Server based auth flow and api calls -- NO WEB BROWSER in this flow.

0 Votes

I'm trying to build a server based integration between my cc account and a node server (our backend). Use case is updating specific contacts with additional info such as a unique short-code to enable access to our iOS app.

  • Elsewhere: Typically this would happen by various means, such as an API KEY in the header or getting an auth token, and then including the token in api calls.
  • How do I make API calls to CC? The OAUTH workflow won't work as the calls are coming from a server that can't use a web browser flow.


I'm a new customer, and the sole reason we chose CC was api capability.  

0 Votes

Hello byList,


Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.


Each of our authorization flows requires the use of a browser window to authorize an application on an account through a permission request screen. You should only need to do this once though, as after permission is granted, your application can utilize refresh tokens to maintain account access. Below I’m including documentation for our device authorization flow, which is typically the preferred authorization method for input constrained applications. 


OAuth2 Device Flow:


I’m also including some written instructions for the device authorization flow below:


Because the Device flow is designed to be used by applications that are input constrained, such as a command line application that can’t provide a web browser to users, the only time a web browser is required is when a user is authorizing your application with the verification_uri that is returned in the response to your authorization request. The authorization request URL would be sent as an HTTP request using the POST method.


In the response for this request, you will receive a device_code, user_code, verification_uri, and verification_uri_complete, which is the verification_uri with the user_code included in the URI. The account connecting your application will use the verification_uri to authorize the application on their account.


Once this is done, you can send a token request to receive an access_token and a refresh_token. I am including an example of this request below as well as the documentation:{client_id}&device_code={device_...


Step 4: Request an Access Token:


Assuming that the offline_access scope is verified in your authorization request, you will receive a refresh_token along with an access_token in your token request. The refresh_token will only expire after 180 days if never used. You can exchange the refresh_token for a new token set once the access_token expires with the following method:



Send a POST request to the endpoint with the following query parameters and header.



Query Parameters:

  • refresh_token (value = your refresh token)
  • grant_type (value = refresh_token)
  • client_id (value = your client_id)

Header:

  • Content-Type: application/x-www-form-urlencoded


Step 8: Refresh the Access Token:


Please have a look and let us know if you have any other questions!



John B.
API Support Specialist
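
For the Node backend in the question, the refresh step described in the reply can be wrapped so the server keeps a valid token without any browser after the one-time authorization. This is an added example, not part of the reply and not Constant Contact's code: the token URL is a placeholder, `send` and `save` are hypothetical hooks, and the response fields `access_token`, `refresh_token` and `expires_in` are the standard OAuth 2.0 names.

```javascript
// Added example; TOKEN_URL is a placeholder, not the provider's real endpoint.
const TOKEN_URL = 'https://auth.example.invalid/oauth2/token';

// Refresh request from the reply: POST, form content type, and the parameters
// refresh_token, grant_type, client_id. Assumption: they are accepted in the
// form-encoded body (standard OAuth 2.0), which keeps them out of URL logs.
function buildRefreshRequest(clientId, refreshToken, tokenUrl = TOKEN_URL) {
  const body = new URLSearchParams({
    refresh_token: refreshToken,
    grant_type: 'refresh_token',
    client_id: clientId,
  }).toString();
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  return { url: tokenUrl, method: 'POST', headers, body };
}

// Keeps the token set from the one-time device flow fresh. send(request) and
// save(tokens) are hypothetical hooks for the HTTP client and secret store.
class TokenManager {
  constructor({ clientId, tokens, send, save, now = Date.now }) {
    Object.assign(this, { clientId, tokens, send, save, now, inflight: null });
  }

  // Return a valid access token, refreshing 60 s before expiry.
  getAccessToken() {
    if (this.now() < this.tokens.expiresAt - 60000) {
      return Promise.resolve(this.tokens.accessToken);
    }
    // Single flight: concurrent callers share one refresh request.
    if (!this.inflight) {
      this.inflight = this.refresh().finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }
  async refresh() {
    const req = buildRefreshRequest(this.clientId, this.tokens.refreshToken);
    const res = await this.send(req);
    if (!res || !res.access_token) {
      throw new Error(`refresh failed: ${(res && res.error) || 'no access_token'}`);
    }
    this.tokens = {
      accessToken: res.access_token,
      refreshToken: res.refresh_token || this.tokens.refreshToken,
      expiresAt: this.now() + res.expires_in * 1000,
    };
    await this.save(this.tokens); // persist the new set before handing it out
    return this.tokens.accessToken;
  }
}
```

In production `send` would POST the request with the server's HTTP client and parse the JSON response, and `save` would write the token set to encrypted storage rather than a plain file or log.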