Amazon Ads API - Getting Credentials

A step-by-step guide to obtaining Amazon Ads API credentials and making your first successful API request.

Objective

By the end of this guide, you will have:

1. Applied for and received Amazon Ads API access
2. Registered a Login with Amazon (LWA) application
3. Generated your Client ID, Client Secret, and Refresh Token
4. Retrieved your Profile ID
5. Made your first successful API call to list campaigns

Prerequisites

• An active Amazon Advertising account with campaign management permissions
• An Amazon Developer account (can be the same as your advertising account)

Credentials Roadmap

flowchart TD
    A[**Start**<br>Amazon Advertising Account] --> B[**Step 1: API Access Request**<br>Apply via the Amazon Ads console<br>to enable API access for your account];
    B --> C[**Step 2: LWA App Registration**<br>Register an application in the<br>Login with Amazon (LWA) console];
    C --> D[**Step 3: Gather Credentials**<br>From LWA console, get your:<br>• **Client ID**<br>• **Client Secret**];
    D --> E[**Step 4: Generate Auth Code**<br>Build a URL with your Client ID<br>& redirect_uri, then visit in browser];
    E --> F[**Step 5: Exchange for Refresh Token**<br>Use a cURL command to exchange<br>the Auth Code for a Refresh Token];
    F --> G[**Step 6: Get Profile ID**<br>Make your first API call to<br>retrieve your profile ID];
    G --> H[**🎯 Ready to Code!**<br>You now have:<br>• **Client ID**<br>• **Client Secret**<br>• **Refresh Token**<br>• **Profile ID**];

Step 1: Ensure You Have an Amazon Advertising Account

This is the non-negotiable starting point. The API is an extension of the advertising platform, so you must have an active Amazon Advertising account with the necessary permissions to access the API. This is the account you use to log in to the Amazon Ads console.

Step 2: Apply for API Access

While API access is often automatically enabled for many newer accounts, some older accounts or specific marketplaces may require a formal request. You should check the Amazon Advertising API documentation portal within your console to see if you need to "Apply for API Access".

Useful Links

• Amazon Ads API overview
• Amazon Ads API onboarding overview

Application Process

1. Step 1: Create a Login with Amazon application (see Step 3 below)

2. Step 2: Apply for Amazon Ads API access

   • To apply for API access as a Partner
   • To apply for API access as a Direct Advertiser

Once you submit your request, you'll see a success message:

Thank you, your Amazon Ads API request has been successfully submitted. Expect a follow up email in 72 hours regarding next steps.

Shortly after, you'll receive an email confirmation:

Thank you for submitting your Amazon Ads API access request. Our team is currently reviewing your application and will respond to this email address within one business day.

Within 24 hours, you'll receive approval notification with next steps.

Step 3: Register a Login with Amazon (LWA) Application

After receiving API access approval, you need to create an application in Amazon's identity management system. This generates your essential Client ID and Client Secret.

1. Go to the Login with Amazon Developer Console

2. Create a New Security Profile with:

   • App name (e.g., "Amazon Ads Data Automation")
   • Description
   • Privacy Notice URL (can be a placeholder for internal tools)
   • Allowed Return URLs: Since you're writing a Python script for internal use, you can use https://amazon.com or https://localhost:3000/callback

3. After creating your app, you'll see it in the My Apps section

4. Click Assign scopes and add advertising::campaign_management scope

5. Once configured, you'll see your Client ID displayed

Step 4: Gather Your Client ID and Client Secret

After successfully registering your LWA application, view its details and securely note:

• Client ID (e.g., amzn1.application-oa2-client.c73aae635e0644239fd1860292xxxxxx)
• Client Secret

⚠️ Security Warning: Treat these like passwords—never commit them to code repositories or share them publicly.

Step 5: Generate an Authorization Code

To get a Refresh Token, you first need a one-time Authorization Code. This is done by constructing a specific URL and visiting it in your web browser while logged into your Amazon Advertising account.

