I am authenticating the user using Login with Amazon with the Authorization Code Grant. This is the scope that I am using:
profile alexa::ask:skills:read alexa::ask:models:read
After retrieving the authorization code, I use it to obtain an access bearer token. I use the bearer token to retrieve the user profile, which works fine. I use the same bearer access token to retrieve the user's vendor IDs and that call fails with the message:
"Token is invalid/expired"
I tried calling the API with a brand new access token retrieved using the refresh token and I got the same error.
If I configure the user's vendor ID statically (I get it from the user's account) and invoke the REST API to retrieve the user's skills, the call fails with the same error message.
I'd like to also mention that I set the Authorization header using the following format:
"Authorization": "Bearer " + $access_token
In other words, I am prefixing the access token with "Bearer ". Can someone please confirm that this is the correct way to set the header for this particular API? That is what I have been using in other API invocations, including the one for retrieving the user profile, which work fine. The ASK Management API seems to indicate that the authorization header is set with the value of the access token (without mentioning the "Bearer" qualification). If I remove the "Bearer" prefix, then the error message that I get is:
"User has not consented to this operation".
This is odd given that the scope does include the proper claims, I think.
I don't know which one of these two error messages is the correct one - it depends on the format of the Authorization header.
I would really appreciate any help. This issue is currently stopping us from releasing very nice support for Alexa.