We have a WordPress site and associated mailing list that we're porting to Constant Contact. We'll be using the OAuth2 flow, and we've registered our application, and authenticated to get an authorization code, but it sounds like that code will expire unless we generate a token and keep refreshing it if it's not used, perhaps once per hour, according to some documentation (https://developer.constantcontact.com/api_guide/faqs_manage_applications.html under "Make access tokens last longer?"), or perhaps once every two hours.
It seems unwieldy to have to refresh tokens every hour (or two), but is there a better solution than adding a cron script on the server that runs once every hour to refresh tokens? This seems cumbersome (almost 9,000 executions per year) and fragile...if something goes wrong with that script, the API will fail.
Are we missing a more reliable / elegant solution for using the Constant Contact API with OAuth2 while needing to avoid constant user logins for authentication? Thank you.
Hello ChristopherGronbeck,
Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.
Thank you for bringing that to our attention, as the page that you referenced is now out of date. I'll be submitting a ticket to get that resolved.
Instead, please feel free to reference this page, as it has up to date information on the V3 API's OAuth processes: https://developer.constantcontact.com/api_guide/auth_overview.html
When using the new OAuth2 flows that are available for V3, the access token lifetime is a static 24 hours, and you have the option of using rotating refresh tokens or long lived refresh tokens.
In regards to scheduling, you could refresh the access/refresh tokens daily, or you could have your program check to see whether the current access token is still valid, and if not send a new token request.
The access token is a JWT token, so you can parse the JWT access token for the expiration date/time and/or granted scopes. You can either look for a standalone JWT decoder tool or set up a decoder within your program’s code so that it can programmatically verify the remaining lifetime of the access token before attempting to refresh.
Regarding Long Lived Refresh Tokens (which can be configured within your V3 key’s settings), these allow you to use the same refresh token continuously to generate new Access Tokens. You can use the same configuration as you would for the rotating refresh tokens if desired, you’ll just get back the same refresh token value each time when receiving your new access token. While we generally recommend using rotating refresh tokens (as they're more secure), using a long lived refresh token should alleviate many of the situations that we've seen reported where a refresh token becomes invalid, and then requires a new authorization request.
Please have a look and let us know if you have any other questions!
You can also reach our team directly/securely via email at webservices@constantcontact.com
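The answer above suggests parsing the JWT access token for its expiry and only refreshing when it is about to lapse, and notes that a rotating refresh token comes back with a new value while a long-lived one returns the same value. The following is an added example (not code from Constant Contact or from the original thread) showing that check in Python; a WordPress plugin would port the same logic to PHP. It reads the `exp` claim without verifying the signature, which is acceptable for a client deciding when to refresh its own token but must never be used to authorise anything. The token endpoint URL, the refresh margin, and the sample JWT are assumptions constructed for the demo; the request body fields follow the standard OAuth2 refresh grant.

```python
import base64
import json
import time
from typing import Optional

# Assumption: refresh proactively when this much lifetime (seconds) remains,
# so a request never races the 24-hour expiry.
REFRESH_MARGIN_SECONDS = 10 * 60
# Assumption / placeholder: the provider's token endpoint goes here.
TOKEN_ENDPOINT = "https://TOKEN-ENDPOINT-PLACEHOLDER/oauth2/token"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    This only reads the claims; it does NOT verify the signature. The API
    server validates the token; we just want to know when it expires."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(token: str, now: Optional[float] = None) -> float:
    """Seconds remaining before the token's 'exp' claim (negative if past)."""
    exp = jwt_claims(token).get("exp")
    if not isinstance(exp, (int, float)):
        raise ValueError("JWT carries no numeric 'exp' claim")
    now = time.time() if now is None else now
    return exp - now


def needs_refresh(token: str, now: Optional[float] = None,
                  margin: float = REFRESH_MARGIN_SECONDS) -> bool:
    """True when the access token is expired or inside the refresh margin."""
    return seconds_until_expiry(token, now) <= margin


def refresh_request_body(refresh_token: str) -> dict:
    """Form fields for an OAuth2 refresh_token grant (RFC 6749 section 6).
    Client credentials are sent separately (e.g. HTTP Basic) and omitted here."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token}


def store_token_response(state: dict, response: dict) -> dict:
    """Merge a token-endpoint JSON response into the persisted token state.

    Rotating refresh tokens: the returned value replaces the old one, which is
    now invalid, so it must be saved before anything else happens.
    Long-lived refresh tokens: the same value comes back; re-saving is harmless."""
    new_state = dict(state)
    new_state["access_token"] = response["access_token"]
    if "refresh_token" in response:
        new_state["refresh_token"] = response["refresh_token"]
    return new_state


def make_demo_jwt(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned-in-practice JWT for offline demonstration.
    The signature part is a fixed dummy; real tokens come from the provider."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = _b64url_encode(b"constructed-dummy-signature")
    return f"{header}.{payload}.{signature}"


if __name__ == "__main__":
    # Constructed sample: a token that expired "24h after issue" at a fixed epoch.
    issued = 1_700_000_000
    demo = make_demo_jwt({"exp": issued + 24 * 3600, "scope": "contact_data"})
    for offset in (0, 23 * 3600, 25 * 3600):
        print(offset, "s after issue -> refresh?", needs_refresh(demo, now=issued + offset))
```

The daily cron the question worries about becomes unnecessary: call `needs_refresh` before each API request and only hit the token endpoint when it returns `True`, then persist whatever `store_token_response` returns so a rotated refresh token is never lost.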