Authorization Errors
Describes common error codes and messages related to SP-API authorization.
Selling Partner API (SP-API) authorization is the process by which a selling partner authorizes your application to call the SP-API on the selling partner's behalf. The following troubleshooting tips can help unblock you if you encounter errors during the process.
For additional guidance, refer to the SP-API Errors FAQ.
Error codes
The following table provides common error codes that you might encounter with application authorization.
Error code | Cause | Steps to resolve |
---|---|---|
MD1000 | This error occurs when the OAuth production workflow is authorizing an SP-API application that is in Draft state. | Add the version=beta parameter to the OAuth authorization URI (https://sellercentral.amazon.com/apps/authorize/consent?application_id=appidexample&state=stateexample&version=beta). After you publish your application, you can remove the version=beta parameter. |
MD5101 | This error occurs when the OAuth redirect URI provided during OAuth authorization doesn't match one of the redirect URIs listed for the SP-API application. | Verify that you're using the correct redirect URI. In Seller Central: 1. From the Seller Central menu, choose Apps and Services, and then choose Develop Apps. 2. Next to the app that you want to verify, choose Edit App. 3. In the console, verify that the redirect URI matches the redirect URI of the page where you received the error. 4. If the URLs don't match, add the redirect URI to the console. 5. If you're using the published version of your app, make sure that you publish the update. |
MD5110 | This error occurs when the redirect URI contains fragments. For more details, refer to section 3.1.2 of the OAuth 2.0 authorization framework. | Check the redirect URI for fragments. In Seller Central: 1. From the Seller Central menu, choose Apps and Services, and then choose Develop Apps. 2. Next to the app that you want to verify, choose Edit App. 3. Verify that the redirect URI is valid and doesn't contain fragment characters such as #. |
MD9100 | This error occurs when your SP-API application is missing a login URI and redirect URI. | Update your app's login URI and redirect URI. In Seller Central: 1. From the Seller Central menu, choose Apps and Services, and then choose Develop Apps. 2. Next to the app that you want to verify, choose Edit App. 3. Update the login URI and redirect URI. |
500 | This error occurs due to errors in the header. | Check that the Content-Type header is set to application/x-www-form-urlencoded and that you add the request parameters to the body, not as query parameters. |
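
The checks in the table above can be run before starting the OAuth workflow. The following is an added example, not Amazon's code: it builds the consent URI with version=beta for Draft apps, flags the redirect URI problems behind MD5101, MD5110 and MD9100, and checks a request against the 500 row. The function names, the exact-string redirect match, and the example.com URLs are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit

# Consent endpoint as shown in the MD1000 row above.
CONSENT_URL = "https://sellercentral.amazon.com/apps/authorize/consent"
FORM = "application/x-www-form-urlencoded"


def consent_uri(application_id, state, draft):
    """Build the authorization URI; Draft apps need version=beta (MD1000)."""
    params = {"application_id": application_id, "state": state}
    if draft:
        params["version"] = "beta"
    return CONSENT_URL + "?" + urlencode(params)


def check_redirect(redirect_uri, registered_uris, login_uri):
    """Return the MD error codes this redirect configuration is likely to hit."""
    codes = []
    # Assumption: flag MD9100 when either URI is absent from the app settings.
    if not login_uri or not registered_uris:
        codes.append("MD9100")
    # A bare "#" also counts, so test the raw string, not the parsed fragment.
    if "#" in redirect_uri:
        codes.append("MD5110")
    # Assumption: matching is an exact string comparison, so a trailing
    # slash or a different scheme or case counts as a mismatch.
    if redirect_uri not in registered_uris:
        codes.append("MD5101")
    return codes


def check_form_request(url, headers):
    """Return the reasons a request would fall under the 500 row."""
    problems = []
    lowered = {k.lower(): v for k, v in headers.items()}
    media_type = lowered.get("content-type", "").split(";")[0].strip().lower()
    if media_type != FORM:
        problems.append("Content-Type is not " + FORM)
    if urlsplit(url).query:
        problems.append("request parameters sent as query parameters")
    return problems


if __name__ == "__main__":
    registered = ["https://app.example.com/oauth/callback"]  # constructed sample
    login = "https://app.example.com/login"  # constructed sample
    print(consent_uri("appidexample", "stateexample", draft=True))
    print(check_redirect("https://app.example.com/oauth/callback/", registered, login))
    print(check_form_request("https://lwa.example.com/token?grant_type=x",
                             {"Content-Type": "application/json"}))
```
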
Error messages
The following table provides common error messages that you might encounter with application authorization.
Error message | Possible scenarios |
---|---|
Credential should be scoped to a valid region | In the signature, make sure that the AWS region that you added to the credentials scope and the region of the endpoint to which you're sending the request match. To identify which AWS region you should use for your respective selling region, refer to Selling Partner API Endpoints. |
Access to requested resource is denied | Access denied error messages occur due to Unauthorized or MissingAuthenticationToken errors. |
Unauthorized | An Unauthorized error with status code 403 occurs in the following scenarios: - Region mismatch: Ensure that the seller account you're making a request to and the request endpoint are in the same region. The selling partner application is global but seller accounts are not. For details, refer to SP-API Endpoints. - API access: Ensure that your application has access to the API operation that you're using. To verify role permissions in Solution Provider Portal: 1. Next to the app that you want to verify, choose Edit App. 2. Review the roles selected for your application. - Missing SP-API role: If you're missing the role that you need for API access, check your developer profile to verify that you requested access to that role. If you're missing access to a restricted role, you might need to re-submit your developer profile to get access to that restricted role. After the role is added, re-authorize your application (that is, generate a new Login With Amazon (LWA) refresh token to make valid API calls). For more information, refer to Frequently Asked Questions in Roles in the Selling Partner API. |
MissingAuthenticationToken | Make sure to sign the HTTP requests using your AWS access keys. If you used AWS STS to request a set of temporary AWS access keys to sign requests, verify that you're using the requested temporary AWS keys. For additional resources, refer to the AWS Selling Partner API QuickStart and example code. |