[URGENT]: Amazon MWS Key Reset Notification - 14 Day Notice


#1

Hi just received the following email from amazon

Dear Amazon Developer,

You are receiving this message because you are a registered user of Amazon Marketplace Web Service (MWS).

This notice is to inform you that your application does not comply with the Amazon Acceptable Use Policy (AUP) and the Amazon Marketplace Developer Agreement because it is using the incorrect authorization model.

In order to comply with Amazon’s policies and maintain your access, we will reset your MWS credentials in 14 days to ensure that your MWS access is secure. After you receive your new credentials, you will need to update the configuration of your software as necessary.

As a reminder, never share your MWS credentials with a third-party application. Sharing your MWS credentials with third-party services is a violation of the Amazon AUP.

Acceptable Use Policy: http://docs.developer.amazonservices.com/en_US/dev_guide/DG_AcceptableUsePolicy.html
Amazon Marketplace Developer Agreement: https://sellercentral.amazon.com/mws/static/agreement?locale=en_US

The software i’m using was written by myself many years ago (around 8-9 years I think). Can I just use the new details issued in 14 days or will I have to make changes? If I need to make changes any pointers on what I need to do?


#2

This seems to be the case.

I think only your secret key will change. But Amazon announced that MWS is going away later this year, so it is my understanding everyone needs to change their programming to use the new SP-API.

I would suggest you read the referenced documents and see if you can determine why Amazon thinks your application is out of compliance.

Dynamic Enterprise Technologies Inc
Seattle Washington USA


#3

There are a series of whitepapers at
http://docs.developer.amazonservices.com/en_US/WP_LandingPage.html

The whitepaper “Developing Desktop Applications in Amazon MWS” describes the acceptable grant authorization model. You might also take a look at the user agent header you are using in your requests.


#4

Is the application only being used for your own Amazon Seller account, or, are you servicing other sellers? (When I provided my answer above I assumed you were using the software only for your own seller account.)

Dynamic Enterprise Technologies Inc
Seattle Washington USA


Amazon MWS Key Reset Notification - 14 Day Notice
#5

We received this message too.

We looked through the Amazon Acceptable Use Policy (AUP) and the Amazon Marketplace Developer Agreement documents, and do not think there are any issues there.

Any way to get in touch with Amazon MWS, except through Seller Support? (Have created a couple cases but we are getting canned responses).


#6

Same here. From the UK and received this exact same message yesterday.

We are doing everything correctly, however in seller central, when I click on Apps & Services > Develop Apps… There is a link near the top saying Your Developer Profile.

I’ve answered all these questions on this page approximately 2 years ago, mainly due to the need of PII data for shipping labels, however this page is only partially completed with Register button at the bottom of the page. Anyone else seeing this?

Could this be linked to not complying with the AUP?

I’m not sure what the incorrect authorization model is either!


#7

This is my understanding…

The authorization model is related to software you developed for other sellers, then other sellers authorize your software to access their seller account (the authorization).

Incorrect Authorization Model
If you develop software for other sellers, and if you require the sellers that use your software to apply for and use their own Developer ID and MWS credentials in the software you developed, this is an incorrect authorization model. Some developers used this in the past and Amazon has been cracking down on it.

Correct Authorization Model
If you develop software for other sellers, you should be providing those sellers your Developer ID, and those sellers should be authorizing your Developer ID under “Manage Your Apps” “Authorize new developer” and returning to you an “MWS Authorization Token”. You then call Amazon MWS with your own Developer ID and the seller’s MWS Authorization Token.

Using your own software with your own seller account
If you make Amazon MWS API calls with your own Developer ID accessing your own seller account, Amazon can’t tell if you are using software you developed or software someone else developed. For those who got this email, it seems Amazon thinks you are using someone else’s software to access your own seller account (aka “incorrect authorization model”).

Dynamic Enterprise Technologies Inc
Seattle Washington USA


Amazon MWS Key Reset Notification - 14 Day Notice
#8

Hello David,

Thank you for your response. I’ve been scouring the Internet for anything on this and I’ve seen your helpful comments on various threads.

As you may have guessed we are using our own software with our own seller account. We have no intention whatsoever of allowing other sellers to use our software. Other than emailing back to amazon informing them of this, do you have any suggestions of how to resolve it?

My knowledge is extremely limited here, but everything I’m reading and learning I’m passing on to the guys that are helping me. After reading your previous comment, would it be a work around to use our own software in the same way as another seller would use our software as you’ve described, or is that impossible?

I should add that my developer that I’ve been working with for over 10 years, resides in a different country to the business, however when ‘developing’ she is only using the files on the server and not running any of the files locally.


#9

Hi David,

Thanks for your help on this.

Is there an official way to use our own Developer ID to access our account, without confusing Amazon to think we are using someone else’s software to access our own account?

The workaround Crusader mentioned seem interesting too. I wonder if that will work too.


#10

In order to do this you would need to (a) get another developer ID under another seller account (not a minor undertaking) (b) get approved for providing services to other sellers © authorize your new developer ID under your current seller account. I do not recommend doing this at this time.

I experimented with authorizing my own Developer ID under my own seller account, but that does not seem to have any effect.

The email you got from Amazon says “your application does not comply”, but then it says “In order to comply with Amazon’s policies and maintain your access, we will reset your MWS credentials…”. If you are using your own software with your own seller account, it sounds to me like you will be OK after this reset and you just need to make the credential change as soon as your current credentials stop working. I recommend you only do this for now and then just see what happens after that.

