Skip to content
This repository has been archived by the owner on Jun 27, 2024. It is now read-only.

SP API General FAQs

Jump to bottom
Alex Rupprecht edited this page Apr 8, 2022 · 16 revisions
Do I need a Professional Selling Account to register as a Selling Partner API developer?

Yes, only Professional Selling Accounts can register to develop or integrate with Selling Partner API. Individual accounts are not eligible. You can upgrade your account to a professional plan at any time. You can view your selling plan type and the marketplace information under “Your Services” in Account info at https://sellercentral.amazon.com//hz/sc/account-information.

Why am I receiving "Credential should be scoped to a valid region"? The AWS region you have added to the credentials scope while calculating the signature match with the region matches with endpoint you are sending the request to.

Please review the AWS Regions and Endpoints at https://github.com/amzn/selling-partner-api-docs/blob/main/guides/en-US/developer-guide/SellingPartnerApiDeveloperGuide.md#selling-partner-api-endpoints.

Why am I receiving "The security token included in the request is invalid"? Verify that the AWS access key and secret key pair you are using in the request are the one associated with IAM entity that you added to your application. If you are using IAM Role, you need to make a request to AWS STS to request temporary AWS keys and use those for the request.
Why am I getting Unauthorized - Access Denied error (403 error code) for my API request after completing registration successfully?

If you are getting an Access Denied error for your API request, please refer to these troubleshooting tips:

  1. Check the seller account that you are making requests has a healthy status.

  2. Check the seller account that you are making request to is in the same region as the endpoint you are using in the request. Please note that application is global but not that Seller accounts.

  3. Check the API operation you are making a request to and verify if your application has access to that API. To verify role permissions, navigate to Apps & Services > Develop App's and click the Edit App button for the app you are using to view the App registration form. The check boxes selected will tell you what role you have added to your application.

  • If you are missing the role you need for the API access, navigate to Developer Profile to ensure you requested access to that role. Please note that for restricted roles you may need to re-submit your Developer Profile for access to it. Once the role is added, re-authorize your application i.e. Generate a new LWA Refresh token to make valid API calls.

  • If you have all the correct roles and permissions added, verify your IAM ARN added to the application (see screenshot). The IAM ARN added should be the one to which the IAM policy was attached during registration process (Step 3)

    • If IAM ARN is IAM Role, ensure that IAM policy is attached to the Role.
    • If IAM ARN is IAM User, ensure that IAM policy is attached to the User and there is no IAM Role created.

  • If the IAM ARN added to the application is IAM Role, you need to use AWS STS to request temporary credentials and a session token which is to be added to your request along with the LWA Access Token.

When you send HTTP requests to the Selling Partner API, you sign the requests so that Amazon can identify who sent them. You sign requests using your AWS access keys, which consists of an access key ID and a secret access key. If you registered your application with IAM role, you need to use AWS Security Token Service (AWS STS) to request temporary AWS access keys to sign your requests.

For more information about using AWS STS and the AWS SDKs that can help with your implementation, see Requesting temporary security credentials in the AWS documentation.

If the error persists, please log a support case with Amazon to further troubleshoot the issue. Please include below details in the support case:

  • Application ID
  • Request ID with timestamp
  • API operation (please specify if it is a sandbox request)
  • Error response received
Do I need to have a professional selling account to use Sandbox endpoint?

Yes, Making sandbox calls to the SP API is identical to making production calls except you direct the calls to the SP API sandbox endpoints. Calling the sandbox endpoints returns static, mocked responses for all Selling Partner APIs. Sandbox endpoint allows you to test your applications without affecting production data or triggering real-world events.

Why am I not able to make successful call to Authorizations API or why getAuthorizationCode returns No MWS authorization found?

This error is returned if you are making a request to Authorizations API using either a SP API application or a hybrid application that has not been published yet. Please note these prerequisites for making a valid request for Authorizations API:

  • Published MWS application
  • The published MWS application was converted to hybrid application
  • The hybrid application is also published to appstore
  • All developer IDs of MWS are added to the hybrid application and the seller had authorized this application in MWS as well.
Why am I getting “Error Code: MD1000” when I initiate OAuth workflow?

If you have a SP API application that is not published but the OAuth workflow points to Production workflow, this error is returned. To resolve, please confirm the application is in Draft stage. If so, add version=beta parameter to OAuth Authorization URI constructed. Once the application is published, this parameter can be removed.

Why am I getting “MD9999” or still seeing MWS authorization page instead of SP API consent page when I initiate OAuth workflow?

Check if your application is missing Login URI and Redirect URI. You can update Login URI and Redirect URI by editing the app. Navigate to Apps & Services > Develop App's and click Edit App for the app you are using to view the App registration form and update the Login URI and Redirect URI details.

Why am I getting “Developer ID not associated with App ID” error on using Authorization API?

An internal flag needs to be enabled for the published app for successful requests to the Authorization API. If you are receiving this error, please create a support case with us and provide your application ID information.

Can I change the IAM ARN once the SP API app has been created or when I have converted MWS to Hybrid app?

No, you cannot change the IAM ARN after saving the SP API application. Please ensure the IAM ARN is for the IAM entity to which the IAM policy is attached. Incorrect ARN associations can lead to Access Denied errors when making SP API requests.

Why is the MWS auth token not returned with spapi_oauth_code during oauth workflow process for a hybrid application?

For a self-authorization use case (i.e. authorizing your own seller account using OAuth workflow process), no MWS Auth Token is returned.

What are the Login and Redirect URI values to be added in OAuth information when I am registering my app?

The OAuth Login URI defines the login page of your website during authorization. This URI is shown after a seller consents to authorize your application.

The OAuth Redirect URI is used to redirect the browser to your application after authorization. You can specify more than one redirect by including the redirect_uri parameter in the OAuth URL. If the redirect_uri parameter is not specified, it will default to the first OAuth Redirect URI you’ve defined.

Note: OAuth Redirect URI does not support localhost: URIs. You must specify both the OAuth Login URI and the OAuth Redirect URI to successfully save them to your App registration.

How do I use multiple redirect URIs?

When a selling partner signs into your website ( Step 3 in the Marketplace Appstore authorization workflow ), your application loads the Amazon callback URI into the browser and adds the redirect URI, the amazon_state parameter, and the state parameter.

To use multiple redirect URIs for your app, you must add the OAuth Redirect URIs when you register your app. Note that both the OAuth Login URI and the OAuth Redirect URI(s) values must be specified to successfully save them to your app registration. OAuth Redirect URI does not accept localhost: URIs.

When your app is configured with multiple redirect URIs, pass the redirect URI that you want to use as a query parameter in Step 3. If you do not include the redirect_uri parameter, the default is the first OAuth Redirect URI you specified when you registered your application.

Why am I getting 500 error when I make a request to get LWA Access Token in Postman?

If you are receiving 500 Internal Server Error, please check that Content-Type header is set to application/x-www-form-urlencoded and the request parameters are added to the body and not as query parameters.

Why is the Confirm button not working when I test the Authorization Workflow?

For the Authorization workflow to work correctly (in both the Appstore and Website workflows), the SP-API application must include both the OAuth Login URI and Redirect URI details. Failure to add information for either of these fields results in Confirm button not working.

When will the refresh token expire?

When will the refresh token expire? The refresh token expires after one year. This is identical to MWS token expiration.
Clone this wiki locally