Get Started
What is the Alexa Skills Kit?
- About Voice Interaction Models
- Index of Skill Types
- Glossary
Create Your Developer Account
Contact Alexa Developer Support
Skill Types
Alexa for Apps
- Use the Command Line
- FAQ
- Alexa for Apps V1 to V2 Migration Guide
Automotive Skills
- Connected Vehicle Skills
- Alexa Skills for Driving
Custom Voice Model Skills
- Steps to Build a Custom Skill
- Get Custom Skill Sample Code
- Understand How Users Invoke Custom Skills
- Choose the Invocation Name for a Custom Skill
- Create a Custom Skill from a Quick Start Template
- Host a Custom Skill as an AWS Lambda Function
- Host a Custom Skill as a Web Service
- Configure a Skill for Multiple Languages
- Create the Interaction Model (Intents, Slots, and Dialogs)
- Use Built-in Intents and Slot Types
- Entity Resolution
- Handle Requests Sent by Alexa
- Understand Name-free Interaction for Custom Skills
- Add Audio to a Custom Skill
  - Stream Long-Form Audio with AudioPlayer
- Alexa Quick Links
  - Create a Quick Link for Your Custom Skill
  - Create a Quick Link for Your Custom Task
- Use Display Templates to Show Content on Screens
Flash Briefing Skills
- Steps to Build a Flash Briefing Skill
- Tips to Create a Great Flash Briefing Skill
- Flash Briefing Skill Certification Checklist
- Normalize the Loudness of Audio Content
- Flash Briefing Skill API Feed Reference
Game Skills
- Alexa Web API for Games
Music, Radio, and Podcast Skills
- Steps to Build a Music, Radio, or Podcast Skill
- Radio Skills Kit
  - Use No-Code Radio Skills
- Implement Podcast Skill Features
- Upload Music or Radio Catalogs
- Upload Podcast Catalogs
- Add Premium Audio, Badging, and License Retrieval to a Music Skill
- Internationalize a Podcast Skill
- Catalog Reference
- Understand Voice Modeling
- Testing Guide
- Event Subscriptions
- Troubleshooting
- Music, Radio, and Podcast Skill API
Smart Home Skills
- Steps to Build a Smart Home Skill
- Smart Home Skill Concepts
- Smart Home Skill Types
- Tutorial: Build a Smart Home Skill
- Troubleshooting Guide
- Smart Home Skill APIs
Video Skills
- Steps to Build a Video Skill
  - Implement Video Skill Code
- State Reporting for Video Skills
- Video Skill Testing Guide
- Video Skill APIs
- Video Skills for Fire TV Apps
- Video Skills for Echo Show
Skill Development Process
Design Your Skill
- Alexa Design Guide
Build Your Skill
- Use AI-Driven Dialog Management
- Add Visuals and Audio to Your Skill
- Add Account Linking
- Use Alexa Advertising ID
  - Steps to Add Advertising ID
- Earn Money with a Skill
- Add Alexa Shopping Kit
- Include Reminders in a Skill
- Personalize the User Experience
- Expose Skill Functionality with Tasks
- Expose Skill Functionality with Triggers
- Let Skills Work Together with Skill Connections
  - Use Skill Connections to Request Tasks
- Offer Pre-Built Routines from Your Skill
  - Pre-Built Routine API Reference
  - Pre-Built Routine Primitives
- Include Timers in a Skill
  - Set Up Voice Permissions for Timers
  - Best Practices for Timers
- Use Events in a Skill
- Add Dash Replenishment
- Display Suggestions on the Home Screen
- Add Rich Media to Your Skill Detail Page
- Deprecated Features
Test and Debug Your Skill
- Test and Debug Your Custom Skill
- Test and Debug Your Smart Home Skill
- Test with the Alexa Simulator
- Beta Test a Skill
Certify and Publish Your Skill
- Requirements
- Certification Testing
  - Certification Functional Tests
  - Certification Tests for VUI and UX
- Troubleshoot Certification Failures
- Works with Alexa Certification
Monitor Your Skill Metrics and Earnings
- Analyze Your Skill Metrics
- View Your Payments and Earnings
Tools to Create and Manage Skills
- Manage Your Developer Account
- Alexa Developer Console
- Alexa-hosted Skills
- ASK Toolkit for VS Code
- ASK SDKs
- ASK CLI
- Skill Management API
- AWS Tools
Skill Developer Reference
Alexa Interface Reference
- List of Alexa Interfaces
- Message and Property Reference
- Foundational APIs
- Smart Home Skill APIs
- Video Skill APIs
Custom Skill Interface Reference
- Request and Response JSON Reference
- Request Types Reference
- Interfaces
REST API Reference
- Access Token Retrieval
- Account Linking Management
- Alexa-hosted Skill Management
- Audit Logs
- Beta Test Management
- Beta Tester Management
- Catalog Management
- Customer Profile
- Device Settings
- In-Skill Product Management
- Intent Request History
- Interaction Model Catalog Management
- Interaction Model Management
- Linked Data
- Locale Cloning
- Metrics
- Monetization
- NLU Annotation Set
- NLU Evaluation
- Person Profile
- Proactive Events
- Proactive Suggestion
- Progressive Response
- Reminders
- Resource Schema
- Skill Certification
- Skill Credentials
- Skill Development Notifications
- Skill Enablement
- Skill Invocation
- Skill Manifest
- Skill Messaging
- Skill Package Management
- Skill Publishing
- Skill Rollback
- Skill Simulation
- Skill Validation
- Smart Home Skill Evaluation
- SSL Certificates
- Timers
- Utterance Profiler
- Vendor Management
Skill Schema Reference
- Skill Manifest Schema
- Skill Manifest Examples
- Account Linking Schemas
- Interaction Model Schema
- In-Skill Product Schema
- Paid Skill Schema
- Proactive Events Schemas
- Skill Development Event Schemas
SSML Reference
- Best Practices for Using Amazon Polly Voices
- Alexa Skills Kit Sound Library
- Speechcons (Interjections)
- Test SSML Examples with the Audio Sandbox

