Keep getting Unauthorized using sample requests

[kingkong404]

Keep getting Unauthorized error using sample requests in docs. Should these examples work?

I'm trying to work out if I'm not authenticating properly or whether the API endpoint is giving the error as I'm trying to request data that I don't have access to (as it's your data)

Using a brand new marketplace seller account / no products / data.

CustomError: Access to requested resource is denied.
    at SellingPartner.callAPI (/Users/steven/Documents/boilerplate/versiontwo/node_modules/amazon-sp-api/lib/SellingPartner.js:203:13)
    at processTicksAndRejections (node:internal/process/task_queues:93:5)
    at /Users/steven/Documents/boilerplate/versiontwo/packages/amazon/lib/SP-api.ts:19:19 {
  code: 'Unauthorized',
  details: '',
  type: 'error'
}

require("dotenv").config();
require("source-map-support").install();

import SellingPartnerAPI from "amazon-sp-api";

(async () => {
  try {
    const sellingPartner = new SellingPartnerAPI({
      region: "eu",
      refresh_token:
        "XXX",
      options: {
        auto_request_tokens: true,
        auto_request_throttled: true,
      },
    });

    let res = await sellingPartner.callAPI({
      operation: "createReport",
      body: {
        reportType: "GET_FLAT_FILE_OPEN_LISTINGS_DATA",
        marketplaceIds: ["A1PA6795UKMFR9"],
      },
    });

    console.log(res);
  } catch (e) {
    console.log(e);
  }
})();

[amz-tools]

Hi there,

yes, it works for us and it should work for you as well and return a reportId. Looks like your are not authorized, but error messages from Amazon are currently not very helpful for some calls. Might be because you have no listings in the marketplace yet? Try the "getMarketplaceParticipations" operation, this should definetly work when credentials are correct: await sellingPartner.callAPI({ operation:'getMarketplaceParticipations' }); If not, check if your access_token and role_credentials are fetched corretly by calling them manually and check their values: await sellingPartner.refreshAccessToken(); console.log(sellingPartner.access_token); await sellingPartner.refreshRoleCredentials(); console.log(sellingPartner.role_credentials);

[kingkong404]

Hey, thanks for the quick reply.

require("dotenv").config();
require("source-map-support").install();

import SellingPartnerAPI from "amazon-sp-api";

(async () => {
  try {
    const sellingPartner = new SellingPartnerAPI({
      region: "na",
      refresh_token:
        "Atzr|IXXXXXXX",
      options: {
        auto_request_tokens: true,
        auto_request_throttled: true,
      },
    });

    await sellingPartner.refreshAccessToken();
    console.log(sellingPartner.access_token);

    await sellingPartner.refreshRoleCredentials();
    console.log(sellingPartner.role_credentials);

    let res = await sellingPartner.callAPI({ operation: "getMarketplaceParticipations" });

    console.log(res);
  } catch (e) {
    console.log(e);
  }
})();

Does that mean I'm authed as a security_token was returned?

(base) ➜  ts-node packages/amazon/lib/SP-api.ts
Atza|XXXXX
{
  id: 'ASIAXXXXXXXXX',
  secret: '1Nomv5x7c/JXXXXXXXXXX',
  security_token: 'FwoXXXXXXXXXXE='
}
CustomError: Access to requested resource is denied.
    at SellingPartner.callAPI (/Users/steven/Documents/boilerplate/versiontwo/node_modules/amazon-sp-api/lib/SellingPartner.js:203:13)
    at processTicksAndRejections (node:internal/process/task_queues:93:5)
    at /Users/steven/Documents/boilerplate/versiontwo/packages/amazon/lib/SP-api.ts:23:19 {
  code: 'Unauthorized',
  details: '',
  type: 'error'
}

[amz-tools]

Since you receive access_token and security_token the credentials seem to be correct, yes. Have you checked that you are using the correct IAM role and that it has access to the sellingpartner API? If yes, I'm afraid I'm running out of ideas. :-)

One more idea: Since you created a new seller account, have signed up to a professional selling plan? I know at least for the old MWS API it a a requirement to have a professional plan so I would guess its a requirement for access to the SP API as well.

