Configure an Authorization Code Grant


For the authorization code grant type, your authorization server provides an authorization code after the user authenticates with the service. Alexa then uses this code to request an access token and refresh token pair from the authorization server. Alexa uses the refresh token to request a new access token after the old access token expires.

The Alexa service implements Proof Key for Code Exchange (PKCE) security measures in the authorization code grant account linking flow. This process verifies that the token request comes from the same client that initiated the authorization request.

The Alexa Skills Kit supports authorization code grants for account linking in custom, smart home, video, and music skills. For details about how the authorization code grant flow works at runtime, see Standard Account Linking.

Prerequisites

Make sure that you have an authorization server that meets the requirements described in Requirements for Account Linking.

Before you start, make sure you have the following items:

  • Amazon developer account.
  • Alexa skill that supports account linking (smart home skill, video skill, custom skill, or music skill).

Gather your account linking information

You can turn on account linking in the Alexa developer console on the Build > Account Linking page. Or, you can configure account linking with the ASK CLI or the Account Linking REST API.

Account linking settings

Under Settings, you enable and disable the account linking options available to your skill. The service provider options in the next section are based on the settings that you enable here.

The following table describes the settings fields to configure account linking.

Field Description

Do you allow users to create an account or link to an existing account with you?

Turn on to enable account linking for a custom skill. This option is automatically selected for smart home and video skills.

Allow users to enable the skill without account linking (Recommended)

Turn on to let users bypass the account linking flow when they enable your skill. Available for custom skills only. This option is useful if your skill offers meaningful functionality without an account, in addition to the features that require an account. For more details, see Let Users Enable Your Skill without Account Linking.

This option is on by default.

Allow users to link their account to your skill from within your application or website

Turn on to allow users to authenticate by using your website.

Allow users to authenticate using your mobile application

Turn on to enable app-to-app account linking and allow users to authenticate by using your mobile app.

Allow users to link their account to your skill using voice

Turn on to enable customers to use their voice to link their Amazon account with the account they have with your service.

Security provider information

Under Security provider information, select the authorization grant type, and then configure the service provider information as shown in the following table. The options displayed here are based on the settings that you enabled in the settings section. If you use a third-party OAuth provider, see the documentation for that provider to determine the values to enter in these fields.

Field Description

Authorization Grant Type

The OAuth 2.0 authorization grant type to use to obtain the access token. Select Auth Code Grant. For smart home and video skills, this is automatically selected, as this is the only supported grant type.

PKCE Authorization

Enable PKCE security if your authorization endpoint supports PKCE using SHA-256. If your endpoint doesn't fully support PKCE with SHA-256 or you're unsure, disable PKCE. For more details, see Requirements for Account Linking.

The Login with Amazon (LWA) authorization server supports PKCE.

Your Web Authorization URI

The URI to open the authorization page on your website for the user to sign in to your service. The Alexa app displays the login page when the user begins the account linking process. For more details, see Authorization URI.

For a third-party OAuth provider, look for the URI provided for authorization requests. For example, for the Login with Amazon (LWA) OAuth provider, the authorization URI is https://www.amazon.com/ap/oa.

Your iOS App Authorization URI

The Universal Link to open the authorization page in your iOS mobile app for the user to log into your service. The Alexa app opens the app when the user begins the account linking process from an iOS mobile app. For more details, see Authorization URI.
Required when you enable authentication from your mobile app.

Your Android App Authorization URI

The App Link to open the authorization page in your Android mobile app for the user to log into your service. The Alexa app opens the app when the user begins the account linking process from an Android mobile app. For more details, see Authorization URI.
Required when you enable authentication from your mobile app.

Access Token URI

The URI for the access token endpoint on your authorization server.

The Alexa service calls this URI to exchange the authorization code for an access token. When the access token expires, Alexa also calls this URI to exchange the refresh token for a new access token.

For a third-party OAuth provider, look for the URI provided for access token requests. For example, for Login with Amazon, the URI for the access token request is https://api.amazon.com/auth/o2/token.

For more details about token requirements and details, see Access and Refresh Tokens.

Your Client ID

A unique string that identifies the client requesting authentication. This value is passed to the authorization URI in the client_id parameter.

This client ID is also part of the client credentials that the Alexa service includes when requesting an access token from the Access Token URI.

For a third-party OAuth provider, look for the client identifier that the provider expects. For example, for Login with Amazon, this ID is created when you create a security profile for Login with Amazon.

Your Secret

A credential you provide that lets the Alexa service authenticate with the Access Token URI. This value is combined with Your Client ID to identify the request as coming from Alexa.

For a third-party OAuth provider, look for the client identifier that the provider expects. For example, for Login with Amazon, the client secret is created when you create a security profile for Login with Amazon.

Your Authentication Scheme

Identifies the type of authentication Alexa should use when requesting tokens from the Access Token URI.

Your Redirect URLs

These URLs point to your own app and are only for app-to-app account linking implementations.

Scope

An optional list of permissions for the other service. If your resource server supports different scopes for access, enter those here. You can provide up to 15 scopes.

Alexa includes all of the scopes entered here in the scope parameter (separated by URL-encoded spaces) when the Alexa app calls your authorization URI.

For a third-party OAuth provider, specify a scope from the set of scopes that the provider supports. For example, Login with Amazon supports profile, profile:user_id, and postal_code.

Domain List

An optional list of domains from which the authorization URI can retrieve data. If your login page retrieves content from other domains, enter those in this list.

This field is only necessary for domains beyond your authorization URI. For example, suppose your authorization URI is https://www.ridehailer.com/login. If your page pulls in any content, such as images from domains other than www.ridehailer.com, add the domains to the Domain List. You can provide up to 30 domains.

Default Access Token Expiration Time

The time in seconds for which the access token is valid. The Alexa service uses this value when the OAuth client doesn't return expires_in. If the OAuth client returns expires_in, the value provided by the OAuth client is used instead.

Alexa Client ID

Credentials for your Alexa skill.

Alexa Client Secret

Credentials for your Alexa skill.

Alexa Redirect URLs

The Amazon-provided redirection endpoints to which your login page must redirect the user after the user authenticates with your service. Alexa passes the value to use for a given request to your login page as the redirect_uri parameter included with the authorization URI. This field displays region-specific redirect URLs. For more details, see Alexa redirect URLs.

Configure account linking

You can turn on account linking in the Alexa developer console. Or, you can configure account linking with the ASK CLI or the Account Linking REST API.

To configure account linking in the Alexa developer console

  1. Sign in to the Alexa developer console.
  2. From the skill list, under STATUS, locate the development version of your skill, and then, in the dropdown under ACTIONS, select Edit.
  3. Navigate to ACCOUNT LINKING.
  4. Under Settings, enable and disable the account linking options available to your skill.
  5. Under Security provider information, select the authorization grant type, and then configure the service provider information
  6. To save the account linking configuration, choose Save.

Next steps

After you configure the authorization code grant, implement the authorization flow in your skill code.


Was this page helpful?

Last updated: Jul 14, 2026