Describes the OAuth2.0 client flow

Use the OAuth2 client flow if your application is a public client, that is, one whose source code is available to the public and which therefore cannot keep a client secret confidential. Public clients include client-side JavaScript applications and mobile applications.

After you complete the OAuth2 client flow, Constant Contact returns an access token. Use this access token to make requests to the V3 API.

The client flow does not issue refresh tokens. When an access token expires, the user must authorize your application with Constant Contact again. Access tokens expire two hours (7,200 seconds) after their last use and have a maximum lifetime of 24 hours (86,400 seconds).

To use the OAuth2 client flow, you must create and configure a V3 API application. For the prerequisites, see the Authentication Overview. The OAuth2 client flow does not use your application secret, because a public client cannot keep it confidential.

Authenticate Using the Client Flow

Step 1: Create an Authorization Request URL

Create an authorization request URL by adding your client_id, redirect_uri, response_type, and scope values as query parameters to the authorization endpoint.

  • client_id (required). The API key for your application. You can view the API keys for all of your applications or create a new application on the My Applications page.
  • redirect_uri (required). The URI that Constant Contact redirects the user to after they grant access to your application. For more information, see the Authentication Overview page.
  • scope (optional). A space-separated list of the scopes that your application requires. The V3 API currently supports the contact_data and campaign_data scopes. For more information on scopes and the specific scopes required by each V3 API endpoint, see the Scopes Overview page.
  • response_type (required). Set to token. The client flow returns the access token directly in the redirect rather than an authorization code.

The finished authorization request URL will look like:
{your_client_id}&redirect_uri=https%3A%2F%2Flocalhost%3A8888&response_type=token&scope=contact_data+campaign_data

Example Authorization Request URL

/**
 * This function can be used to generate the URL an account owner would use to allow your app to access their account.
 * After visiting the URL, the account owner is prompted to log in and allow your app to access their account.
 * They are then redirected to your redirect URL with the access token appended as a URL hash fragment. e.g.:
 * http://localhost:8888/#access_token={new_access_token}&token_type=Bearer
 *
 * @param $redirectURI - URL Encoded Redirect URI
 * @param $clientId - API Key
 * @return string - Full Authorization URL
 */
function getAuthorizationURL($redirectURI, $clientId) {
    // Create authorization URL
    $baseURL = ""; // the V3 authorization endpoint URL
    // The client flow always uses response_type=token; this example requests only the contact_data scope
    $authURL = $baseURL . "?client_id=" . $clientId . "&scope=contact_data&response_type=token" . "&redirect_uri=" . $redirectURI;

    return $authURL;
}

Step 2: Add the Authorization Request URL to Your Application

Add the authorization request URL to your application and direct your application’s users to the URL. Constant Contact then prompts the users to sign in and allow your application to access their data. Constant Contact displays the scopes you requested from a user when they authorize your application.

User Permission Request Screen

Step 3: Retrieve the Access Token

After a user successfully grants your application access to their data, Constant Contact redirects the user to your chosen redirect_uri with access_token and token_type=Bearer appended in the URL fragment (after the #), in the form shown in the comment of the example function above. Because browsers do not send the fragment to the server, your client-side code must read the token from the fragment itself.


Use this access token to send requests in the V3 API by adding it to the Authorization request header in the format Authorization: Bearer {your_access_token}.

See the Authorization Request Errors table in the Authentication Overview for information on how to handle authorization request errors.

Access tokens automatically expire two hours (7,200 seconds) after their last use. Access tokens have a maximum lifetime of 24 hours (86,400 seconds). Making an API call with an expired access token returns a 401 unauthorized status code.
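The three steps above carried through end to end in browser-side JavaScript, as an added example that is not code from this page or from Constant Contact. It assumes the authorization endpoint URL is passed in by the caller (the page does not show it here), that the redirect is read from the browser's own location after the round trip, and, for the failure path, that errors arrive as the standard OAuth2 error and error_description parameters in the fragment. It goes slightly beyond the page by rejecting a token that appears in the query string instead of the fragment and by stripping the fragment after the token has been read; the redirect URLs in the comments and usage are constructed.

```javascript
// Added example (not Constant Contact's own code): the client (implicit) flow
// on the browser side. Assumption: the authorization endpoint URL is supplied
// by the caller, since it is not shown on this page.

// Scopes the page lists for the V3 API.
const SUPPORTED_SCOPES = new Set(["contact_data", "campaign_data"]);

// Step 1: build the authorization request URL. URLSearchParams percent-encodes
// redirect_uri and serialises the space-separated scope list with "+", which
// matches the form of the finished URL shown above.
function buildAuthorizationUrl(authorizeEndpoint, clientId, redirectUri, scopes = []) {
  if (!clientId || !redirectUri) {
    throw new Error("client_id and redirect_uri are required");
  }
  for (const scope of scopes) {
    if (!SUPPORTED_SCOPES.has(scope)) throw new Error(`unsupported scope: ${scope}`);
  }
  const url = new URL(authorizeEndpoint);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("response_type", "token"); // the client flow always asks for a token
  if (scopes.length > 0) url.searchParams.set("scope", scopes.join(" "));
  return url.toString();
}

// Step 3: read the token out of the redirect. The token is in the URL
// fragment (after "#"), which the browser never sends to the server, so this
// runs client-side, typically on window.location.href after the redirect.
// A token found in the query string instead is rejected: this flow never
// puts one there, and a bearer token in a query string would reach the server.
// Error responses are assumed to carry the standard OAuth2 "error" and
// "error_description" parameters (an assumption; the page defers to the
// Authentication Overview for the actual error table).
function parseAuthorizationResponse(redirectedUrl) {
  const url = new URL(redirectedUrl);
  const params = new URLSearchParams(url.hash.replace(/^#/, ""));
  if (params.has("error")) {
    return { ok: false, error: params.get("error"), description: params.get("error_description") || "" };
  }
  const accessToken = params.get("access_token");
  const tokenType = params.get("token_type") || "";
  if (!accessToken) {
    return { ok: false, error: "missing_token", description: "no access_token in the URL fragment" };
  }
  if (tokenType.toLowerCase() !== "bearer") {
    return { ok: false, error: "unexpected_token_type", description: `token_type=${tokenType}` };
  }
  return { ok: true, accessToken, tokenType: "Bearer" };
}

// Once the token has been read, drop the fragment so it does not linger in
// browser history or get copied along with the URL; in a browser, pass the
// result to history.replaceState(null, "", scrubFragment(location.href)).
function scrubFragment(redirectedUrl) {
  const url = new URL(redirectedUrl);
  url.hash = "";
  return url.toString();
}

// Header for V3 API requests: Authorization: Bearer {your_access_token}.
function authorizationHeader(accessToken) {
  return { Authorization: `Bearer ${accessToken}` };
}

// There are no refresh tokens in this flow, so a 401 from the API means the
// token expired (two hours idle, 24 hours at most) and the user has to be sent
// back through buildAuthorizationUrl(); other statuses are the caller's to handle.
function shouldReauthenticate(status) {
  return status === 401;
}

// Usage with constructed values (the endpoint host is a placeholder):
const authUrl = buildAuthorizationUrl(
  "https://example.invalid/authorize", "abc123", "https://localhost:8888",
  ["contact_data", "campaign_data"]);
const result = parseAuthorizationResponse("http://localhost:8888/#access_token=tok_xyz&token_type=Bearer");
```

Keep the token in memory (or session-scoped storage at most) rather than in a cookie or localStorage that outlives the 24-hour ceiling, and never send it in a URL: it belongs only in the Authorization header.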