Access Token Retrieval REST API Reference
Use the Access Token Retrieval REST API to request credentials to access Alexa. You can request access outside of a skill session from your app or service, or you can request access within a skill session on behalf of a customer. The API retrieves the access token from the Login with Amazon (LWA) OAuth 2.0 server.
API endpoint
The LWA endpoint is https://api.amazon.com/auth/o2/token.
Authentication
To retrieve an access token, you need your skill credentials. You can obtain your client ID and client secret for your skill from the Alexa developer console or by using the Alexa Skills Kit (ASK) Command Line Interface (CLI) get-skill-credentials command.
To get your credentials from the Alexa developer console
- Sign in to the developer console.
- On the Skills tab, under SKILL NAME, find your skill, and then, from the drop-down menu under ACTIONS, select Edit.
- In the sidebar, select Tools > Permissions or PERMISSIONS.
- Scroll to the bottom of the page, and then copy the value from the Alexa Client Id field.
- In a convenient place, such as Notepad on Windows or TextEdit on Mac, paste the client Id.
- Click SHOW, and then copy the value from the Alexa Client Secret field.
- Paste the client secret in the same place you pasted the client Id.
Operations
The Access Token Retrieval API includes the following operations.
| Operation | HTTP method and URI | 
|---|---|
| 
 | |
| 
 | |
| 
 | 
Get access token with authorization code
Generate an access token on behalf of the customer. You include your skill credentials and an authorization code that identifies the customer. Use the access token in subsequent requests to Alexa.
Request
To generate a token, you make a POST request to the /auth/o2/token resource.
Request path and header example
POST /auth/o2/token HTTP/1.1
Host: api.amazon.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Request path and header parameters
The request path and header have no parameters.
Request body example
grant_type: authorization.code.1
&code: customer.auth.code.1
&client_id: your.client.id
&client_secret: your.client.secret
Request body properties
| Property | Description | Type | Required | 
|---|---|---|---|
| 
 | Type of access grant requested. You must set this parameter to  | String | Yes | 
| 
 | Authorization code that identifies the customer.  | String | Yes | 
| 
 | Alexa client Id for the skill. | String | Yes | 
| 
 | Alexa client secret for the skill. Unique token known only to Alexa and the OAuth 2.0 server. | String | Yes | 
| 
 | Address to where the authorization service should redirect the user.   Required if you provided a  | String | No | 
Response
A successful response returns HTTP 200 OK, along with access and refresh bearer tokens.
On error, the response returns the appropriate HTTP status code, error code, and error description.
When you send requests to the Alexa, set the token type to bearer in the REST API Authorization header and the endpoint.scope object in smart home APIs. When the access token expires, obtain a new token by following the procedure in Refresh access token, and then use the new access token in your requests. After your token expires, the response returns HTTP 403 Forbidden with a message that says "Request is not authorized."
Response example
The following example shows a response with a JSON response body.
HTTP/1.1 200 OK
 Content-Type: application/json;charset UTF-8
 Cache-Control: no-store
 Pragma: no-cache
 {
    "access_token":"some.accesstoken.1",
    "token_type":"bearer",
    "expires_in":3600,
    "refresh_token":"some.refreshtoken.1"
 }
Response body properties
| Property | Description | Type | 
|---|---|---|
| 
 | Access token for the customer account.  | String | 
| 
 | Type of token. Always set to  | String | 
| 
 | Number of seconds before the access token becomes invalid. | Integer | 
| 
 | Refresh token for the customer account. Allows your skill to request a new access token from LWA.  | String | 
HTTP status codes
| Status | Description | 
|---|---|
| 
 | Response body contains the access and refresh tokens. | 
| 
 | Indicates one of the following errors: 
 For details about why the request failed, check the  | 
| 
 | Client credential authentication failed. | 
| 
 | Access or refresh token expired, revoked, or is invalid. | 
| 
 | Error occurred on the server. You can retry the request by using exponential back-off. | 
| 
 | Server is down for maintenance, overloaded, or otherwise unavailable to handle the incoming request. | 
Sample cURL request
curl -k -X POST -H
 'Content-Type: application/x-www-form-urlencoded' -d
'grant_type=authorization_code&client_id=your.client.id&client_secret=your.client.secret&code=authorization.code.1'
 https://api.amazon.com/auth/o2/token
Get access token with skill credentials
Generate an access token to authenticate your app or service with Alexa. You include your skill credentials and the scope or operations that you want to use. You can use the access token in requests to the Alexa REST APIs outside of a skill session, such as in your app or skill management tools.
You can also generate access tokens by using the Alexa Skills Kit (ASK) Command Line Interface (CLI) generate-lwa-tokens command.
Request
To generate a token, you make a POST request to the /auth/o2/token resource.
Request path and header example
POST /auth/o2/token HTTP/1.1
Host: api.amazon.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Request path and header parameters
The request path and header have no parameters.
