I’m trying to determine what is both “safe” and “recommended practice” regarding utilizing my MWS access keys (and in particular my secret key) inside an application developed by a third party. The documentation and FAQs I have read on the subject are quite confusing and at times contradictory. For example:
The [Registering to Use Amazon MWS|http://docs.developer.amazonservices.com/en_US/dev_guide/DG_Registering.html] page includes the following text:
“Note: Your Secret Key is a secret that only you and Amazon should know. It is important to keep it confidential to protect your account. Never include it in your requests to Amazon MWS, never embed it in a desktop application, and never e-mail it to anyone. Do not share it outside your organization, even if an inquiry appears to come from Amazon MWS or anyone else at Amazon. No one who legitimately represents Amazon will ever ask you for your Secret Key.”
However, on the same page in the paragraphs immediately above that section:
“If you are developing an Amazon MWS desktop application, do not embed your credentials in the application. Rather, have the users of your application register as a developer by selecting the I want to access my own Amazon seller account with MWS option when signing up for Amazon MWS. Users of your desktop application should use their own developer credentials when submitting requests to Amazon MWS.”
And then it goes on to say:
“The Access Key ID is associated with your Amazon MWS registration. You include it in all Amazon MWS requests to identify yourself as the sender of the request. The Access Key ID is not a secret. To provide proof that you truly are the sender of the request, you must also include a digital signature. For all requests except those generated using the Amazon MWS client libraries, you calculate the signature using your Secret Key. Amazon uses the Access Key ID in the request to look up your Secret Key and then calculates a digital signature with the key. If the signature Amazon calculates matches the signature you sent, the request is considered authentic. Otherwise, the request fails authentication and is not processed.”
Finally, the [main FAQ says|https://developer.amazonservices.com/gp/mws/faq.html/186-5238319-6093805#sellerUsingDesktopApp]:
Q: I am an Amazon seller and I want to use a desktop application to access my Amazon seller account. What should I do?
4. On the MWS registration page, click the button for I want to access my own Amazon seller account with MWS.
5. Click the Next button.
6. Accept the Amazon MWS License Agreement and click the Next button.
7. Copy your account identifiers (Seller ID, Marketplace ID, Developer Account Identifier, AWS Access Key ID, and Secret Key). It is also a good practice to print this page and save it in a safe place.
8. Follow the instructions given to you by your application developer to enter your account identifiers into the application.
Which also implies that all account identifiers, including the secret key, need to be copied into the application in order for it to function.
So which is it? Is the secret key truly secret and should never be pasted into code that I didn’t write myself or not? Or is this simply a case where +ideally+ the secret key is never shared, but due to limitations in the MWS API it’s necessary to use the secret key in order for third-party non-web applications to function?
Thanks in advance!
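A worked illustration of the signing-and-verification mechanism described in the documentation quoted above, added here as an example; it is not part of the original post and is not Amazon's client library code. It follows the general shape of MWS Signature Version 2 (a canonical string of method, host, path and sorted parameters, an HMAC-SHA256 over it with the Secret Key, base64-encoded), but the exact canonicalization rules, the host, the path and every credential and parameter value are constructed assumptions. What it shows is the point the docs make: the party that signs a request must hold the Secret Key, and the verifying side only uses the Access Key ID to look that key up and recompute the same signature.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credentials (not real keys; an assumption for this example).
ACCESS_KEY_ID = "AKIAEXAMPLEACCESSKEY"
SECRET_KEY = "EXAMPLE-SECRET-KEY-DO-NOT-USE"

# Models the verifier's side: the Secret Key is stored, keyed by Access Key ID,
# and is never transmitted in the request itself.
_SECRET_STORE = {ACCESS_KEY_ID: SECRET_KEY}


def canonical_string(method, host, path, params):
    """Build the string to sign: method, host, path, then the parameters
    sorted by name and percent-encoded (RFC 3986 unreserved set kept)."""
    encoded = "&".join(
        f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
        for k, v in sorted(params.items())
    )
    return "\n".join([method, host.lower(), path, encoded])


def sign(secret_key, method, host, path, params):
    """HMAC-SHA256 of the canonical string under the Secret Key, base64-encoded."""
    to_sign = canonical_string(method, host, path, params).encode("utf-8")
    digest = hmac.new(secret_key.encode("utf-8"), to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_signed_request(access_key_id, secret_key, method, host, path, params):
    """Client side: attach the (non-secret) Access Key ID and signature metadata,
    then compute the Signature over everything except the Signature itself."""
    unsigned = dict(params)
    unsigned["AWSAccessKeyId"] = access_key_id
    unsigned["SignatureMethod"] = "HmacSHA256"
    unsigned["SignatureVersion"] = "2"
    signed = dict(unsigned)
    signed["Signature"] = sign(secret_key, method, host, path, unsigned)
    return signed


def verify_request(method, host, path, params):
    """Server side: look up the secret by Access Key ID, recompute the signature
    over the same canonical string, and compare in constant time."""
    params = dict(params)
    presented = params.pop("Signature", None)
    secret = _SECRET_STORE.get(params.get("AWSAccessKeyId"))
    if presented is None or secret is None:
        return False
    expected = sign(secret, method, host, path, params)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed sample request; host, path and parameter values are assumptions.
    host, path = "mws.amazonservices.com", "/Orders/2013-09-01"
    params = {
        "Action": "ListOrders",
        "SellerId": "SELLER-EXAMPLE",
        "Timestamp": "2020-01-01T00:00:00Z",
        "Version": "2013-09-01",
    }
    req = build_signed_request(ACCESS_KEY_ID, SECRET_KEY, "POST", host, path, params)
    print("signature:", req["Signature"])
    print("verifies:", verify_request("POST", host, path, req))
    tampered = dict(req, SellerId="SOMEONE-ELSE")
    print("tampered verifies:", verify_request("POST", host, path, tampered))
```

The signature is bound to every parameter, so changing any of them without the Secret Key invalidates it, and a request signed with the wrong secret for a given Access Key ID is rejected; that dependency is why a desktop application that signs its own requests needs the user's Secret Key, which is what the FAQ's step 7 and 8 amount to.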