Authorize Private Applications
Self-authorize a private SP-API application.
Before your private application can call the Selling Partner API (SP-API) on behalf of your organization, you must authorize the application to access your account information. This process is called self-authorization. You can self-authorize your application in draft status because there is no reason to publish a private application.
This topic explains how to self-authorize your private application. If your application is public, a selling partner must authorize your application. In this case, refer to Authorize Public Applications.
Self-authorization workflow
The following table shows the authorization flow when you self-authorize your private application.
| Step | Actor | Action | Additional details |
|---|---|---|---|
| 1 | You | Review authorization limits. (You can't add authorizations to an application after it reaches the maximum authorization limit.) | Authorization limits |
| 2 | You | Sign in to Solution Provider Portal, Seller Central, or Vendor Central. | Tool sign-in details | 3 | You | Locate your application and choose Authorize app for each account that you want to authorize. This process generates a refresh token for each authorized account. | Generate a refresh token |
| 4 | You | Store the refresh tokens securely. | Token storage details |
| 5 | Your application | (During runtime) Exchanges refresh tokens for access tokens to call the SP-API. | Runtime token exchange |
Authorization details
The following sections provide additional information about specific elements of the authorization process.
Tool sign-in details
To begin the self-authorization process, sign in to one of the following tools:
- Solution Provider Portal: To authorize a Seller Central account, use the sign-in link on the Manage Authorizations page.
- Seller Central: Choose Apps and Services, and then choose Develop Apps.
- Vendor Central: Choose Integration, and then choose API Integration. Administrators can also authorize apps for each vendor group.
Generate a refresh token
A refresh token is a long-lived credential that your application uses to get new access tokens when you call the SP-API. To generate a refresh token, take the following steps:
-
Navigate to the Authorize application page of the Solution Provider Portal, Seller Central, or Vendor Central.
-
Choose Authorize app for each selling partner account that you want your application to access. Each time you choose Authorize app, a new refresh token appears. Generating a new refresh token doesn't invalidate previous refresh tokens.
For selling partner accounts that are merged with accounts in other regions: The Authorize app button appears for each of your merged accounts.
Token storage details
When you store refresh tokens, follow these security best practices:
- Store tokens in a secure, encrypted database.
- Never store tokens in client-side code or logs.
- Never share or expose tokens in URLs.
- Implement secure backup and recovery procedures for your token database.
- Create an access control system that restricts token access to only the necessary parts of your application.
- Implement a process to handle token rotation and revocation.
Runtime token exchange details
During runtime, unless the operation is grantless or accesses restricted data, your application exchanges a refresh token for an access token. To exchange a refresh token for an access token, your application sends a POST request to the Login with Amazon (LWA) authorization server (https://api.amazon.com/auth/o2/token) with the following parameters:
| Parameter | Description |
|---|---|
grant_type | The type of access grant requested. Must be refresh_token. |
refresh_token | The refresh token you received and stored during the authorization process. |
client_id | Your application's client ID, which you can view in Seller Central, Vendor Central, or the Solution Provider Portal. For details, refer to View your Application Information and Credentials. |
client_secret | Your application's client secret, which you can view in Seller Central, Vendor Central, or the Solution Provider Portal. For details, refer to View your Application Information and Credentials. |
Example request to exchange a refresh token for an access token:
POST /auth/o2/token HTTP/1.1
Host: api.amazon.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
grant_type=refresh_token&refresh_token=Atzr|IQEBLzAtAhexample&client_id=foodev&client_secret=EXAMPLESECRET
The LWA server returns a JSON response with the following parameters:
| Parameter | Description |
|---|---|
access_token | The access token to use in SP-API calls. |
token_type | Token type. Set to bearer. |
expires_in | Number of seconds until this access token expires (typically 3600). |
Example response that contains an access token:
{
"access_token": "Atza|IQEBLjAsAexampleHpi0U-Dme37rR6CuUpSR",
"token_type": "bearer",
"expires_in": 3600
}
Use the returned access token in the authorization header of your SP-API requests. For more information about making SP-API calls, refer to Connect to the Selling Partner API.
You can also use an SDK to help you with this step. For details, refer to SP-API SDK.
Updated 7 days ago