Account Linking Concepts for Alexa Skills

Note: Sign in to the developer console to build or publish your skill.

To create a link between the Alexa user's Amazon account and the account that they have with your service, the Alexa Skills Kit (ASK) uses the OAuth 2.0 authentication framework. OAuth 2.0 defines a means by which your service can allow Alexa, with the user's permission, to access information from the account that the user has set up with you.

This topic describes OAuth 2.0 concepts in the context of the most common account-linking implementation for Alexa skills: Alexa-app only account linking with the authorization code grant type. Less common variants of account linking, such as a different grant type (implicit grant) or an alternate flow (app-to-app account linking) share many of the same concepts but aren't described here.

Account linking overview

For Alexa skills, account linking rests on the concept that to access the user's account in your system, the Alexa skill must use an access token. In other words, to "link accounts" means "to get the user's permission to obtain an access token" so that the skill can use the access token in API calls to the server that contains the user data. Here, we assume that you own the server that contains the user data, though it could be owned by a third party.

In the most typical scenario (authorization code grant type), the Alexa service does not get an access token directly: it must first get an authorization code and then exchange that for an access token (and, optionally, a refresh token so that it can request a new access token when the old access token expires). The following figure shows the relationship between the key components of account linking, which are described later in this topic. For an example of how users experience the account linking flow, see How Users Experience Account Linking for Alexa Skills.

Concepts

Review the following concepts that you might encounter as you implement account linking.

OAuth roles

OAuth 2.0 defines four roles: resource owner, resource server, client, and authorization server. The following sections describe these roles in the context of Alexa skills. The examples use a fictional custom skill that lets users order rides (Ride Hailer) and a smart home skill that can control lighting (My Lights).

Resource owner
Resource server
Client
Authorization server

Resource owner

The resource ownder is the Alexa user who wants to enable your skill and link it to their account in your system.

Resource server

The resource server hosts the protected resource (user data) that your skill needs to access, with the user's permission.

Client

The client is the Alexa skill making requests to your resource server on behalf of the Alexa user, with the user's permission.

Although the skill is the OAuth client, Alexa performs some operations on behalf of the skill. For example, Alexa makes requests to the authorization server to get an access token. The skill is still considered the client because it's the only component that ever accesses the protected resource (user data) in the resource server.

Authorization server

The authorization server identifies and authenticates the identity of the Alexa user with a user in your system. It plays a key role in account linking in that it: 1) displays a log-in page for the user to log into your system, 2) authenticates the user in your system, 3) generates an authorization code that identifies the user, and 4) passes the authorization code to the Alexa app, and finally, 5) accepts the authorization code from the Alexa service and returns an access token that the Alexa service can use to access the user's data in your system. Due to that last step, the authorization server is sometimes also called a token server.

You can use a third-party authorization server, such as Login with Amazon, or build your own. In any case, the authorization server must support OAuth 2.0. If you use a third-party authorization server, the authorization server provides you with data that you can map to your users in your resource server. For example, if you use Login with Amazon to authenticate users, and then use the Amazon profile:user_id to access a user's profile in your database.

For authorization URI requirements, see Authorization URI requirements.

Codes and tokens

Account linking for Alexa skills uses an access token to access the resource, such as the user's account with your service. In the authorization code grant type scenario, the client must first get an authorization code and then exchange that for an access token and, optionally, a refresh token so that it can request a new access token when the old access token expires.

Account linking supports the following codes and tokens:

Authorization code
Access token
Refresh token
Reciprocal access token

Authorization code

For the authorization code grant type, your authorization server gives the Alexa service an authorization code so that the Alexa service can exchange the code for an access and refresh token pair. After the user logs into your authorization server, your authorization server gives the Alexa service the authorization code by including it in the query string when it redirects the user back to the Alexa app.

Access token

An access token is a credential vended by your token server when the Alexa service exchanges the authorization code provided during customer authentication. The access and refresh token pair identifies the user in your system and represents the user's permission for the Alexa skill to access their data in your system. After the Alexa service gets the access token from your token server, it includes the access token in requests sent to your skill when the user has successfully linked their account.

For access token URI requirements, see Access token URI requirements.

