Buy with Prime | Developer Documentation
Documentation

Authenticate to the Buy with Prime API

📘

Buy with Prime API is now available for early access

Sign up for early access to the Buy with Prime API using the 'Sign Up' button below. The API may change as Amazon receives feedback and iterates on it.

Sign Up

When you make a request to the Buy with Prime GraphQL API, you must provide an access token in the header of the request. To get an access token, you first get your API credentials from the Buy with Prime merchant console. You then exchange your API credentials for an access token by making a POST request to a Buy with Prime token endpoint.

This topic explains how to get your API credentials and how to use your API credentials to get an access token. After you get an access token, you use the access token to call the Buy with Prime GraphQL API. For details, see Call the Buy with Prime API.

Terminology

Access token


Buy with Prime uses the OAuth 2.0 authentication framework. In OAuth 2.0, an access token signifies that a resource owner has given a client permission to perform a list of operations on a set of resources. In this case, the resource owner is Buy with Prime, the operations are the Buy with Prime APIs, the client is your website, and the resources are information such as orders, delivery previews, and so on.

In Generate API credentials, you create a set of long-lived credentials that you use to generate an access token. An access token is a set of short-lived credentials. You use the access token to call the Buy with Prime API. For more details on how OAuth works, see the OAuth 2.0 documentation.

Buy with Prime access tokens expire every 15 minutes. After your access token expires, you can request a new access token by using the same client permissions.

API credentials


You use API credentials to get the access token that you use to call the Buy with Prime API. API credentials are a set of information that contains following elements, which you can download from the Buy with Prime merchant console:

  • Client ID: This ID identifies your API client to Buy with Prime.
  • Client secret: This secret authenticates your API client to Buy with Prime. It is a secret that only you and your application know.
  • Target ID: The Buy with Prime account that the API credentials have access to.
  • Permissions: A list of the types of site data that the API credentials have access to. For example, API credentials might provide access to view a delivery preview for a store.

Amazon identity token


Some Buy With Prime APIs optionally take (or require) a shopper's Amazon identity token. The identity token enables APIs to vend data related to the shopper, such as the shopper's location. For example, the Delivery Preview interface can provide a more accurate delivery preview if you provide the optional IdentityTokenInput field.

Buy with Prime currently supports the following types of shopper identity tokens:

  • Login with Amazon (LWA) access token: Login with Amazon is a user authentication system based on OAuth 2.0. For details about LWA, see the LWA documentation. For details about access tokens, see Login with Amazon Access Tokens. The following code shows an example IdentityTokenInput from LWA.

    {
    lwaAccessToken: {
        value: "EXAMPLE_LWA_ACCESS_TOKEN",
        externalId: "EXAMPLE_EXTERNAL_ID"
    }
}

  • Amazon Pay checkout session token: An Amazon Pay checkout session represents a single active session for a shopper on your website. Every checkout session has a session ID. You can use the session ID as the shopper identity token for Buy with Prime. For details about Amazon Pay, see Introduction to Amazon Pay. For details about checkout sessions, see Checkout Session. The following code shows an example IdentityTokenInput from an Amazon Pay checkout session.

    {
    apayCheckoutSessionId: {
        value: "EXAMPLE_CHECKOUT_SESSION_ID",
        externalId: "EXAMPLE_EXTERNAL_ID"
    }
}

The externalId field should represent a unique property about the shopper's session on your website. It could be the shopper's sessionId, the shopper's userId, and so on.

Generate API credentials

You generate your API credentials by using the Buy with Prime merchant console.

To generate API credentials by using the merchant console

  1. Sign in to the Buy with Prime merchant console as an owner/admin.

  2. On the left, click Settings.

  3. Under Settings, click API credentials.

  4. Click Generate credentials.

  5. For Credentials name, enter a name that helps you identify the purpose of the credentials.

  6. Choose the permissions that you want the API credentials to have. You can choose Full Access or Custom. We recommend that you adhere to the principle of least privilege and choose granular access depending on the functionality that you are building using the API credentials.

    • Full access: Allows edit and view access to all the listed permissions. Choosing this option automatically chooses all APIs in the list and automatically includes access to any future Buy with Prime APIs.
    • Custom: Allows you to select permissions from a list. If you choose this option, you must manually choose the specific APIs that you need.

  7. Click Generate.
    Buy with Prime generates your API credentials and then takes you to a page where you can download a file that contains the credentials. The file contains a client ID, client secret, target ID, and a list of permissions that the credentials have access to.

  8. Download the credentials file to your computer.

    🚧

    You must download the credentials file and save it securely. If you navigate away without downloading the credentials, you will not be able to download the credentials later.