[kingkong404]

I believe everything has been set up correctly. I followed the guide linked to create a role/ user etc although I'm going to redo the whole process again.

Also yes, I believe I'm a pro seller and all it set up correctly

Will report back shortly.

[kingkong404]

Same error as before :/

Are there any other basic requests I could try other than await sellingPartner.callAPI({ operation: "getMarketplaceParticipations" })?

[amz-tools]

You could try the catalog item calls, i.e.:

await sellingPartner.callAPI({
  operation:'getCatalogItem',
  path:{
    asin:'B084J4QQFT'
  },
  query:{
    MarketplaceId:'A1PA6795UKMFR9'
  }
});

await sellingPartner.callAPI({
  operation:'listCatalogItems',
  query:{
    MarketplaceId:'A1PA6795UKMFR9',
    Query:'alexa'
  }
});

[kingkong404]

Unfortunately still getting Unauthorized. Is there any way of increasing logging level or further investigating?

[amz-tools]

We haven't built in any debugging possibility yet, but you could log the request and result objects in lib/request.js, maybe this might help you in resolving the issue.

[kingkong404]

Did you follow steps 1 to 6 listed here? Did you do anything else to get it working?

I'm wondering if their docs are missing a step.

[amz-tools]

Yes, just followed the steps. Only information missing in the guide is how to add the security_token, but thats handled inside our client. For the IAM ARN of your app client in sellercentral, did you make sure you put the IAM role created in step 4? This should correspond with the value in the envvar AWS_SELLING_PARTNER_ROLE. Whereas AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY need to include the credentials from the IAM user created in step 2. And have you made sure you are using the right region?

[kingkong404]

And have you made sure you are using the right region?

I believe I just created everything in my default AWS Region does that make a difference?

Or did you meanregion: "na" inside of the library config as my Seller Account is currently registered in the US?

Will go over the other items again now.

UPDATE: did you make sure you put the IAM role created in step 4? Yes the Role not user is listed in the IAM ARN during the App creation screen.

And yes Key + Secret are from User created in Step 2

[amz-tools]

Hm, I'm afraid I'm running out of ideas here. Might be something with the region, as we tested with the EU region and not the NA region, but only the API endpoint subdomains and the region for signing the requests are different and both is implemented and working. So probably the best chance is to log the response headers of a failing request, copy the Request-ID returned ("x-amzn-requestid"-Header), open up a case with the SP/MWS-Team at Amazon and send them the Request-ID. Please let me know if you find a solution!

[tday]

FWIW, I can confirm I was able to use this package in NA using the instructions in the README.

[kingkong404]

FWIW, I can confirm I was able to use this package in NA using the instructions in the README.

@tday Thanks for clarifying. Must be something up with my amazon account then.

[kingkong404]

@amz-tools So just to be 100% certain here are my regions.

1. I am registered as a UK company with Amazon.
2. In my Seller portal I have access to North America / Mexico and Canada. (I'm not planning on selling, this was default)

3. AWS is US East although I looked into creating an EU Role / User although those assets in AWS seem to be global / not specific to any region.

   How should I be configuring the region settings / configurations.

[amz-tools]

@Stevenje The region setting depends on the marketplace you want to request data from, not the region you registered in. Since you have access to the North America selling region (US, Canada, Mexico) you can use "na" as region. I think you are right on the role settings, they shouldn't be specific to any region and the STS (security token service) request inside our module is using the global endpoint (sts.amazonmws.com). Also, as you successfully received role credentials and an access token at least your AWS configuration and the refresh token seem to be correct. If you are also sure that your SELLING_PARTNER_APP_CLIENT_ID and SELLING_PARTNER_APP_CLIENT_SECRET settings are correct you should receive data.

[tday]

@Stevenje it's worth reaching out to Amazon to see if they gave you access correctly if all things check out on your end.

Amazon had notified us on two separate occasions we had access, but we in fact did not. We had to escalate three times to Amazon before they gave us proper access.

[meteci]

@Stevenje Can you please try below request?

let res = await sellingPartner.callAPI({ operation: "getOrder", path: { orderId: "ORDER-NUMBER-HERE", }, });

I'm having the same unauthorized issue but I was able to use the API with the above request without any problem. Seems like it has an issue with your Developer Profile Auths.

