API Authentication
To programmatically manage, maintain, and access some of your app's data, Amazon Appstore offers several REST APIs. These APIs require configuration in the Developer Console for authentication and authorization.
You can use this guide to set up access for the following APIs:
To configure access to one of these APIs, you must first create a security profile and associate it with the API in the Developer Console. Then, request an access token using the Login With Amazon API and add the token to the HTTP header in each API request.
- Create a security profile
- Associate the security profile with the API
- Request an LWA access token
- How to use the access token
Create a security profile
Before you can use the API, you must create a security profile. A security profile generates access tokens, which you use to access the API.
To create a security profile
- Log in to your Amazon Developer Console account.
- From the top navigation, select Apps & Services > API Access.
- Select the name of the API. This example shows the App Submission API.
- Click Create a new security profile.
- Enter a security profile name and security profile description for your new profile, then click Save.
- From the Web Settings tab, save your client ID and client secret as you need this information to access the API.
Associate the security profile with the API
After you create the security profile, you must associate it with the API in the Developer Console.
To associate the security profile with the API
- Navigate to the API Access page by selecting Apps & Services > API Access.
- Click the API name to expand the panel.
- Select the security profile that you created in the previous section from the drop-down list.
- Select Attach to associate the security profile with this API.
The API name and attached security profile are added to the Security Profile(s) in use panel.
You can now use the client ID and client secret to request a Login With Amazon (LWA) access token.
Request an LWA access token
With your client ID and client secret, use the Login With Amazon API to request a Login with Amazon access token by following these steps.
Send a token request
Send a POST request to https://api.amazon.com/auth/o2/token with the following header and content:
- Header: Content-Type: application/x-www-form-urlencoded
- Content:
  - client_id: The client ID you saved in the final step of Create a Security Profile.
  - client_secret: The client secret you saved in the final step of Create a Security Profile.
  - grant_type: Set to client_credentials.
  - scope:
    - For App Submission APIs, set the value to appstore::apps:readwrite.
    - For Reporting API, set to adx_reporting::appstore:marketer.
Sample JSON content:
{
  "grant_type": "client_credentials",
  "client_id": "amzn1.application-oa2-client.<your-client-id>",
  "client_secret": "<your-client-secret>",
  "scope": "appstore::apps:readwrite"
}
Sample cURL request:
curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=client_credentials&client_id=amzn1.application-oa2-client.<your-client-id>&client_secret=<your-client-secret>&scope=appstore::apps:readwrite' https://api.amazon.com/auth/o2/token
Save the response
The following is an example response.
{
  "access_token": "Atc|MAEBI...",
  "scope": "appstore::apps:readwrite",
  "token_type": "bearer",
  "expires_in": 3600
}
- access_token: The access token.
- expires_in: The number of seconds until the access token expires.
- scope:
  - For App Submission APIs: appstore::apps:readwrite.
  - For Reporting API: adx_reporting::appstore:marketer.
- token_type: Always bearer.
Handle any error responses
If your token request results in an error, the response message body includes one of the following error messages:
Error message body | Details |
---|---|
{"error_description":"Client authentication failed","error":"invalid_client"} | Invalid secret key |
{"error_description":"The request has an invalid parameter : scope","error":"invalid_scope"} | Invalid scope value |
{"error_description":"The authorization grant type is not supported by the authorization server","error":"unsupported_grant_type"} | Incorrect authorization grant type |
{"error_description":"The Content-Type is not supported by the authorization server","error":"invalid_request"} | Unsupported content-type |
How to use the access token
Save your access token, which is the access_token field in the response from Request an LWA Access Token.
When you send requests to the API, set the Authorization header with a value of Bearer <YOUR_ACCESS_TOKEN>. The access token is a long string of characters beginning with "Atc|".
Sample cURL request:
curl -v -X GET "<endpoint URL>" -H "Authorization: Bearer Atc|MAEBIKfsULrH7jSzvJTV8UmiHWr9M86O3JRmv4t1hqoCBriSMEP5Gsey_FiBxteZ8oxGd6abGuOFga8fwnMhmSD_Sg4MI4odXLPgB2IVs8M1uswjuWjnsMcvehpWvf9tzQT8HTWiBigInJLB8BrMg5J3O02hlTvcF441XxXDXthyj993COJ2u5swOTKjC_dcijiN8amuzrj32rh9Fr3CNgCpoZ0WqXnBhoHUVMYSOBV-owA5rI4-OfysXC71Zbtv1hb8igk"
When the access token expires, obtain a new token by following the procedure in Request an LWA Access Token and start using the new access token in your requests. You will know your access token has expired if it has been over an hour since you last requested an access token and you start getting 403 Forbidden HTTP errors with a message that says "Request is not authorized."
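The token request, error handling and renewal steps above, combined into one client as an added example (not Amazon's code). The LwaTokenCache class, its post and clock parameters and the 60-second renewal margin are assumptions made for illustration; load the client secret from an environment variable or secret store rather than embedding it in source.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.amazon.com/auth/o2/token"  # endpoint given on this page


class TokenError(Exception):
    """Carries the "error" code from an LWA error body, e.g. invalid_client."""


def http_post_form(url, fields):
    """POST form-encoded fields; return (status, body) for success and HTTP errors."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(fields).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


class LwaTokenCache:
    """Hypothetical helper: fetches a token once, reuses it until shortly before expiry."""

    def __init__(self, client_id, client_secret, scope,
                 post=http_post_form, clock=time.monotonic, skew=60):
        self.fields = {"grant_type": "client_credentials", "client_id": client_id,
                       "client_secret": client_secret, "scope": scope}
        self.post, self.clock, self.skew = post, clock, skew
        self.access_token, self.expires_at = None, 0.0

    def refresh(self):
        status, body = self.post(TOKEN_URL, self.fields)
        try:
            doc = json.loads(body)
        except ValueError:
            doc = None
        if not isinstance(doc, dict):
            doc = {}
        if status != 200 or "access_token" not in doc:
            # Surface only the error code; never echo the request (it holds the secret).
            raise TokenError(doc.get("error", "unexpected_response"))
        self.access_token = doc["access_token"]
        self.expires_at = self.clock() + int(doc["expires_in"]) - self.skew

    def auth_header(self):
        """Return the Authorization header, renewing the token when it is about to expire."""
        if self.access_token is None or self.clock() >= self.expires_at:
            self.refresh()
        return {"Authorization": "Bearer " + self.access_token}
```

Renewing a minute before expires_in elapses avoids sending a token that expires in flight, so the 403 "Request is not authorized." response stays an error signal rather than the normal renewal trigger.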
Last updated: May 22, 2025