UFOdriverr avatar image
UFOdriverr asked

App-to-App account linking and skill activation ("Invalid account linking credentials")

Ok i'm desperate....

So i do everything according to: App-to-App account linking documentation

And i cant enable skill. I tells me "message": "Invalid account linking credentials"

Here is what I do (all parameters{} replaced with actual values of course):
1) calling{AMAZON CLIENT ID}&scope=alexa::skills:account_linking&response_type=code&redirect_uri=

and receive "authCode" (LinkingAuthCode)

2) Exchange it for access token


and receive "access_token" (Linking access_token)

3) Call{LWA client ID}&scope=profile+alexa::ask:skills:readwrite&response_type=code&redirect_uri=

and receive "authCode" (ProfileAuthCode) (Or i cannot use LWA for this step? I mean when you do it from the beta email or activating skill by hand you do it using LWA so.....)

4) Trying to active skill

POST /v1/users/~current/skills/amzn1.ask.skill.87cb12ad-8afa-47d6-99d1-04286092a687/enablement HTTP/1.1
Authorization: Bearer {Linking access_token}
    "stage": "development",
    "accountLinkRequest": {
      "redirectUri": "",
      "authCode": {ProfileAuthCode},  (ALSO TRIED WITH {LinkingAuthCode}, still not working, same error.)
      "type": "AUTH_CODE"


    "message": "Invalid account linking credentials"
skillaccount linkingenablement
10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

UFOdriverr avatar image
UFOdriverr answered

In order to use LWA as auth server, call it with scope: alexa::ask:skills:readwrite this scope.

P.S. Im sorry, BUT
Amazon documentation it's something.....
Is it really that hard to add there something like this:

"If you would like to use LWA as your authorization server then you have to get LWA auth code with alexa::ask:skills:readwrite scope"


10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

hi @UFOdriverr, I was having the same issue of "Invalid account linking credentials", changing the scope to "alexa::ask:skills:readwrite" gives the following error

Status: 403 Forbidden
    "message": "The authentication token is invalid or doesn't have access to make this request"
0 Likes 0 ·

Sorry, wasn't checking this forum =(
The code you get from step 3) needs to be unused.
Check if all your values are correct.
It should work.

0 Likes 0 ·
newuser-81707400-a5a9-4d0b-9c8d-285cbd6b95cf avatar image
newuser-81707400-a5a9-4d0b-9c8d-285cbd6b95cf answered

Hi Team,

did we get any soultion for this, 3rd step ProfileAuthCode working for me in final account linking, but why I need to login on LWA two times, I already looged in once to get aut code first time.

Please help.

How I can use same auth code for both case or even login 2nd time, how I can get auth code again for LWA.

10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Hello there,

App to App account linking is designed to use with developers own authorization server (not LWA) either in their app or web app. This means if you have your own app you should have your own login mechanism where user has to login to get into your app. Once user logged in you have user auth code and access token with you.

After this now call for Alexa app using universal link and if this doesn't work (when user didn't installed Alexa app) then LWA will be called as fallback url.

Once user successfully launched Alexa app/ LWA url this will create amazon authorization code and redirects to your app/web app.

Now, using this amazon auth code and user auth code received in first step you are call skill activation API.

So overall, you only have to LWA login once if your Alexa app is not installed and you have you own login setup.

LWA login will be twice only when you used LWA login to login into your app and doesn't have Alexa app installed in your device.

Let me know if you have any further confusion in this feature.

1 Like 1 ·

Thanks a lot Anand for this response and sorry for lately asked, as I was out due to medical emergency.

Sorry to bother you again, but on this line where you said e.g. "Once user logged in you have user auth code and access token with you ". In my web application, we logged in with username and password only that we already stored in encrypted mode in oracle database. Now, in this case, even after successful login, how I am going to get "user auth code and access token", do I need to implement another API to get this in backend after user logged in like auth2.0 etc.. ?

This is the only point, I am getting stuck for further progress.

Please Help!


0 Likes 0 ·
Anand@Amazon avatar image Anand@Amazon ♦ newuser-81707400-a5a9-4d0b-9c8d-285cbd6b95cf ·

Hey Pankaj,

You have to make changes in your oracle auth server to decrypt user authorization code using which you can generate access token by calling oracle authorization token URL.

0 Likes 0 ·