Describes the OAuth2.0 client flow

Use this flow for apps that are considered public clients, such as browser-based or mobile apps, where the client code is downloaded from a web server and executed in the browser or on the mobile device. This flow issues an access_token directly to the client. See the Implicit Grant and Native Applications sections of RFC 6749 for more information.

The Client Flow consists of only one transaction where the application makes an Authentication Request to the authorization service, and the server returns an Authorization Response containing the access_token to the application after the Constant Contact user grants access to the app.

The client flow does not support refresh tokens - users must authenticate and grant access each time they use the app once the access_token expires.
v3 OAuth2 Client Flow
v3 OAuth2 Client Flow

Authorization Request

An Authorization Request is formed as a GET call to the authorization service.

Auth Service Endpoint Method Authentication GET N/A User authentication is invoked when the user logs in to grant access
Auth request property Value Description
‘client_id’ your_API_key The API key for your application.
‘redirect_uri’ url_endcoded_redirect_uri Tells the authorization service where to send the user once access is granted. This must be one of the redirect_uri(s) associated with your_API_key
‘scope’ ‘contact_data’ The product functionality to which the end user is granting the application access
‘response_type’ token Must always be set to token in the client flow.

Example Authorization Requests

Example Authorization Request URL

(not encoded for readability):{client_id}&scope=contact_data&redirect_uri=https://localhost:8888

URL encoded:{client_id}&scope=contact_data&redirect_uri=https%3A%2F%2Flocalhost%3A8888

curl -X GET -i -H "application/x-www-form-urlencoded" "{client_id}&scope=contact_data&redirect_uri={redirect_uri}"
      public function CTCTv3Auth($clientId, $redirectURI)
	  $request = new HttpRequest();
	  $params = array(
	    'client_id' =>$clientId,
	    'redirect_uri' => $redirectURI,
	    'response_type' => 'token',
		'scope' => 'contact_data'

	  try {
	    $response = $request->send();
	    echo $response->getBody();
	  } catch (HttpException $ex) {
	    echo $ex;

Access Token Response

Once the user grants access to the application, the authorization service returns the ‘access_token’ and ‘token_type’ appended to the redirect uri provided in the request:


The access_token has a maximum lifetime of 24 hours (86,400 seconds).