Request body example
grant_type: client_credentials
&client_id: your.client.id
&client_secret: your.client.secret
&scope=alexa.api.scope
Request body properties
| Property | Description | Type | Required | 
|---|---|---|---|
| 
 | Type of access grant requested. You must set this parameter to  | String | Yes | 
| 
 | Alexa client Id for the skill. | String | Yes | 
| 
 | Alexa client secret for the skill. Unique token known only to Alexa and the OAuth 2.0 server. | String | Yes | 
| 
 | Requested scope of access.   | String | Yes | 
Response
A successful response returns HTTP 200 OK, along with a bearer token.
On error, the response returns the appropriate HTTP status code, error code, and error description.
When you send requests to the Alexa, set the token type to bearer in the REST API Authorization header and the endpoint.scope object in smart home APIs. When the access token expires, obtain a new token by following the same procedure, and then use the new access token in your requests. 
After your token expires, the response returns HTTP 403 Forbidden with a message that says "Request is not authorized."
Response example
The following example shows a response with a JSON response body.
HTTP/1.1 200 OK
 Content-Type: application/json;charset UTF-8
 Cache-Control: no-store
 Pragma: no-cache
 {
    "access_token":"some.accesstoken.1",
    "token_type":"bearer",
    "expires_in":3600,
    "scope": "alexa.api.scope"
 }
Response body properties
| Property | Description | Type | 
|---|---|---|
| 
 | Token for the skill.  | String | 
| 
 | Type of token. Always set to  | String | 
| 
 | Number of seconds before the access token becomes invalid. | Integer | 
| 
 | Granted scope of access. | String | 
HTTP status codes
| Status | Description | 
|---|---|
| 
 | Response body contains the access token. | 
| 
 | Indicates one of the following errors: 
 For details about why the request failed, check the  | 
| 
 | Client credential authentication failed. | 
| 
 | Access or refresh token expired, revoked, or is invalid. | 
| 
 | Error occurred on the server. You can retry the request by using exponential back-off. | 
| 
 | Server is down for maintenance, overloaded, or otherwise unavailable to handle the incoming request. | 
Sample cURL request
curl -k -X POST -H
 'Content-Type: application/x-www-form-urlencoded' -d
'grant_type=client_credentials&client_id=your.client.id&client_secret=your.client.secret&scope=alexa.api.scope'
 https://api.amazon.com/auth/o2/token
Refresh access token
Get a new access token from the refresh token. You include your skill credentials and the previous access code. Use the new access token in subsequent requests to Alexa.
For more details, see Using Refresh Tokens with LWA.
Request
To generate a token, you make a POST request to the /auth/o2/token resource.
Request path and header example
POST /auth/o2/token HTTP/1.1
Host: api.amazon.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Request path and header parameters
The request path and header have no parameters.
Request body example
grant_type: refresh_token
&refresh_token: some.refreshtoken.1
&client_id: your.client.id
&client_secret: your.client.secret
Request body properties
| Property | Description | Type | Required | 
|---|---|---|---|
| 
 | Type of access grant requested. You must set this parameter to  | String | Yes | 
| 
 | Refresh token from a previous Get access token with authorization code or Refresh access token request. | String | Yes | 
| 
 | Unique identifier for the skill. | String | Yes | 
| 
 | Unique token for the skill, known only to Alexa and the OAuth 2.0 server. | String | Yes | 
Response
A successful response returns HTTP 200 OK, along with the bearer access token, the refresh token, and the number of seconds before the access token becomes invalid.
On error, the response returns the appropriate HTTP status code, error code, and error description.
When you send requests to Alexa, set the token type to bearer in the REST API Authorization header and the smart home API[endpoint.scope] object. When the access token expires, obtain a new token by following the procedure in Refresh access token and use the new access token in your requests. After your token expires, the response returns HTTP 403 Forbidden with a message that says "Request is not authorized."
Response example
The following example shows a response with a JSON response body.
HTTP/1.1 200 OK
 Content-Type: application/json;charset UTF-8
 Cache-Control: no-store
 Pragma: no-cache
 {
    "access_token":"some.accesstoken.1",
    "token_type":"bearer",
    "expires_in":3600,
    "refresh_token":"some.refreshtoken.1"
 }
Response body properties
| Property | Description | Type | 
|---|---|---|
| 
 | New access token for the customer account.  | String | 
| 
 | Type of token. Always set to  | String | 
| 
 | Number of seconds before the access token becomes invalid. | Integer | 
| 
 | Refresh token for the customer account. Allows your skill to request a new access token from LWA.  | String | 
HTTP status codes
| Status | Description | 
|---|---|
| 
 | Response body contains the access and refresh tokens. | 
| 
 | Indicates one of the following errors: 
 For details about why the request failed, check the  | 
| 
 | Client credential authentication failed. | 
| 
 | Access or refresh token expired, revoked, or is invalid. | 
| 
 | Error occurred on the server. You can retry the request by using exponential back-off. | 
| 
 | Server is down for maintenance, overloaded, or otherwise unavailable to handle the incoming request. | 
Sample cURL request
curl -k -X POST -H
 'Content-Type: application/x-www-form-urlencoded' -d
'grant_type=refresh_token&client_id=your.client.id&client_secret=your.client.secret&code=authorization.code.1'
 https://api.amazon.com/auth/o2/token
Related topics
Last updated: Nov 26, 2024