Adding Contacts to List with OAuth?

MaggieS418
Rookie

Maybe I'm missing something, but I don't understand how the OAuth flow works when adding contacts to a list from a "Email Signup" form on a website, where the user obviously doesn't have access to the Constant Contact account. The API method I'm looking at is here: https://v3.developer.constantcontact.com/api_guide/contacts_create_or_update.html

 

OAuth authentication just doesn't make sense in this scenario. 

12 REPLIES 12
MarkNetAlliance
Constant Contact Partner

I am looking for this exact issue as well and I can't see how it is possible.

JeffE86
Rookie

I spent a lot of time on this, and it doesn't appear that non-interactive Oauth is possible with the v3 api.  It renders their api useless for server-to-server applications. 

NCPC_DC
Rookie

I basically asked the same question about a week ago See Here and I have received no replies. I am beginning to doubt the helpfulness of this forum.

Courtney_E
Employee
0 Votes

Hello MaggieS418,

 

Thank you for reaching out to Constant Contact API Developer Support and for your patience. My team is here to assist outside software developers with questions about building into Constant Contact's API.

 

When adding contacts to a list from a custom sign-up form app, the "user" referred to in the OAuth Server Flow would be the owner of the website who is setting up the form, as opposed to the contacts filling out the form. The owner of the website (and Constant Contact account) would grant the app access to their account during the initial setup of the form, after which the app would use step 5 of the Server Flow to exchange it's Refresh Token for a new pair of tokens whenever the Access Token expires, without the owner needing to log in again.

 

V3 API OAuth2.0 Server Flow

https://developer.constantcontact.com/api_guide/server_flow.html

 

V3 API Token Overview

https://developer.constantcontact.com/api_guide/auth_overview.html#tokens


Regards,

Courtney E.
Tier II API Support Engineer

Did I answer your question?
If so, please mark my post as an "Accepted Solution" by clicking the Accept as Solution button in the bottom right hand corner of this post.
igvinc
Constant Contact Partner
0 Votes

Same problem here.

In V2 of the API :smileyface:

We have a simple HTML/PHP signup form on a basic landing page

  • We have an API key, a Secret, and a Token
  • Users fills out the form, agrees to terms, gets a Double opt in
  • Result: using the LIST_ID, and 2 custom fields the user is added to a specific list.
  • done. (works great only in V2)

 

that brings us to v3...  :(. . .

I think you are right, so far it has proven Impossible to accomplish the simple task of
"adding 1 user to a specific list with some custom fields"

  • No way to generate an access token that stays good long enough to leave the landing page up
  • No way to add 1 user to a specific list
  • Documentation does not make sense
  • Constantly have to refresh the token
  • No clear examples
  • Examples given do not work

Other problems we ran into:

  • https://v3.developer.constantcontact.com/api_guide/contacts_create.html
    Create contacts has no explanation on how to add that 1 user to a specific list
  • 'authorization' => 'Bearer {access_token}'
    Disambiguation needed
    Assume access_token = 12345
  • Does not work: '{12345}'
  • Does not work: 'Bearer {12345}'
  • Does not work: 'Bearer 12345'
  • Does not work: '12345'
  • access_token and refresh_token constantly expire
  • Impossible to hardcode API_key, Secret, Token into a variable in PHP to allow landing pages to work

Our Conclusion:

V3 does not work for adding 1 contact to a list after they fill out a form.

 

Ergo: Our solution was and still is to use v2
(or switch to another platform that has a working API, which seems rude/inappropriate to talk about any further in this forum)

 

Sorry... but you are not alone!

Courtney_E
Employee
0 Votes

Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.

 

While V2 API Access tokens are valid for 10 years, V3 Access tokens automatically expire two hours after their last use, with a maximum lifetime of twenty four hours. This ensures a higher level of security for the connection. The V3 refresh token does not expire unless it is used or a new refresh token has been generated. Refresh tokens can only be used once, as generating a new set of tokens causes all previous tokens to expire.

 

You will need to set the access token and the refresh token as values for corresponding variables in your application, so that when your program runs through step 5 of the OAuth2.0 Server Flow to get the new set of tokens it can assign new values to those variables to maintain an authenticated connection.

 

V3 API - Refresh the Access Token
https://v3.developer.constantcontact.com/api_guide/server_flow.html#step-5-refresh-the-access-token

 

How to Make Access Tokens Last Longer
https://developer.constantcontact.com/api_guide/faqs_manage_applications.html

 

You can use the POST /contacts/sign_up_form endpoint to add a new contact to an account or update an existing contact based on their email address.

 

Create or Update a Contact
https://v3.developer.constantcontact.com/api_guide/contacts_create_or_update.html

 

The request for V3 application code samples is currently under review. However, we're currently still adding endpoints and capabilities to the V3 API, and do not plan to publish official SDKs or sample apps until that process is complete. Your feedback and experience with this request is essential to improving our product, so thank you for reaching out to us regarding this matter.

