Hello KyW,
Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.
API connections that use basic authentication to access the account via your username and password are no longer considered a secure enough option to protect our customers' data. Our current V3 API uses OAuth2.0, which is the current industry standard for authorization. However, even with our previous/legacy API version, V2, you still had to grant access to the account to get an access token, which is what the integration uses to send data to/from your Constant Contact account.
OAuth2.0 is more secure and does a much better job of keeping your Constant Contact account data safe. Additionally, when you give their integration permission to access your account, it will show you exactly which permissions the integration is requesting to be granted (rather than just granting all permissions). V3 also uses tokens that are continuously refreshed to keep the connection encrypted and secure.
Using V3, you should be able to fully automate your integration with the exception of the initial Authorization Request screen and redirect, which can only be accessed/authorized via a browser window and cannot be bypassed, but you should only need to authorize your account once (grant permission and exchange auth code for first token set). After the initial connection, your application will use the access token to make calls, and the refresh token to generate a new token set once the access token expires (24 hours), so the site credentials are not needed again after the first time.
The Authorization Request screen is only for the initial connection of a Constant Contact account to the integration, so, for example, if you are making a sign-up form or integration that only connects to one Constant Contact account, only you would access the Authorization Request screen one initial time to connect your account; it isn't visible publicly to anyone signing up via the form. When your users are accessing the integration/form, it will use the token set generated when you initially granted permission to access the connection.
Please have a look and let us know if you have any other questions!
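The token lifecycle described in the reply above (authorize once in a browser, then use the access token and refresh it when it expires), sketched as an added example that is not part of the original reply or Constant Contact's own code. It assumes standard OAuth2 response fields (`access_token`, `refresh_token`, `expires_in`); `TOKEN_URL` is a placeholder, and `TokenStore` and `post_form` are hypothetical names, with `post_form` standing in for an HTTP client that handles client authentication.

```python
import json
import os
import time

TOKEN_URL = "https://auth.example.invalid/oauth2/token"  # placeholder, not the real endpoint
REFRESH_MARGIN = 300  # seconds: refresh shortly before the access token expires


class TokenStore:
    """Keeps the token set on disk so the browser step is needed only once."""

    def __init__(self, path, post_form, now=time.time):
        self.path = path
        self.post_form = post_form  # hypothetical: POSTs a form, returns parsed JSON
        self.now = now

    def save(self, token_response):
        record = {
            "access_token": token_response["access_token"],
            "refresh_token": token_response["refresh_token"],
            "expires_at": self.now() + token_response["expires_in"],
        }
        tmp = self.path + ".tmp"
        # Owner-only permissions: the refresh token is as sensitive as a password.
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as handle:
            json.dump(record, handle)
        os.replace(tmp, self.path)  # atomic swap, never a half-written token file

    def load(self):
        with open(self.path) as handle:
            return json.load(handle)

    def access_token(self):
        record = self.load()
        if self.now() < record["expires_at"] - REFRESH_MARGIN:
            return record["access_token"]
        response = self.post_form(TOKEN_URL, {
            "grant_type": "refresh_token",
            "refresh_token": record["refresh_token"],
        })
        if "access_token" not in response:
            # Refresh token rejected or revoked: only a new browser authorization helps.
            raise RuntimeError("refresh failed; repeat the browser authorization")
        # Store the whole new token set; keep the old refresh token if none came back.
        response.setdefault("refresh_token", record["refresh_token"])
        self.save(response)
        return response["access_token"]
```

Call `save()` once with the response from the initial authorization-code exchange; every later API call takes its bearer token from `access_token()`.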