Renew Selling Partner Appstore Authorization Workflow

To allow users to annually reauthorize your application from the Manage Your Apps page (on Seller Central or Vendor Central), you must set up an OAuth workflow. You also require an OAuth workflow if you want users to authorize new roles within your application.

To create a new authorization in your application, use the Selling Partner Appstore authorization workflow or Website authorization workflow.

Step 1. Reauthorize from Manage Your Apps page

1. Sign in to Seller Central or Vendor Central and navigate to Manage Your Apps.
2. Find the application that you want to reauthorize.
3. Choose Re-authorize.
4. Review and accept the data access requested by your application.
5. Choose Login to [your application name] now.

Amazon loads your Login URI (which you provided when the app client was created from your developer account) into the browser with the following query parameters:

Example:

https://d2yzyfnnpjylxu.cloudfront.net/index.html?amazon_callback_uri=https://amazon.com/apps/authorize/confirm/amzn1.sellerapps.app.2eca283f-9f5a-4d13-b16c-474EXAMPLE57&amazon_state=amazonstateexample&selling_partner_id=A3FHEXAMPLEYWS

📘

DRAFT and PUBLISHED statuses

If the application is in DRAFT status, Amazon includes the version=beta parameter. If the application is in PUBLISHED status, Amazon does not include the parameter.

Step 2. Sign in to your website

Refer to Step 3. Sign in to your website for instructions.

Step 3. Amazon sends you the authorization information

Refer to Step 4. Amazon sends you the authorization information for instructions.

Step 4. Exchange the LWA authorization code for an LWA refresh token

📘

Note

You can optionally use the Login with Amazon SDK for JavaScript to help with the exchange of an LWA authorization code for an LWA refresh token. For more information, refer to the Login with Amazon documentation:

• Add the Login with Amazon SDK for JavaScript

• Authorization Code Grant

1. Your application calls the Login with Amazon (LWA) authorization server (https://api.amazon.com/auth/o2/token) to exchange the LWA authorization code for an LWA refresh token. The call must include the following query parameters:

   Parameter	Description
   grant_type	The type of access grant requested. Must be authorization_code.
   code	The LWA authorization code that you received in Step 4. Amazon sends you the authorization information.
   redirect_uri	The redirect URI for your application.
   client_id	Part of your LWA credentials. To get this value, refer to Viewing your application information and credentials.
   client_secret	Part of your LWA credentials. To get this value, refer to Viewing your application information and credentials.

   For example:

   HTTP

   POST /auth/o2/token HTTP/l.l
   Host: api.amazon.com
   Content-Type: application/x-www-form-urlencoded;charset=UTF-8
   grant_type=authorization_code&code=SplxlOexamplebYS6WxSbIA&client_id=foodev&client_secret=Y76SDl2F
   

2. The LWA Authorization Server returns the LWA refresh token. The response is in JSON and includes the following elements:

   Parameter	Description
   access_token	A token that authorizes your application to take certain actions on behalf of a selling partner. For more information, refer to Connecting to the Selling Partner API.
   token_type	The type of token returned (should be bearer).
   expires_in	The number of seconds before the access token becomes invalid.
   refresh_token	A long-lived token that can be exchanged for a new access token. For more information, refer to Connecting to the Selling Partner API.

   HTTP

   HTTP/l.l 200 OK
   Content-Type: application/json;
   charset UTF-8
   Cache - Control: no-store
   Pragma: no-cache
   {
     "access_token": "Atza|IQEBLjAsAexampleHpi0U-Dme37rR6CuUpSR",
     "token_type": "bearer",
     "expires_in": 3600,
     "refresh_token": "Atzr|IQEBLzAtAhexamplewVz2Nn6f2y-tpJX2DeX"
   }
   

3. Your application saves the refresh_token value. Delete the old refresh_token for the selling partner. The browser opens a page that indicates next steps for using your application.

   ⭐

   Tip

   An LWA refresh token is a long-lived token that you exchange for an LWA access token. An access token obtained through this token exchange must be included with calls to all Selling Partner API operations except restricted operations and grantless operations, which use somewhat different authorization models. After an access token is issued, it remains valid for one hour. The same access token can be used for multiple API calls, until it expires.

   To exchange a refresh token for an access token using a generated SDK, refer to Connecting to the Selling Partner API using a generated Java SDK. To manually exchange a refresh token for an access token, refer to Connecting to the Selling Partner API.

Step 5. Test your reauthorization workflow

We recommend that you test your reauthorization workflow while your application is in draft status to ensure that your application can exchange parameters with Amazon and receive authorization information. If this workflow is not set up correctly, existing sellers and vendors might lose access to your application when trying to reauthorize annually.

Application developers should test the reauthorization workflows for these two scenarios:

1. The seller or vendor is already logged in to your website at the start of Step 1.
2. The seller or vendor is logged out of your developer website at the start of Step 1.

To test the reauthorization flow:

• Use the Selling Partner Appstore authorization workflow or Website authorization workflow to create an authorization in your application.

• Visit the Manage Your Apps page within Seller Central or Vendor Central and choose the Re-authorize button to start the reauthorization workflow. If you are testing your workflow with a trusted selling partner, make sure they log in to their selling partner account on Seller Central or Vendor Central and navigate to the Manage Your Apps page to initiate the workflow.

Tips for integrating your Oauth workflow

Developers and selling partners are encouraged to take note of the following to ensure a seamless integration and user experience.

• Token expiration and refresh: OAuth codes that are issued to third-party applications expire after five minutes. If your application does not use this code before it expires, your application must obtain a new code. SP-API provides a long-term LWA refresh token that can be used to obtain a new LWA access token without requiring the selling partner to re-authorize. For more information, refer to Request a Login with Amazon access token.

  The selling partner must re-authorize the application every 365 days. Selling partners can visit the Manage Your Apps page, where the selling partner can select Re-authorize and be directed to a consent page. Amazon then directs the selling partner to your application’s OAuth redirect URI, where developers must handle OAuth exchange and refresh properly to ensure the application continues to function as expected.

• User consent and permissions: The OAuth workflow is the mechanism for third-party applications to gain access to Amazon Selling Partner account information. Selling partners must be informed of the permissions the application is requesting and must be given the option to grant or deny consent. Developers must ensure that their application requests only the permissions it needs to function, and they must provide clear and concise explanations of why each permission is necessary in the application detail page, as well as on their website marketing page.

• Endpoints: Seller Central provides different endpoints for each region (North America, Europe, and Japan) and marketplace. Developers must ensure their application uses the correct endpoint specific to the region and marketplace they are targeting to avoid unexpected behavior.