Onboarding Step 4: Authorize your Amazon Business API apps

Before you proceed to this section, make sure you've completed:

  • Onboarding Step 1: Submit your Developer profile request
  • Onboarding Step 2: Create and configure IAM policies and entities
  • Onboarding Step 3: Create app client in Developer Central

Here, you'll learn how to generate a refresh token. A refresh token is required to access Amazon Business APIs. Each Amazon Business store has a unique token. When generating a token, you'll need to use the authorization (OAuth) URL of the country where your Amazon Business store is located. The list of Amazon Business store URLs is here.

🚧

Important! Tokens are unique for each Amazon Business store.

If you have accounts in multiple Amazon Business stores, you’ll need to get tokens for each Amazon Business store. Refer to frequently asked questions.

Generate refresh token

After you've accessed Developer Central, generate a refresh token by following these steps.

  1. In your browser, enter this URL.
https://www.amazon.com/b2b/abws/oauth?state=100&redirect_uri=
  1. Add your redirect_uri and applicationId.
https://www.amazon.com/b2b/abws/oauth?state=100&redirect_uri=https://www.your_redirect_uri.com&applicationId=amzn1.sp.solution.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

🚧

Important! Use the same redirect_uri and applicationId.

Use the same redirect_uri and applicationId you've provided in Developer Central. You'll encounter an error and will be unable to proceed if there's a mismatch. To verify your redirect_uri and applicationId, follow the steps here.

Parameter        Description
redirect_uri     The redirect URI for your application.
applicationId    Part of your LWA credentials. Refer to View your application information and credentials for details.

  1. The next screen prompts you to sign in. Sign in using your Amazon Business admin account.

🚧

Important! Amazon Business admin account is required.

Granting consent requires an admin account. Use your user account only if it has an admin role or is added to all legal entities on the Amazon Business account. An error will occur if you don't have an admin role or aren't added to all legal entities on Amazon Business.

  1. The consent page displays.
  1. Select Allow.

The OAuth code is in the redirect URI. Make a note of this code.

📘

The OAuth code is valid only for five minutes. If the five minutes have lapsed, you'll need to repeat the process.

Retrieve the access and refresh tokens

  1. Use the following curl command to generate the access token and refresh token.
# TLS certificate verification stays on (no -k/--insecure): this request carries your client secret.
curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=authorization_code&code=code_obtained_after_providing_consent&client_id=clientid_from_developer_profile&client_secret=secret_from_developer_profile&redirect_uri=redirect_url_from_developer_profile' 'https://api.amazon.com/auth/O2/token'

LWA returns the response in JSON format, as shown here.

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"Atza|IQEBLjAsAexampleHpi0U-Dme37rR6CuUpSR",
  "token_type":"bearer",
  "expires_in":3600,
  "refresh_token":"Atzr|IQEBLzAtAhexamplewVz2Nn6f2y-tpJX2DeX"
}

The following are definitions for various parameters present in an LWA response. The response is in JSON and includes these elements.

Parameter        Description
access_token     A token that authorizes your application to take certain actions on behalf of an Amazon Business account.
token_type       The type of token returned. Should be bearer.
expires_in       The number of seconds before the access token becomes invalid.
refresh_token    A long-lived token that can be exchanged for a new access token.

  1. Save the refresh token to generate access tokens for subsequent API calls.

📘

The access token is valid only for one hour. The LWA Authorization Server returns the LWA refresh token. Save the refresh token to generate access tokens for subsequent Amazon Business API calls. Use the same access token for multiple API calls until it expires.

Your app is now authorized to make calls to the Amazon Business API.
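
The reuse rule above (one access token for many API calls until it expires, then a new one from the saved refresh token), as an added Python example that is not Amazon's code. The `grant_type=refresh_token` form fields follow the standard OAuth 2.0 refresh grant and are not shown on this page; `AccessTokenCache`, `post_form` and the 60-second `skew` are hypothetical names and choices.

```python
import json
import time
import urllib.parse
import urllib.request

LWA_TOKEN_URL = "https://api.amazon.com/auth/O2/token"  # token endpoint from this page


def post_form(url, fields):
    """POST a form over HTTPS (certificate verification on) and parse the JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class AccessTokenCache:
    """Hypothetical helper: holds one store's refresh token and reuses each
    access token until shortly before it expires."""

    def __init__(self, client_id, client_secret, refresh_token,
                 transport=post_form, clock=time.monotonic, skew=60):
        # Assumption: standard OAuth 2.0 refresh-grant fields (not listed on the page).
        self._fields = {
            "grant_type": "refresh_token",
            "refresh_token": refresh_token,
            "client_id": client_id,
            "client_secret": client_secret,
        }
        self._transport, self._clock, self._skew = transport, clock, skew
        self._token, self._deadline = None, 0.0

    def get(self):
        """Return a valid access token, calling LWA only when the cached one is stale."""
        if self._token is None or self._clock() >= self._deadline:
            reply = self._transport(LWA_TOKEN_URL, self._fields)
            if str(reply.get("token_type", "")).lower() != "bearer":
                raise ValueError("unexpected token_type in LWA response")
            self._token = reply["access_token"]
            # expires_in is in seconds; renew `skew` seconds early to avoid
            # sending a token that expires mid-request.
            lifetime = max(int(reply["expires_in"]) - self._skew, 0)
            self._deadline = self._clock() + lifetime
        return self._token

    def __repr__(self):
        # Keep the client secret and tokens out of logs and tracebacks.
        return "<AccessTokenCache>"
```

Create one cache per Amazon Business store, since each store has its own refresh token.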

  1. If you're a public developer interested in developing applications for business customers, you need to add an authorization workflow. Adding an authorization workflow allows your customers to successfully grant consent to your app. There are two authorization workflow options for you.

Authorization workflow options

Amazon Business App Center authorization workflow
This workflow requires you to create a listing request for Amazon Business App Center through Developer Central. If you opted for this option, complete the integration by following the steps here.

Your website-based authorization workflow
This workflow requires you to create a UI-based authorization workflow on your website. If you opted for this option, complete your integration by following the steps here.

Frequently asked questions

Q: If I have accounts on multiple Amazon Business stores, do I use the same OAuth for each store?

A: No. If you have accounts in multiple Amazon Business stores, you’ll need to get tokens for each Amazon Business store. The tokens are unique for each Amazon Business store. The list of Amazon Business store URLs is here. If you have five Amazon Business accounts in different countries, here's your sample schema.

Q: What happens if I’m not an admin of all legal entities in Amazon Business while performing authorization activity?

A: You’ll receive this error and will be unable to proceed.

To resolve this error, do these steps:

  1. Ask your Amazon Business account admin to add you as an admin to all legal entities on the Amazon Business account.
  2. Sign in to Developer Central and remove access.
  1. From the Actions drop-down list, select Remove Access. The Remove Access? message displays.
  1. Select Remove. A confirmation message displays.
  1. The next screen prompts you to sign in. Sign in using your Amazon Business admin account.

The consent page displays.

  1. Select Allow. A success message displays.

The authorization code is in the redirect URI.

Q: Can I provide consent if I don't have an admin account or am not added as an admin at a legal entity level?

A: No. You must sign in using an admin account to provide consent. An error will occur if you aren't using an admin account while providing consent. To resolve the error, follow the steps here.

Q: Why am I getting this error?

A: This error is caused by an invalid redirect_uri and applicationId. You must use the same redirect_uri and applicationId you've provided in Developer Central. Any missing or additional characters will cause an error.

To resolve the error, follow the steps here.

Q: What could cause an error while trying to generate an OAuth code?

A: An error occurs because of an invalid redirect_uri and applicationId. Use the same redirect_uri and applicationId you've provided in Developer Central. You'll encounter an error and will be unable to proceed if there's a mismatch.

To verify if you've provided a valid redirect_uri and applicationId, do these steps:

  1. Sign in to Developer Central. The App ID column displays your applicationId.
  1. To view your redirect_uri, select Edit App in the Action column. This displays the app registration. Your redirect_uri is provided here.

Q: Does the refresh token expire?

A: No. The refresh token doesn’t expire, but it won't work if the authorization is revoked.