amzn / selling-partner-api-models

This repository contains OpenAPI models for developers to use when developing software to call Selling Partner APIs.
Apache License 2.0

[BUG] Failure to use Restricted Data Token #2237

Closed tahir1122 closed 6 months ago

tahir1122 commented 2 years ago

Describe the bug: I am able to retrieve RDT for getOrders API but using the RDT as 'x-amz-access-token' results in 403 unauthorized

URL of the content on GitHub: https://github.com/amzn/selling-partner-api-docs/blob/main/guides/en-US/use-case-guides/tokens-api-use-case-guide/tokens-API-use-case-guide-2021-03-01.md#step-1-get-an-rdt-getorders

Issue Details: I am successful in retrieving RDT for getOrders API endpoint using the following POST request:

POST https://sellingpartnerapi-na.amazon.com/tokens/2021-03-01/restrictedDataToken

{ "restrictedResources": { "method": "GET", "path": "/orders/v0/orders", "dataElements": ["buyerInfo", "shippingAddress"] } }

The response contains the 'restrictedDataToken'. When I try to use this RDT for GetOrders API endpoint by replacing 'x-amz-access-token' with the RDT (as mentioned in the documentation), it fails with the following error:

403 Forbidden

{ "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "details": "" } ] }

I am able to retrieve Orders when using the Access token but it fails when using RDT

Any help would be appreciated

kpconnell commented 2 years ago

are you signing it with the RDT in place?

tahir1122 commented 2 years ago

are you signing it with the RDT in place?

Yes, I am

NeftaliAcosta commented 2 years ago

I have the same problem, the documentation is not clear on how to generate an RDT. What headers go or what additional parameters do I have to send?

KanishkVashisht commented 2 years ago

I'm facing the same issue. Can someone on the amazon team look into this?

foxfiring commented 2 years ago

It's probably that the app doesn't have PII permission.

daniel031699 commented 2 years ago

@tahir1122 I also encountered the same problem. Has it been solved? Ask for help

tahir1122 commented 2 years ago

This issue is still not resolved. Can anyone please help?

Valkozaur commented 2 years ago

I have a similar problem, if somebody resolved it please let me know. Amazon, if you read this, please give us accurate documentation on when we should add the access token, before the signing or after the signing. And also should we take in place the access token granted from the with the ClientSecret.

RobertMartin-nz commented 2 years ago

I have the exact same issue. My seller application tries to call getOrders with an LWA token and I don't get all the shipping details. My app is registered for 'Direct-to-Consumer Delivery'. Searching the docs it seems I need to get an RDT (Restricted data token) and pass this as the 'x-amz-access-token' instead of the normal LWA token.

I can call and get an RDT passing the exact settings from the example docs

{ "restrictedResources": [ { "method": "GET", "path": "/orders/v0/orders", "dataElements": ["buyerInfo", "shippingAddress"] } ] }

but when I use it (by assigning it to x-amz-access-token and signing my message as normal) I get the 403 'Access to requested resource is denied.' error.

Does anyone have this working?

GreaText commented 2 years ago

I have the exact same problem listed here. I can get orders with LWA token that does not include restricted data. I can retrieve a restricted data token, but when I use the RDT to get orders I'm returned a 403 unauthorized error.

Has anyone found a workable solution? We have spent weeks with Amazon support and still do not have a solution.

RobertMartin-nz commented 2 years ago

Ok for everyone still struggling with this, I have found and fixed the issue I had with this.

The issue is that if you send invalid JSON in your request to get an RDT instead of returning an error, Amazon returns ok with a token that has no access to anything. When you use this token to call an API you then get an 'Access to requested resource is denied.' message. Which is true, because you don't have access but also horribly misleading. I was running around checking my Dev account, refreshing my permissions etc.

Anyway, the JSON I was using was actually not exactly as shown in the manual: I was passing restrictedResources as a JSON object but it should have been an array.

GreaText commented 2 years ago

I had coded as you.. sending an object for restrictedResources and not an array. I changed the code to send an array, now I'm getting a different error, but I think this might be the solution to get past this particular problem.

RobertMartin-nz commented 2 years ago

Glad to hear it might have helped.

Just in case it helps others, here is the exact (working) JSON I am sending. This is for access to orders. This is the JSON body I pass through (UTF-8 encoded)

{ "restrictedResources": [ { "method": "GET", "path": "/orders/v0/orders", "dataElements": [ "buyerInfo", "shippingAddress" ] } ] }

or unformatted

{"restrictedResources":[{"method":"GET","path":"\/orders\/v0\/orders","dataElements":["buyerInfo","shippingAddress"]}]}
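
Added example, not part of the original thread and not Amazon's code: since, as reported above, a malformed body still yields a token that is later rejected with 403, a client-side shape check before calling the Tokens API catches the object-versus-array mistake early. The function name and the rule that `dataElements` is optional are assumptions; the two sample bodies are the ones posted in this thread.

```python
import json

def validate_rdt_request(body):
    """Return a list of problems with an RDT request body (empty list = OK)."""
    if isinstance(body, (str, bytes)):
        try:
            body = json.loads(body)
        except ValueError as exc:
            return [f"body is not valid JSON: {exc}"]
    if not isinstance(body, dict):
        return ["top level must be a JSON object"]
    resources = body.get("restrictedResources")
    # The mistake reported in this thread: a single object instead of an array.
    if isinstance(resources, dict):
        return ["restrictedResources is an object; it must be an array of objects"]
    if not isinstance(resources, list) or not resources:
        return ["restrictedResources must be a non-empty array"]
    problems = []
    for i, res in enumerate(resources):
        where = f"restrictedResources[{i}]"
        if not isinstance(res, dict):
            problems.append(f"{where} must be an object")
            continue
        if not isinstance(res.get("method"), str) or not res["method"]:
            problems.append(f"{where}.method must be a non-empty string")
        path = res.get("path")
        if not isinstance(path, str) or not path.startswith("/"):
            problems.append(f"{where}.path must be a string starting with '/'")
        # Assumption: dataElements may be omitted; if present it is a string list.
        elements = res.get("dataElements", [])
        if not isinstance(elements, list) or not all(isinstance(e, str) for e in elements):
            problems.append(f"{where}.dataElements must be an array of strings")
    return problems

# Bodies copied from the thread: the first (object) led to an unusable token,
# the second (array) is the one reported as working.
BROKEN = ('{"restrictedResources": {"method": "GET", "path": "/orders/v0/orders", '
          '"dataElements": ["buyerInfo", "shippingAddress"]}}')
WORKING = ('{"restrictedResources":[{"method":"GET","path":"\\/orders\\/v0\\/orders",'
           '"dataElements":["buyerInfo","shippingAddress"]}]}')

if __name__ == "__main__":
    for name, raw in (("broken", BROKEN), ("working", WORKING)):
        print(name, validate_rdt_request(raw) or "OK")
```

Running the check on the serialized bytes that are actually sent, rather than on the in-memory structure, also catches serializers that turn a one-element list into a bare object.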

GreaText commented 2 years ago

Here is the same code in PHP

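// $body is the request payload; restrictedResources is built as an array of resources
$body = [];
$body['restrictedResources'][] = [
    'method'        => 'GET',
    'path'          => '/orders/v0/orders',
    'dataElements'  => [ 'buyerInfo', 'shippingAddress' ],
];
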
machusko-deliverr commented 2 years ago

Thank you Robert! I was having a similar issue and the json formatting was the culprit.

Valkozaur commented 1 year ago

Hey man, I am not sure if you are going to receive this mail. The solution for me was checking up again the refresh token. Make sure you are calling for the right market ID and right market url.

On Thu, May 5, 2022, 01:23 RobertMartin-nz @.***> wrote:

I have the exact same issue. My seller application tries to call getOrders with an LWA token and I don't get all the shipping details. My app is registered for 'Direct-to-Consumer Delivery'. Searching the docs it seems I need to get an RDT (Restricted data token) and pass this as the 'x-amz-access-token' instead of the normal LWA token.

I can call and get an RDT passing the exact settings from the example docs

{ "restrictedResources": [ { "method": "GET", "path": "/orders/v0/orders", "dataElements": ["buyerInfo", "shippingAddress"] } ] }

but when I use it (by assigning it to x-amz-access-token and signing my message as normal) I get the 403 'Access to requested resource is denied.' error.

Does anyone have this working?


gesenlik commented 1 year ago

Hi, have you been able to find a definitive solution for this? I am trying to solve the same error. The json is correct but does not accept the rdt token.

Valkozaur commented 1 year ago

Hello, for me I did not have enough rights. Therefore I was getting this error message.

gesenlik commented 1 year ago

thanks for your answer...

DanyPell commented 1 year ago

Same as OP. Can get RDT but can't get the orders when using the RDT. Where is Amazon?

StormTech07 commented 1 year ago

Same! Using Python:

    # Tokens client from the python-amazon-sp-api package (sp_api)
    from sp_api.api import Tokens

    tokens_api = Tokens(credentials=credentials)
    response = tokens_api.create_restricted_data_token(
        restrictedResources=[
            {
                "method": "GET",
                "path": "/orders/v0/orders",
                "dataElements": ["buyerInfo", "shippingAddress"]
            }
        ]
    )

Returns: sp_api.base.exceptions.SellingApiForbiddenException: [{'code': 'Unauthorized', 'message': 'Access to requested resource is denied.', 'details': ''}]

darrelbott commented 1 year ago

Python and Postman don't work. I get the RDT token, but it doesn't work on the path that I am calling. I get a 403 error that reads the token no longer valid, malfunctioned, etc.

I'm passing the RDT token in the header instead of the access token. Not getting this 403 error

I plan on getting in touch with Amazon tomorrow, but why would a token they just gave me not work on the very thing it gave me a token for? And they are getting rid of MWS lol.

github-actions[bot] commented 6 months ago

This is a very old issue that is probably not getting as much attention as it deserves. We encourage you to check if this is still an issue after the latest release and if you find that this is still a problem, please feel free to open a new issue and make a reference to this one.

github-actions[bot] commented 6 months ago

closed for inactivity