Scopes allow you to limit your application’s access to user data and to the V3 API endpoints. When your application requests a user’s permission to access their data, Constant Contact uses authorization scopes to determine what information your application needs. Users are more likely to authorize your application to use their data when you request only the data that your application needs to function. Constant Contact defines scopes in terms of the type of data the scope provides access to.

| Scope | Description |
|---|---|
| account_read | Grants your application permission to read account data. |
| account_update | Grants your application permission to update account data. |
| contact_data | Grants your application permission to read or write contact data and to read contact reports. |
| campaign_data | Grants your application permission to read or write campaign data and to read campaign reports. |

Constant Contact also uses scopes to determine if your application can access the V3 API endpoints.
Scopes Required by V3 API Routes

| Description | Endpoint Route | Required Scope |
|---|---|---|
| Account Endpoints | /account | account_read or account_update |
| Contact Lists Endpoints | /contact_lists | contact_data |
| Custom Fields Endpoints | /contact_custom_fields | contact_data |
| Bulk Activities Endpoints | /activities | contact_data |

You specify which scopes your application requires when you send an authorization request to a Constant Contact user. Create an authorization request URL by adding your
response_type values as query parameters to the V3 API authorization endpoint.
|Auth Service Endpoint||Method||Authentication|
|Auth Query Parameter||Description|
||The API key for your application. You can view the API keys for all of your applications or create a new application on the My Applications page.|
||The URI that Constant Contact redirects the user to after they grant access to your application. The
||A list of the scopes you are requesting from the user. The V3 API supports the
||Specifies the type of OAuth flow you are using. The server flow uses the
Example Authorization Request URL
Not encoded for readability:
When a user clicks your authorization request URL, Constant Contact prompts the user to sign in and allow your application to access their data.
Constant Contact displays the scopes you requested from a user when they authorize your application.
After the user authorizes your application, Constant Contact redirects the user to your chosen redirect_uri and appends an authorization code (server flow) or an access token (client flow) to the URL. For more information on how the OAuth 2.0 flows work, see the Server Flow page or the Client Flow page.
Error Behavior for Scopes
The V3 API returns a 403 error when you attempt to access an endpoint that you do not have the correct scopes to use.
You can check which scopes are associated with an access token by making a POST request to /token_info. For more information, see the Access Token Information Method topic.
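
The following is an added example, not code from Constant Contact: it derives the smallest scope set from the routes table above, builds an authorization request URL with only those scopes, and compares a token's granted scopes against planned calls to predict a 403. Assumptions: the `client_id` and `scope` parameter names and the space-delimited scope list follow RFC 6749, `code` is the standard OAuth 2.0 authorization-code value, sub-paths inherit their route's scope, and the endpoint, API key and redirect URI are placeholders.

```python
from urllib.parse import urlencode

# Route prefix -> required scope, copied from the routes table on this page.
ROUTE_SCOPES = {
    "/contact_lists": "contact_data",
    "/contact_custom_fields": "contact_data",
    "/activities": "contact_data",
}

def _under(route, prefix):
    # Assumption: sub-paths of a listed route need the same scope as the route.
    return route == prefix or route.startswith(prefix + "/")

def required_scope(route, write=False):
    """Scope one call needs; /account depends on read vs. update."""
    if _under(route, "/account"):
        return "account_update" if write else "account_read"
    for prefix, scope in ROUTE_SCOPES.items():
        if _under(route, prefix):
            return scope
    raise ValueError(f"route {route!r} is not in the page's scope table")

def minimal_scopes(planned_calls):
    """planned_calls: iterable of (route, write). Returns the smallest scope list."""
    return sorted({required_scope(route, write) for route, write in planned_calls})

def build_auth_url(auth_endpoint, api_key, redirect_uri, scopes, response_type):
    """Assemble the authorization request URL with only the scopes passed in."""
    query = urlencode({
        "client_id": api_key,            # assumed name (RFC 6749) for the API key
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),       # assumed space-delimited, per RFC 6749
        "response_type": response_type,
    })
    return f"{auth_endpoint}?{query}"

def missing_scopes(granted, planned_calls):
    """Scopes the token lacks; any call needing one of these would get a 403."""
    return sorted(set(minimal_scopes(planned_calls)) - set(granted))

if __name__ == "__main__":
    calls = [("/account", False), ("/contact_lists", True)]  # constructed sample
    print(build_auth_url("https://auth.example.invalid/authorize",  # placeholder
                         "YOUR_API_KEY", "https://app.example.invalid/callback",
                         minimal_scopes(calls), "code"))
    print(missing_scopes(["contact_data"], calls))  # granted list is constructed
```

The `granted` argument is the scope list you would read from the /token_info response; its field layout is not shown on this page, so the example takes a plain list.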
In addition to the access restrictions that you can define using scopes, Constant Contact also restricts certain types of users from accessing certain types of data. For more information, see the User Roles and Privileges Overview.