Authorizing Selling Partner API Applications

The authorization model for the Selling Partner API is based on Login with Amazon, Amazon's implementation of OAuth 2.0. In this model your application is authorized through interactions with pages displayed by Amazon and by your website. The web browser is the user-agent that passes parameters between your website and Amazon at each selling partner action. To implement OAuth authorization you must configure your website to:

• Accept and process the parameters that Amazon passes to it
• Redirect the web browser and pass parameters to Amazon

How is my application authorized?

• Public applications for sellers:Applications that are publicly available and are authorized by sellers. These applications can be authorized using the following methods:
  • Selling Partner Appstore authorization workflow An OAuth authorization workflow initiated from the Selling Partner Appstore detail page.
  • Website authorization workflow An OAuth authorization workflow initiated from your own website.
• Private applications for sellers : Applications that are available only to your organization. These can be seller applications. These applications can be authorized using the following method:
  • Self authorization

You can call grantless operations without explicit authorization from a selling partner.

Selling Partner API Roles

Learn how to use roles in the Selling Partner API. Roles are the mechanism by which the Selling Partner API (SP-API) determines whether a developer or application has access to an operation or resource. Roles protect access to personally identifiable information (PII) and other sensitive data, and ensure that developers only access data that their application requires. As a developer, you must request and qualify for a particular role to gain access to the operations and resources that the role provides. If you call an operation for which you don't have the required roles, you get a 403 error.

Below roles are required for external fulFillment APIs :

• Amazon Fulfillment
• Inventory & Order Tracking
• Direct to Consumer Shipping (Restricted)

You may require additional roles, basis required operations. Please refer roles mapping to identify necessary roles.

You request roles through your developer profile. Amazon evaluates the information your submit and approves or denies your request. If denied, you can address the reason for the denial and then resubmit your profile.

Construct an OAuth authorization URI

An OAuth authorization URI is a key component for creating and testing Selling Partner API authorization workflows. The OAuth authorization URI redirects a browser to an Amazon consent page, where you or a selling partner can give your application consent to make calls to the Selling Partner API.

If a selling partner authorizes your application starting from your own website using the Website authorization workflow, then your website uses an OAuth authorization URI to redirect the selling partner to the Amazon consent page. Even if a selling partner authorizes your application starting from the Selling Partner Appstore, the Selling Partner appstore authorization workflow, you still need an OAuth authorization URI to test your authorization workflow in draft status before creating a live listing in the Selling Partner Appstore.

When constructing an OAuth authorization URI, applications are grouped into two types:

• All public applications and private seller applications. This category includes:
  • Applications that are publicly available and are authorized by a seller or vendor
  • Self-authorized seller applications that are available only to your organization

The following procedures explain how to construct an OAuth authorization URI, depending on the application type.

You can find the application ID following the application name on the developer console.

Construct an OAuth authorization URI for public seller applications

1. Get the Seller Central URL for the marketplace where you want selling partners to authorize your application. Refer to Seller Central URLs for a list of URLs by marketplace. For example: https://sellercentral.amazon.com
2. Combine the Seller Central URL with /apps/authorize/consent?application_id={your application ID}. For example: https://sellercentral.amazon.com/apps/authorize/consent?application_id=amzn1.sellerapps.app.0bf296b5-36a6-4942-a13e-EXAMPLEfcd28

You must construct OAuth authorization URIs for the marketplaces in which selling partners will authorize your application.

For example, if a seller has a Seller Central account for Mexico, they will need an OAuth authorization URI for Mexico to initiate authorization of your application. Authorizations are regional. When the authorization is complete, your application will have access to the seller's account in any marketplace in the North America region. The same concepts apply to vendors using Vendor Central. You can use the GetMarketplaceParticipations API to discover the active marketplaces for a selling partner.

If you create an OAuth authorization URI to test your authorization workflow, add the version=beta tag. This indicates that the authorization workflow is for an application in draft status. For example: https://sellercentral-europe.amazon.com/apps/authorize/consent?application_id=amzn1.sellerapps.app.0bf296b5-36a6-4942-a13e-EXAMPLEfcd28&version=beta

For information about creating and testing an authorization workflow, refer to Selling Partner Appstore authorization workflow and Website authorization workflow.