One-Click Account Information Sharing for Quick Subscribe
One-click account information sharing allows customers to share their Amazon account information with your app with minimal effort, rather than having to manually enter their details. This feature improves the sign-up experience for customers. Use this guide to set up one-click account information sharing in your app.
Update app manifest
To indicate to the Appstore that your app supports the one-click account information sharing feature for Quick Subscribe, update your app's manifest with the following code.
```xml
<uses-feature android:name="amazon.lwa.quicksignup.supported"/>
```
Configure security profile
For one-click account information sharing to work properly, you must set up a security profile for your app. The security profile is essential because it allows Amazon to securely share customer data with you and lets you automatically create an account and sign in a user.
A security profile associates Amazon data, including security credentials, with one or more apps. For example, if you have two apps, "My Game - Free" and "My Game - HD", they can share data by using the same security profile. Name your security profile in a way that helps identify your app or app family. For more details, see Security Profile.
To configure a security profile for your app
- Go to the Developer Console dashboard, and sign in to your account.
- Select Apps & Services > My Apps, and then select your app.
- Select App Services and scroll to the Security Profile section.
- Click Select existing security profile or create new to expand the options.
- Use the drop-down to select the security profile that you want to map to this app, then click Enable Security Profile. Alternatively, you can create a new security profile by clicking Create Security Profile. If creating a new security profile, make sure to complete all required fields and then click Save.
After successfully attaching the security profile, the Security Profile section displays a success message and shows the attached profile's details.
Update your app's code
To add one-click account information sharing to your app, update your app's code with the following steps.
Step 1: Implement and register UserProfileAccessListener
Implement and register an instance of the UserProfileAccessListener interface in the onCreate() method so that your app can listen for and process the callbacks triggered by the ResponseReceiver.

```java
@Override
protected void onCreate(Bundle savedInstanceState)
{
    super.onCreate(savedInstanceState);
    //...
    // Pass the reference of PurchasingListener to be registered
    PurchasingService.registerListener(this.getApplicationContext(), purchasingListener);
    // Pass the reference of UserProfileAccessListener to be registered
    PurchasingService.registerUserProfileAccessListener(this.getApplicationContext(), userProfileAccessListener);
    //...
}
```
Step 2: Implement getUserData changes
During the Quick Subscribe flow, the customer might have already provided consent to share their information. You can fetch the consent data during the app launch by implementing the following changes.
In the onResume() method of your app's main activity:
- Create a new UserDataRequest object and configure it to request the customer's profile consent status information. To configure the UserDataRequest object to request consent status, pass true to its setFetchUserProfileAccessConsentStatus() method.
- Call the getUserData() method and pass the configured UserDataRequest object to it.

The following example shows how to build a UserDataRequest object and pass it to getUserData().

```java
@Override
protected void onResume()
{
    super.onResume();
    //...
    // Implement logic to identify customer logged in status inside isLoggedIn()
    if (!isLoggedIn()) {
        PurchasingService.getUserData(UserDataRequest.newBuilder().setFetchUserProfileAccessConsentStatus(true).build());
    }
    //...
}
```
Implement the onUserDataResponse() callback method to get the UserDataResponse object, which contains customer consent data. The following code shows how to handle the consent data received from the UserDataResponse object.

```java
@Override
public void onUserDataResponse(final UserDataResponse response) {
    UserDataResponse.RequestStatus status = response.getRequestStatus();
    switch (status) {
        case SUCCESSFUL:
            if (UserProfileAccessConsentStatus.CONSENTED.equals(response.getUserData().getUserProfileAccessConsentStatus())) {
                // Fetch the authorization code
                PurchasingService.requestUserProfileAccess();
            }
            break;
        case FAILED:
        case NOT_SUPPORTED:
            // Fail gracefully.
            break;
    }
}
```
The UserProfileAccessConsentStatus field of the UserData object can have one of the following values:
- CONSENTED: Indicates that the customer has already provided consent. You can call the requestUserProfileAccess() method and update your server with the authorization code found in the response object. For an explanation on how to extract the authorization code, see Extract the authorization code.
- UNAVAILABLE: Indicates that the consent token is unavailable or has expired. In this case, initiate your app's sign-up flow. During your app sign-up flow, request consent using the details in the next section, Update your app sign-up flow.
Step 3: Update your app sign-up flow
During your app sign-up flow, call the requestUserProfileAccess() method. This launches the consent screen, where you can request consent from the user and retrieve an authorization code.
The following example code shows how to invoke the consent screen using the requestUserProfileAccess() method.

```java
@Override
public void invokeConsentScreen() {
    // Initiate customer data share consent screen
    PurchasingService.requestUserProfileAccess();
    return;
}
```
Now you can extract the user profile access authorization code, as described in the following section.
Step 4: Extract the authorization code
After a customer provides consent, you must extract the user profile access authorization code. You need this authorization code in your request to the Get Access Token API. The following code shows how to extract the authorization code from the UserProfileAccessResponse object.

```java
@Override
public void onUserProfileAccessResponse(final UserProfileAccessResponse response) {
    UserProfileAccessResponse.RequestStatus status = response.getRequestStatus();
    switch (status) {
        case SUCCESSFUL:
            // Extract the auth code from the response
            final String userProfileAccessAuthCode = response.getUserProfileAccessAuthCode();
            // Here you should update your server with the userProfileAccessAuthCode
            // to further interact with Appstore IAP REST APIs to get access token and customer profile.
            passAuthCodeToBackend(userProfileAccessAuthCode);
            break;
        case FAILED:
        case NOT_SUPPORTED:
            // Fail gracefully.
            break;
    }
}
```
Next, use the Appstore In-App Purchasing (IAP) REST APIs to get an access token and the customer profile. When you have the customer profile, you can create an account in your system with that information. The following sections describe the Appstore IAP REST APIs.
Get Access Token API
Appstore IAP provides the Get Access Token REST API for you to obtain an access token. This section describes the request, response, and errors.
Access token request
After the app receives a response to requestUserProfileAccess() with a valid authorization code, it can use that code to obtain an access token. With an access token, the client can read a customer profile.
The Get Access Token API must use a POST request rather than a GET request, as shown in the following example.
```
POST https://appstore-sdk.amazon.com/version/1.0/auth/o2/token?
    grant_type=authorization_code
    &code=SplxlOBezQQYbYS6WxSbIA
    &client_id=foodev
    &client_secret=foosecret
```
The following table describes the access token request parameters.
Request parameter | Description |
---|---|
grant_type | Required. The type of access grant requested. Must be authorization_code. |
code | Required. The authorization code returned by the requestUserProfileAccess() method. |
client_id | Required. The client identifier. |
client_secret | Required. The secret value assigned to the client during registration. Don't use the client secret in browser-based apps because client secrets can't be reliably stored on web pages. |
Access token response
To access customer data, you must provide an access token to the Appstore IAP Get User Profile API. An access token is an alphanumeric code 350 characters or more in length, with a maximum size of 2048 bytes. Access tokens begin with the characters Atza|.
Response parameters are encoded using the application/json media type. For more information, see RFC4627. The following is an example response from an access token request.

```json
{
    "access_token": "Atza|IQEBLjAsAhRmHjNgHpi0U-Dme37rR6CuUpSR...",
    "token_type": "bearer",
    "expires_in": 3600,
    "refresh_token": "Atzr|IQEBLzAtAhRPpMJxdwVz2Nn6f2y-tpJX2DeX..."
}
```
The following table describes the access token response parameters.
An access token is a bearer token and can be used by another client. For more information, see The OAuth 2.0 Authorization Framework: Bearer Token Usage.
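The following server-side check is an added example, not part of the original guide or the Appstore SDK. It validates a Get Access Token reply against the properties stated above (the Atza| prefix, the length bounds, the bearer type) and produces a log-safe identifier so the bearer token itself never reaches logs. The function names, the sample reply, treating HTTP 200 as success and reading expires_in as seconds are assumptions.

```python
import json
import time

TOKEN_PREFIX = "Atza|"            # prefix stated on this page
MIN_CHARS, MAX_BYTES = 350, 2048  # length bounds stated on this page

# Constructed sample reply (not a real token).
SAMPLE_OK = json.dumps({"access_token": TOKEN_PREFIX + "A" * 400,
                        "token_type": "bearer", "expires_in": 3600}).encode()


class TokenResponseError(ValueError):
    """The reply must not be used; the message is safe to log."""


def redact(token):
    """Log-safe form of a bearer token: prefix and length only."""
    return f"{token[:len(TOKEN_PREFIX)]}<redacted, {len(token)} chars>"


def parse_token_response(status, body, now=None):
    """Validate a Get Access Token reply before the token is stored or used."""
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise TokenResponseError(f"HTTP {status}: body is not JSON") from exc
    if not isinstance(data, dict):
        raise TokenResponseError(f"HTTP {status}: unexpected JSON shape")
    if status != 200 or "error" in data:  # assumption: success is HTTP 200
        # Report only the error code; the request itself carries client_secret.
        raise TokenResponseError(f"HTTP {status}: {data.get('error', 'unknown')}")
    token = data.get("access_token")
    if not isinstance(token, str) or not token.startswith(TOKEN_PREFIX):
        raise TokenResponseError("access_token missing or wrong prefix")
    if len(token) < MIN_CHARS or len(token.encode()) > MAX_BYTES:
        raise TokenResponseError("access_token outside documented length bounds")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise TokenResponseError("unexpected token_type")
    ttl = data.get("expires_in")
    if type(ttl) is not int or ttl <= 0:  # assumption: lifetime in seconds
        raise TokenResponseError("invalid expires_in")
    now = time.time() if now is None else now
    return {"access_token": token, "expires_at": now + ttl, "log_id": redact(token)}
```

Log only the log_id value and the TokenResponseError message; keep the access token and refresh token in server-side storage.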
Access token errors
For some errors, the authorization service may return an HTTP 401 (Unauthorized) status code. This includes cases where the client passed the client_id and client_secret values in the authorization header and the client could not be authenticated.
The following table describes the error parameters in an unsuccessful response.
The following error codes can be returned as the value for error.
Get User Profile API
Appstore IAP provides the Get User Profile REST API to get user profile data. This section describes the request, response, and errors.
User profile request
To access authorized user profile data, use the Get User Profile API to submit the access token to the Appstore. The Get User Profile API uses an HTTPS GET request and takes the access token that you received from the Get Access Token API as its only parameter.
The following example shows a GET request to obtain user profile data.
```
GET https://appstore-sdk.amazon.com/version/1.0/user/profile?
    access_token=Atza|IQEBLjAsAhRmHjNgHpi0U-Dme37rR6CuUpSR...
```

Request parameter | Description |
---|---|
access_token | Required. The access token received from the Get Access Token API. |
User profile response
If your access token is valid, you receive the customer's profile data as an HTTP response in JSON, as shown in this example.
```json
{
    "user_id": "amznl.account.K2LI23KL2LK2",
    "email": "mhashimoto-04@plaxo.com",
    "name": "Mork Hashimoto",
    "postal_code": "98052"
}
```
If there is a problem fulfilling your profile request, you receive an HTTP error and might receive a JSON payload with more information, as shown in the following example.
```json
{
    "error": "machine-readable error code",
    "error_description": "human-readable error description",
    "request_id": "bef0c2f8-e292-4l96-8c95-8833fbd559df"
}
```
The following table describes the error codes that can be returned in an unsuccessful user profile request.
Best practices for account setup
Follow these best practices for setting up customer accounts.
- If the user provides consent and you can retrieve the authorization code, do the following:
  - Fetch the user information from the Appstore IAP Get User Profile API. Use this information to create a sign-in account with a temporary password. Sign the customer in to the app without requesting a password reset or additional details from the customer.
  - Later, ask the customer to reset the password through email.
- If the user provides consent, but their information matches an existing account in your company's system, you can direct the user to your app's default sign-in flow.
- If the user declines to provide consent, use the default app sign-up experience for the customer.
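One way to implement the three cases above on your server, as an added example that is not part of the original guide. The function name, the in-memory accounts dict, matching existing accounts by email, the PBKDF2 parameters and the session token are assumptions; the temporary password is random and only its salted hash is stored.

```python
import hashlib
import secrets


def provision_account(consented, profile, accounts):
    """Pick the sign-up path for one customer.

    profile:  parsed Get User Profile JSON, or None if it was not fetched.
    accounts: dict keyed by lower-cased email (stand-in for a user store).
    Returns (action, session_token or None).
    """
    if not consented or not isinstance(profile, dict) or "error" in profile:
        return ("default_sign_up", None)
    email = str(profile.get("email") or "").strip().lower()
    user_id = profile.get("user_id")
    if not email or not user_id:
        return ("default_sign_up", None)
    if email in accounts:
        # A matching email does not prove control of the existing account:
        # no automatic sign-in or merge, the user authenticates as usual.
        return ("default_sign_in", None)
    # Random temporary password: generated, hashed and discarded here.
    temp_password = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    accounts[email] = {
        "amazon_user_id": user_id,
        "name": profile.get("name"),
        "postal_code": profile.get("postal_code"),
        "salt": salt,
        "password_hash": hashlib.pbkdf2_hmac(
            "sha256", temp_password.encode(), salt, 200_000),
        "must_reset_password": True,  # drives the later reset email
    }
    return ("signed_in", secrets.token_urlsafe(32))
```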
Last updated: Aug 13, 2025