amazon-credentials
A step-by-step guide to obtaining Amazon Ads API credentials and making your first successful API request.
I have recently completed the setup for NeoMutt to connect to Gmail and collect emails via an IMAP connection. The credentials that NeoMutt needs to authenticate itself to the Gmail API are rather complicated, and obtaining these credentials proved to be a nightmare that painfully took me several days. Obtaining the Amazon credentials proves to follow exactly the same steps as obtaining the Gmail credentials.
Objective
By the end of this guide, you will have:
- Applied for and received Amazon Ads API access
- Registered a Login with Amazon (LWA) application
- Generated your Client ID, Client Secret, and Refresh Token
- Retrieved your Profile ID
- Made your first successful API call to list campaigns
Prerequisites
- An active Amazon Advertising account with campaign management permissions
- An Amazon Developer account (can be the same as your advertising account)
Credentials Roadmap
flowchart TD
A[**Start**<br>Amazon Advertising Account] --> B[**Step 1: API Access Request**<br>Apply via the Amazon Ads console<br>to enable API access for your account];
B --> C[**Step 2: LWA App Registration**<br>Register an application in the<br>Login with Amazon (LWA) console];
C --> D[**Step 3: Gather Credentials**<br>From LWA console, get your:<br>• **Client ID**<br>• **Client Secret**];
D --> E[**Step 4: Generate Auth Code**<br>Build a URL with your Client ID<br>& redirect_uri, then visit in browser];
E --> F[**Step 5: Exchange for Refresh Token**<br>Use a cURL command to exchange<br>the Auth Code for a Refresh Token];
F --> G[**🎯 Final Step: Ready to Code!**<br>You now have:<br>• **Client ID**<br>• **Client Secret**<br>• **Refresh Token**<br>These go into your Python script<br>to connect to the API.];
Step 1: Ensure You Have an Amazon Advertising Account
This is the non-negotiable starting point. The API is an extension of the advertising platform, so you must have an active Amazon Advertising account with the necessary permissions to access the API. This is the account you use to log in to the Amazon Ads console.
Step 2: Apply for API Access
While API access is often automatically enabled for many newer accounts, some older accounts or specific marketplaces may require a formal request. You should check the Amazon Advertising API documentation portal within your console to see if you need to "Apply for API Access". The process is usually straightforward and tied directly to your advertising account.
Useful Links
- Amazon Ads API overview
- Amazon Ads API onboarding overview
Application Process
Step 1: Create a Login with Amazon application (see Step 3 below)
Step 2: Apply for Amazon Ads API access
Once you submit your request, you'll see a success message:
Thank you, your Amazon Ads API request has been successfully submitted. Expect a follow up email in 72 hours regarding next steps.
And very shortly, you will receive an email confirmation from Amazon Ads:
Thank you for submitting your Amazon Ads API access request. Our team is currently reviewing your application and will respond to this email address within one business day.
In the meantime, you’ll receive an invitation from our Jira service desk to set up an account. This account will serve as your primary channel for communicating with the Amazon Ads support team throughout your API onboarding process and beyond. Should you not receive the Jira invitation within the next few hours, please check your spam folder.
Thank you, Amazon Ads
Within 24 hours, you will receive an approval notification with next steps.
AO-37742 Amazon Ads API Access Request Approved - Next Steps
Congratulations! Your request for Amazon Ads API access has been approved and we’re thrilled to welcome you aboard. Your newly granted access allows you to oversee and manage your own advertising accounts. Please use the below link to complete on-boarding. Note: Ensure you are logged into your registered account before clicking the link.
Invitation Link: https://advertising-api.amazon.com/apim/logIn?state=A1UM7OJEZAY06P&locale=en_US
To get access to Amazon Ads API, please follow these steps after clicking the invitation link:
- Sign in to an Amazon Developer account
- Submit the Amazon application you plan to use for the Amazon Ads API.
After you copy and paste the link into the browser and press Enter:
My Apps
We couldn't find any Login With Amazon (LWA) client applications that are actively using the Amazon Ads API. Please add the ads_api scopes to one of your LWA client apps or create a new one. If you've applied for access already, your request might still be pending. Congratulations! You are approved to use Amazon Advertising API. Please select the Login with Amazon application (s) you will use to access the Amazon Ads API. Scopes pending assignment: advertising::campaign_management
Amazon_Ads_AX “Use Python and Amazon API to collect ads data ” Client ID: amzn1.application-oa2-client.c73aae635e0644239fd1860292fxxxxx
API Scopes: profile, profile:contact, profile:mobile_number, profile:name This LWA app doesn't have access to the Amazon Ads API scopes.
Click Assign scopes and add advertising::campaign_management accordingly.
My Apps
Congratulations! You are all set to use Amazon Advertising API.
Amazon_Ads_AX “Use Python and Amazon API to collect ads data ” Client ID: amzn1.application-oa2-client.c73aae635e0644239fd1860292fxxxxx
API Scopes: profile:contact, profile, profile:name, profile:mobile_number, advertising::campaign_management, advertising::test:create_account
Step 3: Register a Login with Amazon (LWA) Application
This is the core of the setup. After receiving API access approval, you need to create an application in Amazon's identity management system, which will generate your essential Client ID and Client Secret.
- Go to the Login with Amazon Developer Console. The exact URL can vary, but it is typically found via the "Developer" section of your Amazon account or through direct links in the API documentation.
- Create a New Security Profile with:
- App name (e.g., "Amazon Ads Data Automation")
- Description
- Privacy Notice URL (can be a placeholder for internal tools)
- Allowed Return URLs: Since you're writing a Python script for internal use, you can use https://amazon.com or https://localhost:3000/callback
- After creating your app, you'll see it in the My Apps section
- Click Assign scopes and add the advertising::campaign_management scope
- Once configured, you'll see your Client ID displayed
Step 4: Gather Your Client ID and Client Secret
After successfully registering your LWA application, you will be able to view its details. Make a secure note of these two critical pieces of information:
- Client ID (e.g., amzn1.application-oa2-client.c73aae635e0644239fd1860292xxxxxx)
- Client Secret
These are your application's username and password to identify itself to Amazon.
⚠️ Security Warning: Treat them like a password—never commit them to code repositories or share them.
Step 5: Generate an Authorization Code
To get a Refresh Token, you first need a one-time Authorization Code. This is done by constructing a specific URL and visiting it in your web browser while logged into your Amazon Advertising account.
Build the Authorization URL
The base URL depends on your region:
| Region | Base URL |
|---|---|
| North America | https://www.amazon.com/ap/oa |
| Europe | https://eu.account.amazon.com/ap/oa |
| Far East | https://apac.account.amazon.com/ap/oa |
URL Parameters
Construct your URL like this:
https://<YOUR_REGION_AUTH_URL>?client_id=<YOUR_CLIENT_ID>&scope=advertising::campaign_management&response_type=code&redirect_uri=<YOUR_REDIRECT_URI>
Example (North America):
https://www.amazon.com/ap/oa?client_id=amzn1.application-oa2-client.c73aae635e0644239fd1860292f93785&scope=advertising::campaign_management&response_type=code&redirect_uri=https://amazon.com
Get Your Authorization Code
- Paste the full URL into your browser and hit Enter
- Log in to your Amazon Advertising account if prompted
- Authorize the application
- After authorizing, your browser redirects to the redirect_uri
- Look at the URL in the address bar—it will contain a code= parameter
- Copy the long string after code= — this is your Authorization Code
Example redirect URL:
https://www.amazon.com/?code=ANcSWcmvBFyiQYyBzRYm&scope=advertising%3A%3Acampaign_management
⚠️ The Authorization Code expires quickly. Proceed to Step 6 immediately.
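An added example, not part of the original guide, that builds the Step 5 URL with every parameter percent-encoded and reads the code back out of the redirected URL. It goes one step beyond the guide by adding the standard OAuth 2.0 `state` parameter, so a redirect can be tied to the request that produced it; the function names and the sample client ID are hypothetical.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Authorization endpoints from the region table above.
AUTH_URLS = {
    "NA": "https://www.amazon.com/ap/oa",
    "EU": "https://eu.account.amazon.com/ap/oa",
    "FE": "https://apac.account.amazon.com/ap/oa",
}
SCOPE = "advertising::campaign_management"


def build_authorization_url(region, client_id, redirect_uri, state=None):
    """Return (url, state). urlencode percent-encodes every parameter value."""
    state = state or secrets.token_urlsafe(16)  # unguessable, one per attempt
    query = urlencode({
        "client_id": client_id,
        "scope": SCOPE,
        "response_type": "code",
        "redirect_uri": redirect_uri,  # must match an Allowed Return URL
        "state": state,
    })
    return f"{AUTH_URLS[region]}?{query}", state


def extract_authorization_code(redirected_url, expected_state):
    """Pull `code` out of the address-bar URL, rejecting a mismatched state."""
    params = parse_qs(urlsplit(redirected_url).query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    returned_state = params.get("state", [""])[0]
    if not secrets.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: redirect does not belong to this request")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    url, state = build_authorization_url(
        "NA", "amzn1.application-oa2-client.EXAMPLE", "https://localhost:3000/callback")
    print("Open in a browser:", url)
    pasted = input("Paste the URL you were redirected to: ")
    print("Authorization code:", extract_authorization_code(pasted, state))
```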
Step 6: Exchange the Authorization Code for a Refresh Token
The Authorization Code expires quickly. You need to exchange it for a long-lived Refresh Token. This is done via a command-line call. You can use a tool like cURL, which is available on most systems.
Using cURL
Open your terminal and execute the following command, replacing the placeholders with your actual information:
curl -X POST \
--data "grant_type=authorization_code&code=YOUR_AUTH_CODE&redirect_uri=https://amazon.com&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET" \
https://api.amazon.com/auth/o2/token
Full example with actual values:
curl \
-X POST \
--data "grant_type=authorization_code&code=ANcSWcmvBFyiQYyBzRYm&redirect_uri=https://amazon.com&client_id=amzn1.application-oa2-client.c73aae635e0644239fd1860292xxxxxx&client_secret=amzn1.oa2-cs.v1.321e860063b33e346f59453efde2413c2476a13da379702cea972d6627xxxxxx" \
https://api.amazon.com/auth/o2/token
Token URLs by Region
| Region | Token URL |
|---|---|
| North America | https://api.amazon.com/auth/o2/token |
| Europe | https://api.amazon.co.uk/auth/o2/token |
| Far East | https://api.amazon.co.jp/auth/o2/token |
Successful Response
A successful response returns JSON like this:
{
"access_token": "Atza|...",
"refresh_token": "Atzr|...",
"token_type": "bearer",
"expires_in": 3600
}
✅ The refresh_token value is your final credential piece. Save this securely along with your client_id and client_secret. Unlike the access_token, the refresh token does not expire and will allow your Python script to generate new access tokens whenever needed.
Step 7: Obtain Your Profile ID
The Amazon Ads API requires you to specify which advertising "profile" you are acting on. A profile is linked to your specific seller or vendor account.
Once you have your refresh_token, client_id, and client_secret, make your first real API call to list your profiles:
curl -H "Amazon-Advertising-API-ClientId: amzn1.application-oa2-client.c73aae635e0644239fd1860292f93785" \
-H "Authorization: Bearer Atza|YOUR_ACCESS_TOKEN" \
https://advertising-api.amazon.com/v2/profiles
Full example:
curl \
-H "Amazon-Advertising-API-ClientId: amzn1.application-oa2-client.c73aae635e0644239fd1860292xxxxxx" \
-H "Authorization: Bearer Atza|gQA9em0EAwEBABQj9uAdTdZB-IG9WyGVNATFrakZopVz0u3C5YWMjvKxeN7FU8cVkNrSN0eGiwSCYJ1hqTAO14mCMc0JZ82Hi2G73oqcFgAkL0l-RCHUc6ssNGneLkg576cOoD1EbCdGMbKZ2tuMCgRAzV4FW48ws95nYGz78CZ5tOW3DcaUKxnFZu4XuUA3nLXQY-chP0RV9XtxxEfQEKooanh5zBc8stlcQ4a-9WLIE7bQQDUISBW9iAXDCgg3ClYa1YxeEsDPA04f262gzhShseCzD5S5WQs3Rh2Jo3c30Yy5hEfREJBTMaOpWSLsw48HSxIsopZAsilwi50c6wqJikDnWIN7E3Fqbc4xLXteLWi049WKI5XVzjFCoGdqUFnz1wIbwJMjvirs2j4YN9-bI4Bme1IqQCVLXr2U1DAhYacl8Idvxij1JJhAlFXp15Hp8XQXOFay_3W7XUhX_CyiNxPqgkLsqv9pAcng9BM9uXPn9bPNECqCr-KQSXKe31w1wOSKOoNMwGKFx4NTuCr15TzPEc2KD0RAjM16Wc_qTx63hqKV4ot_dcbDrYfwD3R1-fHS01xSPYMuJhYyZ2b9w1H5H8ABFD07V2DPOp-mNcWpEFFsxxxxxx" \
https://advertising-api.amazon.com/v2/profiles
Profile Response
This call returns a list of your profiles. Note the profileId for the account you want to manage:
[
{
"profileId": 2502259796xxxxxx,
"countryCode": "US",
"currencyCode": "USD",
"dailyBudget": 9.99999999E8,
"timezone": "America/Los_Angeles",
"accountInfo": {
"marketplaceStringId": "ATVPDKIKXXXXX",
"id": "A1ZU3V2ZXZXXXX",
"type": "seller",
"name": "Soundfreaq Store",
"validPaymentMethod": true
}
}
]
With your Client ID, Client Secret, Refresh Token, and Profile ID, you now have everything you need to start writing your Python automation script as outlined in our previous discussion. This will allow you to finally pull down your campaign data and populate your master Excel file.
Make your first call
URL prefixes
Headers
Sponsored Products
Following is the construct of my first attempted request, which proved to be a failure, because I mistakenly used the access_token for this construct.
curl --location --request POST 'https://advertising-api.amazon.com/sp/campaigns/list' \
--header 'Amazon-Ads-ClientId: amzn1.application-oa2-client.c73aae635e0644239fd1860292xxxxxx' \
--header 'Amazon-Advertising-API-Scope: 2502259796xxxxxx' \
--header 'Authorization: Bearer Atza|gQA9em0EAwEBABQj9uAdTdZB-IG9WyGVNATFrakZopVz0u3C5YWMjvKxeN7FU8cVkNrSN0eGiwSCYJ1hqTAO14mCMc0JZ82Hi2G73oqcFgAkL0l-RCHUc6ssNGneLkg576cOoD1EbCdGMbKZ2tuMCgRAzV4FW48ws95nYGz78CZ5tOW3DcaUKxnFZu4XuUA3nLXQY-chP0RV9XtxxEfQEKooanh5zBc8stlcQ4a-9WLIE7bQQDUISBW9iAXDCgg3ClYa1YxeEsDPA04f262gzhShseCzD5S5WQs3Rh2Jo3c30Yy5hEfREJBTMaOpWSLsw48HSxIsopZAsilwi50c6wqJikDnWIN7E3Fqbc4xLXteLWi049WKI5XVzjFCoGdqUFnz1wIbwJMjvirs2j4YN9-bI4Bme1IqQCVLXr2U1DAhYacl8Idvxij1JJhAlFXp15Hp8XQXOFay_3W7XUhX_CyiNxPqgkLsqv9pAcng9BM9uXPn9bPNECqCr-KQSXKe31w1wOSKOoNMwGKFx4NTuCr15TzPEc2KD0RAjM16Wc_qTx63hqKV4ot_dcbDrYfwD3R1-fHS01xSPYMuJhYyZ2b9w1H5H8ABFD07V2DPOp-mNcWpEFFsxxxxxx' \
--header 'Accept: application/vnd.spCampaign.v3+json' \
--header 'Content-Type: application/vnd.spCampaign.v3+json'
With the incorrect construct, you will receive an error message:
{"message":"Unauthorized exception while handling 3P Request: Unauthorized exception while authenticating LwA token: Invalid token"}
The correct construct should populate the Authorization field with refresh_token:
curl --location --request POST 'https://advertising-api.amazon.com/sp/campaigns/list' \
--header 'Amazon-Ads-ClientId: amzn1.application-oa2-client.c73aae635e0644239fd1860292xxxxxx' \
--header 'Amazon-Advertising-API-Scope: 2502259796xxxxxx' \
--header 'Authorization: Bearer Atza|xxx...xxx' \
--header 'Accept: application/vnd.spCampaign.v3+json' \
--header 'Content-Type: application/vnd.spCampaign.v3+json'
Request again and you will receive a success response.
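The working request above carries an `Atza|` value in `Authorization`, and the token response in Step 6 gives that value an `expires_in` of 3600 seconds, so a script has to renew it from the stored refresh token. An added example, not from the original guide, of that renewal using the `grant_type=refresh_token` form of the token endpoint; the class and function names are hypothetical, and the transport is injectable so the caching logic can be exercised offline.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request


def post_form(url, form):
    """POST a form-encoded body, like the cURL commands above; return parsed JSON."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)  # error replies are assumed to be JSON with an "error" field


class AccessTokenProvider:
    """Caches the access token; refreshes it shortly before expires_in elapses."""

    def __init__(self, token_url, client_id, client_secret, refresh_token,
                 post=post_form, clock=time.monotonic, skew=60):
        self._url, self._post, self._clock, self._skew = token_url, post, clock, skew
        self._form = {"grant_type": "refresh_token", "refresh_token": refresh_token,
                      "client_id": client_id, "client_secret": client_secret}
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at:
            reply = self._post(self._url, self._form)
            if "access_token" not in reply:
                # Surface the error code only; never log the form, it holds secrets.
                raise RuntimeError(f"token refresh failed: {reply.get('error', 'unknown')}")
            self._token = reply["access_token"]
            self._expires_at = self._clock() + int(reply.get("expires_in", 0)) - self._skew
        return self._token


def ads_headers(provider, client_id, profile_id):
    """Headers of the sp/campaigns/list request, with a current access token."""
    return {
        "Amazon-Ads-ClientId": client_id,
        "Amazon-Advertising-API-Scope": str(profile_id),
        "Authorization": f"Bearer {provider.get()}",
        "Accept": "application/vnd.spCampaign.v3+json",
        "Content-Type": "application/vnd.spCampaign.v3+json",
    }
```

Supply the three secrets from environment variables or a secret store at run time rather than writing them into the script.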
Next steps
Now that you understand the basic request and response structure for the Amazon Ads API, you can start working on the use case that suits your needs.
For advertisers with active campaigns
- Understand what ads reports are available
- Pull sponsored ads performance data
- Retrieve all sponsored ads campaigns, ad groups, ads, and targets
- Create a Sponsored Products manual campaign
The Difference: SDKs vs. PyAirbyte
- Direct SDK approach = Building a car engine from parts (more control, more work)
- PyAirbyte approach = Buying a pre-assembled engine and installing it (faster, more reliable, less control over internals)