Request Customer Contact Information for Use in Your Skill

When a customer enables your Alexa skill, your skill can request the customer's permission to the their contact information, which includes name, email address and phone number, if the customer has consented. You can then use this data to support personalized intents to enhance the customer experience without account linking. For example, your skill may use customer contact information to make a reservation at a nearby restaurant and send a confirmation to the customer.

This document describes how to enable this capability and query Alexa Customer Profile API for customer contact information.

The Customer Profile API uses information from the active default Alexa profile, which may or may not represent who is speaking to Alexa.

Because any of the requested information items such as customer name, email address or phone number may not be available to the skill when requested, the skill service code should handle missing information gracefully.

For information on how to request device address information, see Enhance Your Skill With Address Information.

Replace Account Linking with Customer Contact Permissions

If you use account linking in your skill to obtain customer information and fulfill one-time personalized customer requests such as making reservations and appointments, or to send detailed information to customers over email or text, consider using customer contact permissions instead, as they provide a seamless customer experience and greater ease of maintenance. If your skill uses slots to collect a customer email address or phone number, you can replace it with customer contact permissions and achieve higher accuracy and a more engaging customer experience.

If you would like to remove account linking and use customer contact permissions instead, please reach out through Contact Us with your skill ID. When you have removed account linking from a live skill, you should communicate the change to your users via voice. If you request profile permissions from a user who has previously linked their account, your voice prompt should provide the reason why you are asking for their profile information again. We also recommend that you mention the removal of account linking in the About this Skill section on your Skill Detail card.

Before you begin

To protect customer data, any skill that uses customer contact information must meet the requirements below. If Amazon determines that your skill violates any of these requirements, we will reject or suspend your submission and notify you using the email address associated with your developer account.

  • You must include a link to the Privacy Policy that applies to your skill on the Distribution page of the developer console.
  • Your skill must not be a child-directed skill. See here for more information on child-directed skills.
  • You must request permission to receive customer contact information only when required to support the features and services provided by your skill. You must use any personal information you request only as permitted by the user and in accordance with your privacy notice and applicable law.
  • You must not use customer information (name, email address, phone number) to link the customer's account in the background. That is, you must not associate an Alexa customer to a customer in your account pool with the same contact information. Customers’ Amazon account information is not verified and may be outdated.
  • The skill must call the Alexa Customer Profile API to get the latest customer information every time the customer invokes the skill with a request that needs this information.

How to request customer contact information

To request customer contact information within your skill, follow these steps:

  1. Configure your skill in the developer console to indicate that it requires customer contact information. As a result, when the customer enables the skill, the customer is prompted, in the Alexa app, to consent to provide the contact information. If the customer chooses to not grant these permissions when enabling your skill, you may request this information, when needed, during invocation via a permissions card. Ensure your skill handles the situation gracefully if the customer refuses to grant permission to access this information.
  2. Obtain the apiAccessToken from the Alexa LaunchRequest message when a customer invokes the skill. Do not store the apiAccessToken as it expires, but instead obtain it fresh from each subsequent request.
  3. Make a request to the correct endpoint that includes the apiAccessToken, as described in Get customer contact information.

Configure the skill to request customer permissions

If you are using the developer console to manage your skill, configure your skill as follows:

  1. Edit your skill in the developer console.
  2. Navigate to the Build > Permissions page in the console.

Select one or more of the following depending on which customer resources you require for your skill:

  • Customer Name - Full Name or Given Name (First Name)
  • Customer Email Address
  • Customer Phone Number

If you using SMAPI or ASK CLI to manage your skill, edit the skill manifest to request the desired permissions.

Get the API access token

Each request sent to your skill includes an API access token (apiAccessToken) that encapsulates the permissions granted to your skill. You need to retrieve this token and include it in requests for the customer's contact information.

The apiAccessToken is nested in the System object, which is nested in the context object. To see the full body of the request, refer to Request Format.

{
  "context": {
    "System": {
      "apiAccessToken": "AxThk...",
      "apiEndpoint": "https://api.amazonalexa.com",
	  ...
    }
  }
}

Thus: accessToken = this.event.context.System.apiAccessToken

When making the request for the data, include the access token in an Authorization header in this format:

Bearer < ACCESS_TOKEN >

where < ACCESS_TOKEN > is the value of the apiAccessToken field from the Alexa request message, as shown in this example:

Authorization: Bearer AxThk...6fnLok

The apiAccessToken is included in all requests to your skill, regardless of whether the user granted your skill the permissions needed to fulfill the request. Therefore, the token may not contain the right set of permissions for your skill to fulfill the request. Your skill can display a special permissions card to ask customers for consent dynamically.

New CardAskForPermissionsConsentCard
InterfaceCardRenderer
Definition{ "type": "AskForPermissionsConsent", "permissions": << list of scope strings >> }
Attributespermissions: this contains a list of scope strings that maps to Alexa permissions. Include only those Alexa permissions that are both needed by your skill and that are declared in your skill metadata in the developer console.

Because apiAccessToken is included in all skill requests, you cannot use the presence of apiAccessToken to determine whether or not you have the needed permissions. Instead, call the API and check the response code. A 403 Forbidden response indicates that your skill does not have the permissions, so at that point the skill can include the AskForPermissionsConsent card in its response to Alexa. The customer will be informed about the card and can then decide whether to grant the permissions.

Sample response with permissions card

An in-session interaction can return a response that includes the new AskForPermissionsConsent card.

The permissions values can be as shown in the following table:

Full Namealexa::profile:name:read
Given Name (First Name)alexa::profile:given_name:read
Email Addressalexa::profile:email:read
Phone Numberalexa::profile:mobile_number:read

Here is a sample response for a card with a request for name and phone number.

