amazon-web-services amazon-mws amazon-selling-partner-api

How to convert Amazon MWS credentials to SP-API creds


Here are the seemingly clear instructions from Amazon.

Simply send the following: sellingPartnerId, developerId, and mwsAuthToken

I do this with httparty like so:

query = {
  sellingPartnerId: "A3Kxxxxx",
  developerId: "753xxxx",
  mwsAuthToken: "amzn.mws.8abxxxxx-xxxx-xxxx-xxxx-xxxxxx",
}

and then

send = HTTParty.get("https://sellingpartnerapi-na.amazon.com/authorization/v1/authorizationCode", 
  query: query
)

This returns the following error:

{"errors"=>
  [{"message"=>"Access to requested resource is denied.",
    "code"=>"MissingAuthenticationToken"}]}

I've adjusted the call every way I've seen. I've read the following articles: This This

Paged through the 695 issues on GitHub for this API and still no luck. I've adjusted my query to this with no luck either:

query = {
  grant_type: "client_credentials",
  sellingPartnerId: "A3K98Oxxxxxx",
  developerId: "753xxxxxxxx",
  mwsAuthToken: "amzn.mws.8abxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx",
  client_id: "amzn1.application-oa2-client.xxxxxxxxxxxxxxxxxxxxxxxx",
  client_secret: "a473e76XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  scope: "sellingpartnerapi::migration"
}

Nothing I've tried has worked. Any suggestions? Has anyone actually migrated their MWS credentials to SP-API credentials successfully?


Solution

  • Unfortunately the specific Amazon docs that you link to don't tell the whole story. There are a few other requirements you'll need in order to get the authorizationCode response that you're looking for:

    Amazon OAuth Token

    You'll need an access token from Amazon's OAuth API (an entirely different API). You can use the grantless workflow for this, since in your case the user hasn't actually authorized the SP-API yet:

    POST https://api.amazon.com/auth/o2/token
    
    body: {
        grant_type: 'client_credentials',
        scope: 'sellingpartnerapi::migration',
        client_id: 'amzn1.application-oa2-client.xxxxxxxxxxxxxxxxxxxxxxxx',
        client_secret: 'a473e76XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
    }
    

    This will return an access_token that you'll need for your actual migration request to https://sellingpartnerapi-na.amazon.com/authorization/v1/authorizationCode. The response will look something like:

    {
        "access_token": "Atc|xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "scope": "sellingpartnerapi::migration",
        "token_type": "bearer",
        "expires_in": 3600
    }
    

    Important: Take the access_token value from that response and add it as an x-amz-access-token header to your /authorization/v1/authorizationCode request.

    Sign Your Request

    This is the actual reason behind the error you're receiving. An unsigned request will not include the "authorization token" that you're being prompted for.

    You'll need to sign your request using Amazon's SigV4 signing mechanism. It looks like you're using Ruby (HTTParty), so you can use the aws-sdk's Aws::Sigv4::Signer for this. You'll need to have set up IAM credentials as documented in the generic developer guide, and to provide those credentials to your Aws::Sigv4::Signer somehow (hardcoding, env vars, Aws::SharedCredentials, etc.).

    Request signing will result in a few proprietary headers being added to your request. Once this is done, you should have all that you need to make the request successfully.
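
The signing step described in the answer above, as an added example that is not part of the original answer: it builds the SigV4 headers, including `x-amz-access-token`, using only the Ruby standard library instead of `Aws::Sigv4::Signer`. It assumes the signing region `us-east-1` and the service name `execute-api` for the NA endpoint; the helper names and all key and token values are hypothetical.

```ruby
require 'digest'
require 'openssl'

# Assumptions, not values taken from the page: signing region and service name.
SP_HOST       = 'sellingpartnerapi-na.amazon.com'
SP_PATH       = '/authorization/v1/authorizationCode'
SIGV4_REGION  = 'us-east-1'
SIGV4_SERVICE = 'execute-api'

# RFC 3986 percent-encoding as SigV4 requires (only unreserved characters stay raw).
def uri_encode(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

def hmac(key, data)
  OpenSSL::HMAC.digest('sha256', key, data)
end

# Returns the headers for a signed GET of the migration endpoint.
# lwa_token is the access_token returned by https://api.amazon.com/auth/o2/token.
def signed_headers(query, lwa_token, access_key, secret_key, now = Time.now)
  amz_date = now.getutc.strftime('%Y%m%dT%H%M%SZ')
  date     = amz_date[0, 8]
  headers  = { 'host' => SP_HOST, 'x-amz-access-token' => lwa_token, 'x-amz-date' => amz_date }

  # Canonical request: query parameters and header names sorted, empty-body hash last.
  canonical_query = query.map { |k, v| [uri_encode(k), uri_encode(v)] }.sort
                         .map { |k, v| "#{k}=#{v}" }.join('&')
  names     = headers.keys.sort
  canonical = ['GET', SP_PATH, canonical_query,
               names.map { |n| "#{n}:#{headers[n].strip}\n" }.join,
               names.join(';'), Digest::SHA256.hexdigest('')].join("\n")

  scope          = "#{date}/#{SIGV4_REGION}/#{SIGV4_SERVICE}/aws4_request"
  string_to_sign = ['AWS4-HMAC-SHA256', amz_date, scope,
                    Digest::SHA256.hexdigest(canonical)].join("\n")
  # Signing key: HMAC chain over date, region, service and the fixed terminator.
  signing_key    = [date, SIGV4_REGION, SIGV4_SERVICE, 'aws4_request']
                   .reduce("AWS4#{secret_key}") { |key, part| hmac(key, part) }
  signature      = OpenSSL::HMAC.hexdigest('sha256', signing_key, string_to_sign)

  headers.merge('authorization' =>
    "AWS4-HMAC-SHA256 Credential=#{access_key}/#{scope}, " \
    "SignedHeaders=#{names.join(';')}, Signature=#{signature}")
end
```

Pass the returned hash as `headers:` alongside the same `query:` in the `HTTParty.get` call. Load the IAM keys and `client_secret` from the environment or a secrets store so they stay out of source control.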