Hello MatthewF537,
Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.
As with most APIs, our API has rate limits to help maintain stability and security. Our standard API keys have a rate limit of 10,000 calls per day, and 4 calls per second. Once your key has hit its limit, your calls will see this error until the next day (or the next second if going over your queries-per-second limit). Rate limits are per key.
429: Too Many Requests
https://v3.developer.constantcontact.com/api_guide/glossary_responses.html#429-too-many-request
If you are hitting your daily rate limit when adding/updating contacts individually, you could consider using our bulk contact export and import (multipart or JSON) endpoints instead. It's a lot more efficient on your systems and ours, reducing the number of calls required to update a large list membership to 2 calls. Export the current list, Import the revised list.
You could also set up your application to only make synchronous refresh calls with a 1 second latency, having code execution wait for the API call to return and wait a full second before allowing another request.
Under our authorization management service, Constant Contact has also implemented a rate limit on the Token endpoint. A 429 response could potentially be returned if you attempt to refresh an access token before every V3 API request, so it’s recommended that you only send a refresh token request to get a new access token if your existing access token is expired or about to expire, but there are other options available based on the functionality and use of your application:
The new rate limit for the endpoint to acquire tokens is 1 request/second.
- With previous auth flows, we recommended refreshing the tokens on a timer. If your application is already set up to do this and isn’t used by multiple accounts, this should still work fine, however it can be modified and simplified. There's no longer a need to reset the timer when making a successful API call. Access token lifetime is now a static 24 hours. Timer would only need to count down the 24 hours from receiving the token.
- You could also set up your application to only make synchronous refresh calls with a 1 second latency, having code execution wait for the API call to return and wait a full second before allowing another token request.
- However, the simplest (and currently recommended) method is to just check whether your JWT access token is still valid before each request. If yes, send your request. If not, refresh the token before sending your request.
Our new OAuth2 flows utilize Access Tokens that are in JWT format. JSON Web Tokens (JWT) are a compact and self-contained way for securely transmitting information between parties as a JSON object.
If you want to be able to parse the JWT for the expiration date/time and/or granted scopes, I'd suggest looking for a standalone JWT decoder tool or setting up a decoder within your program’s code so that it can programmatically verify the remaining lifetime of the access token before attempting to refresh.
[3rd party resource] JWT Decoder Tool Examples:
https://jwt.io/#debugger-io
https://developer.pingidentity.com/en/tools/jwt-decoder.html
[3rd party resource] Epoch & Unix Timestamp Conversion Tool Example:
https://www.epochconverter.com/
If you want your application to parse the JWT programmatically in your program’s code (the example we currently offer in the documentation is only in Java at this time), you can find instructions online regarding how to do this in different languages.
The OpenID Foundation maintains a list of libraries implementing JWT and JOSE specs, which may be a good starting point. Their list can be found here: https://openid.net/developers/jwt/
[3rd party resource] Decode JWTs in C# Example:
https://developer.okta.com/blog/2019/06/26/decode-jwt-in-csharp-for-authorization
If you are planning on making an application that would be available and potentially used by a large base of customers then I would suggest you look into becoming a Technology Partner with Constant Contact. There is no price involved with this and the basics are to just create and maintain your app, though there are other parts to it. Members of our partner program are given 250,000 calls per day and up to 10 calls per second. To associate your API Key with a partnership, you can look into becoming a Technology Partner: https://www.constantcontact.com/partners/technology
Please have a look and let us know if you have any other questions or if your situation doesn’t match either of the solutions above by emailing us at webservices@constantcontact.com with your API Key and the details of your application that would require an increase to your call limits.
Please have a look and let us know if you have any other questions!
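The check-before-request approach described in the reply above, sketched in Python as an added example (not part of the original post and not Constant Contact's own code). It assumes the access token carries the standard JWT `exp` claim; the 300-second margin, the function names and the sample token are assumptions made for illustration.

```python
import base64
import json
import time

REFRESH_MARGIN_S = 300      # assumed margin: treat the last 5 minutes as "about to expire"
TOKEN_MIN_INTERVAL_S = 1.0  # token endpoint limit from the post: 1 request/second


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying its signature.

    Fine for a client reading the lifetime of its own access token; never
    base an authorization decision on unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def needs_refresh(token, now=None, margin=REFRESH_MARGIN_S):
    """True if the token is expired, about to expire, or unreadable."""
    now = time.time() if now is None else now
    try:
        return now >= float(jwt_claims(token)["exp"]) - margin
    except (ValueError, KeyError, TypeError):
        return True  # no usable exp claim: refresh rather than guess


def refresh_delay(last_refresh, now, min_interval=TOKEN_MIN_INTERVAL_S):
    """Seconds to wait before another token request stays within the limit."""
    if last_refresh is None:
        return 0.0
    return max(0.0, last_refresh + min_interval - now)


def sample_token(exp):
    """Constructed, unsigned token for the demo; not a real access token."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"exp": exp}), "sig"])


if __name__ == "__main__":
    now = 1_700_000_000
    print(needs_refresh(sample_token(now + 86400), now))  # full 24 h left
    print(needs_refresh(sample_token(now + 60), now))     # inside the margin
    print(refresh_delay(last_refresh=now - 0.25, now=now))
```

Call `needs_refresh` before each API request and sleep for `refresh_delay(...)` seconds before sending a refresh, so that an unparseable token or a burst of callers does not turn into repeated 429 responses from the token endpoint.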