cancel
Showing results for 
Search instead for 
Did you mean: 
Tomorrow morning (8/26) from 07:00 AM - 08:00 AM ET we need to make a few updates to our site. During this time, no emails will be sent and some customers will not be able to access their contacts. We recommend finishing up your work before 07:00 AM and logging in after 08:00 AM ET. Thank you for your patience while we make these updates.

Repudiation of API key usage

New Member

Repudiation of API key usage

I'm looking at how authentication an access work with CC, and unless I'm missing something, there there is not a way to repudiate API key usage.

 

Using OAuth is fine - it requires that the application authenticate itself by providing a secret in addition to the API key. However, there is no way to prevent unauthenticated use of our API key. In other words, it appears that there is no way to prevent other actors from using the CC API while claiming to be an arbitrary application.

 

Any usage requires the cooperation of a CC account holder, of course.  Let's say my API key is XXXX.

 

1. OAuth:

 

The user is directed to CC, authenticated, and gives permission to API key XXXX to access their account. In order for XXXX to get an access token, the API key must be supplied to CC along with a secret known only the owner of API key XXXX. Thus authenticating and establishing the identity of the application identified by XXXX. Permission is then granted by means of an access token to act on behalf of a particular CC user.

 

2.  Other:

 

A user is directed/convinced/coerced into going to https://oauth2.constantcontact.com/oauth2/callback.htm?client_id=XXXX , grants permission, and is presented with an access token.

 

Using that access token, anyone can now act on behalf of the user, using my XXXX access key, without being authenticated as the owner of that API key.

 

I don't want it to be possible for anyone else to impersonate my application. Any API calls will count against my concurrent and/or daily transaction limit. Additionally, any nefarious use of that user's account is done in association with my key.

 

The worst part is that even if *I* always use OAuth, which is fine, it doesn't prevent anyone from obtaining a key using method #2. I can't configure my API access in such a way that *requires* all uses of my API key to be authenticated.  I want to be able to repudiate non-authorized uses of my API key.

 

Am I totally missing something? I assume I that I am, because that doesn't seem too cool.

Tags (1)
1 REPLY 1
Moderator

Re: Repudiation of API key usage

Hello DavidC325,

 

Your question is interesting and we would like to look in to this more. Due to the nature of any involved details would you be willing to email us at webservices@constantcontact.com so we can go over this with you in more detail?


Regards,
Jimmy D.
Tier II API Support Engineer