2025 Growth Unified Hits Major Growth Milestones with 6.5x usage & 4.5x revenue growth
Unified.to
All articles

How to Get Your Amazon Ads API Key

May 29, 2026

There is no single "Amazon Ads API key." Amazon Advertising uses Login with Amazon (LWA) OAuth 2.0, which produces five distinct credentials — none of which is a static key you can paste into a config file and call done. The setup spans two separate Amazon portals, requires application review for production access, and trips up most developers on the same handful of issues.

This guide walks through the exact 2026 process: creating your LWA Security Profile, applying for Advertising API access, linking the two, and avoiding the auth errors that consume entire days when you don't know what to look for.

Key takeaways

  • Amazon issues five credentials, not one: Client ID, Client Secret, Access Token, Refresh Token, and Profile ID (plus a separate Security Profile ID identifier). Each has a specific role and lifecycle.
  • The setup spans two portals: developer.amazon.com for the LWA Security Profile, and the Amazon Ads Partner Network Console for the Advertising API application. The two are linked via the approval email.
  • There is no sandbox environment for the Advertising API. Production approval is the only access tier. Plan accordingly.
  • Approval takes 2–3 business days for Direct Advertisers, several weeks for Tool Providers and agencies. Standard SaaS integrations apply as Tool Providers.
  • A single Security Profile works across all regions (NA / EU / FE), but API calls must hit region-specific endpoints, and /v2/profiles only returns profiles from the region you query.

Before you start

You'll need:

  • An Amazon Ads Manager account at advertising.amazon.com (not Seller Central, not Service Provider Network)
  • A valid privacy policy URL to provide during Security Profile creation
  • An OAuth-capable backend — Amazon does not support implicit grant or client-credential flows for the Advertising API; only authorization-code flow with refresh tokens
  • Active advertising campaign history if you're applying as a Direct Advertiser — Amazon's review process expects evidence of legitimate advertising activity before granting API access

If you're building integrations as a B2B SaaS company, you'll apply as a Tool Provider/Agency, not a Direct Advertiser. The approval is longer and more thorough, and your application should clearly describe what you're building and how end-customer data is handled.

Step-by-step: creating Amazon Ads API credentials in 2026

1. Create your LWA Security Profile

Go to developer.amazon.com and sign in with your Amazon account. From the top navigation, select Login with Amazon, then click Create a New Security Profile.

Fill in:

  • Security Profile Name — your application name
  • Security Profile Description — a short description of what the application does
  • Consent Privacy Notice URL — your privacy policy URL

Save the profile. You'll see it appear in the Security Profiles table.

2. Retrieve your Client ID and Client Secret

From the Login with Amazon page, find your newly created Security Profile in the table. Click Show Client ID and Client Secret. These are your two foundational credentials:

  • Client ID (format: amzn1.application-oa2-client.xxx) — sent in the Amazon-Advertising-API-ClientId header on every API call
  • Client Secret — used only during token exchange at the /auth/o2/token endpoint; never sent in API request headers

Under Manage, click Web Settings and add your Allowed Return URLs — the OAuth redirect URIs where Amazon will send authorization codes after a user authenticates.

Note your Security Profile ID (format: amzn1.application.xxx) from the General tab. This is distinct from your Client ID and is required when linking the profile to your Advertising API access in step 5.

3. Apply for Advertising API access

Log in to the Amazon Ads Partner Network Console using the same email address as your Security Profile. This is a different portal from the Developer Console — the most common cause of "my application has been pending forever" is using two different Amazon accounts across the two portals.

From the left menu, select API Applications, then click Request API Access.

Choose your access type:

  • Direct Advertiser — you're managing your own advertising campaigns through the API
  • Tool Provider / Agency — you're building software that manages advertising for other advertisers (this is the path for B2B SaaS integrations)

Check Advertising — Manage advertising campaigns and creative, and receive advertising reporting metrics. Complete the business-justification form. Submit.

4. Wait for approval

Direct Advertiser applications are typically approved in 2–3 business days. Tool Provider applications can take several weeks and are reviewed against Amazon's API access policies — including whether your business model is compatible with the API terms (more on that below).

5. Link your Security Profile to your Advertising API access

When your approval email arrives, click the link inside. You'll be prompted to select an LWA Security Profile. Choose the one you created in step 1. Click Link application.

This step is what connects the two portals. Without it, your Security Profile exists but has no Advertising API permissions.

6. Run the OAuth authorization flow

For each end customer whose Amazon Advertising account you'll access, run the standard OAuth 2.0 authorization-code flow against the regional endpoint matching their marketplace:

  • NA: https://www.amazon.com/ap/oa
  • EU: https://eu.account.amazon.com/ap/oa
  • FE: https://apac.account.amazon.com/ap/oa

Request the profile and advertising::campaign_management scopes. Exchange the resulting authorization code for an access token and refresh token at the matching regional token endpoint. Then call /v2/profiles on the same regional API endpoint to retrieve the Profile IDs for that customer's authorized accounts.

