Console

Settings

Sign out

Notifications

Alexa

Amazon Appstore

AWS

Documentation

Support

My Cases

Console

Fire OS Developer Docs

Home

Develop

Test

Publish

Monetize

Engage users

Device specifications

Resources

One-Click Account Information Sharing for Quick Subscribe

Important: At this time, Quick Subscribe is available to select partners only.

One-click account information sharing allows customers to share their Amazon account information with your app with minimal effort, rather than having to manually enter their details. This feature improves the sign-up experience for customers. Use this guide to set up one-click account information sharing in your app.

Update app manifest

To indicate to the Appstore that your app supports the one-click account information sharing feature for Quick Subscribe, update your app's manifest with the following code.

<uses-feature android:name="amazon.lwa.quicksignup.supported"/>

Configure security profile

For one-click account information sharing to properly work, you must set up a security profile for your app. The security profile is essential because it allows Amazon to securely share customer data with you and lets you automatically create an account and sign in a user.

A security profile associates Amazon data, including security credentials, with one or more apps. For example, if you have two apps, "My Game - Free" and "My Game - HD", they can share data by using the same security profile. Name your security profile in a way that helps identify your app or app family. For more details, see Security Profile.

Warning: Make sure to attach the correct security profile to your app. After you attach a security profile to an app, you can't change it through the Developer Console. If you need to update the security profile attached to an app, you must contact an Amazon representative.

To configure a security profile for your app

Go to the Developer Console dashboard, and sign in to your account.
Select Apps & Services > My Apps, and then select your app.
Select App Services and scroll to the Security Profile section.
Click Select existing security profile or create new to expand the options.
Use the drop-down to select the security profile that you want to map to this app, then click Enable Security Profile.

Alternatively, you can create a new security profile by clicking Create Security Profile. If creating a new security profile, make sure to complete all required fields and then click Save.

After successfully attaching the security profile, the Security Profile section displays a success message and shows the attached profile's details.

Implement getUserData changes

To determine whether a customer has explicitly consented to share their Amazon account details with your app, you must implement the following process during your app's initialization.

In the onResume() method of your app's main activity:

Create a new UserDataRequest object and configure it to request the customer's profile consent status information. To configure the UserDataRequest object to request consent status, set its setFetchUserProfileAccessConsentStatus() method to true.
Call the getUserData() method and pass the configured UserDataRequest object to it.

The following example shows how to build a UserDataRequest object and pass it to getUserData().

@Override
protected void onCreate(Bundle savedInstanceState)
{
    super.onCreate(savedInstanceState);

    //...

    // Pass the reference of PurchasingListener to be registered
    PurchasingService.registerListener(this.getApplicationContext(), purchasingListener);

    // Pass the reference of UserProfileAccessListener to be registered
    PurchasingService.registerUserProfileAccessListener(this.getApplicationContext(), userProfileAccessListener);

    //...
}

@Override
protected void onResume()
{
    super.onResume();

    //...

    // Implement logic to identify customer logged in status inside isLoggedIn()
    if (!isLoggedIn()) {
        PurchasingService.getUserData(UserDataRequest.newBuilder().setFetchUserProfileAccessConsentStatus(true).build());
    }

    //...
}

Implement the onUserDataResponse() callback method to get the UserDataResponse object, which contains customer consent data. The following code shows how to handle the consent data received from the UserDataResponse object.

@Override
public void onUserDataResponse(final UserDataResponse response) {

    UserDataResponse.RequestStatus status = response.getRequestStatus();

    switch (status) {
        case SUCCESSFUL:
            if (UserProfileAccessConsentStatus.CONSENTED.equals(response.getUserData().getUserProfileAccessConsentStatus())) {
                // Initiate the custom loader screen or spinner.
                PurchasingService.requestUserProfileAccess();
            }
            break;

        case FAILED:
        case NOT_SUPPORTED:
            // Fail gracefully.
            break;
    }
}

If a customer provides consent, the UserProfileAccessConsentStatus of the UserData object has the status CONSENTED. If a customer doesn't provide consent or if the consent token expires, UserProfileAccessConsentStatus has the status UNAVAILABLE.

Note: A consent token expires after the first query.

If the customer provides consent, call the requestUserProfileAccess() method and update your server with the authorization code found in the response object. Then, use the REST APIs provided by Appstore IAP to get an access token and the customer profile. Create an account in your system with the user information shared.

The following code shows how to extract the user profile access authorization code from the UserProfileAccessResponse object.

@Override
public void onUserProfileAccessResponse(final UserProfileAccessResponse response) {
    
    UserProfileAccessResponse.RequestStatus status = response.getRequestStatus();
    
    switch (status) {
        case SUCCESSFUL:
            // Here you should update your server with the userProfileAccessAuthCode 
            // to further interact with Appstore IAP REST APIs to get access token and customer profile.
            final String userProfileAccessAuthCode = response.getUserProfileAccessAuthCode();
            break;
    
        case FAILED:
        case NOT_SUPPORTED:
            // Fail gracefully.
            break;
    } 
}

If the customer doesn't provide consent, show your own sign-in screen. The customer can then enter their credentials using the keyboard to sign in to your app.

Note: After you request access to the user profile and update your server with the response, you'll call the Appstore IAP REST APIs to get the access token and customer profile. The next sections explain these APIs.

