Validate and Use Access Tokens in Music Skill Code
After a user successfully enables a music skill that requires account linking and links their Alexa account with your authentication system, the API requests that Alexa sends to your skill include the user's access token (
accessToken). Add logic to your skill code (AWS Lambda function) to verify the token, then use it to access information about the user in the resource server.
- Get the access token from the request
- Verify that the token is valid
- Respond to the user when the token is invalid or expired
- Related topics
Get the access token from the request
When Alexa sends an API request to your skill, the request includes a RequestContext object that contains information about the user. The
user object contains an access token that you can use to authenticate the user in your system. For an example, see RequestContext in the music skill API components reference.
Your skill code should get the token from
Verify that the token is valid
payload.requestContext.user.accessToken property exists, verify that it identifies a user in your resource server.
If the token is valid, handle the request normally. You can use the token to access data from your system as needed. For example, the skill might look up the user's subscription level to determine whether the user is authorized to receive the requested content.
Respond to the user when the token is invalid or expired
If the token is invalid, it might be because:
- The user deleted his or her account in your authentication system. For example, an Alexa user might set up account linking with your music skill, then later delete his or her account from your service. In this case, the token that Alexa sends for this user might no longer exist in your authentication system.
- The token expired, and the Alexa service could not get a new token. This can occur when your authorization system does not provide refresh tokens.
When the token is invalid, return an error response with the
type set to one of the following:
EXPIRED_AUTHORIZATION_CREDENTIAL(for an expired token)
INVALID_AUTHORIZATION_CREDENTIAL(for an invalid token)