Dynamic Enterprise Technologies Inc
Seattle Washington USA


#11

Hi David,

Thanks for your response.

OK, I’ll take your advice here and wait for the reset of credentials.

We are way too reliant on the API, I can’t afford for this to go wrong and lose access. In fact, this has made me think today about whether we need a backup plan, such as a cheap software package running alongside our current setup, that can at least download our orders and create the shipping labels etc.

@jeywalk @TwoRedSevensUSA
If you hear anything back from Amazon will you please come back to the thread? I’ll keep a look out :slight_smile:


#12

If you send me a private message and request a recommendation, I would be happy to provide one.

Dynamic Enterprise Technologies Inc
Seattle Washington USA


#13

Will definitely update here if I hear back from Amazon.

My concern is once our credentials are reset, we may encounter this issue again. And perhaps the second time around, it wouldn’t be a simple reset.

If only Amazon could provide some clarity on this…


#14

That isn’t exactly correct. Amazon can tell what software you are using to make the request if you include a user agent header in the request as per their recommendations.
https://docs.developer.amazonservices.com/en_UK/dev_guide/DG_UserAgentHeader.html

  • A User-Agent header is used to identify your application, its version number, and programming language. Amazon recommends as a best practice to include a User-Agent header with every request that you submit to Amazon MWS.

#15

The User-Agent header is an optional string of data used “to more effectively diagnose and fix problems”. This header can be set to anything the developer wants it to be (within the given format). It does not validate the software in use or the ownership of the software. Two developers/companies of totally different software could put the exact same string in the User-Agent header.

Amazon’s complaint is “your application does not comply…because it is using the incorrect authorization model”. To my knowledge, the User-Agent header has nothing to do with the authorization model. Therefore, I assume setting User-Agent header to any certain value is not going to fix the problem with the authorization model.

Dynamic Enterprise Technologies Inc
Seattle Washington USA


#16

Setting user agent header correctly might not fix this for OP and the others posting here, but given the request mechanism it is a pretty obvious first thing to check. Setting it correctly also won’t hurt anything and is a best practice. Newer client libraries all send it, the value is set at initialization.

I shouldn’t need to belabor this point, enforcing the “write your own” part of the authorization model requires somehow associating requests with the application that made them. In the new SP-API this is not a problem since each application gets its own set of access/signing keys. MWS doesn’t have this feature, so if not for the user agent header what other methods could be used?

It is also hard to avoid this line from the user agent docs I mentioned above, since it is the first thing on the page.

The MWS API is over 13 years old now, the relatively new authorization model is only a little over 3 years old. Yes, the MWS header can easily be set by a developer to almost anything. Perhaps not so easily (but certainly not impossible) by someone running software developed by someone else.

I also agree that the user agent header is not verified or validated like it is in the newer API, and it is very possible for two devs to set the header to the same value. This doesn’t seem very relevant, the idea that a false positive or two would deter Amazon from using this as an enforcement measure is laughable to anyone with experience on this platform.

I would like to point out that not everyone got these warnings. Judging strictly by the forum postings, only a very small percentage of MWS users are involved. In general, advising people to ignore warnings from Amazon seems a little reckless.

This! Unfortunately Amazon believes that hiding basic info like this makes it harder to bypass their rules, when it mostly just makes it harder to follow them.

Hopefully MWS support will reply to your case in a reasonable amount of time and we can get more information. (this isn’t sarcasm, it could happen)


#17

Agreed, however, it is not relevant to the topic under discussion here, which is the authorization model. Best practice would be for you to start a separate thread to discuss the fine points of User-Agent header.

I would be happy to answer your questions about the User-Agent header on a separate thread.

No one advised people to ignore Amazon warnings. Someone asked what the warning meant, and I simply explained the warning as I understood it. If you read the email from Amazon carefully you will find it says Amazon’s concerns will be handled as a result of the credential reset. So, I explained that and I advised them to follow the instructions in the email and to stay in compliance (that is, to simply change their credentials when the time comes). The email does not request they to do anything else (except it reminds them of the rules, which I encouraged them to read).

I’ve missed your insults of my posts over the last number of months. It’s great to have you back at it again! :slight_smile:

Dynamic Enterprise Technologies Inc
Seattle Washington USA


#18

This statement universally applies to all of Amazon policy changes.
Very well said.


#19

@davidonelson - you seem like a smart person, and you have been around the forums over 3 years. I’m sure by now you understand that it is hard to help people with technical issues - especially when there is often little information given, in an environment characterized by dramatic (and often undocumented) change. In most cases it requires very careful reading to avoid muddying the water.

You are pulling my comments out of context, and misrepresenting their intent. I am sorry if you consider these personal attacks, and if you read them carefully you will note that they were intended as critiques of the ideas presented in your posts, not you personally.

That said, when you pretend to be an authority you are opening yourself up to legitimate ad-homonym attacks. I would suggest that your own constant self-promotion on the forums is contributing to your sensitivity and overall combativeness with me. If you would truly like to avoid my negative comments you should try to make your posts more based on actual hands-on MWS API coding and design experience, and avoid basing your comments solely on your understanding/re-interpretations of the limited docs available.

The fact that you cannot seem to grasp the connection between my posts and the OP’s issue demonstrates this perfectly.


#20

Did anyone’s MWS credentials get reset after 14 days? @TwoRedSevensUSA @Crusader