Access Token API

Method: POST

Path: https://api.amazon.co.uk/auth/o2/token

Content Type: application/json

Description: This API returns a token pair, an access_token and a refresh_token, which serve as identifiers for user interaction.

Request Parameters

Body: (Using Auth grant for request via Mobile Applications)

| Parameter Name | Data Type | Description | Mandatory | Constraints |
| --- | --- | --- | --- | --- |
| grant_type | String | This is a constant value | Yes | Allowed value: "authorization_code" |
| code | String | Auth Code returned by client-side SDK | Yes | |
| client_id | String | Client ID returned by client-side SDK | Yes | |
| code_verifier | String | Value returned by client-side SDK using Code Verifier Generation method | Yes | |
| redirect_uri | String | Redirect URI is provided by the client-side SDK | Yes | |

Body: (Using Auth grant for request via website)

| Parameter Name | Data Type | Description | Mandatory | Constraints |
| --- | --- | --- | --- | --- |
| grant_type | String | This is a constant value | Yes | Allowed value: "authorization_code" |
| code | String | Auth Code returned by client-side SDK | Yes | |
| client_id | String | Client ID fetched from Developer profile under Web Settings by clicking Show | Yes | |
| client_secret | String | Client Secret fetched from Developer profile under Web Settings by clicking Show | Yes | |
| redirect_uri | String | Redirect URI returned by client-side SDK | Yes | |

Body: (Using refresh token)

| Parameter Name | Data Type | Description | Mandatory | Constraints |
| --- | --- | --- | --- | --- |
| grant_type | String | This value is constant | Yes | Allowed value: "refresh_token" |
| refresh_token | String | This is returned by original Access token API response | Yes | |
| client_id | String | Client ID returned by client-side SDK (app-based linking) OR retrieved from Developer profile (web-based linking) | Yes | |
| client_secret | String | Fetched from Developer profile under Web Settings by clicking Show (applicable only for website) | Yes | |

Sample Response

Successful Response

This response signifies a successful token retrieval, providing an access_token and a refresh_token. These tokens can be used for user identification and access in subsequent API calls. The expires_in field indicates the duration until the access token becomes invalid.

{
  "access_token": "Atza|IQEBLjAsAhRmHjNgHpi0U-Dme37rR6CuUpSR",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "Atzr|IQEBLzAtAhRPpMJxdwVz2Nn6f2y-tpJX2DeX"
}

Unsuccessful Response

This error response indicates that the request failed because of an invalid grant parameter, specifically the refresh_token. The user might have revoked the permission or never granted it. In this scenario, it is recommended to prompt the user to link their account again by displaying a "Link Account" button or similar action.

{
  "error_description": "The request has an invalid grant parameter: refresh_token.  User may have revoked or didn't grant the permission.",
  "error": "invalid_grant"
}

Common Errors

| Error | Resolution |
| --- | --- |
| invalid_request | Check the API request to ensure that it is not missing any required parameters, does not have any invalid values, and is properly formed. |
| invalid_client | This error message means that the client authentication has failed. This error message is returned when the authorization service does not return an HTTP 401 (Unauthorized) status code. |
| invalid_grant | This error occurs when the authorization code is invalid, expired, revoked, or was issued to a different client_id. To resolve, show the link account option to the user again and ask them to relink their Amazon Pay account. |
| unauthorized_client | This error can be caused either by an invalid value from the code_verifier or if the client is not authorized to use authorization codes. To resolve, ensure you are getting the right value from the code_verifier in your app (only for app integration). |
| unsupported_grant_type | This error occurs if the client specifies the wrong token_type. |
| ServerError | This error indicates that the server encountered a runtime error. Please try the action again. |
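
Example (added here, not Amazon's own code): a Python client that enforces the per-flow mandatory parameters from the request tables, so a client_secret cannot slip into an app flow, and maps the errors above to a next step without putting token values in anything that gets logged. The flow names, action names and function names are hypothetical, and it assumes error responses carry a JSON body like the sample shown.

```python
import json
import urllib.error
import urllib.request

TOKEN_URL = "https://api.amazon.co.uk/auth/o2/token"  # Path given on this page

# Mandatory body parameters per flow, from the request tables above.
# The flow names are hypothetical labels for this example.
REQUIRED = {
    "app_code": ("code", "client_id", "code_verifier", "redirect_uri"),
    "web_code": ("code", "client_id", "client_secret", "redirect_uri"),
    "app_refresh": ("refresh_token", "client_id"),
    "web_refresh": ("refresh_token", "client_id", "client_secret"),
}
# Error code -> caller action (hypothetical names), per the Common Errors table.
ACTIONS = {"invalid_grant": "relink", "ServerError": "retry"}


def build_body(flow, **params):
    """Build the JSON body for one flow; reject missing or unexpected fields."""
    required = REQUIRED[flow]
    missing = [p for p in required if not params.get(p)]
    extra = sorted(set(params) - set(required))  # e.g. client_secret in an app flow
    if missing or extra:
        raise ValueError(f"{flow}: missing={missing} unexpected={extra}")
    grant = "refresh_token" if flow.endswith("_refresh") else "authorization_code"
    return {"grant_type": grant, **params}


def classify(payload):
    """Map a parsed response to (action, loggable detail); detail holds no token values."""
    if "access_token" in payload:
        return "ok", {"expires_in": payload.get("expires_in")}
    error = payload.get("error")
    return ACTIONS.get(error, "fix_request"), {"error": error}


def request_token(body, timeout=10):
    """POST the body as application/json; return (action, detail, raw payload)."""
    req = urllib.request.Request(
        TOKEN_URL, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            payload = json.load(resp)
    except urllib.error.HTTPError as err:
        payload = json.load(err)  # assumed: error body is JSON like the sample above
    return (*classify(payload), payload)
```

Log only the action and detail returned by classify; keep the raw payload out of logs because it contains the access_token and refresh_token.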