Describes how you can limit your application's access to API resources.

Scopes allow you to limit your application’s access to user data and to the V3 API endpoints. When your application requests a user’s permission to access their data, Constant Contact uses authorization scopes to determine what information your application needs. Users are more likely to authorize your application to use their data when you request only the data that your application needs to function. Constant Contact defines scopes in terms of the type of data the scope provides access to.

Available Scopes

| Scope | Description |
| --- | --- |
| account_read | Grants your application permission to read account data. |
| account_update | Grants your application permission to update account data. |
| contact_data | Grants your application permission to read or write contact data and to read contact reports. |
| campaign_data | Grants your application permission to read or write campaign data and to read campaign reports. |

Constant Contact also uses scopes to determine if your application can access the V3 API endpoints.

Scopes Required by V3 API Routes

| Description | Endpoint Route | Required Scope |
| --- | --- | --- |
| Account Endpoints | /account | account_read or account_update |
| Contacts Endpoints | /contacts | contact_data |
| Contact Lists Endpoints | /contact_lists | contact_data |
| Custom Fields Endpoints | /contact_custom_fields | contact_data |
| Bulk Activities Endpoints | /activities | contact_data |
| Contacts Reporting | /reports/contact_reports | contact_data |
| Email Campaigns | /emails | campaign_data |
| Email Reporting | /reports/email_reports | campaign_data |
| Segments | /segments | contact_data |

Add Scopes

You specify which scopes your application requires when you send an authorization request to a Constant Contact user. Create an authorization request URL by adding your client_id, redirect_uri, scope, and response_type values as query parameters to the V3 API authorization endpoint.

| Auth Service Endpoint | Method | Authentication |
| --- | --- | --- |
| | GET | N/A |

| Auth Query Parameter | Description |
| --- | --- |
| client_id | The API key for your application. You can view the API keys for all of your applications or create a new application on the My Applications page. |
| redirect_uri | The URI that Constant Contact redirects the user to after they grant access to your application. The redirect_uri value you use must match one of the redirect_uri values associated with your API key. You can view or change the redirect URI values associated with your API key on the My Applications page. |
| scope | A list of the scopes you are requesting from the user. The V3 API supports the account_read, account_update, contact_data and campaign_data scopes. |
| response_type | Specifies the type of OAuth flow you are using. The server flow uses the code value and returns an authorization code. The client flow uses the token value and returns an access token. |

Example Authorization Request URL

Not encoded for readability: {client_id}&scope=contact_data+campaign_data&redirect_uri=https://localhost:8888

URL encoded: {client_id}&scope=contact_data+campaign_data&redirect_uri=https%3A%2F%2Flocalhost%3A8888

When a user clicks your authorization request URL, Constant Contact prompts the user to sign in and allow your application to access their data.

User Permission Request Screen

Constant Contact displays the scopes you requested from a user when they authorize your application.

After the user authorizes your application, Constant Contact redirects the user to your chosen redirect_uri and appends an authorization code (server flow) or an access token (client flow) to the URL. For more information on how the OAuth2.0 flows work, see the Server Flow page or the Client Flow page.

Users must either grant access to all of your scopes or decline to grant access to your application.

Error Behavior for Scopes

The V3 API returns a 403 error when you attempt to access an endpoint that you do not have the correct scopes to use.

You can check which scopes are associated with an access token by making a POST request to /token_info. For more information, see the Access Token Information Method topic.
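The following added example (not Constant Contact's own code) derives the smallest scope set from the routes an application actually calls, builds the URL-encoded authorization request from it, and reports which scopes a token lacks before a call would return 403. AUTH_ENDPOINT is a placeholder because this page does not show the endpoint URL, the function names are hypothetical, and the GET-versus-update split for /account is an assumption drawn from the scope descriptions.

```python
from urllib.parse import urlencode

# Placeholder: the page does not show the authorization endpoint URL.
AUTH_ENDPOINT = "https://auth.example.invalid/authorize"

# Route prefix -> scope, copied from the "Scopes Required by V3 API Routes" table.
ROUTE_SCOPES = {
    "/contacts": "contact_data",
    "/contact_lists": "contact_data",
    "/contact_custom_fields": "contact_data",
    "/activities": "contact_data",
    "/reports/contact_reports": "contact_data",
    "/emails": "campaign_data",
    "/reports/email_reports": "campaign_data",
    "/segments": "contact_data",
}


def required_scope(method, path):
    """Return the single scope a call needs, or raise for an unknown route."""
    path = path.split("?", 1)[0].rstrip("/")
    if path == "/account" or path.startswith("/account/"):
        # Assumption: reads use account_read, modifications use account_update.
        return "account_read" if method.upper() == "GET" else "account_update"
    for prefix, scope in ROUTE_SCOPES.items():
        # Match whole path segments so /contact_lists never matches /contacts.
        if path == prefix or path.startswith(prefix + "/"):
            return scope
    raise ValueError(f"no scope mapping for route {path!r}")


def minimal_scopes(calls):
    """Smallest scope set covering every (method, path) the app makes."""
    return sorted({required_scope(m, p) for m, p in calls})


def authorization_url(client_id, redirect_uri, calls, response_type="code"):
    """Build the URL-encoded authorization request for only the needed scopes."""
    query = urlencode({
        "client_id": client_id,
        "scope": " ".join(minimal_scopes(calls)),  # encoded as scope=a+b
        "redirect_uri": redirect_uri,
        "response_type": response_type,
    })
    return f"{AUTH_ENDPOINT}?{query}"


def missing_scopes(granted, calls):
    """Scopes the token lacks; a non-empty result predicts a 403."""
    return sorted(set(minimal_scopes(calls)) - set(granted))
```

Pass the scopes reported for the access token as the granted argument of missing_scopes.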

User Roles and Privileges

In addition to the access restrictions that you can define using scopes, Constant Contact also restricts certain types of users from accessing certain types of data. For more information, see the User Roles and Privileges Overview.