Developer Console

API Access

To use Developer Console APIs, you need to create a security profile and map it to the API. A security profile is the mechanism used to generate access tokens for API access.

Create a Security Profile

To create a security profile, follow these steps:

  1. Log in to your Amazon Developer Console account. You will be prompted to create an account if you do not already have one.
  2. In the main navigation, click Apps & Services.
  3. Click API Access in the sub-menu.
  4. Click the name of the API.


  5. Click the Create a new security profile button.
  6. Enter a Security Profile Name and Security Profile Description for your new profile, then click Save.
  7. Save your Client ID and Client Secret (from the Web Settings tab), as you will need this information to access the Sales Reporting API.

Map the Security Profile to the API

To map the security profile to the API, follow these steps:

  1. Return to the API Access page.
  2. Click the API name to select the API.
  3. Select your new security profile from the drop-down list.
  4. Select Attach to associate the security profile with this API. The API name and attached security profile are added to the Security Profile(s) in use panel.

You can now use the client ID and client secret to request a Login with Amazon (LWA) access token.

Request LWA Access Token

With your client ID and client secret, use the Login with Amazon API to request a Login with Amazon access token by following these steps:

1. Send token request

Send a POST request to https://api.amazon.com/auth/o2/token with the following header and content:

  • Header: Content-Type: application/x-www-form-urlencoded
  • Content:
    • client_id: The client ID you saved in step 7 of Create a Security Profile.
    • client_secret: The client secret you saved in step 7 of Create a Security Profile.
    • grant_type: Set to client_credentials.
    • scope: Set the value to appstore::apps:readwrite (or adx_reporting::appstore:marketer for the Reporting API).

Sample JSON content:

{
    "grant_type": "client_credentials",
    "client_id": "amzn1.application-oa2-client.<your-client-id>",
    "client_secret": "<your-client-secret>",
    "scope": "appstore::apps:readwrite"
}

Sample cURL request:

curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=client_credentials&client_id=amzn1.application-oa2-client.<your-client-id>&client_secret=<your-client-secret>&scope=appstore::apps:readwrite' https://api.amazon.com/auth/o2/token

2. Save the response

The response looks like this:

{
    "access_token": "Atc|MAEBI...",
    "scope": "appstore::apps:readwrite",
    "token_type": "bearer",
    "expires_in": 3600
}

  • access_token: The access token.
  • expires_in: The number of seconds until the access token expires.
  • scope: Will be appstore::apps:readwrite (or adx_reporting::appstore:marketer for the Reporting API).
  • token_type: Will always be bearer.

3. Handle any error responses

If your token request results in an error, the response message body includes one of the following error messages:

| Error message body | Details |
|---|---|
| {"error_description":"Client authentication failed", "error":"invalid_client"} | Invalid secret key |
| {"error_description":"The request has an invalid parameter : scope", "error":"invalid_scope"} | Invalid scope value |
| {"error_description":"The authorization grant type is not supported by the authorization server", "error":"unsupported_grant_type"} | Incorrect authorization grant type |
| {"error_description":"The Content-Type is not supported by the authorization server", "error":"invalid_request"} | Unsupported content-type |
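Steps 1 to 3 as a small Python client. This is an added example, not Amazon's own code. It builds the form-encoded request, turns the response into a token plus expiry time, and maps the error bodies above to their details. The function names, the environment variable names LWA_CLIENT_ID and LWA_CLIENT_SECRET, and the 60-second refresh margin are assumptions.

```python
import json, os, time
import urllib.error, urllib.parse, urllib.request

TOKEN_URL = "https://api.amazon.com/auth/o2/token"  # endpoint given in step 1
# Error codes from the table in step 3, with the detail the page lists for each.
ERROR_DETAILS = {
    "invalid_client": "Invalid secret key",
    "invalid_scope": "Invalid scope value",
    "unsupported_grant_type": "Incorrect authorization grant type",
    "invalid_request": "Unsupported content-type",
}

class TokenError(Exception):
    """Raised for an error response; the message never contains the secret."""

def build_token_request(client_id, client_secret, scope="appstore::apps:readwrite"):
    """Build (without sending) the POST described in step 1."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode("ascii")
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(raw, now=None, margin=60):
    """Return (access_token, refresh_at) or raise TokenError for an error body."""
    msg = json.loads(raw)
    if "error" in msg:
        code = msg["error"]
        detail = ERROR_DETAILS.get(code, msg.get("error_description", "unknown"))
        raise TokenError(f"{code}: {detail}")
    if str(msg.get("token_type", "")).lower() != "bearer":
        raise TokenError("unexpected token_type")
    now = time.time() if now is None else now
    # Refresh slightly before expires_in elapses (margin is an assumption).
    return msg["access_token"], now + int(msg["expires_in"]) - margin

def fetch_token():
    """Send the request; credentials come from the environment, not source code."""
    req = build_token_request(os.environ["LWA_CLIENT_ID"], os.environ["LWA_CLIENT_SECRET"])
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_token_response(resp.read())
    except urllib.error.HTTPError as err:  # assumed: error JSON arrives with a non-2xx status
        return parse_token_response(err.read())
```

Keep the returned token in memory, reuse it until the refresh time, and keep both the token and the client secret out of logs and version control.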