{
  "version": "1.0",
  "response": {
    "card": {
      "type": "AskForPermissionsConsent",
      "permissions": [
        "alexa::profile:name:read",
        "alexa::profile:mobile_number:read"
      ]
    }
  }
}

The permissions value will always match the scope that you declared for the skill on the Build > Permissions page in the developer console.

Use Skill Permission Accepted events in your skill

Use Skill Permission Accepted Events in your skill to get notified when the customer has granted permissions to the skill.

Test the API as you develop your skill

You can do limited testing on the Test page in the developer console. When testing your skill with the Alexa Simulator, your skill can call the Alexa Customer Profile API and get back a non-error response, containing your own information. You can also test the flow when the user has not granted permissions.

To test the case where the customer has provided permissions to your skill, ensure that you have granted the contact permissions for your skill in the Alexa companion app. When you open the skill ("Alexa, open skill_name"), that will cause a LaunchRequest to be sent. If the permissions have been granted, you can obtain the apiAccessToken from the request.

To test the case where the customer has not provided permissions to your skill, ensure that the contact permissions for your skill in the Alexa companion app are not granted. When you open the skill ("Alexa, open skill_name"), that will cause a LaunchRequest to be sent. This request will contain the apiAccessToken value, but the apiAccessToken will not specify the correct permissions. Passing this token to the Alexa Customer Profile API will return a 403 Forbidden response code.

When a customer enables your skill, this customer is prompted to consent to requested permissions from within the Alexa app. The voice prompt should describe why the skill needs these permissions. If the customer does not consent, your skill can send a Permissions card to the Alexa app (or to the screen if the customer is using an Alexa-enabled device with a screen), to prompt the customer for the permissions required for the intent. Your skill should include a graceful fallback message, if needed, in your code.

You are encouraged to develop the skill such that some functionality is available without the requested permissions. You should prompt the customer for permissions when needed to fulfill a customer request.

Sample message to prompt customer to grant permissions through permissions card

"In order to <request from customer>, skill_name will need access to your email address. Go to the home screen in your Alexa app and grant me permissions."

Fallback message when customer contact information is not available

When your skill requests the customer's contact information, and the customer grants it, this information may still be unavailable, such as if a customer has not provided phone number to Alexa. In the case that requested customer information is unavailable, a 204 (no content) response will be returned.

In this situation, if your skill cannot fulfill the request without some piece of information, you may prompt the user to set up this information on their Amazon.com account.

Sample message if resource_name is unavailable

"Your resource_name was not set. You can enter these details in your Amazon account, and then invoke the skill again.

Suggested best practices when customer contact information is unavailable

As a skill developer, you can determine the appropriate response when the customer has not set up contact information.

You can provide a graceful fallback message that indicates the skill cannot function without this information, and end the session.

Alternatively, you can provide a message that indicates that the skill will continue to work, but with reduced functionality compared to having the requested information.

For a good customer experience, ensure that you consider the skill workflow for all of the scenarios in which you fail to get the desired information.

Base URIs and geographic location of the skill

The endpoint for the Alexa Customer Profile API varies depending on the geographic location of your skill. As shown in this JSON snippet, you can get the correct base URL to use from the apiEndpoint value in the System object: context.System.apiEndpoint.

{
  "version": "1.0",
  "session": {},
  "context": {
    "System": {
      "application": {
        "applicationId": "amzn1.ask.skill.<skill-id>"
      },
      "user": {},
      "apiAccessToken": "AxThk...",
      "apiEndpoint": "https://api.amazonalexa.com"
    }
  },
  "request": {}
}

The examples in this document use the US endpoint api.amazonalexa.com.

For more about configuring your skill for multiple languages, see Develop Skills in Multiple Languages.

Get customer contact information

Use the following endpoints to get the customer contact information (note that these are literal strings). The endpoints are case-sensitive.

Full Name/v2/accounts/~current/settings/Profile.name
Given Name (First Name)/v2/accounts/~current/settings/Profile.givenName
Email Address/v2/accounts/~current/settings/Profile.email
Phone Number/v2/accounts/~current/settings/Profile.mobileNumber

Request Example

Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer MQEWY...6fnLok
GET https://api.amazonalexa.com/v2/accounts/~current/settings/Profile.name
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer MQEWY...6fnLok
GET https://api.amazonalexa.com/v2/accounts/~current/settings/Profile.mobileNumber

Request Headers

Header Description Type Required
Authorization A current access token in the format: Bearer your access token string yes

Response Example

Header

Host: api.amazonalexa.com
X-Amzn-RequestId: xxxx-xxx-xxx
Content-Type: application/json

Body

{
  "countryCode" : "+1",
  "phoneNumber" : "999-999-9999"
}

Here is a list of return types (all JSON values).

Full Name"string"
Given Name (First Name)"string"
Email Address"string"
Phone Number{ "countryCode": "string", "phoneNumber": "string" }

The (mobile) phone number is a combination of countryCode and phoneNumber. The phoneNumber may additionally contain the countryCode, and is not guaranteed to be just the local part of the phone number. By itself, the phoneNumber value should be a valid number for dialing.

Thus, the phone number may have a variety of different formats, and some examples include: +917799827710, 7799827710, +91 7799 82 77 11, +91 7799-82-77-11. For just the country code, some possible formats include: +1, 001, 1.

Response Headers

Header Description
Content-Type application/json
X-Amzn-RequestId Unique identifier for the request. If a problem occurs, Amazon can use this value to troubleshoot the problem.

Possible Responses

Response Description
200 OK Successfully retrieved the requested information.
204 No Content The query did not return any results.
401 Unauthorized The authentication token is malformed or invalid.
403 Unauthorized The authentication token does not have access to the resource.
429 Too Many Requests The skill has been throttled due to an excessive number of requests.
500 Internal Error An unexpected error occurred.