API Onboarding

The Content API Suite enables you to automate content management workflows and receive real-time visibility into your content’s status on Prime Video. This suite includes:

• Avails API – Submit, update, retrieve, and delete content rights (avails) programmatically across all business lines and territories
• Offer Status API – Check if your titles are live on the Prime Video storefront and understand what’s blocking titles from going live
• Asset Status API – Monitor asset delivery status and receive instant feedback on content readiness

When you onboard to the Content API Suite, you’ll receive access to the APIs you request during the onboarding process. All APIs within this suite use MTLS (Mutual Transport Layer Security) certificate-based authentication with API keys.

Include the following information:

• Your organization name
• Business alias (if known)
• Confirmation of which partners you are delivering on behalf of (if applicable)
• Use case description
• Environment access needed (Sandbox, Production, or both)

You will need a separate CSR for the Sandbox environment if you plan on testing there prior to production. If you would like both you can include both in your request and just make sure the filenames of the CSRs include the words Sandbox and/or Production so we know which is which.

1. The first command will generate your private key file with a file extension of “key”.
   
2. The second command will generate your Your Certificate Signing Request (CSR) with a file extension of “csr”. You will need to pass in the path to the client.key you just created. The recommended naming convention for the output file is <Partner Name>_<Prod or Sandbox>_client.csr.

1. Test in the sandbox environment first
2. Verify authentication works with a simple API call
3. Test submitting a new update
4. Test receiving data successfully
5. Implement error handling and monitoring
6. Validate your payload schemas against the documentation

Contact your Preferred Fulfillment Vendor and provide explicit permission for them to view your avails. Once authorized, they can handle onboarding on your behalf to access APIs.

Yes—you can onboard directly using the standard onboarding steps for the Content API Suite without involving your Preferred Fulfillment Vendor.

The onboarding timeline varies depending on your technical readiness and the complexity of your integration. Typically, the process includes credential provisioning, technical documentation review, integration development, and testing. We recommend allowing adequate time for your development team to build and test the integration before going live.

Currently, API access is only available to managed Prime Video partners. However, we are actively working on expanding API access to non-managed partners in the future.

If you’ve received your API credentials but need guidance on implementation, reach out to your Prime Video contact or via Contact Us to discuss your individual needs and circumstances. We can provide tailored guidance on:

• How to authenticate using your credentials
• Which API endpoints are most relevant to your workflow
• Best practices for integration and testing
• Technical documentation and code samples

If you lose your private key, you will need to generate a new CSR and private key pair and submit the new CSR to your Prime Video contact. We cannot recover lost private keys, as they are never shared with Prime Video for security reasons.

The Analytics API Suite enables you to integrate multiple end points for Prime Video performance data directly into your own systems and gain deeper insights into content performance. This suite includes:

• Performance Dataset– Access event-level data for granular analysis and integration with your internal datasets
• Reporting – Retrieve static CSV files with content performance and earnings data on a recurring basis
• Financial Statement– Access actualized earnings statements reflecting your financial dashboard data in Slate
• Subscription Event Log - Access event-level subscription data for customer journey tracking

All API end points within this suite use OAuth 2.0 authentication and provide read-only access to performance data. Unlike other Slate reports, Analytics API datasets are append-only (each file contains new data) and are built explicitly for partner engineers to consume granular data and perform analytics.

To get the authorization code, you’ll create a specific URL to use in your web browser. To complete this step, you’ll need the following:

• The application’s security profile client_id
• The application’s registered redirect_url
• Response type from the authorizer—this should be code
• Scope to authorize: videocentral::reports:read

The first time you request a token, you’ll need the following:

• Application’s security profile client_id
• Application’s security profile client_secret
• Application’s registered redirect_uri
• Application authorization code previously created
• The grant_type to use

You will receive:

• access_token: This short-lived token (expires in 1 hour) is used to authenticate your API requests to the Performance APIs
• refresh_token: This long-lived token is used to generate new access tokens without requiring user re-authorization—store this securely as it provides ongoing access to your application

Your refresh token may change with each use according to OAuth 2.0 specifications, so ensure your integration updates the stored refresh token value after each refresh request.

1. Verify authentication: Confirm that your access token successfully authenticates API requests by making a simple test call to the accounts endpoint
2. Test data retrieval: Validate that you can successfully retrieve performance data and that the response format matches your expectations
3. Implement error handling: Build robust error handling for common scenarios including expired tokens, rate limiting, and network issues
4. Validate token refresh logic: Test your refresh token implementation to ensure your application can automatically obtain new access tokens without manual intervention
5. Confirm token expiration handling: Verify that your integration properly detects when access tokens expire (after 1 hour) and automatically refreshes them before making subsequent API calls

To revoke API access for a specific user account (useful when testing with different accounts or when team members change roles), please see instructions on the user permission page.

If your application credentials have been compromised (for example, if they were accidentally committed to a public code repository):

1. Go to the Login with Amazon Console
2. Find your security profile and click Manage, then select Security Profile
3. Click Delete Security Profile and type “delete” in the confirmation box to proceed

Important: Deleting your security profile immediately invalidates all existing access tokens and refresh tokens for all users, and prevents any future use of those credentials. You will need to create a new security profile and repeat the entire onboarding process if you need to restore API access.

Deleting your security profile immediately invalidates all existing access tokens and refresh tokens for all users. This action cannot be undone, and you will need to create a new security profile and repeat the entire onboarding process to restore API access.

Store your Client Secret and Refresh Token in your organization’s secure secrets management system. Never hardcode these values in your application code or configuration files. These credentials provide access to your Performance API integration and should be treated with the same security standards as passwords or API keys.

No. Never commit credentials to code repositories, share them via email, or include them in documentation or support tickets. If credentials are accidentally exposed in a public repository, immediately delete your security profile and create new credentials following the onboarding process.

Access tokens expire after 1 hour. Implement automatic token refresh logic in your application to ensure uninterrupted API access. Your application should detect when tokens are about to expire or have expired, then use your refresh token to obtain a new access token before making subsequent API calls.

Refresh tokens may change with each use according to OAuth 2.0 specifications. Always update your stored refresh token value after each refresh request. Store refresh tokens in a mutable secrets store that allows you to update the value programmatically when it changes.

Implement logging and monitoring to track your API usage patterns, including request volumes, error rates, and authentication attempts. Set up alerts for unusual activity that might indicate compromised credentials, such as requests from unexpected IP addresses, unusual request patterns, or repeated authentication failures.