401 : oauth_problem=invalid_expired_token

Occasional Participant

In doing two legged authentication, my app provides all the required parameters mentioned in the documentation but gets a 401 error as shown in the subject.

In the description below, it mentions "make an API call to Constant Contact using just your Consumer Key (API Key) and Consumer Secret" - OK... so how? Which API endpoint, and what are the parameters? And is it really OK sending my Consumer Secret over the wire in a GET request (or non-HTTPS POST)?

I've been trying to debug this for a few hours now and am getting nowhere... perhaps a CC API developer could provide some answers? BTW, this is a demo account as well, if that changes anything, and the PHP lib recommended in the docs.

Here is what is being sent in the POST request (from debug, with various bits suppressed):

'oauth_version' => string '1.0' (length=3)
'oauth_nonce' => string 'xxxxxxxxxxxxxxxxx' (length=32)
'oauth_timestamp' => int 1239860563
'oauth_consumer_key' => string 'xxxxxxxxxxxxxxxxxxxxx' (length=36)
'oauth_signature_method' => string 'HMAC-SHA1' (length=9)
'oauth_signature' => string 'xxxxxxxxxxxxxxxxxx=' (length=28)

Here is the response object from our HTTP lib

public 'headers' =>
public 'Date' => string 'Thu, 16 Apr 2009 05:42:45 GMT' (length=29)
public 'Server' => string 'IBM_HTTP_Server' (length=15)
public 'WWW-Authenticate' => string 'OAuth realm="", oauth_problem="invalid_expired_token"' (length=76)
public 'Content-Length' => string '35' (length=2)
public 'Cache-Control' => string 'private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"' (length=78)
public 'Pragma' => string 'no-cache' (length=8)
public 'Content-Type' => string 'application/x-www-form-urlencoded;charset=UTF-8' (length=47)
public 'Content-Language' => string 'en-US' (length=5)
public 'Set-Cookie' => string 'BIGipServerProdAPI=860099594.20480.0000; path=/' (length=47)
public 'body' => string 'oauth_problem=invalid_expired_token' (length=35)
public 'valid' => boolean false
public 'status' => string 'HTTP/1.1 401 Unauthorized' (length=25)
public 'code' => int 401
public 'version' => string '1.1' (length=3)
public 'reason' => string 'Unauthorized' (length=12)

Page in question:

This page:

This section:
Step 1: Obtaining Access Token
Access Token URL

Required Parameters

* oauth_consumer_key : application consumer key
* oauth_nonce, oauth_timestamp, oauth_signature_method, oauth_version, oauth_signature (these parameters are normally handled by an OAuth library, if you are using one, which we highly recommend)

To get the access token, your application needs to make an API call to Constant Contact using just your Consumer Key (API Key) and Consumer Secret. The Consumer Secret is used to sign the request prior to sending.
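
The signing step quoted above, as an added example (not code from the original post, from Constant Contact, or from the PHP library the poster used): in OAuth 1.0 HMAC-SHA1 the Consumer Secret is only the HMAC key, so the request carries the signature and never the secret itself. The URL, key, secret and nonce are constructed placeholders; the timestamp is the one from the debug output.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(value):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay literal
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Sorted, encoded name=value pairs; oauth_signature itself is never signed
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # Two-legged: no token exists yet, so the token-secret half of the key is empty
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()

def verify(method, url, params, consumer_secret):
    # Receiving side: recompute from its own copy of the secret, compare in constant time
    expected = sign(method, url, params, consumer_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

# Constructed sample values (placeholders, not real credentials or endpoints)
URL = "https://api.example.invalid/oauth/access_token"
SECRET = "constructed-consumer-secret"
PARAMS = {
    "oauth_consumer_key": "constructed-consumer-key",
    "oauth_nonce": "4f1c9a7e2b",
    "oauth_timestamp": 1239860563,
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0",
}

def signed_request():
    # The parameter set that actually goes over the wire
    sent = dict(PARAMS)
    sent["oauth_signature"] = sign("POST", URL, sent, SECRET)
    return sent

if __name__ == "__main__":
    sent = signed_request()
    print(base_string("POST", URL, sent))
    print(sent["oauth_signature"], "| secret on wire:", SECRET in str(sent))
```

The signature is the base64 of a 20-byte HMAC-SHA1 digest, which is why `oauth_signature` in the debug output is 28 characters long and ends in `=`.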

Occasional Participant

One more thing... this is happening with both GET and POST and http/https combinations.

RE: 401 OAuth Error

Hi J, I'm going to take a closer look at this with a test program on my end. This will take some time. You are using the OAuth PHP library for the entire handling of the authentication process? I just want to confirm that I will have all the same code you are using for testing purposes. If you want to send any extra files or code you have modified to our webservices support team, this will help me in testing the environment exactly the same way you are.

Dave Berard
Senior Product Manager, Constant Contact
Occasional Participant

Thanks Dave, have sent you the email.

RE: Sending files

We're taking a look at it now, definitely see where the confusion can come into play here. We will hopefully have something for you soon.
Dave Berard
Senior Product Manager, Constant Contact

re: OAuth Challenges? - Consider Basic Authentication over HTTPS

Given recent challenges in our API user base and in the OAuth community in general, we have decided to extend support for Basic Authentication over HTTPS. The Basic Authentication model, while not our preferred approach, should prove simpler to adopt for many developers.

You can read more on the Basic Authentication model here.

Tom M
Group Product Manager – Content Editing
Constant Contact