

You can see a simple example implementation of an OAuth 2.0 flow in PHP with instructions here.