shaqspeare asked

Getting invalid token error

[On behalf of: Kush Fanikiso] I am following the PHP tutorial on how to integrate Login with Amazon on my site. I'm on the last stage and I'm trying to exchange the access token for the user profile, and I am getting this error: {"error":"invalid_token","error_description":"The request has an invalid parameter : access_token"} Does anyone know why I might be getting this? -Thanks in advance
login with amazon

shaqspeare answered
Hi Kush, Could you tell us how you're making the call to exchange the access_token for profile info? The access token needs to be set as a request header, and not as a query parameter, so we'd like to be clear as to what format you're using.

shaqspeare answered
[On behalf of: Kush Fanikiso] Thanks for the response. This is the code I am using to test, which is very similar to the sample PHP code. I have the button on a secure testing site and I set the return URL to the origin URL so I can pull out the access token manually. And then I have the following PHP code:

    aud != 'MY-CLIENT-ID') {
        // the access token does not belong to us
        header('HTTP/1.1 404 Not Found');
        echo 'Page not found';
        exit;
    }

    // exchange the access token for user profile
    $c = curl_init('https://api.amazon.com/user/profile');
    curl_setopt($c, CURLOPT_HTTPHEADER, array('Authorization: bearer ' . $access_token));
    curl_setopt($c, CURLOPT_RETURNTRANSFER, true);

    $r = curl_exec($c);
    curl_close($c);
    $d = json_decode($r);

    echo $d->error;
    echo $d->error_description;
    echo sprintf('%s %s %s', $d->name, $d->email, $d->user_id);
    ?>

It gets past checking that the client ID belongs to me, but the last part, exchanging the access token for the profile info, is the one that is currently not working.

Warm regards
-Kush

shaqspeare answered
Kush, There are several possible causes of this.

1. You could be missing permissions to the 'profile' scope. If you followed the sample code in step 3 "Add the SDK for JavaScript" in the Getting Started for Web guide, then this should already be taken care of.
2. The access token expires after 1 hour, so if your access token is hardcoded for testing purposes, it may have expired.
3. Your access token is URL-encoded in the call header. Notice in the sample code that when calling the 'https://api.amazon.com/auth/o2/tokeninfo' endpoint, the access token needs to be URL-encoded. However, when placing the access token in the call header to get the user profile, it should not be URL-encoded. Looking at your code, it seems possible to me that your access token is URL-encoded at that point, which could be why your first call succeeds but your second call fails.

If you try these suggestions and the issue is still not resolved, kindly send your client ID, as well as the approximate date and time of your last attempt, to lwa-support@amazon.com so that we may investigate further.
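The encoding distinction in cause 3 above, as an added example (not part of the original thread and not Amazon's sample code): the token is decoded once, then URL-encoded only for the tokeninfo query string and sent raw in the Authorization header. The function names are hypothetical, the sample tokens are constructed, and the code assumes a raw access token never contains "%".

```php
<?php
// Added example; function names are hypothetical, not part of the Login with Amazon SDK.

// A token cut by hand from a return URL is still percent-encoded ("|" shows up as "%7C").
// PHP already decodes $_GET/$_REQUEST values, so only hand-parsed tokens need this step.
// Assumption: a raw access token never contains "%", so valid %XX escapes mean "encoded".
function lwa_raw_token(string $fromUrl): ?string
{
    $t = trim($fromUrl);
    if (strpos($t, '%') !== false && !preg_match('/%(?![0-9A-Fa-f]{2})/', $t)) {
        $t = rawurldecode($t);
    }
    // The value is placed in a request header: refuse whitespace and control bytes.
    return ($t === '' || preg_match('/[\x00-\x20\x7f]/', $t)) ? null : $t;
}

function lwa_get_json(string $url, array $headers = []): ?object
{
    $c = curl_init($url);
    curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($c, CURLOPT_HTTPHEADER, $headers);
    $r = curl_exec($c);
    $d = is_string($r) ? json_decode($r) : null;
    return is_object($d) ? $d : null;
}

function lwa_fetch_profile(string $tokenFromUrl, string $clientId): ?object
{
    $raw = lwa_raw_token($tokenFromUrl);
    if ($raw === null) {
        return null;
    }
    // tokeninfo: the token travels as a query parameter, so encode it exactly once.
    $info = lwa_get_json('https://api.amazon.com/auth/o2/tokeninfo?access_token=' . rawurlencode($raw));
    if ($info === null || !isset($info->aud) || !hash_equals($clientId, (string) $info->aud)) {
        return null; // the token was not issued to this client
    }
    // profile: the token travels in the Authorization header, raw and not URL-encoded.
    return lwa_get_json('https://api.amazon.com/user/profile', ['Authorization: bearer ' . $raw]);
}

// Constructed sample values (not real tokens): encoded, already raw, and header-unsafe.
foreach (['Atza%7CEXAMPLE-constructed', 'Atza|EXAMPLE-constructed', 'Atza%7Cx%0d%0ay'] as $sample) {
    var_dump(lwa_raw_token($sample));
}
```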

shaqspeare answered
[On behalf of: Kush Fanikiso] Hi, The 3rd one was it! Now it works, thank you. I needed to url decode the manually stripped access token. regards -Kush

Will Kirchheimer answered
#3 for me as well, thanks! (Had to urldecode() because the system had already sanitized the data.) -- Will