[kingkong404]

@Stevenje Can you please try below request?

let res = await sellingPartner.callAPI({ operation: "getOrder", path: { orderId: "ORDER-NUMBER-HERE", }, });

I'm having the same unauthorized issue but I was able to use the API with the above request without any problem. Seems like it has an issue with your Developer Profile Auths.

Hey @metecicek unfortunately the account I have is purely for development so it has no products or orders, so I don't think I can do the request as it would be lacking an order number.

[callumb123]

let res = await sellingPartner.callAPI({ operation: "getOrder", path: { orderId: "ORDER-NUMBER-HERE", }, });

Hey @metecicek, I have been getting the same 403 unauthorised error and can confirm that this getOrder API call also worked for me. I have an open case with amazon support but let me know if you ever get to the bottom of it as so far they have been pretty useless.

[kingkong404]

@callumb123 how did you open a support request with them? When I tried to open a request in seller central everything seemed very focused around sellers. Is there a way to get dev support?

Also any responses in the interim on your end from amazon?

Would love to get this fixed.

[callumb123]

@Stevenje I'm based in the UK so I used this link: https://sellercentral.amazon.co.uk/gp/mws/contactus.html

My first case got picked up by someone who was no help at all and didn't understand the question so I have had to submit a new ticket.

I have had one response where they have told me the LWA details I have used in the request are wrong and to double check them. I'm fairly sure they aren't (since the getOrder endpoint works) so have asked for more information on which details they think are wrong. I will update here again if I get to the bottom of it as I am also pretty desperate to get this working.

[kingkong404]

@metecicek any updates on your end?

[kingkong404]

@callumb123 thanks! Yeah me too, I'm burning cash paying for access with nothing working. Will update also.

[kingkong404]

Hey @callumb123 I just tried re-running my code and now everything has started working... guessing it was something amazons side that they have now fixed.

try running this.

    let res2 = await sellingPartner.callAPI({ operation: "getMarketplaceParticipations" });

    console.log(res2);

[callumb123]

@Stevenje Awesome! Just tested a few endpoints there and they all seem to be working. I would be really curious to find out what was wrong as Amazon's end to affect so many people. Thanks a lot for letting me know, much appreciated!

[Tanveer-LowCoder]

This is weird, as I just hit this issue with an app that was already working yesterday!.

Ah, the perks of being a dev. Works one day, and it mysteriously stops working the next. Have raised a ticket, let's see what they say.

[Tanveer-LowCoder]

So, on further testing, found the following:

1. when running a test on my own store, where I get null object back for getOrders - its working.
2. When I try to get the getOrder for a clients store, where we got the spapi_auth correctly, and generated the refresh_token successfully. Get the following error:

020-12-26T12:51:26.034Z fa99489f-358c-4d9e-a07d-ec94d104a2fe INFO CustomError: Access to requested resource is denied. at SellingPartner.callAPI (/var/task/node_modules/amazon-sp-api/lib/SellingPartner.js:229:13) at processTicksAndRejections (internal/process/task_queues.js:97:5) at async Runtime.exports.handler (/var/task/index.js:22:15) { code: 'Unauthorized', details: '', type: 'error' }

[pavel-labbmiljo]

I got the same "Access to requested resource is denied" issue. Does it work for the vendor central account, also?

[amz-tools]

Hi @pavel-labbmiljo,

we haven't tested it, maybe somebody else is here who can confirm it works. It should work, but it seems that vendors have a subset of operations of the SP API available, found this blog post here, maybe that helps.

[uythoang]

@Stevenje Can you please try below request?

let res = await sellingPartner.callAPI({ operation: "getOrder", path: { orderId: "ORDER-NUMBER-HERE", }, });

I'm having the same unauthorized issue but I was able to use the API with the above request without any problem. Seems like it has an issue with your Developer Profile Auths.

So this getOrder operation works for me, but getMarketplaceParticipations also gives me the "Access to requested resource is denied." error. I've opened a case with the MWS team, so we'll see...