Authenticate your partner account to make authorized API calls.

Technology partners can access both standard developer endpoints and partner-only endpoints. To securely authenticate your technology partner account with CTCT, your application must send an authorization request in the form of a URL to the Constant Contact Authorization Server. If necessary, use the V3 Developer Portal to get the API key required to authenticate your partner account.

The OAuth2 authentication flow to use differs depending on if you are using developer or partner account endpoints.

Developer Account Endpoint Authentication

To get access to developer endpoints requires that you authenticate your partner account by providing your API key using either the OAuth2 Authorization Code Flow, Proof Key for Code Exchange (PKCE) Flow, or Implicit flow.

Successful authorization starts by sending a user authorization request to the Constant Contact Authorization Server, and ends when the server replies back to the client application with the user’s access token (JSON Web Token). You then use the access token to make calls to V3 API endpoints in order to get access to the user’s Constant Contact data. In exchange, you receive a bearer access token (JWT) authorizing your account to make API calls to Constant Contact account endpoints.

For more details about using OAuth2 flows, see the OAuth2 Overview.

Partner Account Endpoint Authentication

Partners authenticate their account with Constant Contact by sending a authorization request to the Authorization Server in order to get an access token (JWT). The access token and your API key are used to authorize you to make API calls to partner endpoints.

Create an Authorization Request

Use the POST /token endpoint to create an authorization request (https://v3api-partner.auth.us-east-1.amazoncognito.com/oauth2/token) that uses basic authentication (base64 encoded) to pass data as query parameters (the body of the request is empty).

To create the authorization request, specify the following:

The Content-Type header as application/x-www-form-urlencoded.
Your partner credentials (partner_client_id and partner_secret) as authorization parameters (partner_client_id:partner_secret) in the Authorization request header.

If you do not include required request headers, a 415 error response code is returned. If you use an invalid partner_client_id or grant_type, a 400 error response code is returned.

Example Partner Authorization Requests

POST https://v3api-partner.auth.us-east-1.amazoncognito.com/oauth2/token

JAVA cURL PHP

/**
  * This method uses your partner client id and partner secret to retrieve a JWT (JSON Web Token).
  *
  * @param partnerClientId      Your partner client id.
  * @param partnerClientSecret  Your partner secret.
  * @return A JSON string containing a JWT.
**/

public String getPartnerJWT(String partnerClientId, String partnerClientSecret) throws Exception {

       StringBuilder authResult = new StringBuilder();
        

      // Make authorization header with Partner Client ID:Partner Secret and encode
        String credentials = partnerClientId + ":" + partnerClientSecret;
        String auth = "Basic " + Base64.getEncoder().encodeToString(credentials.getBytes());
      
        // Create request URL
        StringBuilder requestUrl = new StringBuilder()
                .append("https://v3api-partner.auth.us-east-1.amazoncognito.com/oauth2/token")
                .append("?grant_type=client_credentials");

        URL authorizeUrl = new URL(requestUrl.toString());
        
        // Open connection
        HttpURLConnection con = (HttpURLConnection) authorizeUrl.openConnection();

        // Set Method
        con.setRequestMethod("POST");

        // Add Headers
        con.setRequestProperty("Authorization", auth);
        con.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");

        // Read response from server
        try (BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream()))) {
            String inputLine;
            while ((inputLine = in.readLine()) != null) {
                authResult.append(inputLine);
            }
        }
        return authResult.toString();
    }

<?php

$partner_client_id = '{PARTNER_CLIENT_ID}';
$partner_secret = '{PARTNER_SECRET}'

$credentials = base64_encode($partner_client_id + ':' + $partner_secret);
$url = 'https://v3api-partner.auth.us-east-1.amazoncognito.com/oauth2/token?grant_type=client_credentials'

$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => $url,
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_HTTPHEADER => array(
    "authorization: Basic $credentials",
    "content-type: application/x-www-form-urlencoded"
  ),
));

$response = curl_exec($curl);
$error = curl_error($curl);

curl_close($curl);

if ($error) {
  echo "cURL Error:" . $error;
} else {
  echo $response;
}     

AUTH=$(echo -n "$partnerClientId:$partnerSecret" | base64)

curl --request POST 'https://v3api-partner.auth.us-east-1.amazoncognito.com/oauth2/token?grant_type=client_credentials' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header "Authorization: Basic $AUTH"   

Get the Access Token

The partner authorization request returns the access token (access_token) in the response body. Copy the access token and use it when making V3 API calls to partner endpoints.

Example Partner Authorization Response

 {
  “access_token”: "*****************.eyJzdWIiOiIxNGFxNWxsNWIxaXQ2ZjYydWVmZW02YXFobiIsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoidGVzdFwvZm9vIiwiYXV0aF90aW1lIjoxNTI3ODE3MzY2LCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAudXMtZWFzdC0xLmFtYXpvbmF3cy5jb21cL3VzLWVhc3QtMV83RThJc3hDR0MiLCJleHAiOjE1Mjc4MjA5NjYsImlhdCI6MTUyNzgxNzM2NiwidmVyc2lvbiI6MiwianRpIjoiYWVlZWY1MGEtYjNiNS00MjAxLTlhOGYtOGI1ZjYzYTBlYmNjIiwiY2xpZW50X2lkIjoiMTRhcTVsbDViMWl0NmY2MnVlZmVtNmFxaG4if.LaWN4NEUrR_2gGANnDx8zINMZteR7-E_moskq__zai5BLNpiCBnVtoLHwVH3FvDFVVesMCBmD02dRhZqXkttxEMUmetFybDtEkH2KWbalOmKvibl5JuPyQEqZ5S4DN9ZUZAqv3X48F2e0Eshck-*******************-0aDBMaMtJU-QMfeFJkN2UgKQhtzi2dbLBB06dQEd6gcxh-*****************"
  “expires_in”: 3600,
  “token_type”: “Bearer”
 }

Make Authorized API Calls to Partner Endpoints

To make authorized API calls to partner endpoints, include the access token and your API key in the headers as follows:

Headers	Description	Example
`x-api-key`	The API key that uniquely identifies your technology partner application.	`ctct1234-cons-tant-cont-act012345678`
`Content-Type`	The content format type to use.	`application/json`
`Authorization`	The JWT to use to make authorized API calls to account endpoints.	See a JWT in the example that follows.

Example Partner Endpoint Request

The following GET partner/accounts method shows how to use the access token and API key to make an authorized request to a partner endpoint:

<?php
    
$token = 'JWT_TOKEN'
$api_key = 'API_KEY'
$url = 'https://api.cc.email/v3/partner/accounts'
    
$curl = curl_init();
    
curl_setopt_array($curl, array(
  CURLOPT_URL => $url,
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "GET",
  CURLOPT_HTTPHEADER => array(
    "authorization: Bearer $token",
    "x-api-key: $api_key"
  ),
));
    
$response = curl_exec($curl);
$error = curl_error($curl);
   
curl_close($curl);
    
if ($error) {
  echo "cURL Error #:" . $error;
} else {
  echo $response;
} 
   

View the partner endpoint topics to see more code examples.

For more details about sending V3 API requests on behalf of your managed clients, see Send API Requests on Behalf of Managed Client Accounts.

Tags: Technology_Partners

Technology Partner Authentication