How to authenticate the Constant Contact to add a contact

0 Votes

Hi everyone,


I am following the documentation here:


I am trying to create an automation workflow in Python that allows me to add a contact using the Constant Contact API but I keep getting the authentication error hence the need to authenicate.


In the link provided above. I have done step 1 and received a 200 response but an HTML page as a response instead of a JSON.


The next step is step4, its not clear to me what code_verifier  and code  is. I dont know what values are required here.


More importnatly. step 2 is not clear to me at all. How do I get here?


Thanks for your response

0 Votes

Hello user2631095,


Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.


We’ve identified a mistake in our Implicit flow documentation that we’re currently working to correct. We appreciate you bringing this to our attention. After completing step 1 in the documentation you can disregard the first “Step 4: Get the Access and Refresh Tokens” section and skip to the “Step 2: Get Authorization” section. The first step 4 that appears in the Implicit flow documentation is from our PKCE flow documentation and is not applicable to the Implicit flow. This means you can disregard the portion about the code_verifier parameter as it is only applicable to the PKCE flow.


I would note that the Implicit is no longer recommended as it is only being provided for backward compatibility or applications that are unable to support the PKCE flow. I would recommend reviewing the Authorization code flow documentation as it would likely be better suited for the automation workflow in Python that you described. You should be able to fully automate your integration with the exception of the initial Authorization Request screen and redirect, which can only be accessed/authorized via a browser window and cannot be bypassed, but you should only need to authorize each connected account once.


To get started with the V3 API, you’ll want to start by going through the V3 API OAuth2 Authorization Code Flow. Please note, after step 1, you should set up step 4 before proceeding, because the authorization code from steps 2 and 3 only has a lifespan of 5 minutes.


V3 API OAuth2 Authorization Code Flow


Once you have your first set of tokens, you’ll want to set the access token and the refresh token as values for corresponding variables in your application, so that when your program runs through step 8 of the OAuth2 Authorization Code Flow to get the new set of tokens it can assign the updated values to those variables to maintain an authenticated connection.


You can either have the application refresh the tokens on a timer based on the life of the access token (access token lifetime is a static 24 hours), or you can check to see if the access token is still active before each submission, and then use the refresh token to generate a new set of tokens if not.


In order to parse the JWT access token for the expiration date/time and/or granted scopes, I'd suggest looking for a standalone JWT decoder tool or setting up a decoder within your program’s code so that it can programmatically verify the remaining lifetime of the access token before attempting to refresh.


[3rd party resource] JWT Decoder Tool Examples:


[3rd party resource] Epoch & Unix Timestamp Conversion Tool Example:


If you want your application to parse the JWT programmatically in your program’s code (the example we currently offer in the documentation is only in Java at this time), you can find instructions online regarding how to do this in different languages.


The OpenID Foundation maintains a list of libraries implementing JWT and JOSE specs, which may be a good starting point. Their list can be found here:

Once authentication is set up, and you’re able to complete Step 8 (Refresh the Access Token), you can then use your current Access Token variable value to make calls to the API endpoints.


We’re currently looking into authentication options for unattended/non-interactive integrations for our V3 API. The main option currently under consideration is the Device Authorization flow, however, I’m unable to guarantee when or if this flow will be implemented at this time.


Please have a look and let us know if you have any other questions!



John B.
API Support Specialist
Did I answer your question? If so, please mark my post as an "Accepted Solution" by clicking the Accept as Solution button in the bottom right hand corner of this post.
Developer Portal

View API documentation, code samples, get your API key.

Visit Page


API Updates

Join our list to be notified of new features and updates to our V3 API.

Sign Up