Hello byList,

Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.

Each of our authorization flows requires the use of a browser window to authorize an application on an account through a permission request screen. You should only need to do this once though, as after permission is granted, your application can utilize refresh tokens to maintain account access. Below I’m including documentation for our device authorization flow, which is typically the preferred authorization method for input constrained applications. 

OAuth2 Device Flow:

https://developer.constantcontact.com/api_guide/device_flow.html

I’m also including some written instructions for the device authorization flow below:

Because the Device flow is designed to be used by applications that are input constrained, such as a command line application that can’t provide a web browser to users, the only time a web browser is required is when a user authorizing your application with the verification_uri that is returned in the response to your authorization request. The authorization request URL would be sent as an HTTP request using the POST method.

In the response for this request, you will receive a device_code, user_code, and verification_uri and verification_uri_complete, which is the verification_uri with the user_code included in the URI. the account connecting your application will use the verification_URI to authorize the application on their account. 

Once this is done, you can send a token request to receive an access_token and a refresh_token. I am including an example of this request below as well as the documentation:

https://authz.constantcontact.com/oauth2/default/v1/token?client_id={client_id}&device_code={device_...

Step 4: Request an Access Token:

https://developer.constantcontact.com/api_guide/device_flow.html#step-4-request-an-access-token

Assuming that the offline_access scope is verified in your authorization request, you will receive a refresh_token along with an access_token in your token request. The refresh_token will only expire after 180 days if never used. You can exchange the refresh_token for a new token set once the access_token expires with the following method:

Send a POST request to the https://authz.constantcontact.com/oauth2/default/v1/token endpoint with the following query parameters and header.

Query Parameters:

refresh_token (value = your refresh token)

grant_type (value = refresh_token)

client_id (value = your client_id)

Header:

Content-Type: application/x-www-form-urlencoded

Step 8: Refresh the Access Token:

https://developer.constantcontact.com/api_guide/device_flow.html#step-8-refresh-the-access-token

Please have a look and let us know if you have any other questions!

Regards,