LWA Mobile SDK Overview

To access the Dash Replenishment Service (DRS), your DRS-enabled product needs to obtain a Login with Amazon access token, which will be sent up with each request. This document explains how to obtain an access token using the Login with Amazon SDK for Android or iOS.


Before you integrate the LWA SDK into your companion app, your product must be able generate a code verifier and create a code challenge. These values along with the code challenge method are used by LWA to validate requests from your product before tokens are exchanged. The LWA implementation of symmetric proof of possession is based on Proof Key for Code Exchange by OAuth Public Clients

  • Code Verifier

    A code verifier is a cryptographically random string generated by your product, which is hashed (SHA256) and handed off to your companion app. The string should be between 43 and 128 characters long and composed of characters from the URL and filename-safe alphabet ([A-Z], [a-z], [0-9], “-“, “_ “, “.”, “~”).

    The code verifier is sensitive data and should never be transferred from your product.

  • Code Challenge

    Your client/product is expected to create a code challenge derived from the code verifier using one of the following transformations of the code verifier, however, SHA-256 is recommended:

    • plain
      code challenge = code verifier

    • S256
      A Base64url encoding of your code verifier’s SHA256 hash. The Base64url encoded string should not contain the following characters: “=”, “+”, or “/”.

    See Proof Key for Code Exchange by OAuth Public Clients, Appendix A for detailed information on implementing Base64url encoding.

  • Code Challenge Method

    The method used to derive the code challenge. LWA accepts both plain and SHA-256.

Platform Options for Using the LWA SDK with DRS

See one of the following for instructions on using the Login with Amazon SDK for Android or iOS with DRS.