Re: Adding Contacts to List with OAuth? - Constant Contact Community

MaggieS418 · ‎02-12-2021

Maybe I'm missing something, but I don't understand how the OAuth flow works when adding contacts to a list from a "Email Signup" form on a website, where the user obviously doesn't have access to the Constant Contact account. The API method I'm looking at is here: https://v3.developer.constantcontact.com/api_guide/contacts_create_or_update.html

OAuth authentication just doesn't make sense in this scenario.

MarkNetAlliance · ‎02-12-2021

I am looking for this exact issue as well and I can't see how it is possible.

JeffE86 · ‎03-23-2021

I spent a lot of time on this, and it doesn't appear that non-interactive Oauth is possible with the v3 api. It renders their api useless for server-to-server applications.

NCPC_DC · ‎03-28-2021

I basically asked the same question about a week ago See Here and I have received no replies. I am beginning to doubt the helpfulness of this forum.

Courtney_E · ‎04-27-2021

Hello MaggieS418,

Thank you for reaching out to Constant Contact API Developer Support and for your patience. My team is here to assist outside software developers with questions about building into Constant Contact's API.

When adding contacts to a list from a custom sign-up form app, the "user" referred to in the OAuth Server Flow would be the owner of the website who is setting up the form, as opposed to the contacts filling out the form. The owner of the website (and Constant Contact account) would grant the app access to their account during the initial setup of the form, after which the app would use step 5 of the Server Flow to exchange it's Refresh Token for a new pair of tokens whenever the Access Token expires, without the owner needing to log in again.

V3 API OAuth2.0 Server Flow

https://developer.constantcontact.com/api_guide/server_flow.html

V3 API Token Overview

https://developer.constantcontact.com/api_guide/auth_overview.html#tokens

Regards,

Courtney E.
Tier II API Support Engineer

Did I answer your question?
If so, please mark my post as an "Accepted Solution" by clicking the Accept as Solution button in the bottom right hand corner of this post.

igvinc · ‎06-18-2021

Same problem here.

In V2 of the API

We have a simple HTML/PHP signup form on a basic landing page

We have an API key, a Secret, and a Token
Users fills out the form, agrees to terms, gets a Double opt in
Result: using the LIST_ID, and 2 custom fields the user is added to a specific list.
done. (works great only in V2)

that brings us to v3... :(. . .

I think you are right, so far it has proven Impossible to accomplish the simple task of
"adding 1 user to a specific list with some custom fields"

No way to generate an access token that stays good long enough to leave the landing page up
No way to add 1 user to a specific list
Documentation does not make sense
Constantly have to refresh the token
No clear examples
Examples given do not work

Other problems we ran into:

https://v3.developer.constantcontact.com/api_guide/contacts_create.html
Create contacts has no explanation on how to add that 1 user to a specific list
'authorization' => 'Bearer {access_token}'
Disambiguation needed
Assume access_token = 12345
Does not work: '{12345}'
Does not work: 'Bearer {12345}'
Does not work: 'Bearer 12345'
Does not work: '12345'
access_token and refresh_token constantly expire
Impossible to hardcode API_key, Secret, Token into a variable in PHP to allow landing pages to work

Our Conclusion:

V3 does not work for adding 1 contact to a list after they fill out a form.

Ergo: Our solution was and still is to use v2
(or switch to another platform that has a working API, which seems rude/inappropriate to talk about any further in this forum)

Sorry... but you are not alone!

Courtney_E · ‎06-23-2021

Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.

While V2 API Access tokens are valid for 10 years, V3 Access tokens automatically expire two hours after their last use, with a maximum lifetime of twenty four hours. This ensures a higher level of security for the connection. The V3 refresh token does not expire unless it is used or a new refresh token has been generated. Refresh tokens can only be used once, as generating a new set of tokens causes all previous tokens to expire.

You will need to set the access token and the refresh token as values for corresponding variables in your application, so that when your program runs through step 5 of the OAuth2.0 Server Flow to get the new set of tokens it can assign new values to those variables to maintain an authenticated connection.

V3 API - Refresh the Access Token
https://v3.developer.constantcontact.com/api_guide/server_flow.html#step-5-refresh-the-access-token

How to Make Access Tokens Last Longer
https://developer.constantcontact.com/api_guide/faqs_manage_applications.html

You can use the POST /contacts/sign_up_form endpoint to add a new contact to an account or update an existing contact based on their email address.

Create or Update a Contact
https://v3.developer.constantcontact.com/api_guide/contacts_create_or_update.html

The request for V3 application code samples is currently under review. However, we're currently still adding endpoints and capabilities to the V3 API, and do not plan to publish official SDKs or sample apps until that process is complete. Your feedback and experience with this request is essential to improving our product, so thank you for reaching out to us regarding this matter.

