MWS developer MWSAuthToken


If you have a developer ID that is approved to access other sellers MWS, I heard you only need their “MWS Auth Token” and their seller ID (after they approve you via 3rd party app).

But this can’t be correct. Even on scratch pad even if you put a “MWS Auth Token”, it STILL says:
<Message>Parameter AWSAccessKeyId cannot be empty.</Message>

Any ideas?
Thank you.


Try using your developer id with the sellers auth token and seller id.


Scratchpad (
only have these fields:

  • List item
  • SellerId
  • MWSAuthToken
  • AWSAccessKeyId
  • Secret Key

It doesn’t have a field for developer id :confused:


Try using your developer id as the AWSAccessKeyId.


You use your keys but with their Merchant Token/Seller ID and the Auth. Token they give you.

This is explained in the doc.'s

    When your web application is ready, provide sellers with your Developer ID, which they can use to authorize you for developer access to their selling accounts. A seller authorizes you as a developer from the User Permissions page in Seller Central. For more information, see I am a developer and I want to develop Amazon MWS applications for sellers. What should I do?.

    The seller provides you with the MWS Auth Token associated with your developer account and their Seller ID. You can then make Amazon MWS requests on their behalf, using the seller’s identifiers and your developer credentials.


It kinda makes you wonder how this developer was able to understand/implement all the requirements to get into the appstore in the first place. (OP’s thread that inadvertently describes this has been deleted)


You need 4 data items in the “Authentication” part of Amazon MWS Scratchpad:

SellerID: The sellers Merchant Key

MWSAuthToken: The auth token given to the seller after they add your developer ID to their seller account

Secret Key:

The above two data items are found in your seller account under Settings, User Permissions, Amazon MWS Developer Access Keys, Visit Developer Credentials, My Developer Information (you will see your developer ID here), then under “MWS Credentials” click “View” to see your AWS Access Key ID, then click on “Client Secret” in order to see your Secret Key.

In summary, the first two data items are from the seller and the second two data items come from your Developer Credentials (not your Developer ID, but under your Developer ID)

David Nelson
Dynamic Enterprise Technologies Inc
Seattle Washington USA


It is easy to explain. Many companies have this problem. Securing the computing environment and understanding the API calls are two different issues. Securing the computing environment primary falls into the area of network security. The programming the API primarily falls in the area of software development. These are two different skill sets in many organizations.

David Nelson
Dynamic Enterprise Technologies Inc
Seattle Washington USA


This kind on nonsensical thinking only explains why there is so much security theater, and so little actual computer security.

For there to be any real security, there must be a large overlap between environment security and programming. Much like the overlap between being able to follow simple forum rules, and the ability to understand and truly implement complex rules and guidelines intended to protect data.

Not to mention that all of these things require the ability to read and understand relatively simple documentation.


I have to agree with @Autonomoose here.

If you are developing apps for others you sure as heck need to understand the data and have read and comprehend the guides. Minor questions are to be expected. But how to make a call as a developer? Not so much in my mind.

I’m all for helping and even teaching. Done it plenty myself. But based on the deleted thread I also come to wonder about the level of knowledge here.


dude seriously just give it a rest


You are correct. The problem is in many colleges there is a degree program for “Network Security” and a different degree program for “Computer Programming” or “Software Development”. As a result, in many companies, to cover all the bases you mentioned, it takes more than one person to be involved. If a company doesn’t have both skills sets internally, they may need to get outside help. Amazon realizes this and that is why the developer FAQ #8 allows companies to hire outside help.

Typically the problem is the developer applies for the Developer ID and doesn’t involve the network security skill set, so they get rejected for a Developer ID and they then need to bring in the network security skill set to complete the process. But it very well could happen the other way around.

There is an effort in the industry to get these two groups of people working together better. If you search for “DevOps Definition” you will find that effort.

But even within the “Software Development” area, there are many specialties. For example, a database developer may have little experience making web service calls, so while being a skilled developer in a certain area, they may need assistance in another area, like figuring out the correct parameters to send to successfully complete an Amazon web service call. :slight_smile:

David Nelson
Dynamic Enterprise Technologies Inc
Seattle Washington USA


There are many areas of specialty in software development. Web services is just one of many skill areas. Not every developer knows every area of software development. .

It is not unusual for a developer to ask about an API call. There are many API questions on this forum. In my understanding, the primary purpose of the this forum “Marketplace Web Services” is to discuss the web services API. :slight_smile:

David Nelson
Dynamic Enterprise Technologies Inc
Seattle Washington USA


However we are talking about the most basic call around which everything else revolves. And then not even the changing components of the call but the primaries.

I don’t have concerns about the question itself. It just worries me that at this stage they have apparently been cleared for PII yet don’t comprehend the basic call attributes.

Nothing against them personally. Something just seems very odd here to me. That’s all.


Once you know how the four authentication parameters work, of course it is easy. I have been a developer all of my adult life, but it took me some time to get the authentication parameters to work the first time I tried.

Example 1 is that the Scratchpad labels the first auth parameter as “Seller ID”, but there is no data item with label “Seller ID” in a seller’s account. It took me some time to figure out “Seller ID” is actually “Merchant Token” in the seller user interface.

Example 2 is that when you are first starting out, the second auth parameter is labeled MWSAuthToken but when you are making calls for your own seller account, you need to use your own AWSAccessKey for the MWSAuthToken parameter.

You don’t need to worry. When someone is creating a new application, they have to get approved as a developer first, then they start working with the API second (regardless of PII status). It makes total sense for someone to ask questions about the API after getting approved as a developer.

In addition, it is be totally understandable for someone to post a questions about the auth parameters after getting approved and trying to get the auth to work for the first time (for another seller’s account in this case).

Please stop being critical of developers asking reasonable questions in this forum.

David Nelson
Dynamic Enterprise Technologies Inc
Seattle Washington USA


Before we get too deep in the IT lectures, are you now denying that OP is your client, or that you coached them through their security assessment?

OP is clearly not some silo’d multi-national, who is carefully vetting big shot consultants. You jump on any thread about PII or the security assessment and ask people to PM you, almost since the very beginning of your two years here on the forum. You post your company name in your signature as an advertisement. I haven’t seen any advanced coding questions answered for others by either you or OP, which is the actual purpose of this sub-forum.

Despite their nastiness, I feel sorry for the (recently renamed) OP. They will take the brunt of the punishment if/when it goes pear shaped, along with any other seller that happens to trust that particular software from the appstore.

I sincerely hope I am wrong, and that this isn’t the beginning of an epic cautionary tale. (that would likely end up with even more restrictions and hoops to jump for the rest of us)


I think the most fun would be to leave the answer up to your imagination! :slight_smile:

Who is OP?

You are wrong.

David Nelson
Dynamic Enterprise Technologies Inc
Seattle Washington USA


Dude seriously u watched too many movies… probably too many “end of the world” movies.
you’re acting so righteous as if the faith of mankind is depending on this subject…
seriously CHILL it’s just embarrassing how dramatic you’re sounding and paranoid you’re sounding.


Different day, different answers.