I want to develop a .net service that will run on a schedule and query my company's campaigns for recently sent emails. This service will run completely independently of user input. I don't have our Constant Contact username and password but instead have the api key and access token that my colleague generated for me. Once the service is built and deployed, there will be no user input. Everything I read seems implies that OAuth is required but entering account details is not an option.
It's important to stress that this is my company's account and will not be used in any way by third-parties. The service is (for all intents and purposes) the account owner but does not have login credentials.
Can someone provide code samples as to how to go about this developing this?
Thank you for reaching out to Constant Contact's API Support.
Unfortunately I don't have any .NET code samples on this, however our OAuth process only requires the account owner connect once. They will get back an Access Token and a Refresh Token. Once you have these, you can programmatically use the refresh token to get a new access token without the need for the account owner to manually log in each time.
If you wish to view our documentation our OAuth, see here:
Please have a look and let me know if you have any questions!
Tier II API Support Engineer
I've read through the server flow docs several times and still don't see how you can you can use the refresh token to obtain new access and refresh tokens more than one time. As I understand it, once you use the refresh token to obtain a new one it becomes expired and can no longer be used. That seems to suggest the refresh token needs to be stored on the server so it can be used on the next request. If this is truly the recommended approach, it doesn't sound feasible if you have multiple users making the same request simultaneously. My preference is to keep things stateless and not store the tokens.
It seems awfully shortsighted if this is the only way developers can authenticate server to server. Please let me know if there's something I may be missing related to refreshing the token.
We use current OAuth standards for security purposes. Access tokens are good for up to 24 hours. Refresh tokens don't expire, but will become invalid if they are used or if the initial authorization flow is completed again. If you could use the same refresh token over and over, that kind of defeats the purpose of having a rotating access token.
When you use your refresh token, you get a new access token and a new refresh token as well. You then use the new access token until it expires, and refresh using the refresh token that was given at the same time as the access token you were just using.
Typically in a situation such as yours where you have multiple users making calls for the same Constant Contact account, you would have your server control all of your calls, storing the access and refresh token, and refreshing it when needed.
Please let me know if you have any other questions.
Tier II API Support Engineer