amzn / selling-partner-api-models

This repository contains OpenAPI models for developers to use when developing software to call Selling Partner APIs.
Apache License 2.0

Calls to /authorization/v1/authorizationCode not possible without access token #2995

Closed vquynh closed 2 years ago

vquynh commented 2 years ago

We have a running MWS application and need to convert it to a hybrid MWS/SP-API application. Our plan is to get an authorizationCode using the given mwsAuthToken, so that we can request an LWA access token and refresh token to make calls to the Selling Partner API without needing to ask the sellers to authorise us again for SP-API.

According to the documentation, the Authorization API would allow us to do just that.

With the getAuthorizationCode operation, you can request a Login With Amazon (LWA) authorization code that will allow you to call a Selling Partner API on behalf of a seller who has already authorized you to call Amazon Marketplace Web Service (Amazon MWS). You specify a developer ID, an MWS auth token, and a seller ID. Taken together, these represent the Amazon MWS authorization that the seller previously granted you. The operation returns an LWA authorization code that can be exchanged for a refresh token and access token representing authorization to call the Selling Partner API on the seller's behalf. By using this API, sellers who have already authorized you for Amazon MWS do not need to re-authorize you for the Selling Partner API.

However, when I try to make a request GET https://sandbox.sellingpartnerapi-eu.amazon.com/authorization/v1/authorizationCode as described in the documentation with

I get the error 403 Access token is missing in the request header.

So my questions are:

  1. Which access token do we need to use here to get the authorizationCode?
  2. Isn't the whole idea of this authorization/v1/authorizationCode endpoint to get an authorizationCode to then retrieve an access token? So why do I need an access token to call this endpoint? If I already have an access token for the SP-API I wouldn't need to use this endpoint, or am I understanding it wrong?
  3. Can you update the documentation to give more details about the authorization and signature of the request, because it is not mentioned at all?

Many thanks for your help

vquynh commented 2 years ago

I found out that the request to authorization/v1/authorizationCode is grantless and I need to provide a scope in the LWA credentials. I guess that's what's missing.
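
The two requests behind the resolution above, as an added example that is not part of the original thread or Amazon's code: a grantless LWA token request (client credentials plus a scope, no refresh token) and the getAuthorizationCode call that carries the resulting token. The function names are hypothetical; the token URL, the `sellingpartnerapi::migration` scope, the `x-amz-access-token` header and the query parameter names are assumptions taken from Amazon's SP-API documentation rather than from this thread, and request signing is not covered.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed from Amazon's SP-API documentation, not from this thread.
LWA_TOKEN_URL = "https://api.amazon.com/auth/o2/token"
MIGRATION_SCOPE = "sellingpartnerapi::migration"
SANDBOX_EU = "https://sandbox.sellingpartnerapi-eu.amazon.com"


def grantless_token_request(client_id, client_secret, scope=MIGRATION_SCOPE):
    """POST target and form body for a grantless LWA access token.

    No refresh token is involved: the seller has not authorized the
    application for SP-API yet, so the scope takes its place.
    """
    return LWA_TOKEN_URL, {
        "grant_type": "client_credentials",
        "scope": scope,
        "client_id": client_id,
        "client_secret": client_secret,
    }


def authorization_code_request(access_token, seller_id, developer_id, mws_auth_token):
    """URL and headers for GET /authorization/v1/authorizationCode."""
    if not access_token:
        # Sending the request without the token is what returns the 403.
        raise ValueError("grantless LWA access token is required")
    query = urlencode({
        "sellingPartnerId": seller_id,
        "developerId": developer_id,
        "mwsAuthToken": mws_auth_token,
    })
    url = f"{SANDBOX_EU}/authorization/v1/authorizationCode?{query}"
    return url, {"x-amz-access-token": access_token}


def redact_for_log(url, secret_params=("mwsAuthToken",)):
    """Mask credential-bearing query parameters before a URL is logged."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in secret_params else v)
             for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    # Constructed placeholder values; nothing is sent over the network.
    url, headers = authorization_code_request(
        "Atza|constructed", "SELLER1", "1234", "amzn.mws.constructed-0000")
    print(redact_for_log(url), sorted(headers))
```

Because the mwsAuthToken travels in the query string, access logs and HTTP client debug output should record only the redacted URL.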