HomeDocumentationCode SamplesAPI ReferenceAnnouncementsModelsRelease NotesFAQGitHubVideos
Developer HubAPI StatusSupport
Documentation
Developer HubAPI StatusSupport

LWA Credentials FAQ

Frequently asked questions about LWA Credentials, including rotation.

What is Login with Amazon (LWA) credentials rotation?

Select to expand the answer.

Login with Amazon (LWA) credential rotation is the process of periodically updating your client secrets. Regular and timely rotation of LWA credentials limits the duration of exposed or compromised credentials.

Why do I need to rotate the LWA credentials for my applications?

Select to expand the answer.

Your application’s LWA credentials are like a username and password. Even if you are very careful with your access credentials, you might find yourself in a situation where your credentials have been exposed or compromised.

Failure to rotate the LWA credentials for your app by the rotation deadline results in the loss of ability to make any API calls. This directly impacts any customers that have authorized your application by restricting critical business functions.

Do I need to rotate LWA credentials for all my applications?

Select to expand the answer.

Yes, you need to rotate the LWA credentials for all your active SP-API applications before the rotation deadline. You can rotate credentials for all your applications at the same time so that they all share the same LWA credentials rotation deadline.

Do I need to generate new refresh tokens when I rotate LWA credentials or ask my users to reauthorize the applications?

Select to expand the answer.

No. Refresh tokens are linked to the LWA client identifier. You receive a new client secret when you rotate your LWA credentials. You can use this new secret with the existing client identifier and refresh token to retrieve new access tokens. You do not need to regenerate refresh tokens.
If you have any questions, contact us through SP-API Developer Support or Amazon Vendor Central Support.

Is my application's access to SP-API disrupted if I rotate LWA credentials?

Select to expand the answer.

Yes, you can use your old LWA credentials for seven days after you rotate them. You can also open a case to invalidate your old LWA credentials before the seven-day period after you complete credentials rotation. Update your application’s code to use the new LWA credentials within this period to avoid disruption in your application’s SP-API access,

What steps must I take if my application loses access to SP-API because I did not update the LWA credentials on time?

Select to expand the answer.

Failure to rotate LWA credentials can block your application's access to SP-API. You can unblock your application by initiating a new rotation. However, you must update your application’s code with the new credentials before the old one expires. The expiration time for old credentials depends on authorizations and security concerns. In some cases, the credentials expire immediately after rotation, while in others, they may last up to seven days.

What steps must I take if my application's LWA credentials get exposed?

Select to expand the answer.

If you suspect your LWA credentials have been compromised, you must follow Amazon Data Protection Policy to inform Amazon by email (security@amazon.com) within 24 hours. For more information on how to handle security incidents, refer to the Protect Amazon API Applications with Incident Response guide.

Troubleshooting and Error Handling

How do I resolve Access to requested resource is denied error message?

The following error message appears if you fail to rotate your credentials in time:

{
  "errors": [
    {
      "code": "Unauthorized",
      "message": "Access to requested resource is denied.",
      "details": "The LWA secret token you provided has expired."
    }
  ]
}

In this scenario, all calls made by the application are blocked. This message remains in effect until you rotate your LWA credentials.

To resolve this issue, refer to Rotate the Login With Amazon (LWA) credentials for your application in the Developer Console.

If the issue persists after you rotate the credentials, you can open a case to resolve the issue.

How do I resolve an invalid_client error message?

If you fail to update your application’s code with the new LWA credentials after you successfully rotate them, you receive an invalid_client error from the LWA endpoint when you attempt to exchange a refresh token for an access token. Update your application’s code within seven days of rotating the LWA credentials to avoid this issue and potential business disruption:

{
 "error_description": "Client authentication failed",
 "error": "invalid_client"
}

This error can occur when you Request a Login with Amazon access token. It can also result in loss of API access for the application.

After you rotate your Login with Amazon (LWA) credentials, update your application's code to use the new credentials. To generate a new access token with the updated credentials, refer to Rotate the Login With Amazon (LWA) credentials for your application in the Developer Console.

If the issue persists even after you update your application’s code, you can open a case.

Updated 18 days ago