Authorization Errors

This topic describes common error codes and messages related to SP-API authorization.

Application authorization is required for integrating with the Selling Partner API. During this process, you may encounter error codes and error messages. The following troubleshooting tips can help unblock you if you encounter errors during the process.

For additional guidance, refer to the SP-API Errors FAQ.

Error codes

The following table provides common error codes that you may encounter with application authorization.

Error codeCauseSteps to resolve
MD1000

This error returns when OAuth production workflow is authorizing an SP-API application that is in draft state.

Add the version=beta parameter to the OAuth Authorization URI:

https://sellercentral.amazon.com/apps/authorize/consent?application_id=appidexample&state=stateexample&version=beta

After your application is published, you can remove the version=beta parameter.

MD5101This error returns when the redirect URL provided during OAuth authorization does not match one of the redirect URLs listed for the SP-API application.Verify that you are using the correct redirect URL.
In Seller Central:
On the Partner Network menu, choose Develop Apps, then choose Edit App. Verify the redirect URL listed in the console and the redirect URL of the page where you received the error match. If the URLs do not match, add the redirect URL to the console. If you are using the published version of your app, make sure you publish the update.
MD5110This error returns when the URL Redirect contains fragments.
For more details, refer to section 3.1.2 of the OAuth 2.0 Authorization Framework.
Check the redirect URL for fragments. In Seller Central:
From the Partner Network menu, choose Develop Apps, then choose Edit App. Verify the redirect URL is valid syntactically and does not contain fragment characters such as #.
MD9010This error returns when there is no MWS developer ID associated with the region where you are authorizing your MWS or hybrid application.Verify that your app is published and that the MWS developer ID is valid for the region where you are authorizing your application. In Seller Central:
On the Partner Network menu, choose Develop Apps, then choose Edit App. Verify the app is in a published state. Verify a valid MWS developer ID is listed for the region where you are authorizing your MWS or hybrid application.
MD9000This error returns when your SP-API application is missing Login URI and Redirect URI information. Update your app Login URI and Redirect URI. In Seller Central:
From the Partner Network menu, choose Develop Apps, choose Edit App, and update the Login URI and Redirect URI details.
500This error returns due to errors in the header. Check that the Content-Type header is set to application/x-www-form-urlencoded and the request parameters are added to the body, and not as query parameters.

Error messages

The following table provides common error messages that you may encounter with application authorization.

Error messagePossible scenarios
Credential should be scoped to a valid regionIn the signature, make sure that the AWS Region you added to the credentials scope and the region of the endpoint you are sending the request match. Refer to Selling Partner API Endpoints to identify which AWS Region you should use for your respective selling region.
Access to requested resource is deniedAccess denied error messages returns due to Unauthorized errors or MissingAuthenticationToken errors.
UnauthorizedAn Unauthorized with status code 403 error returns for the following scenarios:
  • Account status: Check that the seller account in your request has a healthy status. You can check account status in Developer Central. Choose Performance, then choose Account Health.
  • Region mismatch: Ensure that the seller account you are making a request to and the request endpoint are in the same region. The Selling Partner application is global but seller accounts are not. Refer to SP-API Endpoints for more information.
  • API access: Ensure that your application has access to the API operation you are using. To verify role permissions in Seller Central, navigate to Partner Network > Develop Apps. Choose Edit App and review the roles selected for your application.
  • Missing SP-API Role: If you are missing the role you need for API access, check your Developer Profile to verify you have requested access to that role. If you are missing access to a restricted role, you may need to re-submit your Developer Profile to get access to that restricted role. Once the role is added, re-authorize your application (that is, generate a new Login With Amazon (LWA) refresh token to make valid API calls). For more information, refer to Frequently Asked Questions in Roles in the Selling Partner API.
  • Missing Identity and Access Management (IAM) Amazon Resource Name (ARN): If you have verified that you have all of the correct roles and permissions, check that your IAM ARN is added to the application. This should be the same IAM ARN to which the IAM policy was attached during registration process.

    • If the IAM ARN is associated with an IAM role, make sure that the IAM policy is attached to the role. In addition, make sure to use the temporary credentials and session token obtained from AWS Security Token Service (AWS STS) in your request, along with an LWA access token. For more information, refer to Creating and configuring IAM policies and entities.

    • If the IAM ARN is associated with an IAM user, ensure that the IAM policy is attached to the IAM user and not to the IAM role. For more information, refer to Creating and configuring IAM policies and entities.
MissingAuthenticationTokenAs Selling Partner API uses the AWS Signature Version 4 signing process for authenticating requests, make sure to sign the HTTP requests using your AWS access keys. If you used AWS STS to request a set of temporary AWS access keys to sign your requests, verify that you are using the requested temporary AWS keys. For additional resources, refer to the AWS Selling Partner API QuickStart and example code.