In the meantime, here are the example calls that are currently available for V3:

V3 Code Samples:
https://v3.developer.constantcontact.com/api_guide/tag_code_samples.html

Regards,

Courtney E.
Tier II API Support Engineer

Did I answer your question?
If so, please mark my post as an "Accepted Solution" by clicking the Accept as Solution button in the bottom right hand corner of this post.

DaveY53 · ‎08-11-2021

Instead of OAuth2, the CC API developers should consider OAuthX, the latest version, which has 38 steps instead of 5. It is way more secure than OAuth2 and, so totally worth it, and developers really don't mind the extra 33 steps.

DaveY53 · ‎08-11-2021

Seriously though, the CC v3 API makes ZERO sense. I have spent hours on this and gotten nowhere. The premise that there is a landing page is nonsensical. What developers want is simple server-server communication like https://api.cc.com/update_contact?id=1423&phone=7775554444&api_key=52165362

That's all there is to it. Get your api key. Make calls.

Duh.

Courtney_E · ‎08-11-2021

Hello DaveY53,

At this time, there is no way to bypass the Authorization Request screen for the V3 API and it must be accessed via a browser window, but you should only need to authorize an account once, after that you’ll use step 5 of the V3 API OAuth Server Flow to get a new set of tokens to maintain an authenticated connection.

To get started with the V3 API, you’ll want to start by going through the V3 API OAuth Server Flow. Please note, after step 1, you should set up step 4 before proceeding, because the authorization code from steps 2 and 3 only has a lifespan of 60 seconds.

V3 API OAuth2.0 Server Flow
https://v3.developer.constantcontact.com/api_guide/server_flow.html

Tokens Overview
https://developer.constantcontact.com/api_guide/auth_overview.html#tokens

Once you have your first set of tokens, you’ll want to set the access token and the refresh token as values for corresponding variables in your application, so that when your program runs through step 5 of the OAuth2.0 Server Flow to get the new set of tokens it can assign new values to those variables to maintain an authenticated connection.

You can either have the application refresh the tokens on a timer based on the life of the access token, or you can have each submission check to see if the access token is still active, and then use the refresh token to generate a new set of tokens if not.

V3 API - Refresh the Access Token
https://v3.developer.constantcontact.com/api_guide/server_flow.html#step-5-refresh-the-access-token

How to Make Access Tokens Last Longer
https://developer.constantcontact.com/api_guide/faqs_manage_applications.html

Please have a look and let us know if you have any other questions!

Regards,

Courtney E.
Tier II API Support Engineer

Did I answer your question?
If so, please mark my post as an "Accepted Solution" by clicking the Accept as Solution button in the bottom right hand corner of this post.

RickS015 · ‎08-11-2021

You see all the references you are making to the 5 steps? That is way more complicated than it needs to be. Please consider switching to a simpler API, where all a developer needs to do is get an api key. Then the developer can make calls like

https://api.cc.com/update_contact?id=1423&phone=7775554444&api_key=52165362

It really can be this simple! E.g. Google Maps API works exactly like this.

Courtney_E · ‎08-12-2021

Hello RickS015,

Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.

While our familiarity with any other party's API is limited, the Google Maps API appears to only involve access to the Maps platform, not to any user's personal account data (saved places, timeline, etc). This is a key difference from our V3 API, which does allow access to our clients’ account data.

The OAuth flow we use allows the Constant Contact account owner to review the types of data and functionality that your application is requesting (scopes), prior to granting access, as the developer of an app is not necessarily the owner of the Constant Contact account’s resources that they are accessing.

Our API is designed to protect both our users, and their contacts, from having their data compromised. Short-lived access tokens allow Constant Contact to handle credentials in a secure way. By eliminating basic authentication and using access tokens with a limited lifespan, it decreases the risk and impact of compromised credentials.

Please let us know if you have any other questions! You can also reach our team directly via email at webservices@constantcontact.com

Regards,

Courtney E.
Tier II API Support Engineer

Did I answer your question?
If so, please mark my post as an "Accepted Solution" by clicking the Accept as Solution button in the bottom right hand corner of this post.

Courtney_E · ‎08-11-2021

Hello DaveY53,

Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.

Your feedback and experience with this request is essential to improving our product, so thank you for reaching out to us regarding this matter.

We're currently making updates to our authentication system. This work would need to be completed prior to implementing additional authentication flows, however we are looking into them as future options. Some of the options currently under consideration include: Client Credentials flow, the Device Authorization flow, static refresh tokens, etc.

If you have a specific use case or auth type that you feel would better meet your needs, we’d love to hear from you. If possible, please include what specific solution(s) you’re looking for, whether your app would only access your own Constant Contact’s account data or if it would also be used by other accounts, etc. You can reply here, or contact us directly via email at webservices@constantcontact.com .

Regards,

Courtney E.
Tier II API Support Engineer

Did I answer your question?
If so, please mark my post as an "Accepted Solution" by clicking the Accept as Solution button in the bottom right hand corner of this post.

Adding Contacts to List with OAuth?

Developer Portal

API Updates