Scopes allow you to limit your application’s access to user data and to the V3 API endpoints. When your application requests a user’s permission to access their data, Constant Contact uses authorization scopes to determine what information your application needs. Users are more likely to authorize your application to use their data when you request only the data that your application needs to function. Constant Contact defines scopes in terms of the type of data the scope provides access to.
Available Scopes
Scope | Description |
---|---|
account_read | Grants your application permission to read account data. |
account_update | Grants your application permission to update account data. |
contact_data | Grants your application permission to read or write contact data and to read contact reports. |
campaign_data | Grants your application permission to read or write campaign data and to read campaign reports. |
Constant Contact also uses scopes to determine if your application can access the V3 API endpoints.
Scopes Required by V3 API Routes
Description | Endpoint Route | Required Scope |
---|---|---|
Authorization Refresh Token Endpoint | https://authz.constantcontact.com/oauth2/default/v1/token | offline_access |
Account Endpoints | /account | account_read or account_update |
Contacts Endpoints | /contacts | contact_data |
Contact Lists Endpoints | /contact_lists | contact_data |
Custom Fields Endpoints | /contact_custom_fields | contact_data |
Bulk Activities Endpoints | /activities | contact_data |
Contacts Reporting | /reports/contact_reports | contact_data |
Email Campaigns | /emails | campaign_data |
Email Reporting | /reports/email_reports | campaign_data |
Segments | /segments | contact_data |
Add Scopes
You specify which scopes your application requires in the authorization request. The authorization request is used to direct users to Constant Contact to authenticate their user account and authorize your application to access their Constant Contact data.
To create an authorization request, make a GET call to the authorization endpoint https://authz.constantcontact.com/oauth2/default/v1/authorize and include all required request query parameters. The OAuth2 flow that your application uses determines which query parameters are required. Scope names must be space-delimited, with each space URL-encoded as %20 in the request URL. For example: {contact_data%20campaign_data%20offline_access}.
For example, the following shows an encoded URL authorization request for an application that uses the Authorization Code Flow:
https://authz.constantcontact.com/oauth2/default/v1/authorize?client_id={your_client_id}&redirect_uri=https%3A%2F%2Flocalhost%3A8888&response_type=code&scope=contact_data%20campaign_data&state={URL encoded string value(s)}
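The following Python code is an added example, not Constant Contact's own code. It derives the smallest scope set from the routes an application actually calls, using the route table on this page, and builds the Authorization Code Flow request with the scopes encoded as %20. The function names and the rule that GET on /account needs account_read while other methods need account_update are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlencode, quote

AUTHORIZE_URL = "https://authz.constantcontact.com/oauth2/default/v1/authorize"

# Route prefix -> required scope, copied from the table on this page.
ROUTE_SCOPES = {
    "/contacts": "contact_data",
    "/contact_lists": "contact_data",
    "/contact_custom_fields": "contact_data",
    "/activities": "contact_data",
    "/reports/contact_reports": "contact_data",
    "/segments": "contact_data",
    "/emails": "campaign_data",
    "/reports/email_reports": "campaign_data",
}

def scope_for(method, path):
    """Return the single scope one API call needs; raise for unknown routes."""
    if path == "/account" or path.startswith("/account/"):
        # Assumption: GET maps to account_read, any other method to account_update.
        return "account_read" if method.upper() == "GET" else "account_update"
    for prefix, scope in ROUTE_SCOPES.items():
        if path == prefix or path.startswith(prefix + "/"):
            return scope
    raise ValueError(f"no scope known for route {path!r}")

def minimal_scopes(calls, refresh_token=False):
    """Smallest scope list covering every (method, path) call the app makes."""
    scopes = {scope_for(method, path) for method, path in calls}
    if refresh_token:
        scopes.add("offline_access")  # required by the refresh token endpoint
    return sorted(scopes)

def build_authorize_url(client_id, redirect_uri, scopes, state=None):
    """Build the Authorization Code Flow request; returns (url, state)."""
    # An unguessable state lets the callback handler reject forged responses.
    state = state or secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),  # space-delimited; quote() emits %20, not +
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote), state
```

Store the returned state value in the user's session and compare it with the state parameter on the redirect before exchanging the code.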
For details about creating authorization requests for the different OAuth2 flows, see:
Error Behavior for Scopes
The V3 API returns a 403 error when your application attempts to access an endpoint without the scope that the endpoint requires.
In addition to the access restrictions that you can define using scopes, Constant Contact also restricts certain types of users from accessing certain types of data. For more information, see the User Roles and Privileges Overview.