Build the Authorization URL

The base URL depends on your region:

Region	Base URL
North America	https://www.amazon.com/ap/oa
Europe	https://eu.account.amazon.com/ap/oa
Far East	https://apac.account.amazon.com/ap/oa

URL Parameters

Construct your URL like this:

https://<YOUR_REGION_AUTH_URL>?client_id=<YOUR_CLIENT_ID>&scope=advertising::campaign_management&response_type=code&redirect_uri=<YOUR_REDIRECT_URI>

Example (North America):

https://www.amazon.com/ap/oa?client_id=amzn1.application-oa2-client.c73aae635e0644239fd1860292f93785&scope=advertising::campaign_management&response_type=code&redirect_uri=https://amazon.com

Get Your Authorization Code

1. Paste the full URL into your browser and hit Enter
2. Log in to your Amazon Advertising account if prompted
3. Authorize the application
4. After authorizing, your browser redirects to the redirect_uri
5. Look at the URL in the address bar—it will contain a code= parameter
6. Copy the long string after code= — this is your Authorization Code

Example redirect URL:

https://www.amazon.com/?code=ANcSWcmvBFyiQYyBzRYm&scope=advertising%3A%3Acampaign_management

⚠️ The Authorization Code expires quickly. Proceed to Step 6 immediately.

Step 6: Exchange the Authorization Code for a Refresh Token

The Authorization Code expires quickly. You need to exchange it for a long-lived Refresh Token using a command-line call.

Using cURL

Open your terminal and execute:

curl -X POST \
    --data "grant_type=authorization_code&code=YOUR_AUTH_CODE&redirect_uri=https://amazon.com&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET" \
    https://api.amazon.com/auth/o2/token

Full example with actual values:

curl -X POST \
    --data "grant_type=authorization_code&code=ANcSWcmvBFyiQYyBzRYm&redirect_uri=https://amazon.com&client_id=amzn1.application-oa2-client.c73aae635e0644239fd1860292f93785&client_secret=amzn1.oa2-cs.v1.321e860063b33e346f59453efde2413c2476a13da379702cea972d662708d1cb" \
    https://api.amazon.com/auth/o2/token

Token URLs by Region

Region	Token URL
North America	https://api.amazon.com/auth/o2/token
Europe	https://api.amazon.co.uk/auth/o2/token
Far East	https://api.amazon.co.jp/auth/o2/token

Successful Response

A successful response returns JSON like this:

{
  "access_token": "Atza|...",
  "refresh_token": "Atzr|...",
  "token_type": "bearer",
  "expires_in": 3600
}

Actual example:

{
  "access_token": "Atza|gQA9em0EAwEBABQj9uAdTdZB-IG9WyGVNATFrakZopVz0u3C5YWMjvKxeN7FU8cVkNrSN0eGiwSCYJ1hqTAO14mCMc0JZ82Hi2G73oqcFgAkL0l-RCHUc6ssNGneLkg576cOoD1EbCdGMbKZ2tuMCgRAzV4FW48ws95nYGz78CZ5tOW3DcaUKxnFZu4XuUA3nLXQY-chP0RV9XtxxEfQEKooanh5zBc8stlcQ4a-9WLIE7bQQDUISBW9iAXDCgg3ClYa1YxeEsDPA04f262gzhShseCzD5S5WQs3Rh2Jo3c30Yy5hEfREJBTMaOpWSLsw48HSxIsopZAsilwi50c6wqJikDnWIN7E3Fqbc4xLXteLWi049WKI5XVzjFCoGdqUFnz1wIbwJMjvirs2j4YN9-bI4Bme1IqQCVLXr2U1DAhYacl8Idvxij1JJhAlFXp15Hp8XQXOFay_3W7XUhX_CyiNxPqgkLsqv9pAcng9BM9uXPn9bPNECqCr-KQSXKe31w1wOSKOoNMwGKFx4NTuCr15TzPEc2KD0RAjM16Wc_qTx63hqKV4ot_dcbDrYfwD3R1-fHS01xSPYMuJhYyZ2b9w1H5H8ABFD07V2DPOp-mNcWpEFFsllarWw",
  "refresh_token": "Atzr|IwEBINgQ8X-bxIwNZkkxlIl92EQ3CyMVhEmN8JLXzCjkuwEzZ7xikE06aFTZpb9JfUYDUwD5t_LDpq3szLRFmW5rV7OBL2sGmbS9MWKQc6IKonaQdANRdJKthSSyZ7bIQ5tQ6e8oCwE3q5YfIlgMseNrOQrGJBe-hf_BPP2koCdjrwf3ytJttbLuYeFeBt9hXCAvPRGBC44APQZJrlXX55BIpdMdXSgi9oZG4tbZxULmt74PCyGbMSXvgK7_89aMKS9pNygsPY8PW_TpKh20ZV2rZ89HJ4kbePv_ssZtcpwD6y3M6yx6pq9i_k-nX4m6jhTrlRO6vzvi44ZUpoHdHvaDZhHHPSyDqLkYVWKGHhMN-iY5Ravq0XlyI0zaD6vi-bPIjrsa0UjC1Y3OgWLXx2b2EvTNarvN69blubEW9kuq3qpV8ot1uXOOyWPZEApzHgDu5_uAzUO_OdO8-WpR5diBzS4Jo3fM-iUR0qqiFecxSEmRO7ulNa-_SL51rFcP8QmMIFC8XnftAMtRaLT81JsiOJxaH8HbhSGoM49aAm3Xa4Pmow",
  "token_type": "bearer",
  "expires_in": 3600
}

