Describes how you can limit your application's access to API resources.

Scopes allow you to limit your application’s access to user data and to the V3 API endpoints. When your application requests a user’s permission to access their data, Constant Contact uses authorization scopes to determine what information your application needs. Users are more likely to authorize your application to use their data when you request only the data that your application needs to function. Constant Contact defines scopes in terms of the type of data the scope provides access to.

Available Scopes

Scope            Description
account_read     Grants your application permission to read account data.
account_update   Grants your application permission to update account data.
contact_data     Grants your application permission to read or write contact data and to read contact reports.
campaign_data    Grants your application permission to read or write campaign data and to read campaign reports.

Constant Contact also uses scopes to determine if your application can access the V3 API endpoints.

Scopes Required by V3 API Routes

Description                           Endpoint Route                                             Required Scope
Authorization Refresh Token Endpoint  https://authz.constantcontact.com/oauth2/default/v1/token  offline_access
Account Endpoints                     /account                                                   account_read or account_update
Contacts Endpoints                    /contacts                                                  contact_data
Contact Lists Endpoints               /contact_lists                                             contact_data
Custom Fields Endpoints               /contact_custom_fields                                     contact_data
Bulk Activities Endpoints             /activities                                                contact_data
Contacts Reporting                    /reports/contact_reports                                   contact_data
Email Campaigns                       /emails                                                    campaign_data
Email Reporting                       /reports/email_reports                                     campaign_data
Segments                              /segments                                                  contact_data

Add Scopes

You specify which scopes your application requires in the authorization request. The authorization request is used to direct users to Constant Contact to authenticate their user account and authorize your application to access their Constant Contact data.

To create an authorization request, make a GET call to the authorization endpoint https://authz.constantcontact.com/oauth2/default/v1/authorize and include all required request query parameters. The OAuth2 flow that your application uses determines which query parameters are required. Scope names must be space-delimited; in the URL-encoded query string each space becomes %20, for example scope=contact_data%20campaign_data%20offline_access.

For example, the following shows an encoded URL authorization request for an application that uses the Authorization Code Flow:

https://authz.constantcontact.com/oauth2/default/v1/authorize?client_id={your_client_id}&redirect_uri=https%3A%2F%2Flocalhost%3A8888&response_type=code&scope=contact_data%20campaign_data&state={URL encoded string value(s)}

For details about creating authorization requests for the different OAuth2 flows, see:

Error Behavior for Scopes

The V3 API returns a 403 (Forbidden) error when you attempt to access an endpoint and the token presented does not carry the scope that endpoint requires.
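The following is an added example, not Constant Contact's own code, that ties the two preceding sections together: it derives the least-privilege scope list from the V3 routes an application intends to call (using the route-to-scope table documented above), assembles the Authorization Code Flow request URL with the space-delimited, %20-encoded scope parameter, and, when a call later comes back with a 403, names the documented scope that is missing from the granted set. The client id, redirect URI and state value are constructed placeholders.

```python
"""Least-privilege scope selection and authorization-request construction
for the Constant Contact V3 API (added example; assumes the route-to-scope
table documented on this page; client id, redirect URI and state are
constructed placeholders)."""
import secrets
from urllib.parse import urlencode, quote, urlsplit, parse_qs

AUTHORIZE_URL = "https://authz.constantcontact.com/oauth2/default/v1/authorize"

# Route prefix -> scope(s) that grant access, as documented above.
# /account accepts either scope; the least-privileged one is listed first.
ROUTE_SCOPES = {
    "/account": ("account_read", "account_update"),
    "/contacts": ("contact_data",),
    "/contact_lists": ("contact_data",),
    "/contact_custom_fields": ("contact_data",),
    "/activities": ("contact_data",),
    "/reports/contact_reports": ("contact_data",),
    "/emails": ("campaign_data",),
    "/reports/email_reports": ("campaign_data",),
    "/segments": ("contact_data",),
}


def _scope_options(route):
    """Scopes accepted for a route; longest documented prefix wins so that
    /reports/email_reports is not matched by a shorter entry."""
    for prefix in sorted(ROUTE_SCOPES, key=len, reverse=True):
        if route == prefix or route.startswith(prefix + "/"):
            return ROUTE_SCOPES[prefix]
    raise ValueError(f"no documented scope for route {route!r}")


def required_scope(route, write_account=False):
    """Single scope to request for a route. For /account, account_update
    is chosen only when the application must modify account data."""
    options = _scope_options(route)
    if len(options) > 1 and write_account:
        return options[1]
    return options[0]


def minimal_scopes(routes, refresh_tokens=False, write_account=False):
    """Least-privilege scope list covering every route the app will call.
    offline_access is added only if the app needs refresh tokens."""
    scopes = {required_scope(r, write_account) for r in routes}
    if refresh_tokens:
        scopes.add("offline_access")
    return sorted(scopes)


def build_authorize_url(client_id, redirect_uri, scopes, state=None):
    """Authorization Code Flow request; scopes are joined with a single
    space, which urlencode turns into %20 (quote, not quote_plus, so no
    '+' appears, matching the documented example)."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        # state: unguessable per-request value used to tie the callback
        # to this request (constructed here if the caller gives none)
        "state": state or secrets.token_urlsafe(16),
    }
    return f"{AUTHORIZE_URL}?{urlencode(params, quote_via=quote)}"


def scopes_in_url(url):
    """Decode the scope parameter back into a list (round-trip check)."""
    return parse_qs(urlsplit(url).query)["scope"][0].split(" ")


def missing_scope(route, granted_scopes):
    """After a 403 on `route`, return the documented scope the token lacks
    ('a or b' when either would do), or None if the grant already covers it."""
    options = _scope_options(route)
    if any(s in granted_scopes for s in options):
        return None
    return " or ".join(options)


if __name__ == "__main__":
    wanted = minimal_scopes(["/contacts", "/emails/123"], refresh_tokens=True)
    print(build_authorize_url("example_client_id",  # constructed placeholder
                              "https://localhost:8888", wanted, state="xyz"))
    print(missing_scope("/reports/email_reports", ["contact_data"]))
```

Requesting only what `minimal_scopes` returns keeps the consent screen short, and `missing_scope` turns an otherwise opaque 403 into an actionable message for the operator (re-authorize with the named scope) rather than a prompt to request every scope.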

User Roles and Privileges

In addition to the access restrictions that you can define using scopes, Constant Contact also restricts certain types of users from accessing certain types of data. For more information, see the User Roles and Privileges Overview.