HomeDocumentationCode SamplesAPI ReferenceAnnouncementsModelsRelease NotesFAQGitHubVideos
Developer HubAPI StatusSupport
Documentation
Developer HubAPI StatusSupport

Authorization Errors

Describes common error codes and messages related to SP-API authorization.

Selling Partner API (SP-API) authorization is the process by which a selling partner authorizes your application to call the SP-API on the selling partner's behalf. The following troubleshooting tips can help unblock you if you encounter errors during the process.

For additional guidance, refer to the SP-API Errors FAQ.

Error codes

The following table provides common error codes that you might encounter with application authorization.

MD1000

This error occurs when the OAuth production workflow is authorizing an SP-API application that is in Draft state.

To resolve this error: Add the version=beta parameter to the OAuth authorization URI:

https://sellercentral.amazon.com/apps/authorize/consent?application_id=appidexample&state=stateexample&version=beta

After you publish your application, you can remove the version=beta parameter.

MD5101

This error occurs when the OAuth redirect URI provided during OAuth authorization doesn't match one of the redirect URIs listed for the SP-API application.

To resolve this error: Verify that you're using the correct redirect URI. For more information, refer to the following instructions.

Solution Provider Portal
  1. From the Solution Provider Portal menu, choose Apps, and then choose Develop Apps Console.
  2. Next to the app that you want to verify, choose Edit App.
  3. In the console, verify that the redirect URI and the redirect URI of the page where you received the error.
  4. If the URLs don't match, add the redirect URI to the console.
  5. If you're using the published version of your app, make sure that you publish the update.
Seller Central
  1. From the Seller Central menu, choose Apps and Services, and then choose Develop Apps.
  2. Next to the app that you want to verify, choose Edit App.
  3. In the console, verify that the redirect URI and the redirect URI of the page where you received the error.
  4. If the URLs don't match, add the redirect URI to the console.
  5. If you're using the published version of your app, make sure that you publish the update.

MD5110

This error occurs when the redirect URI contains fragments. For more information, refer to section 3.1.2 of the OAuth 2.0 authorization framework.

To resolve this error: Check the redirect URI for fragments. For more information, refer to the following instructions.

Solution Provider Portal
  1. From the Solution Provider Portal menu, choose Apps, and then choose Develop Apps Console.
  2. Next to the app that you want to verify, choose Edit App.
  3. Verify that the redirect URI is valid and doesn't contain fragment characters, such as #.
Seller Central
  1. From the Seller Central menu, choose Apps and Services, and then choose Develop Apps.
  2. Next to the app that you want to verify, choose Edit App.
  3. Verify that the redirect URI is valid and doesn't contain fragment characters, such as #.

MD9100

This error occurs when your SP-API application is missing a login URI and redirect URI.

To resolve this error: Update your app's login URI and redirect URI. For more information, refer to the following instructions.

Solution Provider Portal
  1. From the Solution Provider Portal menu, choose Apps, and then choose Develop Apps Console.
  2. Next to the app that you want to verify, choose Edit App.
  3. Update the login URI and redirect URI.
Seller Central
  1. From the Seller Central menu, choose Apps and Services, and then choose Develop Apps.
  2. Next to the app that you want to verify, choose Edit App.
  3. Update the login URI and redirect URI.

500

This error occurs due to errors in the header.

To resolve this error: Check that the Content-Type header is set to application/x-www-form-urlencoded and that you add the request parameters to the body, not as query parameters.

Error messages

The common error messages that you might encounter with application authorization include:

Credential should be scoped to a valid region

In the signature, make sure that the AWS region that you added to the credentials scope and the region of the endpoint to which you're sending the request match. To identify which AWS region you should use for your respective selling region, refer to Selling Partner API Endpoints.

Access to requested resource is denied

Access denied error messages occur due to Unauthorized or MissingAuthenticationToken errors.

Unauthorized

An Unauthorized with status code 403 error occurs for the following scenarios:

  • Region mismatch: Ensure that the seller account you're making a request to and the request endpoint are in the same region. The selling partner application is global but seller accounts are not. For details, refer to SP-API Endpoints.
  • API access: Ensure that your application has access to the API operation that you're using. To verify role permissions in Solution Provider Portal:
    1. Next to the app that you want to verify, choose Edit App.
    2. Review the roles selected for your application.
  • Missing SP-API role: If you're missing the role that you need for API access, check your developer profile to verify that you requested access to that role. If you're missing access to a restricted role, you might need to re-submit your developer profile to get access to that restricted role. After the role is added, re-authorize your application (that is, generate a new Login With Amazon (LWA) refresh token to make valid API calls). For more information, refer to Frequently Asked Questions in Roles in the Selling Partner API.

MissingAuthenticationToken

Make sure to sign the HTTP requests using your AWS access keys. If you used AWS STS to request a set of temporary AWS access keys to sign requests, verify that you're using the requested temporary AWS keys. For additional resources, refer to the AWS Selling Partner API QuickStart and example code.

Updated 12 days ago