Your connector will invoke Amazon Yojaka APIs on behalf of a seller. On each API call, Amazon Yojaka will validate that the seller has authorized your connector service to invoke the API on behalf of the seller.
Amazon Yojaka leverages the Login with Amazon (LWA) service to authorize API calls made by your connector on behalf of a seller.
The first step in on-boarding with LWA is to set up a developer account. This is a one-time activity that you have to perform for each connector that you develop. Instructions for setting up your developer account can be found here.
To enable your connector to work with LWA, you need to create a new security profile in the developer account that you set up in the previous activity. Instructions for this can be found here.
LWA will create a Client ID and Client Secret as part of the security profile. You will need these values as part of the seller authorization/consent web pages.
Note
Provide your LWA security profile’s Client ID to the Amazon Yojaka team (smartconnect-support@amazon.com) so that they can white-list your security profile to access our OAuth2.0 scopes.
You need to develop a simple web page that sellers wishing to use your connector can access. This web page should integrate with the LWA JavaScript SDK and include the Login with Amazon button, along with any other connector-related information that you wish to provide.
Sellers will visit the web page that you build and click the Login with Amazon button. This redirects the seller to Amazon’s login page, where the seller logs in with their credentials and authorizes your connector to invoke Amazon Yojaka’s inventories, orders and prices APIs.
The web-page could be something as simple as the screenshot below.
Tip
If you need assistance with building this web page or would like to use a simple web-page for this purpose, reach out to smartconnect-support@amazon.com.
As part of the LWA authorization, your connector needs to request and obtain consent from the seller for the following OAuth2.0 scopes:
smartconnect::inventories
smartconnect::orders
smartconnect::pricing
smartconnect::sku
smartconnect::events
smartconnect::returns
Note
The scope smartconnect::pricing is deprecated. For pricing and other SKU-related updates, use the smartconnect::sku scope. Note that you need to obtain permission for the smartconnect::sku scope from the seller to be able to use the new updateSkuAttribute API.
Once the seller provides authorization/consent to your connector to invoke Amazon Yojaka APIs, LWA will redirect the browser to a post-login URL. This page will receive an authorization_code which your connector code can then exchange for a refresh token and an access token. Instructions for this can be found here.
Below is a screenshot of what the post authorization/consent information looks like (including the authorization code, the access token and the refresh token).
For every seller who on-boards with your connector, your connector application needs to maintain the current access token and the refresh token for the seller. Upon expiry of the access token, your connector application needs to obtain a new access token using the refresh token of the seller. Instructions for this can be found here.
Tip
LWA implements the standard OAuth2.0 mechanism. Your connector application could use any standard OAuth libraries that support OAuth2.0. You can find a list of such libraries here. Standard OAuth2.0 libraries from other vendors are also available for various programming languages.
Every API call that your connector makes to the Amazon Yojaka product must include the LWA access token, which indicates that the seller (on whose behalf your connector is making the API call) has authorized your connector to make that API call. The access token must be included as an HTTP header in the API call request. The name of the header is X-Amz-Access-Token and the value should be a valid LWA access token.
Below is a sample of what the headers for a request to any Amazon Yojaka API should look like.
Host: api.beta.dub.yojaka.xp.sellers.a2z.com
X-Amz-Date: 20200219T135827Z
X-Amz-Access-Token: Atza|IwEBIDRUHTG4rrGh2_eIAM_dkRnKjpLwb_dJ...
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko)
Accept: */*
Cache-Control: no-cache
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Connection: keep-alive
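The token handling described above (exchanging the authorization_code, refreshing an expired access token, and attaching X-Amz-Access-Token) can be sketched as follows. This is an added example, not Amazon Yojaka or LWA SDK code: SellerTokens and post_form are hypothetical names, tokens are held in memory only, and the token endpoint and form fields are assumed to be LWA's standard OAuth2.0 token request.

```python
import json
import time
import urllib.parse
import urllib.request

LWA_TOKEN_URL = "https://api.amazon.com/auth/o2/token"  # LWA token endpoint

def post_form(url, fields):
    """POST form-encoded fields over HTTPS and return the parsed JSON body."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode())
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class SellerTokens:
    """One seller's LWA tokens (hypothetical helper, not part of any SDK)."""

    def __init__(self, client_id, client_secret, post=post_form, clock=time.time):
        self._client = {"client_id": client_id, "client_secret": client_secret}
        self._post, self._clock = post, clock
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _grant(self, **fields):
        tok = self._post(LWA_TOKEN_URL, {**fields, **self._client})
        self.access_token = tok["access_token"]
        # A refresh response may omit refresh_token; keep the stored one.
        self.refresh_token = tok.get("refresh_token", self.refresh_token)
        self.expires_at = self._clock() + int(tok["expires_in"])

    def redeem_code(self, code, redirect_uri):
        """Exchange the authorization_code from the post-login URL for tokens."""
        self._grant(grant_type="authorization_code", code=code,
                    redirect_uri=redirect_uri)

    def headers(self, skew=60):
        """Headers for a Yojaka call; refreshes first if expiry is within skew s."""
        if self.refresh_token is None:
            raise RuntimeError("seller has not authorized this connector")
        if self._clock() >= self.expires_at - skew:
            self._grant(grant_type="refresh_token",
                        refresh_token=self.refresh_token)
        return {"X-Amz-Access-Token": self.access_token,
                "Content-Type": "application/json"}

    def __repr__(self):
        # Never expose token or secret values through logs or tracebacks.
        return f"SellerTokens(expires_at={self.expires_at:.0f}, tokens=<redacted>)"
```

Keep one SellerTokens instance per seller on the connector's server side; the Client Secret and refresh token should be stored encrypted at rest and never sent to the browser.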