Hello user443019,

Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.

The state can be any value that you specify, and is used to prevent cross-site request forgery, specify the arbitrary state string value you want to use to uniquely identify a user’s session.

The newly added state parameter can be used to pass additional values through the Authorization Request URL. Here are three ways that you might implement this using the state parameter, from least secure to most secure:

Option 1:

Use the additional value as the state value (least secure, directly exposes the additional value in the URL, and so isn't secure).

Option 2:

Base64 encode the additional values, and use that as the state value (more secure, but still not random, and can be decoded).

Option 3:

Come up with some formula to encode the additional values + a random value, which your program can decode when you get the response (fairly secure).

Option 4:

Use a completely random state value for each additional value, save it within your application before sending the request associated with that value, then use the state value to look up the additional value upon receiving the response (most secure).

Step 1: Create an Authorization Request
https://v3.developer.constantcontact.com/api_guide/server_flow.html#step-1-create-an-authorization-r...

The redirect URI used when exchanging the Authorization code for a token set must match exactly both the redirect URI that was used in your Authorization Request URL, as well as the Redirect URI within your App Details for the key.

**If you are only intending to use your application for one account, you can always leave the Redirect URI as the default value and capture the code manually from the webpage URL you are redirected to after granting access.

When a user goes to connect their Constant Contact account to your integration and clicks “Allow” on the Authorization Request screen to grant your app access to their data, they are sent to the website URL that you specify as your Redirect URI. After the account owner is successfully authenticated and authorizes your application, Constant Contact redirects the account owner to your chosen redirect_uri and appends the Authorization Code to the URL, allowing your application to capture it and exchange it for your initial token set.

Get the Token from the Redirect URL

https://v3.developer.constantcontact.com/api_guide/auth_overview.html#get-the-token-from-the-redirec... 

Create an Authorization Request URL

https://v3.developer.constantcontact.com/api_guide/server_flow.html#step-1-create-an-authorization-r... 

While we don’t really have much info in our documentation regarding how to implement the Redirect URL within your application to capture the code (as our expertise is with our API itself as opposed to its implementation within any particular programming language), it should work similarly to other apps using OAuth2, and so it’s likely you’ll be able to find some applicable examples or sample code for this online.

Please have a look and let us know if you have any other questions!

You can also reach our team directly/securely via email at webservices@constantcontact.com