In the meantime, here are the example calls that are currently available for V3:

 

V3 Code Samples:
https://v3.developer.constantcontact.com/api_guide/tag_code_samples.html


Regards,

Courtney E.
Tier II API Support Engineer

Did I answer your question?
If so, please mark my post as an "Accepted Solution" by clicking the Accept as Solution button in the bottom right hand corner of this post.
DaveY53
Rookie
0 Votes

Instead of OAuth2, the CC API developers should consider OAuthX, the latest version, which has 38 steps instead of 5. It is way more secure than OAuth2 and, so totally worth it, and developers really don't mind the extra 33 steps. 

DaveY53
Rookie
0 Votes

Seriously though, the CC v3 API makes ZERO sense. I have spent hours on this and gotten nowhere. The premise that there is a landing page is nonsensical. What developers want is simple server-server communication like https://api.cc.com/update_contact?id=1423&phone=7775554444&api_key=52165362

 

That's all there is to it. Get your api key. Make calls.

 

Duh.

Courtney_E
Employee
0 Votes

Hello DaveY53,

 

At this time, there is no way to bypass the Authorization Request screen for the V3 API and it must be accessed via a browser window, but you should only need to authorize an account once, after that you’ll use step 5 of the V3 API OAuth Server Flow to get a new set of tokens to maintain an authenticated connection.

 

To get started with the V3 API, you’ll want to start by going through the V3 API OAuth Server Flow. Please note, after step 1, you should set up step 4 before proceeding, because the authorization code from steps 2 and 3 only has a lifespan of 60 seconds.

 

V3 API OAuth2.0 Server Flow
https://v3.developer.constantcontact.com/api_guide/server_flow.html

 

Tokens Overview
https://developer.constantcontact.com/api_guide/auth_overview.html#tokens

 

Once you have your first set of tokens, you’ll want to set the access token and the refresh token as values for corresponding variables in your application, so that when your program runs through step 5 of the OAuth2.0 Server Flow to get the new set of tokens it can assign new values to those variables to maintain an authenticated connection.

 

You can either have the application refresh the tokens on a timer based on the life of the access token, or you can have each submission check to see if the access token is still active, and then use the refresh token to generate a new set of tokens if not.

 

V3 API - Refresh the Access Token
https://v3.developer.constantcontact.com/api_guide/server_flow.html#step-5-refresh-the-access-token

 

How to Make Access Tokens Last Longer
https://developer.constantcontact.com/api_guide/faqs_manage_applications.html

 

Please have a look and let us know if you have any other questions!


Regards,

Courtney E.
Tier II API Support Engineer

Did I answer your question?
If so, please mark my post as an "Accepted Solution" by clicking the Accept as Solution button in the bottom right hand corner of this post.
RickS015
Rookie
0 Votes

You see all the references you are making to the 5 steps? That is way more complicated than it needs to be. Please consider switching to a simpler API, where all a developer needs to do is get an api key. Then the developer can make calls like

 

https://api.cc.com/update_contact?id=1423&phone=7775554444&api_key=52165362

 

It really can be this simple! E.g. Google Maps API works exactly like this.

Courtney_E
Employee
0 Votes

Hello RickS015,

 

Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.

 

While our familiarity with any other party's API is limited, the Google Maps API appears to only involve access to the Maps platform, not to any user's personal account data (saved places, timeline, etc). This is a key difference from our V3 API, which does allow access to our clients’ account data.

 

The OAuth flow we use allows the Constant Contact account owner to review the types of data and functionality that your application is requesting (scopes), prior to granting access, as the developer of an app is not necessarily the owner of the Constant Contact account’s resources that they are accessing.

 

Our API is designed to protect both our users, and their contacts, from having their data compromised. Short-lived access tokens allow Constant Contact to handle credentials in a secure way. By eliminating basic authentication and using access tokens with a limited lifespan, it decreases the risk and impact of compromised credentials.

 

Please let us know if you have any other questions! You can also reach our team directly via email at webservices@constantcontact.com


Regards,

Courtney E.
Tier II API Support Engineer

Did I answer your question?
If so, please mark my post as an "Accepted Solution" by clicking the Accept as Solution button in the bottom right hand corner of this post.
Courtney_E
Employee
0 Votes

Hello DaveY53,

 

Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.

 

Your feedback and experience with this request is essential to improving our product, so thank you for reaching out to us regarding this matter.

We're currently making updates to our authentication system. This work would need to be completed prior to implementing additional authentication flows, however we are looking into them as future options. Some of the options currently under consideration include: Client Credentials flow, the Device Authorization flow, static refresh tokens, etc.

 

If you have a specific use case or auth type that you feel would better meet your needs, we’d love to hear from you. If possible, please include what specific solution(s) you’re looking for, whether your app would only access your own Constant Contact’s account data or if it would also be used by other accounts, etc. You can reply here, or contact us directly via email at webservices@constantcontact.com .


Regards,

Courtney E.
Tier II API Support Engineer

Did I answer your question?
If so, please mark my post as an "Accepted Solution" by clicking the Accept as Solution button in the bottom right hand corner of this post.
Resources
Developer Portal

View API documentation, code samples, get your API key.

Visit Page

Announcements

API Updates

Join our list to be notified of new features and updates to our V3 API.

Sign Up