Authorization with the Restricted Data Token
Learn how to authorize SP-API operations that access restricted data.
Some Selling Partner API (SP-API) operations access sensitive information, such as personally identifiable information (PII). These operations are classified as restricted operations and require enhanced security through Restricted Data Tokens (RDTs).
Prerequisites for Using RDTs
Before you can request an RDT:
- Obtain the required restricted role access. For details about roles, refer to Selling Partner API Roles.
- Ensure that your application needs to perform functions that require PII access, such as shipping, tax invoicing, and so on. To determine whether your application needs restricted operations, browse Role Mappings for SP-API Operations and Role Mappings for SP-API Types to see if the required roles are marked as restricted.
How to get an RDT
There are two ways to get an RDT:
-
For most applications: Call the
createRestrictedDataTokenoperation of the Tokens API with a Login with Amazon (LWA) access token. -
For delegatee applications: Receive an RDT from the delegator application that your application is integrated with.
For more details on these methods, including delegation, refer to the Tokens API Use Case Guide.
How to use an RDT
To use an RDT:
-
Instead of using an LWA access token, pass the RDT in the
x-amz-access-token headerwhen you call a restricted SP-API operation. -
Follow the standard process to add headers to the URI, but substitute the RDT for the usual access token.
Important considerations
When you use RDTs, keep the following considerations in mind:
- RDTs are specific to restricted operations and cannot be used for standard SP-API calls.
- Ensure that your application handles RDTs securely due to their access to sensitive data.
Updated 6 days ago