Token requests

The first time you request a token, you’ll need the following:

• Application’s security profile client_id
• Application’s security profile client_secret
• Application’s registered redirect_uri
• Application authorization code previously created
• The grant_type to use, which should be

To request a token:

1. Enter the client_id, client_secret, authorization_code, and grant_type as URL-encoded form data.
2. Make an HTTP request.
   The curl command to generate tokens from authorization_code is shown in the following example.
   
   Two tokens are returned, an access_token and a refresh_token.
   
   

Each subsequent call to get a new short-lived token must use a grant_type of refresh_token and include the refresh_token. Your application will request the following steps each time it begins a new session. This procedure uses the refresh_token combined with the existing secrets to issue a new short-lived access_token.

1. Enter the client_id, client_secret, redirect_uri, authorization_code, and grant_type as URL-encoded form data.

2. Make an HTTP request (using either curl or Reference Implementation application).
   Use the following curl command to generate access tokens using a refresh token:
   

   Two tokens are returned, an access_token and a refresh_token.
   

access_token: This short-lived token is included in HTTP requests to the API. Although short-lived, it’s sensitive, so don’t share it. New access_tokens can easily be generated.

refresh_token: This indefinite token is used by the client to request all subsequent tokens and is also sensitive. When combined with the client_id and client_secret for your application, you can use the refresh_token to create more access_tokens.

Note: The OAuth2 spec allows the refresh_token to change each time it’s used. While the Amazon implementation doesn’t always do so, you should assume that it could happen any time, and use a mutable secrets store for this value.