Reminder and best practices to keep Amazon LWA client credentials secure
Important: Public Exposure of Amazon LWA client credentials will lead to loss of SP-API access.
To protect customer data, any known compromise of Amazon LWA client credentials or data will result in loss of access to SP-API, that is, the ability to make API calls using the compromised credentials.
What action is required?
Rotate your LWA client credentials as soon as you are aware of an exposure.
How do I rotate my LWA Client Secret to resume operations?
To generate new LWA credentials (client secrets), refer to the SP-API documentation on Rotating your application's LWA credentials.
Important: After you generate a new LWA credential (client secret), you must update your credentials for any applications that call Amazon Selling Partner APIs.
What more can I do to protect my credentials?
Your security is important to us. Exposure of your application's Amazon LWA client credentials poses a security risk to data, for both you and your customers, and is a violation of our Acceptable Use Policy (AUP). You are responsible for keeping the data you retrieve from SP-API secure in accordance with our Data Protection Policy (DPP).
The following is a list of SP-API resources about how to protect your data:
- All Amazon SP-API developers are required to follow secure coding standards to uphold Personally Identifiable Information (PII) requirements in the DPP. Credentials and other sensitive information must never be hard-coded in your application code. Refer to the blogs Safeguarding Sensitive Credentials for SP-API Applications and Rotate your SP-API credentials using AWS.
- If an application is no longer in use, you may consider deleting your application by following the documentation to Delete an application from your developer account.
- You can configure code scanning to automatically identify vulnerabilities and errors in the code stored in your repository. Learn more at GitHub Configuring code scanning.
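The two points above (never hard-code credentials; scan the repository for them) can be put into practice in a few lines. The following is an added example, not Amazon's code or part of the SP-API documentation: it reads the LWA client ID and client secret from the environment at runtime, keeps the secret out of repr() and log output, and includes a small scanner that flags source lines where a client secret has been hard-coded. The environment variable names (LWA_CLIENT_ID, LWA_CLIENT_SECRET), the sample source text and the secret prefix used as a scanning heuristic are assumptions made for this example; the token endpoint is the public LWA endpoint.

```python
"""Added example (not Amazon's code): keep LWA client credentials out of
source code, out of logs, and out of your repository."""
import os
import re
from dataclasses import dataclass, field
from typing import Mapping

# Public LWA token endpoint for the refresh_token grant used by SP-API apps.
LWA_TOKEN_URL = "https://api.amazon.com/auth/o2/token"

# Assumed environment variable names; a secrets manager works the same way.
ENV_CLIENT_ID = "LWA_CLIENT_ID"
ENV_CLIENT_SECRET = "LWA_CLIENT_SECRET"

# Assumption: LWA client secrets start with this prefix. The scanner treats it
# as a heuristic and also flags any quoted value assigned to a variable whose
# name looks like a client secret.
CLIENT_SECRET_PREFIX = "amzn1.oa2-cs.v1."
SECRET_TOKEN = re.compile(re.escape(CLIENT_SECRET_PREFIX) + r"[A-Za-z0-9]{8,}")
SECRET_ASSIGNMENT = re.compile(
    r"(?i)((?:client|lwa)[_-]?secret\s*[=:]\s*['\"])([^'\"]{8,})(['\"])"
)


@dataclass
class LwaCredentials:
    client_id: str
    # repr=False keeps the secret out of repr(), str() and f-string debug output.
    client_secret: str = field(repr=False)

    def token_request_body(self, refresh_token: str) -> dict:
        """Form fields for exchanging an SP-API refresh token for an access token."""
        return {
            "grant_type": "refresh_token",
            "refresh_token": refresh_token,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        }


def missing_credentials(env: Mapping[str, str]) -> list:
    """Names of required variables that are absent or empty in env."""
    return [name for name in (ENV_CLIENT_ID, ENV_CLIENT_SECRET) if not env.get(name)]


def load_lwa_credentials(env: Mapping[str, str] = os.environ) -> LwaCredentials:
    """Read credentials at runtime instead of embedding them in code."""
    missing = missing_credentials(env)
    if missing:
        # Report the variable names, never their values.
        raise RuntimeError("missing LWA credential variables: " + ", ".join(missing))
    return LwaCredentials(env[ENV_CLIENT_ID], env[ENV_CLIENT_SECRET])


def redact(line: str) -> str:
    """Mask secret-looking values so scanner output is safe to log or share."""
    line = SECRET_ASSIGNMENT.sub(r"\1[REDACTED]\3", line)
    return SECRET_TOKEN.sub(CLIENT_SECRET_PREFIX + "[REDACTED]", line)


def find_hardcoded_secrets(source: str) -> list:
    """Return (line_number, redacted_line) for lines that embed a client secret."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        if SECRET_TOKEN.search(line) or SECRET_ASSIGNMENT.search(line):
            findings.append((number, redact(line)))
    return findings


# Constructed sample source: one hard-coded secret, one runtime lookup.
SAMPLE_SOURCE = """\
import os
CLIENT_ID = "amzn1.application-oa2-client.EXAMPLEID"
CLIENT_SECRET = "amzn1.oa2-cs.v1.EXAMPLESECRET0000"  # hard-coded
client_secret = os.environ["LWA_CLIENT_SECRET"]  # loaded at runtime
"""

if __name__ == "__main__":
    for number, line in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {number}: {line}")
```

Running the module reports only the third sample line, with the value masked; the runtime lookup on the fourth line is not flagged. A check like find_hardcoded_secrets fits naturally in a pre-commit hook or CI job alongside the repository code scanning mentioned above, and the redaction step matters because scanner output often ends up in build logs.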