✅ The refresh_token value is your final credential piece. Save this securely along with your client_id and client_secret. Unlike the access_token, the refresh token does not expire and will allow your Python script to generate new access tokens whenever needed.

Step 7: Obtain Your Profile ID

The Amazon Ads API requires you to specify which advertising "profile" you are acting on. A profile is linked to your specific seller or vendor account.

Once you have your refresh_token, client_id, and client_secret, make your first real API call to list your profiles:

curl -H "Amazon-Advertising-API-ClientId: amzn1.application-oa2-client.c73aae635e0644239fd1860292f93785" \
    -H "Authorization: Bearer Atza|YOUR_ACCESS_TOKEN" \
    https://advertising-api.amazon.com/v2/profiles

Full example:

curl -H "Amazon-Advertising-API-ClientId: amzn1.application-oa2-client.c73aae635e0644239fd1860292f93785" \
    -H "Authorization: Bearer Atza|gQA9em0EAwEBABQj9uAdTdZB-IG9WyGVNATFrakZopVz0u3C5YWMjvKxeN7FU8cVkNrSN0eGiwSCYJ1hqTAO14mCMc0JZ82Hi2G73oqcFgAkL0l-RCHUc6ssNGneLkg576cOoD1EbCdGMbKZ2tuMCgRAzV4FW48ws95nYGz78CZ5tOW3DcaUKxnFZu4XuUA3nLXQY-chP0RV9XtxxEfQEKooanh5zBc8stlcQ4a-9WLIE7bQQDUISBW9iAXDCgg3ClYa1YxeEsDPA04f262gzhShseCzD5S5WQs3Rh2Jo3c30Yy5hEfREJBTMaOpWSLsw48HSxIsopZAsilwi50c6wqJikDnWIN7E3Fqbc4xLXteLWi049WKI5XVzjFCoGdqUFnz1wIbwJMjvirs2j4YN9-bI4Bme1IqQCVLXr2U1DAhYacl8Idvxij1JJhAlFXp15Hp8XQXOFay_3W7XUhX_CyiNxPqgkLsqv9pAcng9BM9uXPn9bPNECqCr-KQSXKe31w1wOSKOoNMwGKFx4NTuCr15TzPEc2KD0RAjM16Wc_qTx63hqKV4ot_dcbDrYfwD3R1-fHS01xSPYMuJhYyZ2b9w1H5H8ABFD07V2DPOp-mNcWpEFFsllarWw" \
    https://advertising-api.amazon.com/v2/profiles

Profile Response

This call returns a list of your profiles. Note the profileId for the account you want to manage:

[
  {
    "profileId": 2502259796317581,
    "countryCode": "US",
    "currencyCode": "USD",
    "dailyBudget": 9.99999999E8,
    "timezone": "America/Los_Angeles",
    "accountInfo": {
      "marketplaceStringId": "ATVPDKIKX0DER",
      "id": "A1ZU3V2ZXZ5QHR",
      "type": "seller",
      "name": "Soundfreaq Store",
      "validPaymentMethod": true
    }
  }
]