Jonathan Gonzalez asked

Invalid Authorization type provided

I'm trying to use the Web API to retrieve a track and use the Web API endpoints in general. I went through the OAuth flow for the web and retrieved a token. This token works fine for retrieving user account info, but when I try to use it with https://api.music.amazon.dev/v1/tracks/B076YT2CBT, for example, I get "access denied" with "Invalid Authorization type provided".

I made sure to use the header values of "x-api-key" with my client-id and the "Authorization" with a value of the token generated. What am I doing wrong here?


Jonathan Gonzalez answered

I was just told we were given access to the Amazon Music API; however, I'm running into the same issue. To provide more context, this is how I'm generating the token:

Start the login process with this GET request

GET: https://www.amazon.com/ap/oa?client_id=XXX&scope=profile&response_type=code&redirect_uri=http://localhost:3000/amazon/redirect

This will redirect to the localhost:3000 redirect URI which properly creates a code for me to use within the next step.


POST: https://api.amazon.com/auth/o2/token

x-url-form-encoded is used in Postman with these key/values:

  • code: code generated in the GET request above
  • grant_type: authorization_code
  • redirect_uri: http://localhost:3000/amazon/redirect
  • client_id: amzn1.application-oa2-client.XXXXXX
  • client_secret: amzn1.oa2-cs.v1.XXXX


This successfully goes through and generates an access_token, refresh_token, token_type, and expires_in.


I then tested this token by using the user profile endpoint:

GET: https://api.amazon.com/user/profile?access_token=XXXX

This works fine, returns my email, name, and user_id.


I then tried it with the track endpoint:

GET: https://api.music.amazon.dev/v1/tracks/B076YT2CBT

Added in these headers:

Authorization: Bearer accessTokenHere

x-api-key: amzn1.application-oa2-client.XXXXXX

The Authorization is the bearer token that was generated above, and the x-api-key is the client Id. When I try to use it for that track endpoint I get this error:

{
    "data": null,
    "errors": [
        {
            "code": "ACCESS_DENIED",
            "message": "Invalid signature, check token for expiry.",
            "status": 401
        }
    ]
}


What am I doing wrong here? Do I need to use another type of scope?

Jonathan Gonzalez answered

Ok I found my issue, for anyone else that encounters this. I overlooked this part in the documentation:

Calls to the Amazon Music Web API must always include two header parameters: Authorization and x-api-key. The value of Authorization should be the bearer token you received from the LWA service. And the value of x-api-key should be your LWA Security Profile ID. The Security Profile ID is not the same as the Client ID you used to acquire the LWA token. You will find it in the general tab of the Security Profile Management page in the LWA Console. The ID looks like amzn1.application.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, which is different than the Client ID, which is prefixed with amzn1.application-oa2-client.xxx

I was using the Client Id instead of the Security Profile Id, after which the track endpoint pulled info just fine with everything else kept the same.

Jonathan Gonzalez answered

Also might be good to update this in the docs. I realized why I was confused and it's because this is shown in the endpoint documentation for "tracks":

curl --request GET '<base url>/v1/tracks/B076YT2CBT' \
--header 'x-api-key: <your client ID>' \
--header 'Authorization: Bearer <your auth token>'

https://developer.amazon.com/docs/music/API_web_track.html#add-track-to-current-users-library

Should say "Security Profile Id" or at least "Profile Id" as to not confuse others.

1 comment

nevina commented:
I used the same flow but I got this error: { "data" : null , "errors" : [ { "code" : "ACCESS_DENIED" , "extensions" : { "code" : "ACCESS_DENIED" , "message" : "No identity provided. Client id resolved as: Unknown" }, "status" : 403 } ] }

Can you please help me to solve this?