Refresh token

A refresh token is a credential that the Alexa service can use to request a new access token after the old access token expires.

Reciprocal access token

Reciprocal access tokens are used in reciprocal authorization, which is a way for the user to allow a pair of resources, such as the Amazon account they use with Alexa, and the account with your service, to be synced and updated between the two accounts.

Grant types

OAuth 2.0 defines a number of grant types. Grants are ways for a client application (here, an Alexa skill) to authorize the user and obtain an access token that it can use to authenticate a request to the resource server. Two grant types apply to Alexa skills: the authorization code grant (the vast majority of cases) and the implicit grant (limited use). The Alexa account linking documentation focuses on the authorization code grant type as the recommended grant type for security and usability reasons.

Authorization code grant type
Implicit grant type

Authorization code grant type

The grant type in which the Alexa service gets an authorization code from your authorization server, exchanges it for an access token, and then passes the access token in requests to your skill as described in Codes and tokens. In an authorization code grant, your authorization server gives the Alexa service the authorization code by including it in the query string when it redirects the user back to the Alexa app after the user logs into your authorization server. The Alexa service then uses this code to request an access and refresh token pair from your token server, using the access token endpoint (URI). After the access token expires, the Alexa service users the refresh token to request a new access token. Implement the authorization code grant type unless you're sure that you want the implicit grant type.

Implicit grant type

The grant type for requesting the user's authorization to access their information in another system. In an implicit grant, the authorization server returns the access token after the user logs in successfully. This grant type is less secure than the authorization code grant type. Only custom skills can use the implicit grant type.

Reciprocal authorization

Reciprocal authorization is when the user allows a pair of resources to be synced and updated. Typical account linking allows Alexa skills to access resources in your system. Reciprocal authorization goes a step further, in that it allows you to access Alexa resources as well.

Most OAuth servers only provide the ability to authenticate and authorize users in your system. However, some skills must proactively interact with the Alexa backend to make updates. In Alexa, reciprocal authorization is achieved by a reciprocal authorization endpoint, which you host to obtain an authorization code from Alexa.

URIs for account linking

Account linking uses the following URIs. Alexa passes parameters to the authorization server as part of the URI query string.

Name Description Where you specify or get it

Name	Description	Where you specify or get it
Authorization URI	The URI of your authorization server, which provides the Alexa service with an authorization code. The Alexa service calls the authorization URI with these query parameters. For a list of requirements for the authorization server, see Authorization URI requirements.	You specify this URI by using: Developer console (Authorization URI) ASK CLI (`Authorization URL`) SMAPI (`authorizationUrl`).
Alexa redirect URI	Your authorization server calls this URI to take the user back to the Alexa app after they log into your system.	Use the value that the Alexa service passes as the `redirect_uri` query parameter when it calls your authorization URI. You can also find the Alexa redirect URI in the developer console (Alexa Redirect URLs), ASK CLI, or SMAPI (`redirectUrls`). However, these sources list multiple redirect URIs because the final value depends on where the user registered their Alexa device. Instead, use the `redirect_uri` that Alexa passes to your authorization URI as a query parameter. You must register the Alexa redirect URI as described in Authorization URI requirements.
Access token URI	The URI of your token server, which is the endpoint of your authorization server that can receive an authorization code and return an access and refresh token pair that the Alexa service can use to access the user's data in your system. The Alexa service makes a POST request to the access token URI and includes the authorization code in the parameters. The token server responds and includes the access and refresh tokens in JSON. For a list of requirements, see Access token URI requirements.	You specify this using: Developer console (Access Token URI) ASK CLI (`Access Token URI`) SMAPI (`accessTokenUrl`).

Authorization URI

The URI of your authorization server, which provides the Alexa service with an authorization code. The Alexa service calls the authorization URI with these query parameters.

For a list of requirements for the authorization server, see Authorization URI requirements.

You specify this URI by using:

Developer console (Authorization URI)
ASK CLI (Authorization URL)
SMAPI (authorizationUrl).

Alexa redirect URI

Your authorization server calls this URI to take the user back to the Alexa app after they log into your system.

Use the value that the Alexa service passes as the redirect_uri query parameter when it calls your authorization URI.

You can also find the Alexa redirect URI in the developer console (Alexa Redirect URLs), ASK CLI, or SMAPI (redirectUrls). However, these sources list multiple redirect URIs because the final value depends on where the user registered their Alexa device. Instead, use the redirect_uri that Alexa passes to your authorization URI as a query parameter.

You must register the Alexa redirect URI as described in Authorization URI requirements.

Access token URI

The URI of your token server, which is the endpoint of your authorization server that can receive an authorization code and return an access and refresh token pair that the Alexa service can use to access the user's data in your system. The Alexa service makes a POST request to the access token URI and includes the authorization code in the parameters. The token server responds and includes the access and refresh tokens in JSON.

For a list of requirements, see Access token URI requirements.

You specify this using:

Developer console (Access Token URI)
ASK CLI (Access Token URI)
SMAPI (accessTokenUrl).

Was this page helpful?

Provide feedback

Last updated: May 06, 2025