Access Token API
Method: POST
Path: https://api.amazon.co.uk/auth/o2/token
Content Type: application/json
Description: Exchanges an authorization code (or a refresh token) for a token pair. The access_token is the bearer credential presented on subsequent API calls on the user's behalf; the refresh_token is used to obtain a new access_token once the current one expires.
Request Parameters
Body: (authorization_code grant from a mobile application; the client is authenticated with PKCE rather than a client_secret)
Parameter | Type | Description |
---|---|---|
grant_type | String | Constant authorization_code |
code | String | Authorization code returned by the client-side SDK |
client_id | String | Client ID returned by the client-side SDK |
code_verifier | String | The PKCE code_verifier as originally generated by the app, i.e. the plaintext value before it was SHA-256 hashed and base64url-encoded into the code_challenge passed to the client-side SDK |
redirect_uri | String | Redirect URI returned by the client-side SDK |
Body: (authorization_code grant from a website; the client is authenticated with its client_secret, so this request must be sent from the server side, never from browser code)
Parameter | Type | Description |
---|---|---|
grant_type | String | Constant authorization_code |
code | String | Authorization code returned by the client-side SDK |
client_id | String | Client ID returned by client-side SDK |
client_secret | String | Secret value assigned during registration |
redirect_uri | String | Redirect URI returned by client-side SDK |
Body: (refresh_token grant, used to obtain a new access token after the previous one has expired)
Parameter | Type | Description |
---|---|---|
grant_type | String | Constant refresh_token |
refresh_token | String | Refresh token returned by original Access token response |
client_id | String | Client ID returned by client-side SDK |
client_secret | String | Secret value assigned during registration. Required only when the refresh token was obtained through the website flow; omit it for tokens obtained through the mobile (PKCE) flow |
Response Parameters
Parameter | Type | Description |
---|---|---|
access_token | String | Access token for the user account (max size: 2048 bytes) |
token_type | String | Type of token returned. Always bearer; treat any other value as an unexpected response |
expires_in | Integer | Number of seconds until the access token becomes invalid (3600 in the sample response below) |
refresh_token | String | Refresh token that can be used to request a new access token (max size: 2048 bytes) |
Sample Response
Successful Response
A successful response carries an access_token and a refresh_token. The access_token is sent as a bearer credential on subsequent API calls; the refresh_token is stored securely by the client and used to obtain a new access_token when expires_in seconds have elapsed. Neither token should be logged or exposed to client-side code in the website flow.
{
"access_token": "Atza|IQEBLjAsAhRmHjNgHpi0U-Dme37rR6CuUpSR",
"token_type": "bearer",
"expires_in": 3600,
"refresh_token": "Atzr|IQEBLzAtAhRPpMJxdwVz2Nn6f2y-tpJX2DeX"
}
Unsuccessful Response
On failure the body contains an error code and an error_description. The example below is the invalid_grant case for a refresh_token: the token is no longer valid, typically because the user revoked the permission or never granted it. The refresh token cannot be recovered, so the recommended handling is to discard it and prompt the user to link their account again, for example by displaying a "Link Account" button.
{
"error_description": "The request has an invalid grant parameter: refresh_token. User may have revoked or didn't grant the permission.",
"error": "invalid_grant"
}
Common Errors
Error | Resolution |
---|---|
invalid_request | The request is missing a required parameter, includes an unsupported parameter or value, repeats a parameter, or is otherwise malformed. Check the request body against the parameter tables above and confirm the Content-Type is application/json. |
invalid_client | Client authentication failed: the client_id is unknown, the client_secret is missing or wrong, or the authentication method is not allowed for this client. The authorization server may return HTTP 401 (Unauthorized) together with this error. Verify the client_id and client_secret assigned during registration. |
invalid_grant | The authorization code or refresh token is invalid, expired, revoked, was issued to a different client_id, or the redirect_uri does not match the one used to obtain the code. To resolve, show the link account option to the user again and ask them to relink their Amazon Pay account. |
unauthorized_client | Either the code_verifier does not match the code_challenge that was sent to the client-side SDK, or the client is not authorized to use the authorization_code grant. To resolve, ensure the app sends the original code_verifier (the value before hashing), not the code_challenge (only for app integration). |
unsupported_grant_type | The grant_type value is not supported by this endpoint. Use authorization_code or refresh_token exactly as documented above. |
ServerError | This error indicates that the server encountered a runtime error. Please try the action again. |
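The following client, added here as a worked example and not part of Amazon's SDK or documentation, drives the three request shapes above (mobile PKCE, website client_secret, and refresh) and handles the response and error cases described in the samples and the Common Errors table. It computes the PKCE pair so the relationship between code_verifier and code_challenge is explicit, validates the response shape (bearer type, documented token size limit), and maps invalid_grant to a distinct exception so the caller knows to show the "Link Account" prompt. The FakeTokenServer class and its tokens are constructed for offline use (the token strings are the ones from the sample response); the assumption that error bodies arrive as JSON with a 4xx status is mine.

```python
"""Client for the Access Token API described above (added example, not Amazon's code)."""
import base64
import hashlib
import json
import secrets
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

TOKEN_URL = "https://api.amazon.co.uk/auth/o2/token"
MAX_TOKEN_BYTES = 2048  # documented maximum size of access_token / refresh_token

Transport = Callable[[str, dict], dict]  # (url, JSON body) -> parsed JSON response


def code_challenge_for(verifier: str) -> str:
    """RFC 7636 S256: code_challenge = base64url(SHA-256(code_verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge). The verifier stays in app memory and is
    later sent in the token request; only the challenge is handed to the client-side SDK."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, code_challenge_for(verifier)


class TokenError(Exception):
    def __init__(self, error: str, description: str = "") -> None:
        super().__init__(f"{error}: {description}")
        self.error, self.description = error, description


class RelinkRequired(TokenError):
    """invalid_grant: code/refresh token is bad or revoked, so show 'Link Account' again."""


def default_transport(url: str, body: dict) -> dict:
    """POST a JSON body (Content-Type: application/json, as documented) and parse the reply.
    Assumption: error responses come back as JSON bodies on a 4xx status."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as exc:
        return json.loads(exc.read())


def _post(body: dict, transport: Transport) -> dict:
    resp = transport(TOKEN_URL, body)
    if "error" in resp:
        err, desc = resp["error"], resp.get("error_description", "")
        raise (RelinkRequired if err == "invalid_grant" else TokenError)(err, desc)
    # Validate before trusting: bearer type, both tokens present and within the documented size.
    if str(resp.get("token_type", "")).lower() != "bearer":
        raise TokenError("unexpected_token_type", str(resp.get("token_type")))
    for key in ("access_token", "refresh_token"):
        if not isinstance(resp.get(key), str) or len(resp[key].encode()) > MAX_TOKEN_BYTES:
            raise TokenError("malformed_response", f"{key} missing or over {MAX_TOKEN_BYTES} bytes")
    return resp


def exchange_code_mobile(code: str, client_id: str, code_verifier: str, redirect_uri: str,
                         transport: Transport = default_transport) -> dict:
    """authorization_code grant from a mobile app: PKCE verifier instead of a client secret."""
    return _post({"grant_type": "authorization_code", "code": code, "client_id": client_id,
                  "code_verifier": code_verifier, "redirect_uri": redirect_uri}, transport)


def exchange_code_web(code: str, client_id: str, client_secret: str, redirect_uri: str,
                      transport: Transport = default_transport) -> dict:
    """authorization_code grant from a website backend, authenticated with client_secret."""
    return _post({"grant_type": "authorization_code", "code": code, "client_id": client_id,
                  "client_secret": client_secret, "redirect_uri": redirect_uri}, transport)


def refresh_access_token(refresh_token: str, client_id: str, client_secret: Optional[str] = None,
                         transport: Transport = default_transport) -> dict:
    """refresh_token grant; client_secret is sent only for tokens from the website flow."""
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token, "client_id": client_id}
    if client_secret:
        body["client_secret"] = client_secret
    return _post(body, transport)


class FakeTokenServer:
    """Constructed stand-in for the endpoint so the client can be exercised offline.
    It checks PKCE the way a real server does: it remembers the challenge the 'SDK' sent
    and only honours a code whose verifier hashes to that challenge."""

    def __init__(self, issued_code: str, expected_challenge: str) -> None:
        self.issued_code, self.expected_challenge = issued_code, expected_challenge
        self.revoked = False  # flip to simulate the user revoking the permission

    def __call__(self, url: str, body: dict) -> dict:
        ok = {"access_token": "Atza|IQEBLjAsAhRmHjNgHpi0U-Dme37rR6CuUpSR", "token_type": "bearer",
              "expires_in": 3600, "refresh_token": "Atzr|IQEBLzAtAhRPpMJxdwVz2Nn6f2y-tpJX2DeX"}
        if body.get("grant_type") == "authorization_code":
            if (body.get("code") != self.issued_code
                    or code_challenge_for(body.get("code_verifier", "")) != self.expected_challenge):
                return {"error": "invalid_grant", "error_description": "invalid grant parameter: code"}
            return ok
        if body.get("grant_type") == "refresh_token":
            if self.revoked:
                return {"error": "invalid_grant", "error_description": "User may have revoked the permission."}
            return ok
        return {"error": "unsupported_grant_type", "error_description": str(body.get("grant_type"))}
```

The split between RelinkRequired and TokenError is the point of the error handling: only invalid_grant means the stored grant is gone for good and the user must relink, whereas invalid_client, unauthorized_client and unsupported_grant_type are integration bugs that should be surfaced to the developer, not retried or shown to the user as a relink prompt.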