Rotate your Application's LWA Credentials
Learn how to rotate your application's Login With Amazon (LWA) credentials (client secrets).
As of February 6, 2023, you must rotate your Login With Amazon (LWA) credentials (client secrets) for all applications every 180 days. All credentials must be rotated by May 22, 2023. If you do not update your LWA credentials before your target rotation date, your application will lose access to SP-API.
Tip
For a video overview of rotating your application's LWA credentials, refer to Rotating Your Application's LWA Credentials
What is credential rotation?
Credential rotation is the process of periodically updating your client secrets.
Regular and timely rotation of Login With Amazon (LWA) credentials limits the duration of your application’s credentials in the event that credentials are exposed or compromised.
Note
Rotating credentials does not impact end users. End users do not need to re-authorize applications.
Why do you need to rotate the LWA client secret on SP-API application(s)?
Your application’s LWA credentials are like a username and password. Even if you are very careful with your access credentials, you might find yourself in a situation where your credentials have been exposed or compromised. Regular and timely rotation of your LWA client secret help to make your applications more secure by limiting the lifespan of credentials.
Failure to rotate the LWA client secret for your app by the due date will result in the loss of ability to make any API calls. This will directly impact any customers that have authorized your application by restricting critical business functions.
Rotate the Login With Amazon (LWA) credential (client secret) for your application programmatically
To rotate your LWA credentials programmatically, refer to Rotate your application's client secret.
Rotate the Login With Amazon (LWA) credential (client secret) for your application in the Developer Console
Follow these steps to rotate LWA credentials (client secrets).
- Sign in to your developer account on Seller Central, Vendor Central, or Developer Central and navigate to the Developer Console page that lists all your applications.
- From the LWA credentials column, find the expiration alert and select View.
- (Optional) For ease of reference, you can securely store your existing LWA credentials in an encrypted form.
- Choose Rotate secret, read the warning, then choose Rotate secret again.
- View the updated target rotation date on the LWA credentials page.
- Repeat Steps 2 through Step 6 for every application showing an expiration alert.
Important
After you generate a new LWA credential (client secret), you must update your credentials for any applications that call the Amazon APIs. Your old credentials expire seven days after you generate new credentials.
For a list of URLs by marketplace, refer to Seller Central URLs and Vendor Central URLs.
Do you need to generate new refresh tokens when you rotate LWA credentials?
No. Refresh tokens are tied to the LWA client identifier. Upon LWA rotation, a new LWA client secret will be created. You will need to use this new secret along with its existing client identifier and refresh token to retrieve new access tokens. Refresh tokens do not need to be recreated.
If you have any questions, contact us through SP-API Developer Support or Amazon Vendor Central.
Troubleshooting and error handling
Note
If your application is blocked due to failure to rotate LWA credentials by the deadline, initiating LWA credential rotation will result in your application becoming unblocked automatically. You will still need to begin using the new secret before the old secret expires. How long it takes for the old secret to expire depends on authorizations and security concerns. In some cases they will expire immediately after rotation, and in other cases will last seven days.
You might encounter the following errors when rotating your credentials.
You fail to rotate your LWA credentials in a timely manner and action is taken against your application.
You get the following error message if you fail to rotate your credentials in time:
{
"errors": [
{
"code": "Unauthorized",
"message": "Access to requested resource is denied.",
"details": "The LWA secret token you provided has expired."
}
]
}
In this scenario, all calls made by the application are blocked. This messaging will not change. You can get the latest LWA credentials by following these steps and using them to make the the API requests:
- Log in to your developer account.
- Navigate to the Developer Console page that lists all your applications.
- From the LWA credentials column, choose View.
- Use the credentials displayed in Step 3 for the LWA exchange.
If the issue persists you can open a case to resolve the issue.
You rotate your credentials, but continue to use the old credentials instead of the new credentials.
Your old credentials expire seven days after you generate new credentials. You get the following error message if you continue to use old credentials for more than seven days after you rotate your credentials.
{
"error_description": "Client authentication failed",
"error": "invalid_client"
}
This error occurs during the Request a Login with Amazon access token step, resulting in loss of API access for the application. Use the following procedure to resolve the issue:
- Log in to your developer account.
- Navigate to the Developer Console page that lists all your applications.
- From the LWA credentials column, choose View.
- Use the credentials displayed in Step 3 for the LWA exchange.
Updated 3 months ago