How do I manage my application settings, API keys, and access tokens?

How do I….

Click the FAQ title to expand or collapse details.

Get an API key?

The first step to making calls in our V3 API is to register an application to obtain an API Key and generate a secret.

Typically 3rd-party application developers will have their own API Key and Client Secret which lets their app talk to Constant Contact. However, some developers may require you to provide them with your own API Key and Client Secret. If you are using an integration that wants you to provide this information and are just not sure where to find those, then you can also use this step-by-step guide to generate this information.

Step 1: Visit the developer portal

To get started registering a new application, visit the Developer Portal.

Step 2: Click on My Applications in the top navigation bar

If prompted, log in to your Constant Contact account or click Sign up to create a new trial account if you don't yet have one.

Step 3: Create a new application

  1. Click the New Application button on the My Applications page.
  2. Name your new application.
    This is how you will identify your application. You will have the opportunity to enter a public facing name later. This should be the name of your application or integration. This cannot be changed once the application is created.
  3. Generate your secret.
    Click the Generate Secret button, and then press the Generate Secret button again on the confirmation overlay. During the OAuth flow, you use your Secret for basic authentication along with your API key to generate access tokens and refresh tokens. Generating a new secret will make your previous secret invalid, and it is only shown once so be sure to keep a record of it somewhere safe.
  4. Enter in your Redirect URI
    This is the web address that users are directed to after they grant access to your application. They are sent there with the authorization code (server flow) or the access token (client flow).
  5. Fill in Your App's Public Description.
    This information is shown to users when they are asked to grant your application access to their account.
    1. Enter your application's public name.
      This should be the public brand of your application and is the name of your app users will see during the OAuth flow. You cannot use "Constant Contact" in the name.
    2. Enter Your App's Logo URL - optional.
      This is the location of where the logo you would like to show on the Grant Access page is hosted.
    3. Enter an App Description - optional.
      This allows you to enter a brief description of your application.
  6. Click the Save button.

You are now ready to set up authorization and start making calls to our V3 API!

Know if my application requires users to keep granting permissions?

The first time a user logs in to your application, they need to grant your application permissions to their Constant Contact data. If you are using the Implicit Flow for your integration, your users must log in to reauthenticate with Constant Contact (generating a new access token) each time they launch your application.

Know if refresh tokens expire?

If you are using the Authorization Code flow for your integration, a new refresh token is provided each time a new access token is generated. Refresh tokens do not expire and are only used once.

Make access tokens last longer?

If the access token is generated but never used, it will have a minimum lifetime of one hour (3,600 seconds). If the access token is used to make API calls, it will expire two hours (7,200 seconds) after the last time it was used. However; please keep in mind the maximum lifetime of the access token is twenty four hours (86,400 seconds) before it expires and must be refreshed.

If you are using the server flow for your integration, you can use a refresh token to extend the lifetime of your access token by exchanging an expired access token for a new access token; without requiring a user to grant access again.

If you are using the client flow for your integration, your users must log in to reauthenticate with Constant Contact (generating a new access token) each time they launch your application.

Pro Tip

One method that you can use to automate the use of your refresh token to exchange for a new access token is to set two timers when you generate your access token. One timer counts to two hours and the other timer counts to twenty four hours. Restart the two-hour timer every time you make an API call. If either timer ever reaches its end time, use your refresh token to get a new access token. </i> For more details, see Refresh the Access Token.