MWS Auth Tokens Explained
Brandon Checketts
There has recently been a bit of discussion about a new “Auth Token” requirement for the Marketplace Web Services (MWS) API that third-party merchants like Seller Labs use to communicate with Amazon Sellers’ accounts. The MWS API is how our system learns about the orders that have been placed for an Amazon Seller’s account, and is simply a well-defined way for our systems to communicate with Amazon’s systems.
Nearly two years ago, in May 2013, we made the MWS team at Amazon aware of what we considered a serious security problem. We were given access to properly secure our own applications, but we believe that many third-party applications have remained vulnerable to a possible avenue of attack.
Thus we were thrilled last August when the announcement was made that the MWS authentication process would finally fix this serious vulnerability. The change introduced a new “Authentication Token” (or “Auth Token” for short) that is in addition to two other pieces of information that must be shared between a seller’s Amazon account and the third party (i.e. Seller Labs) in order to access the API. The announcement originally indicated a deadline of March 31, 2015 for all third-party applications to support this new requirement.
In addition to the documented API, the MWS team at Amazon also produces programming libraries for accessing the API in various programming languages, and these took longer to be updated. The updated libraries were published around January 2015, and we began implementing the changes on Seller Labs’s side as soon as we found them available. The majority of our implementation was completed in January. The MWS API provided a way for us to generate these “Auth Tokens” for accounts which we already could access, so the change was seamless to all users.
In practice, the MWS documentation stated this new security measure would be required on March 31, 2015, but the MWS team didn’t do much to ensure third-party solution providers actually knew about the required changes. Unfortunately, they have pushed back the date for the required changes significantly. The documentation now states the changes will be required on June 30, 2015.
As far as we can tell, many third-party providers have been slow to make the required changes. The MWS team may enforce the new requirement for a day so that solution providers’ systems break and the providers are forced to investigate and eventually notice the new requirement.
With all of the changes going on, Amazon sellers may see some discussion about the new Auth Token requirement. Seller Labs’s customers can rely on our products to fully support this change that we have been hoping to see for the last couple of years.