Rotating your application's LWA credentials

This topic describes the process for rotating your application's LWA credentials (client secrets).

🚧

Important!

As of February 6, 2023, you must rotate your Login With Amazon (LWA) credentials (client secrets) for all applications every 180 days. All credentials must be rotated by May 22, 2023. If you do not update your LWA credentials before your target rotation date, your application will lose access to SP-API. You will be notified 90 days prior to the target rotation date of LWA credentials, and you will receive periodic reminder emails as you approach your credential's target rotation date.

What is credential rotation?

Credential rotation is the process of periodically updating your client secrets.

Regular and timely rotation of Login With Amazon (LWA) credentials limits how long your application's credentials remain usable if they are exposed or compromised.

Note: Rotating LWA credentials DOES NOT impact end users. Sellers and shippers DO NOT have to re-authorize the application (the refresh token isn't impacted).

Rotate the Login With Amazon (LWA) credential (client secret) for your application

Follow these steps to rotate LWA credentials (client secrets).

  1. Sign in to your developer account on Seller Central, Vendor Central, or Developer Central and navigate to the Developer Console page that lists all your applications.
  2. From the LWA credentials column, find the expiry alert and select View.
  3. (Optional) For ease of reference, you can store your existing LWA credentials securely in an encrypted form.
  4. Choose Rotate secret, read the warning, then choose Rotate secret again.
  5. Repeat Steps 2 through Step 5 for every application showing an expiry alert.

🚧

Important!

After you generate a new LWA credential (client secret), you must update your credentials for any applications that call the Amazon APIs. Your old credentials expire 7 days after you generate new credentials.

For a list of URLs by marketplace, refer to Seller Central URLs and Vendor Central URLs.

If you have any questions, contact us through SP-API Developer Support or Amazon Vendor Central.

Troubleshooting & Error handling

You might encounter the following errors when rotating your credentials.

- You fail to rotate your LWA credentials in a timely manner and action is taken against your application.

You will see the following error message if you fail to rotate your credentials in time:

Access Denied with an x-amzn-errortype of AccessDeniedException.

In this scenario, all calls made by the application are blocked. This messaging will not change. You can get the latest LWA credentials by following the steps below and using them to make the API requests:

  1. Log in to your developer account.
  2. Navigate to the Developer Console page that lists all your applications.
  3. From the LWA credentials column, choose View.
  4. Use the credentials displayed in Step 3 for the LWA exchange.

If the issue persists, you can open a case to resolve the issue.

- You rotate your credentials, but continue to use the old credentials instead of the new credentials.

Your old credentials expire 7 days after you generate new credentials. You will see the following error message if you continue to use old credentials for more than 7 days after you rotate your credentials.

{
 "error_description": "Client authentication failed",
 "error": "invalid_client"
}

This error occurs during the Request a Login with Amazon access token step, resulting in loss of API access for the application. Use the following procedure to resolve the issue:

  1. Log in to your developer account.
  2. Navigate to the Developer Console page that lists all your applications.
  3. From the LWA credentials column, choose View.
  4. Use the credentials displayed in Step 3 for the LWA exchange.
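
The following is an added example, not code from Amazon or from this page: a Python sketch that tells the two failures described above apart and tracks the 7-day and 180-day windows for one application. The function names, the returned labels, and the assumption that the target rotation date is the last rotation plus 180 days are illustrative; the sample responses are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Intervals stated on this page.
ROTATION_INTERVAL = timedelta(days=180)  # rotate every 180 days
OLD_SECRET_GRACE = timedelta(days=7)     # old secret expires 7 days after rotation
REMINDER_LEAD = timedelta(days=90)       # first notice 90 days before the target date


def rotation_status(rotated_at, now):
    """Where an application stands relative to its last rotation (assumed model)."""
    old_expiry = rotated_at + OLD_SECRET_GRACE
    due = rotated_at + ROTATION_INTERVAL  # assumption: target = last rotation + 180 days
    return {
        "old_secret_usable": now < old_expiry,
        "old_secret_expires": old_expiry,
        "next_rotation_due": due,
        "in_reminder_window": due - REMINDER_LEAD <= now < due,
        "overdue": now >= due,
    }


def diagnose(headers, body):
    """Classify a failed response as one of the two failures this page describes."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if "AccessDeniedException" in lowered.get("x-amzn-errortype", ""):
        # The page ties this to a missed rotation; confirm in the Developer Console.
        return "rotation_overdue_suspected"
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):
        return "unrelated"
    if isinstance(payload, dict) and payload.get("error") == "invalid_client":
        return "stale_client_secret"  # deployed secret is past the 7-day overlap
    return "unrelated"


# Constructed sample responses (not captured traffic).
SAMPLES = [
    ({"x-amzn-ErrorType": "AccessDeniedException"}, '{"errors": []}'),
    ({}, '{"error_description": "Client authentication failed", "error": "invalid_client"}'),
    ({}, '{"error": "invalid_grant"}'),
]

if __name__ == "__main__":
    now = datetime(2023, 3, 1, tzinfo=timezone.utc)
    print(rotation_status(datetime(2023, 2, 20, tzinfo=timezone.utc), now))
    for headers, body in SAMPLES:
        print(diagnose(headers, body))
```

Alerting on `old_secret_usable` turning false while any deployment still holds the previous secret catches the `invalid_client` failure before the token exchange starts failing.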