The gotcha: Amazon's auth has several failure modes

Amazon Advertising's setup is more error-prone than most ad APIs. The patterns that cause real production outages:

SPN account confusion. Developers attempt to authorize through Seller Central → Service Provider Network credentials. SPN accounts don't have Advertising API permissions. The OAuth flow must be initiated against advertising.amazon.com directly, using an Ads Manager account. This is the single most common reason new integrations fail.

Regional endpoint mismatches. A token obtained from api.amazon.com (NA) won't work against an EU marketplace's API endpoint. The access token itself is valid across regions, but you must request it from the regional token endpoint matching the marketplace you're querying. Mixing them produces 401 Unauthorized errors that look like credential problems.

Profile propagation delays. When an advertiser links a new advertising profile to their Ads Manager account, Amazon's systems can take up to an hour to propagate. API calls immediately after linking will fail until propagation completes.

Missing the scope header. After retrieving Profile IDs from /v2/profiles, every subsequent campaign management or reporting call requires the Amazon-Advertising-API-Scope: {profile_id} header. Forgetting it produces 403 Forbidden errors that look like permission problems but are actually a missing header.

View-only permissions. The /v2/profiles endpoint returns 403 for view-only users unless you append ?accessLevel=view. This is undocumented in most integration guides.

Don't confuse the Advertising API with the Product Advertising API. These are different systems. The Product Advertising API (used by Amazon Associates affiliates) was deprecated April 30, 2026, and replaced with the Creators API. The Advertising API (used for Sponsored Products, Sponsored Brands, and Sponsored Display) is separate, continues using LWA OAuth, and is what this guide covers.

Security and credential handling

Refresh tokens may rotate. Amazon can issue a new refresh token in the response when you exchange an old one for a new access token. Always persist the latest refresh token from each response. Older refresh tokens may become invalid.

Store credentials in a secret manager. Client Secret and refresh tokens are long-lived sensitive credentials. Use AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, or equivalent. Don't commit them to repositories or environment files.

Refresh proactively. Access tokens expire after one hour. Refresh at the 55-minute mark to avoid in-flight request failures, with exponential backoff retry logic on refresh errors.

Log refresh outcomes. Track every refresh attempt with timestamp, success or failure, and error codes. Repeated 400 or 401 errors during refresh usually mean a revoked or expired refresh token requiring re-authorization, not a transient network issue.

Is there an API-key alternative?

No. Amazon Advertising's API does not support API keys, basic authentication, or service-account credentials. OAuth 2.0 with refresh tokens is the only path. Every architecture decision in your integration — token storage, refresh scheduling, regional endpoint handling, error recovery — flows from that constraint.

Frequently asked questions

Why are there five credentials instead of one? OAuth 2.0 separates application identity (Client ID + Secret), user authorization (Access Token + Refresh Token), and account scope (Profile ID). Each credential has a distinct lifecycle: Client ID never expires, Client Secret is rotated on demand, Access Tokens last one hour, Refresh Tokens are long-lived but can rotate on each refresh, Profile IDs are stable per advertising account.

Why don't my API calls work right after linking a profile? Profile propagation can take up to an hour. If you're seeing 403 errors on a freshly linked profile, wait and retry.

Why does /v2/profiles return an empty array even after successful OAuth? Two possibilities. Either the advertising account has no campaigns yet (profile metadata only returns once at least one campaign exists), or you're querying the wrong regional endpoint for that customer's marketplace.

My company runs a comparison shopping site. Can we use the Advertising API? Probably not. Amazon explicitly prohibits Advertising API access for comparison shopping engines, demand-side platforms, marketplaces, and competitive ad networks. Review the API access policies before applying as a Tool Provider — these business-model conflicts are the most common reason applications are rejected.

How does this compare to Google Ads or Meta Ads auth? All three are OAuth 2.0 with refresh tokens, but Amazon adds the two-portal split (Security Profile + Partner Network application linked by approval email), the absence of a sandbox tier, and the Profile ID header requirement on every call. Plan extra time for first-time setup compared to Google or Meta.

Where Unified fits

Unified.to provides a single API across Amazon Advertising, Google Ads, Meta Ads, LinkedIn Ads, TikTok Ads, Microsoft Advertising, and 9 other advertising integrations — covering campaigns, ad groups, ads, creatives, targeting, and reporting through a normalized data model.

For Amazon Advertising specifically, Unified handles the LWA OAuth flow, the two-portal credential structure, regional endpoint routing, token refresh and rotation, and the Profile ID scoping behind a single authorization step. Real Amazon objects map to Unified's normalized models: ads_organization, ads_campaign, ads_group, ads_ad, ads_creative, ads_report, ads_target, and ads_promoted — with full CRUD on the campaign hierarchy and reporting endpoints. Vendor-specific endpoints that aren't in the normalized model are available through pass-through access.

If you're evaluating whether to build Amazon Advertising integration directly or use a unified API, the question to ask is whether the ongoing maintenance cost — OAuth flow updates, regional changes, profile propagation handling, error recovery — is something your team should own or something to abstract away.

Start your 30-day free trial

Book a demo

All articles