How to Rotate Your Login With Amazon (LWA) Credentials

What is LWA Credential Rotation?

by Mayur Patel

Credential rotation means regularly replacing your client secrets. To keep your application's integration with Amazon's Selling Partner API (SP-API) both secure and uninterrupted, it's crucial to rotate your Login With Amazon (LWA) credentials (client secrets) on a regular schedule.

By routinely rotating your Login With Amazon (LWA) credentials, you minimise the risk of unauthorised access if your application's credentials are exposed or compromised. This practice limits the time during which compromised credentials can be used.

Note: Rotating credentials does not impact end users. End users do not need to re-authorise applications.

Why Rotate LWA Client Secrets for SP-API?

Your application's LWA credentials function similarly to a username and password. Even with careful management, there's always a risk that your credentials could be exposed or compromised. Regular and timely rotation of your LWA client secret strengthens your application's security by limiting the lifespan of those credentials.

If you fail to rotate your app's LWA client secret by the designated deadline, your ability to make API calls will be lost. This could disrupt critical business functions and negatively affect any customers who have authorised your application.

How to Rotate LWA Credentials Programmatically

To rotate your LWA credentials programmatically, refer to Rotate your application's client secret.

How to Rotate LWA Credentials in the Developer Console

Follow these steps to rotate LWA credentials (client secrets).

Sign In

Sign in to your developer account on Seller Central, Vendor Central, or Developer Central, and navigate to the Developer Console page that lists all your applications.

Locate Credentials

Find the expiration alert from the LWA credentials column and select View.

Store Credentials (Optional)

For ease of reference, you can securely store your existing LWA credentials in an encrypted form.

Rotate Credentials

Choose Rotate secret, read the warning, then choose Rotate secret again.

Verify Update

View the updated target rotation date on the LWA credentials page.

Repeat the steps from Locate Credentials through Verify Update for every application showing an expiration alert.

Important: After generating a new LWA credential (client secret), you must update the credentials for all applications that interact with Amazon APIs. The old credentials will expire seven days after the new ones are generated.

Do You Need to Generate New Refresh Tokens During Rotation?

Refresh tokens are linked to the LWA client identifier. When you rotate the LWA credentials, a new client secret is generated. You should use the new client secret along with the existing client identifier and refresh token to obtain new access tokens. There is no need to recreate the refresh tokens.

Troubleshooting Credential Rotation

If your application is blocked due to not rotating LWA credentials by the deadline, initiating the credential rotation will automatically unblock your application. However, you must begin using the new client secret before the old one expires. The expiration time of the old secret varies depending on authorisations and security concerns; in some cases, it will expire immediately after rotation, while in others, it may last up to seven days.
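The two points above (the existing refresh token keeps working with the new secret, and the old secret may stop working anywhere between immediately and seven days after rotation) can be handled in one place in your token-refresh code. The following is an added example, not code from the original post or from Amazon: it exchanges a refresh token for an access token against the standard LWA token endpoint (https://api.amazon.com/auth/o2/token, grant type `refresh_token`), tries the new secret first and falls back to the old one only if LWA reports `invalid_client`, and records which secret succeeded so you can alert when the old secret is still in use. The `transport` parameter and `make_fake_transport` helper are hypothetical hooks added so the logic can run offline; all secrets, tokens and client identifiers below are constructed placeholders.

```python
"""Access-token refresh that survives an LWA client-secret rotation.

Added example (not from the original post). Assumes the public LWA token
endpoint and the refresh_token grant; the transport hook is hypothetical.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

LWA_TOKEN_URL = "https://api.amazon.com/auth/o2/token"


class LwaAuthError(Exception):
    """Raised when no configured client secret yields an access token."""


def http_transport(url, form):
    """Real transport: POST a form-encoded body, return (status, parsed JSON body)."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        url, data=data, headers={"Content-Type": "application/x-www-form-urlencoded"}
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def get_access_token(client_id, refresh_token, client_secrets, transport=http_transport):
    """Exchange the (unchanged) refresh token for an access token.

    client_secrets is an ordered list of (label, secret) pairs, newest first.
    Only an `invalid_client` error moves on to the next secret; anything else
    (e.g. `invalid_grant` for a bad refresh token) is not a secret problem, so
    retrying with another secret would only add noise to the auth logs.
    """
    last_error = None
    for label, secret in client_secrets:
        status, body = transport(LWA_TOKEN_URL, {
            "grant_type": "refresh_token",
            "refresh_token": refresh_token,
            "client_id": client_id,
            "client_secret": secret,
        })
        if status == 200 and "access_token" in body:
            # secret_used lets monitoring flag "old" once the new secret should be live.
            return {
                "access_token": body["access_token"],
                "expires_in": body.get("expires_in"),
                "secret_used": label,
            }
        last_error = (label, status, body.get("error"), body.get("error_description"))
        if body.get("error") != "invalid_client":
            break
    raise LwaAuthError(f"LWA token exchange failed: {last_error}")


def make_fake_transport(valid_secrets, valid_refresh_token, calls=None):
    """Constructed offline stand-in for the LWA endpoint (hypothetical, for demonstration).

    Records every secret tried in `calls` so callers can see the fallback order.
    """
    def transport(url, form):
        if calls is not None:
            calls.append(form["client_secret"])
        if form.get("grant_type") != "refresh_token" or form.get("refresh_token") != valid_refresh_token:
            return 400, {"error": "invalid_grant", "error_description": "constructed: bad refresh token"}
        if form.get("client_secret") not in valid_secrets:
            return 401, {"error": "invalid_client", "error_description": "constructed: secret rejected"}
        return 200, {"access_token": "Atza|constructed-token", "token_type": "bearer", "expires_in": 3600}
    return transport


if __name__ == "__main__":
    # Constructed demo: the old secret has already been cut off, the new one works.
    fake = make_fake_transport({"NEW-SECRET-constructed"}, "Atzr|constructed-refresh-token")
    result = get_access_token(
        "amzn1.application-oa2-client.constructed",
        "Atzr|constructed-refresh-token",
        [("new", "NEW-SECRET-constructed"), ("old", "OLD-SECRET-constructed")],
        transport=fake,
    )
    print(result["secret_used"], result["expires_in"])
```

Deploy the new secret as the first entry as soon as you rotate, keep the old one second for at most the seven-day overlap, and treat any `secret_used == "old"` in your logs after deployment as a sign that some instance is still running the stale configuration.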

Final Tips

Regular rotation of your Login With Amazon (LWA) credentials is a vital practice to ensure the security and continuity of your application’s integration with Amazon’s Selling Partner API (SP-API). By adhering to the credential rotation guidelines and updating your credentials before the deadline, you protect your application from potential security risks and avoid service disruptions.

Always remember to follow the outlined steps for rotating credentials programmatically and via the Developer Console, and keep track of any expiration alerts to maintain seamless API access.

Stay Informed with the Best Practices

Keep up with our blog for useful tips.

Mayur Patel 6 September, 2024