Access tokens

An access token is granted by the authorisation server when a user logs in to a site. An access token is specific to a client, a user, and an access scope. Your client must present an access token to retrieve a customer's profile data and to be granted access to their shipping and payment information.

An access token is an opaque string of 350 characters or more that begins with the characters Atza|. It is a bearer credential: whoever holds it can act as your client for that user and scope, so do not log it, embed it in page content, or send it over anything other than a TLS-protected connection, and do not try to parse or decode it.

When you receive an access token, it arrives in a JSON object with at least three fields:

  • access_token
  • token_type (always bearer)
  • expires_in (the number of seconds before the token expires)

The response to an authorisation code exchange also carries a refresh_token, which your server can use to obtain a new access token without sending the user through login again.

For example:

{
  "access_token": "Atza|IQEBLjAsAhRmHjNgHpi0U-Dme37rR6CuUpSR...",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "Atzr|IQEBLzAtAhRPpMJxdwVz2Nn6f2y-tpJX2DeX..."
}

The "expires_in" value is relative to the moment the response was received, so record the absolute expiry time when you store the token and use it to refresh the access token proactively before it expires. Otherwise, your call to retrieveProfile() must handle the error that is returned once the access token has expired.
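The following is an added example, not code from this page or from the Login with Amazon SDK. It parses a token response of the shape shown above, converts the relative expires_in into an absolute expiry, and decides when a proactive refresh is due. The 60-second refresh margin, the redact() helper and the sample response values are assumptions for illustration.

```python
import json
import time

# Assumption (not stated on this page): refresh this long before expiry so an
# in-flight request never races the token's expiration.
REFRESH_MARGIN_SECONDS = 60


def parse_token_response(body, now=None):
    """Parse a JSON token response into a dict carrying an absolute expiry.

    `body` is the raw JSON text from the authorisation service.
    `now` overrides the receive time (epoch seconds) so the logic is testable.
    """
    data = json.loads(body)
    for field in ("access_token", "token_type", "expires_in"):
        if field not in data:
            raise ValueError("token response missing %r" % field)
    if str(data["token_type"]).lower() != "bearer":
        raise ValueError("unexpected token_type %r" % data["token_type"])
    if not data["access_token"].startswith("Atza|"):
        raise ValueError("access token does not look like an LWA token")
    received_at = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        # Present only when the token came from an authorisation code exchange.
        "refresh_token": data.get("refresh_token"),
        "expires_at": received_at + int(data["expires_in"]),
    }


def needs_refresh(token, now=None):
    """True once the token is within the refresh margin of expiring, or already expired."""
    current = time.time() if now is None else now
    return current >= token["expires_at"] - REFRESH_MARGIN_SECONDS


def redact(token_value):
    """Loggable form of a bearer token: prefix and a short tail only, never the whole value."""
    return token_value[:5] + "..." + token_value[-4:]


# Constructed sample response: same shape as the page's example, made-up values.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "Atza|IQEBLjAsAhRmHjNgHpi0U-Dme37rR6CuUpSRexample",
    "token_type": "bearer",
    "expires_in": 3600,
    "refresh_token": "Atzr|IQEBLzAtAhRPpMJxdwVz2Nn6f2y-tpJX2DeXexample",
})

if __name__ == "__main__":
    token = parse_token_response(SAMPLE_RESPONSE, now=1_000_000)
    print("stored", redact(token["access_token"]), "expires_at", token["expires_at"])
    print("refresh now?", needs_refresh(token, now=1_000_000))
    print("refresh at T-59s?", needs_refresh(token, now=1_003_541))
```

Store expires_at rather than expires_in: the relative value is only meaningful at the instant the response arrives, and a token cached for later use has to be judged against the clock at the time of use.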

Obtaining an access token

After the user logs in, they are returned to your website or mobile app together with an authorisation code. Your client exchanges that code for an access token by calling the Login with Amazon authorisation service with your client identifier and client secret. Because the client secret is part of that call, make the exchange from your server, never from browser or mobile-app code that a user can inspect.

During a redirect flow, the access token is carried in the URL the user is redirected to (the OAuth 2.0 implicit grant places it in the URL fragment, which the browser does not send to your server), so browser-side code has to read it promptly, and the full URL must not be logged or persisted. During a popup flow, Widgets.js has code for fetching the access token.
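The two ways of ending up with an access token described above, as an added example that is not code from this page or from Login with Amazon: a server-side exchange of the authorisation code for the JSON token response, and a parser for a token delivered in the redirect URL's fragment. The token endpoint URL and the form-parameter names are assumptions taken from the Login with Amazon token-endpoint documentation rather than from this page; the fake_post transport and all code, client and token values are constructed so the example runs offline.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request, urlopen

# Assumption (not on this page): the Login with Amazon token endpoint.
TOKEN_ENDPOINT = "https://api.amazon.com/auth/o2/token"


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Form body for the code exchange. Contains the client secret: server-side only."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }).encode("ascii")


def http_post_form(url, body):
    """Default transport: POST the form body over HTTPS and return the response text."""
    req = Request(url, data=body, method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def exchange_code(code, client_id, client_secret, redirect_uri, post=http_post_form):
    """Exchange an authorisation code for the token response; `post` is injectable for testing."""
    body = build_token_request(code, client_id, client_secret, redirect_uri)
    data = json.loads(post(TOKEN_ENDPOINT, body))
    if "error" in data:
        # OAuth error responses carry an "error" code instead of a token.
        raise RuntimeError("token endpoint returned %s" % data["error"])
    if not data.get("access_token", "").startswith("Atza|"):
        raise ValueError("response did not contain an LWA access token")
    return data


def token_from_redirect_url(url):
    """Redirect flow: read the token from the URL fragment (the part after '#')."""
    params = parse_qs(urlsplit(url).fragment)
    if "access_token" not in params:
        raise ValueError("no access_token in redirect fragment")
    return {
        "access_token": params["access_token"][0],
        "token_type": params.get("token_type", [""])[0],
        "expires_in": int(params.get("expires_in", ["0"])[0]),
    }


# Constructed stand-in for the token endpoint so the exchange can run offline.
def fake_post(url, body):
    fields = parse_qs(body.decode("ascii"))
    if fields.get("grant_type") != ["authorization_code"] or fields.get("code") != ["ANcodeexample"]:
        return json.dumps({"error": "invalid_grant"})
    return json.dumps({
        "access_token": "Atza|example", "token_type": "bearer",
        "expires_in": 3600, "refresh_token": "Atzr|example",
    })


if __name__ == "__main__":
    resp = exchange_code("ANcodeexample", "amzn1.application-oa2-client.example",
                         "client-secret-example", "https://example.com/callback", post=fake_post)
    print("exchanged:", resp["token_type"], resp["expires_in"])
    frag = token_from_redirect_url(
        "https://example.com/callback#access_token=Atza%7Cabc&token_type=bearer&expires_in=3600")
    print("from redirect:", frag["access_token"])
```

token_from_redirect_url() is shown to make the fragment format concrete; in a real deployment that parsing happens in the browser (which is what Widgets.js does), because the browser never transmits the fragment to your server. The code exchange, by contrast, must stay on the server because it carries the client secret.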