this is not really an API question, but the chat support was unable to help me:
When one of my users get sent to the CC page and are asked to grant my company the right to access their account via the API, your page (https://oauth2.constantcontact.com/oauth2/oauth/confirm_access) says: "This access grant is persistent. It will remain in effect until you explicitly revoke it."
Now, if the user wants to revoke the grant, where does (s)he find this in their CC account pages? I've been looking around for a good while and come up empty. Or is this revokal something between me and the user, i.e. I should direct them to write me an angry letter, whereupon I will scratch their access token from our database?
You are correct! That is a generic message under the assumption to whomever is creating the program should be storing the access token for future reference. Otherwise, the user would have to go through the whole process to obtain a new access token everytime.
You could build it into your program that ability for users to revoke the token or to deal with each request manually.
Token revocation can be done by calling Constant Contact support and requesting that the access to the application be revoked. Currently there is no self service method for customers to revoke access to these applications though that is something we are looking to add in the future.
As Andrew mentioned, you can also provide a method in your integration to allow them to delete the access token on your side. This does not invalidate the token with Constant Contact, but it can be used for you to forget the token and stop using it.