amzn / selling-partner-api-models

This repository contains OpenAPI models for developers to use when developing software to call Selling Partner APIs.
Apache License 2.0

The security token included in the request is invalid when using the C# SP-API on GetOrders #730

Closed jbyte2009 closed 3 years ago

jbyte2009 commented 3 years ago

I am trying to get orders from the SP-API. I have followed the documentation and I have downloaded the GitHub projects (AWSSDK.Core, AWSSDK.IdentityManagement, AWSSDK.SecurityToken). I am using the C# project, SellingPartnerAPIAuthAndAuthCSharp - Amazon.SellingPartnerAPIAA, that is included in the SP-API GitHub location. I tried adding a security token via the AWSSDK.SecurityToken NuGet package to get the x-amz-security-token. But I get the following error message: The security token included in the request is invalid. Any help would be appreciated.

jbyte2009 commented 3 years ago

One more item. I am trying to create a console application in C# using Visual Studio .NET 2017 Professional. If you are going to replace MWS, you will have to consider that programmers will not be doing website applications that are hosted on a web server.

rogersv commented 3 years ago

I would assume that you have an incorrect token :). What steps did you do in the documentation, and which information did you send into the functions (not asking for secrets)? I might be able to help you. I got the calls to work, but I did not use an SDK.

You would at least need to:

jbyte2009 commented 3 years ago

No secrets here. I used the following C# project, https://github.com/amzn/selling-partner-api-models/tree/main/clients/sellingpartner-api-aa-csharp. This gave me the LWA AccessToken. This worked fine. Success! I was reading in one of the posts here that you will need a header of "x-amz-security-token" and that you would need to AssumeRole. This involved "STS". Amazon Web Services gives a NuGet package called "AWSSDK.SecurityToken". This has a client called "AmazonSecurityTokenServiceClient" and an "AssumeRoleRequest" to fill out the properties. I had to pass the "RoleARN" and "RoleSessionName". This resulted in Credentials coming back. Success! Back to the GetOrders request. I added the "version=beta" header to the request due to a new post. Since the AssumeRole returns credentials, I instantiated an AWSAuthenticationCredentials with those credentials (like you stated above). I sign it with the above selling partner api model C# library. Now, I get the following issue, "Access to requested resource is denied.". Like the Dude states, "New sh@t has come to light."

rogersv commented 3 years ago

That sounds correct. Not sure that I can help. Did you add both the x-amz-access-token and the x-amz-security-token in the call that gets the order? security-token is the session-token you get from the role and the other one is the access token you get from the refresh token. I think that is how it works. Edit: @charliecode is right, the version=beta is not used in the call to get orders.

charliecode commented 3 years ago

@jbyte2009 Are you authenticating with the SP-API or just making a request to it? Maybe I'm missing something but I thought the version=beta is mentioned to be added to the url when authorizing a user with the API, not for making requests. For testing there is the sandbox, whose flow does not mention adding the version=beta param.

jbyte2009 commented 3 years ago

@charliecode I am authenticating using the code provided in the following location, https://github.com/amzn/selling-partner-api-models/tree/main/clients/sellingpartner-api-aa-csharp. They have a class "LWAClient" that has a method GetAccessToken. This does not have a version property to set. Then, I am using the AWS NuGet package (AWSSDK.SecurityToken) to get the STS Credentials.

jbyte2009 commented 3 years ago

@rogersv Did you add both the x-amz-access-token and the x-amz-security-token in the call that gets the order? Answer Yes.

charliecode commented 3 years ago

@jbyte2009 Yes, they both get added. I can't speak to the C# library as I haven't used it but it looks like they def have some of the heavy lifting done for you already. If you haven't yet, you may want to go over Connecting to the Selling Partner API really well as it explains the whole process. That may help you find what you're missing at the moment.

jbyte2009 commented 3 years ago

Thanks @rogersv and @charliecode for helping yesterday. I am going through the Connecting to the Selling Partner API to see if there is something I missed.

dsokolowski commented 3 years ago

It may be because your HTTP client changes your header keys, e.g. you set "x-amz-access-token" but "X-Amz-Access-Token" is sent. It looks like header key names are case sensitive.
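Added example, not part of the thread or of Amazon's C# library: a pre-flight check for the header pairing rogersv describes above (LWA access token in x-amz-access-token, STS session token in x-amz-security-token), with header names matched case-insensitively because SigV4 lowercases them when building SignedHeaders. `SpApiPreflight`, its method names and all sample values are hypothetical; the `ASIA`/`AKIA` key-ID prefixes and `Atza|`/`Atzr|` token prefixes are the conventions AWS and Login with Amazon use for these values.

```csharp
// Added example: hypothetical pre-flight check, not part of Amazon.SellingPartnerAPIAA.
using System;
using System.Collections.Generic;
using System.Linq;

static class SpApiPreflight
{
    // signingKeyId: the AWS access key ID the request is (or will be) signed with.
    public static List<string> Check(string signingKeyId, IDictionary<string, string> headers)
    {
        // Case-insensitive copy, so "X-Amz-Access-Token" and "x-amz-access-token" both match.
        var h = new Dictionary<string, string>(headers, StringComparer.OrdinalIgnoreCase);
        var findings = new List<string>();
        h.TryGetValue("x-amz-access-token", out var lwa);
        h.TryGetValue("x-amz-security-token", out var session);
        if (string.IsNullOrEmpty(lwa))
            findings.Add("x-amz-access-token (LWA access token) is missing");
        else if (lwa.StartsWith("Atzr|", StringComparison.Ordinal))
            findings.Add("x-amz-access-token holds an LWA refresh token, not an access token");

        // Temporary keys returned by STS AssumeRole start with ASIA; IAM user keys with AKIA.
        bool temporaryKey = signingKeyId.StartsWith("ASIA", StringComparison.Ordinal);
        if (temporaryKey && string.IsNullOrEmpty(session))
            findings.Add("signed with a temporary STS key but x-amz-security-token is missing");
        if (!temporaryKey && !string.IsNullOrEmpty(session))
            findings.Add("x-amz-security-token is sent but the signing key is not a temporary (ASIA) key");
        if (!string.IsNullOrEmpty(session) && session.StartsWith("Atza|", StringComparison.Ordinal))
            findings.Add("x-amz-security-token holds an LWA token; it must be the STS SessionToken");
        return findings;
    }

    // SigV4 SignedHeaders value: names lowercased, ordinal-sorted, joined with ';'.
    public static string SignedHeaders(IDictionary<string, string> headers) =>
        string.Join(";", headers.Keys.Select(k => k.Trim().ToLowerInvariant())
                                     .OrderBy(k => k, StringComparer.Ordinal));
    static void Main()
    {
        // Constructed sample values; none of these are real credentials.
        var headers = new Dictionary<string, string>
        {
            ["host"] = "sellingpartnerapi-na.amazon.com",
            ["X-Amz-Date"] = "20210101T000000Z",
            ["X-Amz-Access-Token"] = "Atza|EXAMPLE",
            ["X-Amz-Security-Token"] = "EXAMPLE-SESSION-TOKEN",
        };
        Console.WriteLine(SignedHeaders(headers));
        foreach (var f in Check("AKIAEXAMPLEKEYID0000", headers))
            Console.WriteLine("FINDING: " + f);
    }
}
```

Run it against the key ID and headers of a failing request (log the findings, never the token values) to see whether the session token and the signing key come from the same AssumeRole response.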

seanevan commented 3 years ago

Hi @jbyte2009, did you manage to get past this error? Please feel free to open a support case with us if you'd like deeper assistance.

Thanks, Sean Evans Manager, Support Engineering

voronytskyi commented 3 years ago

Having same error on my end. Did same as described here. Pls advise.

BeeBee234 commented 3 years ago

Greetings,

The C# SDK does not seem to be a working solution at this time (for many users).

However, the sample C# example code in https://github.com/amzn/selling-partner-api-models/issues/31 works for the following sandbox calls on my end:

    var resource = $"/orders/v0/orders";
    IRestRequest restRequest = new RestRequest(resource, Method.GET);
    restRequest.AddParameter("MarketplaceIds", "ATVPDKIKX0DER", ParameterType.QueryString);
    restRequest.AddParameter("CreatedAfter", "TEST_CASE_200", ParameterType.QueryString);

FYI, I encountered many 'Access denied/Unauthorized/Forbidden' responses before finally making a successful sandbox call to the following (which also works):

    var resource = $"/vendor/orders/v1/purchaseOrders";
    IRestRequest restRequest = new RestRequest(resource, Method.GET);
    restRequest.AddParameter("createdAfter", "2019-08-20", ParameterType.QueryString);
    restRequest.AddParameter("createdBefore", "2019-09-21", ParameterType.QueryString);

This confirmed to me that my credentials were set up properly and that 'Access denied' is bogus. So even if you get 'Access denied' you might be very close to the correct syntax.

Good luck and have a grand day,

Brian

ShivikaK commented 3 years ago

Hi @jbyte2009, did you manage to get past this error? Please feel free to open a support case with us if you'd like deeper assistance. If you have reported a case with us, please share the case ID and we will help assist you further with this issue.

Thanks, Shivika Khare Selling Partner API Developer Support