amzn / selling-partner-api-models

This repository contains OpenAPI models for developers to use when developing software to call Selling Partner APIs.
Apache License 2.0

'400 bad request' without error message in all of my calls to SP-API #2590

Closed yablichdada closed 11 months ago

yablichdada commented 1 year ago

Good afternoon, all. I have a problem when trying to receive orders using SP-API. I get the authorization token correctly. After I make a request using the GET method: https://sellingpartnerapi-eu.amazon.com/orders/v0/orders?MarketplaceIds=A13V1IB3VIYZZH,...,2CA1F83G8C2ARO7P&createdAfter=2023-04-25

And the headers:

    "x-amz-content-sha256": "e3b0c......c1c149afbf4c8996fb92427ae......9b934ca495991b7852b855"
    "Accept": "/"
    "Accept-Encoding": "gzip"
    "host": "sellingpartnerapi-eu.amazon.com"
    "x-amz-access-token": "Atza|Iredacted"
    "Authorization": "AWS4-HMAC-SHA256 Credential=AKIA56........V3QN6E/20230525/eu-west-1/execute-api/aws4_request, SignedHeaders=host;x-amz-access-token;x-amz-content-sha256;x-amz-date, Signature=9f809769c....................f8bae920fef59f6ed9bddff0c4cba30482a"
    "x-amz-date": "20230525T152824Z"
    "Connection": "keep-alive"
    "user-agent": "1CDrive/1.0(Language=1C/8.3;Platform=Windows/10)"

The answer I get: StatusCode 400 The body of the answer is a string of the form:

<!DOCTYPE html>x

Who can tell me what the problem is and how to solve it? Thanks

hinavinayak commented 1 year ago

@yablichdada

Hello, can you please confirm that the client is not passing a {} body or content-length header in a GET request?

KQuiskamp commented 1 year ago

same error here.

All requests are "400 - bad request" and data response is <!DOCTYPE html><html><head><title>x</title></head><body></body></html>\n

yablichdada commented 1 year ago

I have the same error. I didn't insert it into the post correctly.

vanlaptop commented 1 year ago

Same error here. Most of the report requests return an HTTP/1.1 400 Bad Request error.

sungolivia commented 1 year ago

Hey @yablichdada I redacted your access token for security purposes. Please understand!

maliknaik16 commented 1 year ago

I faced this same issue. Make sure you are not passing the body even if it is an empty body. It'll use the empty body {} to sign the signature for the get request and might have weird responses as you are seeing.

KQuiskamp commented 1 year ago

> I faced this same issue. Make sure you are not passing the body even if it is an empty body. It'll use the empty body {} to sign the signature for the get request and might have weird responses as you are seeing.

Wow, yep, that was the mistake. If you use Node.js, check your body before signing: `Object.keys(req.body).length !== 0`

hinavinayak commented 1 year ago

Hello,

We have begun to reject requests that are not consistent with HTTP RFC spec. We have been enforcing this restriction to a portion of requests, but will temporarily reduce the portion of requests seeing enforcement through the weekend. We will begin enforcing this on all requests in the near future. If you have received an error with 400 status code with an html response, please ensure your request is consistent with HTTP RFC 7230. The most common cause of errors is a GET request that contains a body or content length header. We have also seen some clients send duplicate host header.
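A pre-flight check for the causes named in the comment above (a GET with a body or Content-Length header, a duplicate Host header) plus the payload-hash mismatch described earlier in the thread, as an added example that is not part of the original thread or of Amazon's SDK. `lintRequest` and the request descriptor shape are hypothetical, and the sample requests are constructed.

```javascript
// Added example: pre-flight checks for an outgoing SP-API request.
const { createHash } = require('node:crypto');

const sha256Hex = (data) => createHash('sha256').update(data).digest('hex');

// SHA-256 of a zero-length payload: what a body-less GET should declare and sign.
const EMPTY_PAYLOAD_HASH = sha256Hex('');

// `req` is a hypothetical descriptor: { method, headers: [[name, value], ...], body }.
// Headers are kept as a list of pairs so duplicates stay visible.
function lintRequest(req) {
  const findings = [];
  const isGet = req.method.toUpperCase() === 'GET';
  const names = req.headers.map(([name]) => name.toLowerCase());
  const hasBody = req.body !== undefined && req.body !== null;

  // Even "" or {} counts as a body: clients then tend to emit Content-Length too.
  if (isGet && hasBody) findings.push('GET request carries a body');
  if (isGet && names.includes('content-length')) {
    findings.push('GET request sets Content-Length');
  }
  if (names.filter((n) => n === 'host').length > 1) {
    findings.push('duplicate Host header');
  }
  // The declared payload hash must describe the bytes actually sent.
  const declared = req.headers.find(([n]) => n.toLowerCase() === 'x-amz-content-sha256');
  if (declared) {
    let payload = '';
    if (hasBody) payload = typeof req.body === 'string' ? req.body : JSON.stringify(req.body);
    if (declared[1] !== sha256Hex(payload)) {
      findings.push('x-amz-content-sha256 does not match the payload');
    }
  }
  return findings;
}

// Constructed sample requests (not captured traffic).
const HOST = 'sellingpartnerapi-eu.amazon.com';
const cleanGet = {
  method: 'GET',
  headers: [['host', HOST], ['x-amz-content-sha256', EMPTY_PAYLOAD_HASH]],
};
const brokenGet = {
  method: 'get',
  headers: [['Host', HOST], ['host', HOST], ['Content-Length', '2'],
    ['x-amz-content-sha256', EMPTY_PAYLOAD_HASH]],
  body: {},
};
console.log(lintRequest(cleanGet), lintRequest(brokenGet));
```

Running the check on the request object just before it is signed catches an empty `{}` body that an HTTP client library would otherwise serialize silently.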

yablichdada commented 1 year ago

Hello,

I read all of your posts. And today I started checking. Error of request GET orders/v0/orders has changed. Although I haven't made any changes in my code. Today the error sounds like this: "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."

How is it that there is no change on my end, and different answers come to the same request?

P.S.: I checked the request for body{} It's not in my request.

tekka commented 1 year ago

I encountered the same error last week. When I stopped setting the body in the GET request, the error was resolved.

update: It seems there have been changes again...

booktrakker commented 1 year ago

We are in much the same boat. We rotated the LWA key and can no longer access the APIs. The Signature does not match, and that is clearly visible in the error when compared to the String to Sign.

We use the Amazon Swagger Generated SDK and have no clue as to how the signing code works. Amazon is refusing to fix this, so we may have to tell our Amazon Sellers that we cannot support Amazon now. It is infuriating and absurd.

We have been down for 2 weeks now with no solution in sight.

hinavinayak commented 1 year ago

Hello,

Please use this announcement with the recommendations and troubleshooting steps to resolve 400 error issues.

Example error response

    {
        HTTP/1.1 400 Bad Request
        Server: Server
        Date: Tue, 16 May 2023 06:02:44 GMT
        Content-Type: text/html
        Transfer-Encoding: chunked
        Connection: close
    }

For AWS Sigv4 related issues please leverage the AWS troubleshooting doc to understand the error. This is a great starting point for that. For additional support please contact developer support.

booktrakker commented 1 year ago

Hi,

Our error does not look like what you show below, but other aspects closely resemble this post, and I think someone else also mentioned something like what we are seeing.

Prior to the LWA Key rotation our code worked. After the key rotation it worked sporadically until it stopped working. No changes in code during any of this – we use the SDK Generated from the Swagger model provided by Amazon.

Developer support has been unable to resolve this for more than two weeks, largely because they do not want to understand that I use the SDK and keep insisting that it is my code that is the problem. It may well be the code, but it is not my code, it is the Code that is part of the Swagger Generated SDK and I am not qualified to resolve any errors in that code.

We are getting a 403 error, and it is due to something not being right in the string to be signed, which does not match. No one has been able to identify the cause and I keep being told it is my code, but I use the Swagger Generated SDK, so I did not write the code.

One thing I observe is that the time stamps in the String to be Signed differ, and I have no idea why that would be. It is also clear that the encoded string differs. This string is generated by SDK code at our end, using a process opaque to me.

This is what it says, but the keys are correct. I do not know how to check the signing method, I look at the code and more or less understand each line, but have no idea what it is doing overall. Amazon does not want to help us because we used an Amazon SDK, so we are now two weeks out with 150 Sellers unable to use our product to access their listings.

"errors": [

{

  "message": "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

We have repeatedly checked the keys, they are correct and current.

I do not know how to check the Signature code, so we are unable to proceed.

Jim Gutterman

Director of Development

BookTrakker.com

haakon24 commented 1 year ago

I have the same error, only that for me the request will randomly work at certain (but not consistent / predictable) times of the week. I don't understand how the exact same request can be valid one minute and invalid the next, if anyone has any ideas on what I could do to diagnose I would be extremely grateful as this has been driving me crazy for weeks.

yablichdada commented 1 year ago

I don't understand what the reason is. Requests work and come with the correct data, then do not work. And there is no error text. I get an empty html file. The code from our side was not changed. A month ago everything was working correctly, and now it's not. Please help.

digitalEyez commented 1 year ago

I am migrating our Amazon APIs from MWS to SP-API. First step was to get STS and LWA APIs up and running so I could generate the keys to test a Postman call using Amazon's Postman template obtained here: https://github.com/amzn/selling-partner-api-models/blob/main/models/orders-api-model/ordersV0.json . My getOrders call worked initially, about a month ago, and now that I'm getting back to testing, I've generated numerous LWA (access_token, refresh_token) and STS keys for use with my getOrders test-call but to no avail -- consistently getting 400 error with the html output others have noted above: <!DOCTYPE html><html><head><title>x</title></head><body></body></html> . As @booktrakker mentioned above ... am concerned about what the Amazon Team may be changing to have something go offline after having been working. Anyone been lucky getting support from Amazon via submitting support-case on Developer Central?

booktrakker commented 1 year ago

We went through an extremely painful migration process due to the disconnect between Developer Support and the SDK team. It seems that Developer Support does not really support the SDK so it really replaces one set of problems with another.

In terms of your question, we used SP-API successfully until the LWA Key Rotation, and the solution, after two weeks of useless responses from Developer Support, was to grab the two files from the SDK that handle signing the requests. Something changed, and those libraries clearly were updated to work with the new Keys.

Had Developer Support pointed this out, our 150 Sellers would not have been down for two weeks...

hinavinayak commented 1 year ago

Hello all,

This announcement indicates that if you receive a response the same as the one below, there are specific actions you should take. Please read the announcement.

Example error response

    {
        HTTP/1.1 400 Bad Request
        Server: Server
        Date: Tue, 16 May 2023 06:02:44 GMT
        Content-Type: text/html
        Transfer-Encoding: chunked
        Connection: close
    }

Best

hinavinayak commented 1 year ago

For LWA rotation related errors, please check out this doc. It gives you the LWA-related errors and how to resolve them.

If you are getting another error message, I recommend starting a new issue. This thread mainly talks about the HTTP RFC protocol change.

booktrakker commented 1 year ago

In my case it turned out that I needed to update the CS files that have the code that signs the request. Once I replaced the older files with the new ones everything worked.

yablichdada commented 1 year ago

I would like to know what's inside these files. I would rewrite my code.

hinavinayak commented 1 year ago

@yablichdada Please note the issue with booktrakker was related to an AWS signv4 being invalid, while the issue you originally reported is different: it is due to the HTTP RFC security protocol restrictions on how the request is sent.

I highly suggest using this as a source to inspect your request and troubleshoot it accordingly.

booktrakker commented 1 year ago

I fully agree, my issue was very specific and the error made it very clear that the signing algorithm needed to be updated, which apparently was done shortly after I started using the SDK.

The two files were:

AWSSigV4Signer.cs

AWSSignerHelper.cs

When I replaced these I no longer got the invalid signature error – which was a form of a 403 error, not a 400 error.

Jim Gutterman

Director of Development

BookTrakker.com


tobidon commented 1 year ago

Hello all,

we currently also have a problem with 400 errors in some SP-API calls. For us, the response we get back with a Bad Request error is something like the following:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Website Temporarily Unavailable</title>
</head>

In our case, fortunately, not every call is affected, but the errors run unsystematically through all API sections. When trying to recreate these errors, the affected calls then always work.

We have been using the Swagger-generated Java libraries from the beginning which have worked very well, and do not change anything in the headers of the (GET) requests manually.

I would be very happy to hear about any news / progress on the issue....

hinavinayak commented 1 year ago

Hi @tobidon

Regarding the error message, we believe this is actually a 503 status code and would like more information. If you can, please open a developer support case here, share the request id and timestamp in the case where you received the above error, and share the case-id here. We can then investigate further.

tobidon commented 1 year ago

Hi @hinavinayak,

Thanks for your reply. The message of the ApiException definitely is "Bad Request", followed by the given messageBody. But I will try to find out more on Monday.

yablichdada commented 1 year ago

In my case, the problem was in the "x-amz-content-sha256" header. I removed it and it worked.

yablichdada commented 1 year ago

Apparently "Signature" was calculated incorrectly so

gusbarba commented 1 year ago

> same error here.
>
> All requests are "400 - bad request" and data response is <!DOCTYPE html><html><head><title>x</title></head><body></body></html>\n

That error with HTTP status 400 and an HTML body with just an X is due to the validation of HTTP RFC 7230. In my case, it was because I was sending an empty body ("") even in GET requests. Throughout the year, Amazon was testing this, so suddenly, our requests started returning this error, and then they would start working properly again, making everything even more confusing. However, since June 3rd, it has been implemented for 100% of the requests. Below, I provide a link with more information.

https://developer-docs.amazon.com/sp-api/changelog/api-request-validation-for-400-errors-with-html-response

I hope this is helpful for whoever reads it.

hinavinayak commented 11 months ago

Update: SP-API no longer requires AWS IAM or AWS Signature Version 4

yatanasov commented 2 months ago

> Website Temporarily Unavailable

@tobidon have you found out what the issue was? :) Thanks!