Troubleshooting Selling Partner API authorization errors
Context and troubleshooting tips for common error messages and codes that developers may encounter during the application authorization process for Selling Partner API
by Olivia S., Solutions Architect, Selling Partner Developer Services | March 16, 2022
Application authorization is one of the steps required for integrating with the Selling Partner API. In this step, you create an authorization workflow that allows sellers and vendors to authorize your application’s access to the seller’s or vendor’s selling data. Once authorized, the application can make calls to the Selling Partner API endpoints. You can complete the authorization process through self-authorization or a third-party OAuth workflow. After you have authorized the application, you use AWS Signature Version 4, a protocol for authenticating inbound API requests to AWS services, to sign the API request and call Selling Partner API endpoints.
During this process, you may encounter error codes and error messages. The following troubleshooting tips can help unblock you if you encounter errors during the process.
The following table provides common error codes that you may encounter in application authorization.
|Error code||Cause||Steps to resolve|
This error is returned when OAuth production workflow is authorizing an SP-API application that is in Draft state.
Add the version=beta parameter to the OAuth Authorization URI:
Once your application is published, you can remove the
|MD5101||This error is returned when the redirect URL provided during OAuth authorization does not match one of the redirect URLs listed for the SP-API application.||Verify that you are using the correct redirect URL. In Seller Central:|
On the Partner Network menu, choose Develop Apps, choose Edit App. Verify the redirect URL listed in the console matches the redirect URL of the page where you received the error. If the URL does not match, add the redirect URL to the console. If you are using the published version of your app, make sure to publish your update.
|MD5110||This error is returned when the Redirect URL contains fragments.|
For more details, see section 3.1.2 of the OAuth 2.0 Authorization Framework.
|Check the redirect URL for fragments. In Seller Central:|
On the Partner Network menu, choose Develop Apps, choose Edit App. Verify the redirect URL is valid syntactically and does not contain fragment characters such as `#`.
|MD9010||This error is returned when there is no MWS developer ID associated with the region where you are authorizing your MWS or hybrid application.||Verify that your app is published and that the MWS developer ID is valid for the region where you are authorizing your application. In Seller Central:|
On the Partner Network menu, choose Develop Apps, choose Edit App. Verify the app is in a published state. Verify a valid MWS developer ID is listed for the region where you are authorizing your MWS or hybrid application.
|MD9000||This error is returned when your SP-API application is missing Login URI and Redirect URI information.||Update your app Login URI and Redirect URI. In Seller Central:|
On the Partner Network menu, choose Develop Apps, choose Edit App, and update the Login URI and Redirect URI details.
|500||This error is returned due to errors in the header.||Check that the Content-Type header is set to |
The following section provides common error messages that you may encounter in application authorization.
Credential should be scoped to a valid region
While you are calculating the signature, make sure that the AWS Region you have added to the credentials scope matches the region of the endpoint you are sending the request to. See Selling Partner API Endpoints to find which AWS Region you should use for your respective selling region.
Access to requested resource is denied
Access denied error messages are returned due to Unauthorized errors or MissingAuthenticationToken errors.
An Unauthorized with status code 403 error is returned for the following scenarios:
- Account status: Check that seller account you are making a requests has a healthy status. You can check account status in Developer Central. Choose Performance, then Account Health.
- Region mismatch: Check the seller account that you are making request to is in the same region as the endpoint you are using in the request. The Selling Partner application is global but seller accounts are not global. See also SP-API Endpoints.
- API access: Check the API operation you are making a request to and verify that your application has access to that API. To verify role permissions, in Seller Central, navigate to Partner Network > Develop Apps. Choose Edit App and review the roles selected for your application.
- Missing SP-API Role: If you are missing the role you need for the API access, check your Developer Profile to verify you requested access to that role. If you are missing access to a restricted role, you may need to re-submit your Developer Profile for access to that restricted role. Once the role is added, re-authorize your application (that is, generate a new LWA Refresh token to make valid API calls). For more information, see Frequently Asked Questions in Roles in the Selling Partner API.
- Missing IAM ARN: If you have verified that you have all of the correct roles and permissions, check that your IAM ARN is added to the application. The IAM ARN you add should be the same IAM ARN to which the IAM policy was attached during registration process.
- If IAM ARN is associated with an IAM role, make sure that the IAM policy is attached to the role. In addition, make sure that you are using the temporary credentials and a session token obtained from AWS Security Token Service (AWS STS) in your request along with LWA access token. For more information, see Creating and configuring IAM policies and entities.
- If IAM ARN is associated with an IAM user, make sure that the IAM policy is attached to the IAM user and not to the IAM role. For more information, see Creating and configuring IAM policies and entities.
As Selling Partner API uses the AWS Signature Version 4 signing process for authenticating requests, make sure to sign the HTTP requests using your AWS access keys. If you have used AWS STS to request a set of temporary AWS access keys to sign your requests, verify that you are using the temporary AWS keys from AWS STS. For additional resources, see the AWS Selling Partner API QuickStart and example code.
This blog post walked through common Selling Partner error messages and codes that you may encounter during the authentication and authorization process and how to troubleshoot them.
See these additional resources for more information on error codes and authorization:
- Selling Partner API General FAQs
- Authorizing Selling Partner API Applications
- Authorization with the Restricted Data Token
- SP API Tutorial Videos
Need more support with error codes and messages? Refer to the SP-API Errors FAQ or contact us via the Selling Parter API Developer Support channel.
Have feedback on this post?
If you have questions or feedback on this post, we'd like to hear from you! Please vote and leave a comment using the tools at the bottom of this page.
Subscribe to updates via RSS feed.
Updated 11 months ago