No response from SP-API createRestrictedDataToken


I am developing a private application to migrate our connection from Amazon MWS to SP-API.
I had to manually write the code to sign these requests… I followed the AWS example and was able to reproduce the exact signature shown in the example.

However, when I attempt a “real” request to create a restricted data token (in preparation for getOrders), I get absolutely no response from the web service. The connection times out after 60 seconds.
Prior to making this request, I make a call to get a LWA Access Token - I use this token in my request for the call above.
One other note… if I hit the URL for the RDT directly (no signing or authorization), I receive an HTTP 403 (so I know I have the right endpoint).

ANY help would be greatly appreciated.

My request looks like this:

    POST /tokens/2021-03-01/restrictedDataToken HTTP/1.1
    User-Agent: TBF SP API
    Content-Type: application/json
    Content-Length: 116
    Authorization: AWS4-HMAC-SHA256 Credential=AKIAIFMXQAGLKKE2EJUA/20220715/us-east-1/sellingpartnerapi-na/aws4_request, SignedHeaders=content-type;host;user-agent;x-amz-access-token;x-amz-date, Signature=1e910057ebdc20bfb3aa2578627c702f24cbdf6af1378fa5a3c5dd75a7bbd8fb
    x-amz-access-token: Atza|IwEBIDeaJCtJF-RuWpvK5QKOSi…moreTokenDataHere
    x-amz-date: 20220715T153956Z

    senddoc(): entered
    recvresp(): entered

What am I doing wrong???


I would suggest that you use Postman to debug your issue. By ensuring that you have the correct login information and being able to execute the calls via Postman you can then compare the information with the json request produced by your code and search for the issue.

This is a collection of Postman calls that I’ve created that uses the data in the Variables tab in order to execute different endpoints.


Thanks for this… I’m not proficient with Postman (although I’ve used it before). I was able to use GetAccessToken once I updated the variables. But the Restricted Data Token gives an error “The security token included in the request is invalid”
When I look at the code, it shows this:
Do I need to update any other variables manually?
Also, the documentation does not mention headers:
“x-amz-Content-Sha256” and

    POST /tokens/2021-03-01/restrictedDataToken HTTP/1.1
    x-amz-access-token: {{accessToken}}
    X-Amz-Content-Sha256: beaead3198f7da1e70d03ab969765e0821b24fc913697e929e726aeaebf0eba3
    X-Amz-Security-Token: {{tempSessionToken}}
    X-Amz-Date: 20220715T182035Z
    Authorization: AWS4-HMAC-SHA256 Credential={{tempAccessKeyId}}/20220715/us-east-1/execute-api/aws4_request, SignedHeaders=host;x-amz-access-token;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=06ba13a9cc8cec49cb651143f2d0dd42e14f8b99e87ca7734b936a998c30c12b
    Content-Type: application/json
    Content-Length: 167

    {
      "restrictedResources": [
        {
          "method": "GET",
          "path": "/orders/v0/orders",
          "dataElements": ["buyerInfo", "shippingAddress"]
        }
      ]
    }



Amazon updated the restricted data token format for get order, you need to provide the order number you are trying to retrieve. So replace “XXX-XXXX-XXXX” with your order number

    "restrictedResources": [
            "dataElements": [
            "method": "GET",
            "path": "/orders/v0/orders/XXX-XXXX-XXXX"


I’m trying to get a listing of orders, not just a single order. That is how my application works on MWS. It gets a list of unfulfilled orders, requests the lines order by order.

But I still don’t understand the other two headers. Where do those values get populated?


The example I gave you was just so that you could test that you could create a restricted data token and I just happen to have the single order in my example. The issue you stated in this post is the creation of the actual restricted data token. Were you able to create one for the single order? “x-amz-Content-Sha256” and “x-amz-security-token” headers are auto generated by Amazon. Are you not using the SDK that Amazon provided?

  "restrictedResources": [
      "method": "GET",
      "path": "/orders/v0/orders",
      "dataElements": [


Unfortunately, I cannot use any of the Amazon SDKs - I am working in a different programming language on an IBM (non-PC) platform. I’ve had to create my own code to sign the requests (yes, I know).
I am able to get the (LWA) Access Token using my code and using your Postman collection.

When I try to get a Restricted Data Token in Postman, I get “The security token included in the request is invalid”. I’ve struggled with updating the Postman variables (working locally in scratchpad). So I’m not sure what the issue is. I’ve tried changing the “path” in the Body to include a real order from our site.
I run GetAccessToken, followed by Restricted Data Token in your collection.
The x-amzn-ErrorType is UnrecognizedClientException

If I run AssumeRole in your collection, I get “The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and Signing method.”

When I run my own code to request the RDT, the service doesn’t respond at all.

I think the difference here is that I’m building a PRIVATE application that is self-authorized.


Nope. I built the application as a private application that is self-authorized also. The order of the calls should be GetAccessToken, AssumeRole, Restricted Data Token, Orders. I’ve tested this myself. If you are getting an issue with the Restricted Data Token then I would troubleshoot that. If you aren’t using the Amazon SDKs it’s critical you get the Postman to work as it will be your only way of identifying the issue since you will know what the raw request should look like compared to yours.


OK… So something different here. Working with your Postman collection again. I think I understand the process…

  1. I get my Access Token
  2. Then I run Assume Role
  3. Then Restricted Data Token

However, when I try to Assume Role, I get “Roles may not be assumed by root accounts”

So you’re saying that I need to do it in this order each time we make a request?
The error above appears to indicate I need an additional “role” defined for the IAM user?


Are you available for hire to help us get past the last hurdle in the MWS to SP-API conversion by chance?


OK. My issue was that I had the wrong Access Key ID and Secret key in Postman. I used a newly created pair for the IAM User.
I am now able to AssumeRole in Postman. However the Restricted Data Token says:
“The security token included in the request is invalid.”

I can see the security token in the Assume Role response (which is XML).

When I look at the Restricted Data Token HTTP POST, it appears the variables have not been populated from the Assume Role response:

I feel like the JavaScript on the Tests tab probably isn’t parsing the results into the temporary variables.



Ok… Now I have the variables working… I didn’t have an environment.

The Restricted Data Token is giving an “access to requested resource is denied”


Can you share what the body of your request token looks like? The request is very sensitive and will give that error if you do not have it formatted properly.


If you have specific questions I can do my best on trying to answer them if you’d like. However we currently only work for our internal application and do not provide a service for external hire.


I tried the default value from the collection, which contains [“buyerInfo”]
I also tried selecting a specific order in the path
Both gave the same error.
I’ve updated my app to access the “tax” information as well (support said that was required for “buyerInfo”??).
Since changing that, my Developer Registration is now “under review” (keep in mind I have an active MWS under this developer).


    {
      "restrictedResources": [
        {
          "method": "GET",
          "path": "/orders/v0/orders",
          "dataElements": ["shippingAddress"]
        }
      ]
    }





In case anyone else comes across this…
Turns out if you have a Private app and you register the app using an IAM User ARN, you do not need to get temporary credentials from the STS (secure token service). You can only use those credentials if you register your app with an IAM Role ARN.
So basically, I skipped the assumeRole step (leave out the x-amz-security-token) and it worked.
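
The difference between the two registrations, as an added example (not code from any poster in this thread): a minimal SigV4 header signer for the `createRestrictedDataToken` request that includes `x-amz-security-token` in the sent and signed headers only when a session token from AssumeRole is supplied. The host name, the placeholder credentials and the function names are assumptions; the `execute-api` credential scope is the one visible in the Postman request above.

```python
import hashlib
import hmac
import json

# Constructed body, same shape as the request bodies in the thread.
BODY = json.dumps({"restrictedResources": [
    {"method": "GET", "path": "/orders/v0/orders",
     "dataElements": ["buyerInfo", "shippingAddress"]}]})

def sign_request(method, host, path, body, amz_date, access_key, secret_key,
                 lwa_token, session_token=None,
                 region="us-east-1", service="execute-api"):
    """Return SigV4 headers for a request with no query string."""
    headers = {
        "content-type": "application/json",
        "host": host,
        "x-amz-access-token": lwa_token,
        "x-amz-date": amz_date,
    }
    # Sent and signed only with STS temporary credentials (IAM Role ARN).
    if session_token:
        headers["x-amz-security-token"] = session_token
    names = sorted(headers)
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    signed_headers = ";".join(names)
    canonical_request = "\n".join([
        method, path, "", canonical_headers, signed_headers,
        hashlib.sha256(body.encode()).hexdigest()])
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key: HMAC chain over date, region, service, terminator.
    key = ("AWS4" + secret_key).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, string_to_sign.encode(),
                         hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers

def demo(session_token=None):
    # Placeholder credentials and host are assumptions, not values from the thread.
    return sign_request("POST", "sellingpartnerapi-na.amazon.com",
                        "/tokens/2021-03-01/restrictedDataToken", BODY,
                        "20220715T153956Z", "AKIDEXAMPLE", "EXAMPLESECRET",
                        "Atza|EXAMPLE", session_token)
```

Calling `demo()` gives the IAM User form with four signed headers; `demo("…")` with a session token gives the IAM Role form with `x-amz-security-token` added to both the headers and the `SignedHeaders` list.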