  9. Locate and open the downloaded credentials file on your computer.
    The file has the name that you chose for the credentials. The file looks like the following image, which contains fictitious data.

Use API credentials to get an access token

After you get your API credentials, you use the API credentials to request a Buy with Prime access token. You then use the access token to call the Buy with Prime API.

To get an access token for the Buy with Prime API

  1. Make an HTTPS POST request to https://api.buywithprime.amazon.com/token with the following fields in the body of the request.

    Request Fields

    FieldDescriptionRequired?
    client_idThe client ID of the API credentials that you downloaded in Generate API credentials.Yes
    client_secretThe client secret of the API credentials that you downloaded in Generate API credentials.Yes
    grant_typeOAuth 2.0 grant type. Use client_credentials.Yes

    Example Request

    In the following example request, replace the following placeholders:

    • EXAMPLE_CLIENT_ID with the client_id from the API credentials that you downloaded
    • EXAMPLE_CLIENT_SECRET with the client_secret from the API credentials that you downloaded

    POST /token HTTP/1.1
Host: api.buywithprime.amazon.com
Content-Type: application/x-www-form-urlencoded
x-api-version: $api_version
 
client_id=EXAMPLE_CLIENT_ID&client_secret=EXAMPLE_CLIENT_SECRET&grant_type=client_credentials

    curl --location --request POST 'https://api.buywithprime.amazon.com/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'x-api-version: $api_version' \
--data-urlencode 'client_id=EXAMPLE_CLIENT_ID' \
--data-urlencode 'client_secret=EXAMPLE_CLIENT_SECRET' \
--data-urlencode 'grant_type=client_credentials'

    import requests
url = "https://api.buywithprime.amazon.com/token"
payload='client_id=EXAMPLE_CLIENT_ID&client_secret=EXAMPLE_CLIENT_SECRET&grant_type=client_credentials'
headers = {
  'Content-Type': 'application/x-www-form-urlencoded', 
  'x-api-version': '$api_version'  
}
response = requests.request("POST", url, headers=headers, data=payload)
print(response.text)

    const url = "https://api.buywithprime.amazon.com/token";
const headers = {
  "Content-Type": "application/x-www-form-urlencoded",
  "x-api-version": "$api_version"  
};
const payload="client_id=EXAMPLE_CLIENT_ID&client_secret=EXAMPLE_CLIENT_SECRET&grant_type=client_credentials";

fetch(url, {
  method: "POST",
  headers: headers,
  body: payload
}).then(response => {
    return response.json();
}).then(json => {
  console.log(json);    
});

  2. Get the access token from the response, which contains the following fields.

    Example Successful Response

    {
    "access_token": "EXAMPLE_BUY_WITH_PRIME_ACCESS_TOKEN",
    "expires_in": 885
}

    Successful Response Fields

    FieldDescription
    access_tokenToken that you use to access the Buy with Prime API.
    expires_inTime until the token expires, in seconds.

    Example Failed Response (HTTP 400)

    {
    "message": "Content type is null or invalid. Ensure content type is: application/x-www-form-urlencoded",
    "code": "InvalidContentType",
    "type": "ValidationError"
}

    Failed Response Fields

    FieldDescription
    messageDescription of the cause of the error.
    code(Only present for HTTP 400 InvalidParameterException responses.) Code that further describes the cause of the HTTP 400 error. For a list of possible codes, see the table in the following section.
    typeThe exception type thrown by the service. Examples: ValidationError or AccessDeniedError.

    Error Codes

    HTTP Status CodeError TypeError CodeDescription
    400ValidationErrorInvalidContentTypeThe Content-Type field in the request is missing or invalid. The Content-Type field must be application/x-www-form-urlencoded.
    400ValidationErrorNonDeserializableContentThe request payload isn't in a format that the server can interpret.
    400ValidationErrorInvalidClientIdThe request payload doesn't contain a client_id field, or the specified client_id is incomplete, malformed, or invalid.
    400ValidationErrorInvalidClientSecretThe request payload doesn't contain a client_secret field, or the specified client_secret is incomplete, malformed, or invalid.
    400ValidationErrorInvalidGrantTypeThe request payload doesn't contain a grant_type field, or the specified grant_type is incomplete, malformed, or invalid. The grant_type must be client_credentials.
    401AccessDeniedErrorN/AThe requested payload doesn't have permission to receive an access token.
    429ThrottlingErrorN/AThe request was throttled by the service. Requests are throttled after a limit of 12 requests per second per client_id is reached.
    500InternalServerErrorN/AAn internal error occurred. Try again.

Now that you have a Buy with Prime access token, you can call the Buy with Prime API. For details, see How to Call the Buy with Prime API.

Related topics

Updated 20 days ago