Renew Selling Partner Appstore Authorization Workflow
Renew and reauthorize an app using the Selling Partner Appstore.
To allow users to annually reauthorize your application from the Manage Your Apps page (on Seller Central or Vendor Central), you must set up an OAuth workflow. You also require an OAuth workflow if you want users to authorize new roles within your application.
To create a new authorization in your application, use the Selling Partner Appstore authorization workflow or Website authorization workflow.
Step 1. Reauthorize from Manage Your Apps page
- Sign in to Seller Central or Vendor Central and navigate to Manage Your Apps.
- Find the application that you want to reauthorize.
- Choose Re-authorize.
- Review and accept the data access requested by your application.
- Choose Login to [your application name] now.
Amazon loads your Login URI (which you provided when the app client was created from your developer account) into the browser with the following query parameters:
Parameter | Description |
---|---|
amazon_callback_uri | A URI for redirecting the browser to Amazon. |
amazon_state | A state value generated by Amazon to guard against cross-site request forgery attacks. |
selling_partner_id | The identifier of the selling partner who is authorizing your application. |
Example:
https://d2yzyfnnpjylxu.cloudfront.net/index.html?amazon_callback_uri=https://amazon.com/apps/authorize/confirm/amzn1.sellerapps.app.2eca283f-9f5a-4d13-b16c-474EXAMPLE57&amazon_state=amazonstateexample&selling_partner_id=A3FHEXAMPLEYWS
DRAFT
andPUBLISHED
statusesIf the application is in
DRAFT
status, Amazon includes theversion=beta
parameter. If the application is inPUBLISHED
status, Amazon does not include the parameter.
Step 2. Sign in to your website
Refer to Selling Partner Appstore Authorization Workflow for instructions.
Step 3. Amazon sends you the authorization information
Refer to Selling Partner Appstore Authorization Workflow for instructions.
Step 4. Exchange the LWA authorization code for an LWA refresh token
Note
You can optionally use the Login with Amazon SDK for JavaScript to help with the exchange of an LWA authorization code for an LWA refresh token. For more information, refer to the Login with Amazon documentation:
-
Your application calls the Login with Amazon (LWA) authorization server (
https://api.amazon.com/auth/o2/token
) to exchange the LWA authorization code for an LWA refresh token. The call must include the following query parameters:Parameter Description grant_type
The type of access grant requested. Must be authorization_code
.code
The LWA authorization code that you received in Step 4. Amazon sends you the authorization information. redirect_uri
The redirect URI for your application. client_id
Part of your LWA credentials. To get this value, refer to Viewing your application information and credentials. client_secret
Part of your LWA credentials. To get this value, refer to Viewing your application information and credentials. For example:
POST /auth/o2/token HTTP/l.l Host: api.amazon.com Content-Type: application/x-www-form-urlencoded;charset=UTF-8 grant_type=authorization_code&code=SplxlOexamplebYS6WxSbIA&client_id=foodev&client_secret=Y76SDl2F
-
The LWA Authorization Server returns the LWA refresh token. The response is in JSON and includes the following elements:
Parameter Description access_token
A token that authorizes your application to take certain actions on behalf of a selling partner. For more information, refer to Connecting to the Selling Partner API. token_type
The type of token returned (should be bearer
).expires_in
The number of seconds before the access token becomes invalid. refresh_token
A long-lived token that can be exchanged for a new access token. For more information, refer to Connecting to the Selling Partner API. HTTP/l.l 200 OK Content-Type: application/json; charset UTF-8 Cache - Control: no-store Pragma: no-cache { "access_token": "Atza|IQEBLjAsAexampleHpi0U-Dme37rR6CuUpSR", "token_type": "bearer", "expires_in": 3600, "refresh_token": "Atzr|IQEBLzAtAhexamplewVz2Nn6f2y-tpJX2DeX" }
-
Your application saves the
refresh_token
value. Delete the oldrefresh_token
for the selling partner. The browser opens a page that indicates next steps for using your application.Tip
An LWA refresh token is a long-lived token that you exchange for an LWA access token. An access token obtained through this token exchange must be included with calls to all Selling Partner API operations except restricted operations and grantless operations, which use somewhat different authorization models. After an access token is issued, it remains valid for one hour. The same access token can be used for multiple API calls, until it expires.
To exchange a refresh token for an access token using a generated SDK, refer to Connecting to the Selling Partner API using a generated Java SDK. To manually exchange a refresh token for an access token, refer to Connecting to the Selling Partner API.
Step 5. Test your reauthorization workflow
We recommend that you test your reauthorization workflow while your application is in draft status to ensure that your application can exchange parameters with Amazon and receive authorization information. If this workflow is not set up correctly, existing sellers and vendors might lose access to your application when trying to reauthorize annually.
Application developers should test the reauthorization workflows for these two scenarios:
- The seller or vendor is already logged in to your website at the start of Step 1.
- The seller or vendor is logged out of your developer website at the start of Step 1.
To test the reauthorization flow:
-
Use the Selling Partner Appstore authorization workflow or Website authorization workflow to create an authorization in your application.
-
Visit the Manage Your Apps page within Seller Central or Vendor Central and choose the Re-authorize button to start the reauthorization workflow. If you are testing your workflow with a trusted selling partner, make sure they log in to their selling partner account on Seller Central or Vendor Central and navigate to the Manage Your Apps page to initiate the workflow.
Tips for integrating your OAuth workflow
Developers and selling partners are encouraged to take note of the following to ensure a seamless integration and user experience.
-
Token expiration and refresh: OAuth codes that are issued to third-party applications expire after five minutes. If your application does not use this code before it expires, your application must obtain a new code. SP-API provides a long-term LWA refresh token that can be used to obtain a new LWA access token without requiring the selling partner to re-authorize. For more information, refer to Request a Login with Amazon access token.
The selling partner must re-authorize the application every 365 days. Selling partners can visit the Manage Your Apps page, where the selling partner can select Re-authorize and be directed to a consent page. Amazon then directs the selling partner to your application’s OAuth redirect URI, where developers must handle OAuth exchange and refresh properly to ensure the application continues to function as expected.
-
User consent and permissions: The OAuth workflow is the mechanism for third-party applications to gain access to Amazon Selling Partner account information. Selling partners must be informed of the permissions the application is requesting and must be given the option to grant or deny consent. Developers must ensure that their application requests only the permissions it needs to function, and they must provide clear and concise explanations of why each permission is necessary in the application detail page, as well as on their website marketing page.
-
Endpoints: Seller Central provides different endpoints for each region (North America, Europe, and Japan) and marketplace. Developers must ensure their application uses the correct endpoint specific to the region and marketplace they are targeting to avoid unexpected behavior.
Updated 2 months ago