Get Access Token API

Appstore IAP provides the Get Access Token REST API for you to obtain an access token. This section describes the request, response, and errors.

Access token request

After the app receives a response to requestUserProfileAccess() with a valid authorization code, it can use that code to obtain an access token. With an access token, the client can read a customer profile.

The Get Access Token API must use a POST request rather than a GET request, as shown in the following example.

POST https://appstore-sdk.amazon.com/version/1.0/auth/o2/token?
grant_type=authorization_code
&code=SplxlOBezQQYbYS6WxSbIA
&client_id=foodev
&client_secret=foosecret

The following table describes the access token request parameters.

Access token request parameters
Request parameter	Description
`grant_type`	Required. The type of access grant requested. Must be `authorization_code`.
`code`	Required. The authorization code returned by the `requestUserProfileAccess()` method.
`client_id`	Required. The client identifier.
`client_secret`	Required. The secret value assigned to the client during registration. Don't use the client secret in browser-based apps because client secrets can't be reliably stored on web pages.

Access token response

To access customer data, you must provide an access token to the Appstore IAP Get User Profile API. An access token is an alphanumeric code 350 characters or more in length, with a maximum size of 2048 bytes. Access tokens begin with the characters Atza|.

Response parameters are encoded using the application/json media type. For more information, see RFC4627. The following is an example response from an access token request.

{
"access_token":"Atza|IQEBLjAsAhRmHjNgHpi0U-Dme37rR6CuUpSR...",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"Atzr|IQEBLzAtAhRPpMJxdwVz2Nn6f2y-tpJX2DeX..."
}

The following table describes the access token response parameters.

Access token response parameters
Response parameter	Description
`access_token`	The access token for the user account. Maximum size of 2048 bytes.
`token_type`	The type of token returned. Value is `bearer`.
`expires_in`	The number of seconds before the access token becomes invalid.
`refresh_token`	A refresh token that can be used to request a new access token. Maximum size of 2048 bytes.

An access token is a bearer token and can be used by another client. For more information, see The OAuth 2.0 Authorization Framework: Bearer Token Usage.

Access token errors

For some errors, the authorization service may return an HTTP 401 (Unauthorized) status code. This includes cases where the client passed the client_id and client_secret values in the authorization header and the client could not be authenticated.

The following table describes the error parameters in an unsuccessful response.

Access token error response parameters
Error parameter	Description
`error`	An ASCII error code with an error code value.
`error_description`	A human-readable ASCII string with information about the error, useful for client developers.
`request_id`	ID associated to your access token request.

The following error codes can be returned as the value for error.

Access token error response codes
Error code	Description
`invalid_request`	The request is missing a required parameter, has an invalid value, or is otherwise improperly formed.
`invalid_client`	The client authentication failed. This is used in cases when the authorization service does not return an `HTTP 401 (Unauthorized)` status code.
`invalid_grant`	The authorization code is invalid, expired, revoked, or was issued to a different `client_id`.
`unauthorized_client`	The client is not authorized to use authorization codes. Can be caused by invalid `code_verifier`.
`unsupported_grant_type`	The client specified the wrong `token_type`.
`ServerError`	The server encountered a runtime error.

Get User Profile API

Appstore IAP provides the Get User Profile REST API to get user profile data. This section describes the request, response, and errors.

User profile request

To access authorized user profile data, use the Get User Profile API to submit the access token to the Appstore. The Get User Profile API uses an HTTPS GET request and takes the access token that you received from the Get Access Token API as it's only parameter.

The following example shows a GET request to obtain user profile data.

GET https://appstore-sdk.amazon.com/version/1.0/user/profile?
access_token=Atza|IQEBLjAsAhRmHjNgHpi0U-Dme37rR6CuUpSR...

User profile request parameters
Request parameter	Description
`access_token`	Required. The access token received from the Get Access Token API.

User profile response

If your access token is valid, you receive the customer's profile data as an HTTP response in JSON, as shown in this example.

{
"user_id": "amznl.account.K2LI23KL2LK2",
"email":"mhashimoto-04@plaxo.com",
"name" :"Mork Hashimoto",
"postal_code": "98052"
}

If there is a problem fulfilling your profile request, you receive an HTTP error and might receive a JSON payload with more information, as shown in the following example.

{
"error": "machine-readable error code",
"error_description": "human-readable error description",
"request_id": "bef0c2f8-e292-4l96-8c95-8833fbd559df"
}

The following table describes the error codes that can be returned in an unsuccessful user profile request.

User profile error response codes
HTTP status code	Status message	Description
200	Success	The request was successful.
400	invalid_request	The request is missing a required parameter or otherwise malformed.
400	invalid_token	The access token provided is expired, revoked, malformed, or invalid for other reasons.
401	insufficient_scope	The access token provided does not have access to the required scope.
500	ServerError	The server encountered a runtime error.

Best practices for account setup

Follow these best practices for setting up customer accounts.

If UserProfileAccessConsentStatus has the value CONSENTED in the getUserData() response, do the following:
- Fetch the user information from the Appstore IAP Get User Profile API. Use this information to create a login account with a temporary password. Sign the customer in to the app without requesting a password reset or additional details from the customer.
- Later, ask the customer to reset the password through email.
If UserProfileAccessConsentStatus is UNAVAILABLE, use the default app sign-up experience for the customer.

Last updated: Jan 07, 2026