As of March 31, 2022, support ends for applications that use our previous authorization management service and that use the following authorization and token URLs:
https://api.cc.email/v3/idfed
https://idfed.constantcontact.com/as/token.oauth2
As a result, you must update your existing application or create a new application. This includes updating your application code to use the new authorization and token URLs.
The new service also adds support for the PKCE Flow. If you have an existing application that uses the Implicit Flow, you may want to consider creating a new application integration using the more secure PKCE Flow.
Update your application in the V3 API developer portal by making a copy of your application from the My Applications tab. Constant Contact automatically converts that copy to use the new authorization management service configuration, registers your new application, and syncs your account information, such as your API key. Afterward, you need to generate a new client secret for your updated application to associate it with your client_id.
To enable your updated applications to use the new service, complete the steps that follow.
Copy Your Application
- Log in and open the My Applications tab on the V3 API developer portal.
- If you have applications that use an outdated OAuth2 configuration, the following screen displays:
- Click Close to close the screen and return to the My Applications tab or Learn More to open the OAuth2 Overview topic.
- On the My Applications tab, your applications that use the new service display in the Valid Applications table. Applications that don’t use the new service display in the Outdated Applications table.
- To update an application, click Copy next to the name of the application. If your application is successfully updated, the confirmation screen displays.
- Click Close to close the screen and return to the My Applications tab or Learn More to open the OAuth2 Overview topic.
Generate a Client Secret and Modify Your Application Settings
Generate a secret for your new updated application.
- On the My Applications tab, click the name of your new application.
- In the API Key section, click Generate Secret to generate a new client secret.
- On the App Secret screen, click Generate Secret to confirm that you want to create a secret for your new updated application. Be sure to save your new API Key and client secret in a secure location!
- Modify your application settings as needed. For example, to rename your application, under Your App’s Public Description, type the new name for your application in the text box.
Users of your updated application will need to reauthenticate their Constant Contact account and reauthorize your updated application to grant permissions to use their account data.
Update Your Application Code
To successfully use the new authorization management service, you need to make some changes to your updated application’s code.
The authorization request URL is changing from https://api.cc.email/v3/idfed to https://authz.constantcontact.com/oauth2/default/v1/authorize. The URL now includes two new query parameters:
- The state query parameter is required for all OAuth2 flows. For security, developers use state to encode and securely pass arbitrary string value(s) in the authorization request URL to uniquely identify a user’s session and to prevent cross-site request forgery. You decode the encoded value to verify it is authentic when validating the access token.
- The nonce query parameter is an arbitrary string value used to associate a client session with a token ID for the purpose of mitigating replay attacks. On receipt, you verify the nonce value using the id_token. This parameter is required for the Implicit Flow and is optional for the Authorization Code and PKCE flows.
- The offline_access scope is required to get a refresh token for the Authorization Code and PKCE OAuth2 flows.
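The following is an added example, not Constant Contact's own code: one way to build the new authorization request for the PKCE flow and to check state and nonce when the response comes back. It assumes a random per-session state value stored server-side, the standard OAuth2/PKCE parameter names (redirect_uri, response_type, scope, code_challenge, code_challenge_method), and hypothetical function and dictionary names.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://authz.constantcontact.com/oauth2/default/v1/authorize"


def build_authorization_request(client_id, redirect_uri, scopes):
    """Return (url, session); keep `session` server-side until the callback."""
    state = secrets.token_urlsafe(32)     # binds the response to this session
    nonce = secrets.token_urlsafe(32)     # later compared to the id_token nonce
    verifier = secrets.token_urlsafe(64)  # PKCE code_verifier (RFC 7636)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    if "offline_access" not in scopes:    # needed to receive a refresh token
        scopes = [*scopes, "offline_access"]
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    session = {"state": state, "nonce": nonce, "code_verifier": verifier}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", session


def handle_callback(callback_url, session):
    """Return the authorization code only if state matches this session."""
    query = parse_qs(urlparse(callback_url).query)
    returned = query.get("state", [""])[0]
    # Constant-time comparison; a missing or foreign state is rejected.
    if not hmac.compare_digest(returned.encode(), session["state"].encode()):
        raise ValueError("state mismatch: reject the callback")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def nonce_matches(id_token_claims, session):
    """Check the nonce claim of an id_token whose signature is already verified."""
    claimed = str(id_token_claims.get("nonce", ""))
    return hmac.compare_digest(claimed.encode(), session["nonce"].encode())
```

The code_verifier kept in the session is what the application later sends to the token URL; the state and nonce values should be discarded after one use.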
The access token exchange URL is changing from https://idfed.constantcontact.com/as/token.oauth2 to https://authz.constantcontact.com/oauth2/default/v1/token. The maximum lifetime of access tokens (JWT) is now increased.
The OAuth2 flow that your updated application uses determines any additional modifications to make, such as query parameters to include. For details, see the OAuth2 flow topic that is appropriate for your application:
Deactivate Invalid Applications
After you have given users of your applications ample notice and you have finished updating and testing your applications, complete the following steps to deactivate your invalid applications:
- On the My Applications tab, in the list of applications, click the name of your invalid application.
- On the application details page, click Deactivate App.
- On the Deactivate App screen, to permanently deactivate the selected application and the associated API key, click I understand this action cannot be undone, and then click Permanently Deactivate.
- On the My Applications tab, verify that the Status is now Deactivated.