App-to-App Account Linking (Starting From Your App)
• Launching the Alexa app from your app – iOS and Android
• Login with Amazon – Web and as a fallback for iOS and Android
This account linking flow enables users to link their Alexa user identity with their identity in another service by starting from your app or website. When you start the account linking flow from your app, your users can:
- Discover your Alexa skill through your app
- Initiate skill enablement and account linking from within your app
- Link their account without entering their account credentials in either your app or the Alexa app, when they're logged in to both of the apps on their mobile device
- Link their account from your app using Login with Amazon (LWA), when the Alexa app isn't installed on their mobile device
Your other options for implementing the account linking flow are the following:
- App-to-app starting from the Alexa app – Users link their account by starting from the Alexa app instead of your app. For details, see App-to-App Account Linking (Starting From the Alexa App).
- Alexa app only (browser flow) – Users accomplish account linking entirely within the Alexa app. This is the most common flow. For details, see Choosing an account linking flow.
If you have an app or website, we encourage you to implement one of the app-to-app account linking flows in addition to the Alexa app-only flow.
For the rest of this topic, the term app-to-app account linking refers specifically to app-to-app account linking that starts from your app.
For troubleshooting information, see Troubleshooting app-to-app account linking (starting from your app).
- Terminology
- User experience
- Which flow to implement
- How it works
- URLs and endpoints
- Key steps
- Errors
- Best practices
- Testing guidelines
- Frequently asked questions
- Related topics
Terminology
This topic uses the following terms:
- Service – The service that you provide. For example, you might have a web-based service, "Ride Hailer", that lets users order taxis.
- App – The app that your users use to interact with your service. Continuing the previous example, you might have a "Ride Hailer" app. This discussion assumes that you are the developer of the app.
- Skill – The Alexa skill that enables the user to interact with your service using Alexa. This discussion assumes that you are the developer of the skill.
- Alexa app – The Amazon Alexa app that users can download for their mobile device.
- Login with Amazon (LWA) – An authentication system that enables users to log in and grant access to their user profile data. In terms of app-to-app account linking, LWA is a fallback that you can implement to handle the case in which users don't have the Alexa app installed on their mobile device. For general information about LWA, see the Login with Amazon documentation.
- OAuth 2.0 – An authentication standard by which your service can allow Alexa, with the user's permission, to access information from the account that the user has set up with you. For the OAuth 2.0 standard, see OAuth 2.0.
- App Link – A deep link on Android that a user clicks to launch an app. For details about App Links, see the Android documentation.
- Universal Link – A deep link on iOS that a user clicks to launch an app. For details about Universal Links, see the iOS documentation.
User experience
During app-to-app account linking, the user goes through the following workflow:
- Your app gives the user the option to enable your skill and link their account with Alexa. If the user chooses to link their account, one of two things happens, depending on whether the Alexa app is installed on the mobile device.
- (Alexa app flow) If the Alexa app is installed on the device, the Alexa app launches and asks the user to acknowledge the account linking request. After acknowledging the request, the user is returned to your app.
- (LWA flow) If the Alexa app isn't installed on the device, an in-app browser window with LWA opens, and the user can enter their Amazon credentials or create an Amazon account. The user is then asked to give your skill permission to link the accounts. After acknowledging the request, the user is returned to your app.
After the account is linked and the user is using your skill, the skill uses the same workflow as Alexa-app only account linking. In any case, disabling the skill causes the accounts to unlink.
The following are example screenshots for app-to-app account linking. As mentioned previously, the flow depends on whether the user has the Alexa app installed.
Alexa app is installed
The following is an example of the Alexa app flow.
Alexa app isn't installed
The following is an example of the LWA flow.
Which flow to implement
The Alexa app flow is available for iOS and Android. As such, the flow that you implement depends on whether you are developing an iOS app, an Android app, or a website:
- iOS and Android apps – Implement the Alexa app flow as the primary flow, and the LWA flow as a fallback for when the Alexa app isn't installed.
- Websites – Implement the LWA flow.
How it works
App-to-app account linking works by using OAuth 2.0. The following figure shows what goes on behind the scenes when the user starts account linking from your app on their mobile device. (Click image to enlarge.)
The steps are as follows. For details about the URLs mentioned, see URLs and endpoints.
- The user installs your app on their mobile device, and logs in to your app.
- Your app presents the user with the option to enable your skill and link their account with Alexa, with a mention of the benefit (for example, "You can now order a car through Ride Hailer by voice with Alexa"). The user acknowledges the linking request.
- What happens next depends on whether the Alexa app is installed on the user's device.
- If the Alexa app is installed:
- Your app launches the Alexa app using the Alexa app URL with the authorization request parameters described later.
- The Alexa app launches and asks the user if they want to link Alexa with your service.
- The user acknowledges the linking request.
- The Alexa app sends the user back to your app using your redirect URLs, and sends the user's Amazon authorization code as a part of that redirect.
- If the Alexa app isn't installed:
- Your app launches LWA using the LWA fallback URL in an in-app browser tab (not a native browser app) with the authorization request parameters described later.
- LWA launches and asks the user to log in to their Amazon account.
- LWA asks the user if they want to link Alexa with your service. The user acknowledges the linking request.
- LWA sends the user back to your app using your redirect URLs, and sends the user's Amazon authorization code as a part of that redirect.
- If the Alexa app is installed:
- Your backend server calls the LWA authorization service URL and exchanges the Amazon authorization code it retrieved in the previous step for an Amazon access token.
- Your backend server calls your authorization server to get the user's authorization code (for their account in your service).
- Your backend server calls the Alexa Skill Enablement API with the user's Amazon access token and the user's authorization code for your service, to enable the skill and link the account.
- Alexa goes to your app's access token URL to exchange the user's authorization code for your service for an access token for your service, thereby completing account linking.
URLs and endpoints
This section describes the URLs and endpoints that relate to app-to-app account linking. A description of the parameters follows.
Name | Where it's used | Details |
---|---|---|
Alexa app URL |
Your app uses this Universal Link (iOS) or App Link (Android) to send the user to the Alexa app to acknowledge the linking request. For parameter descriptions, see Parameters for the Alexa app URL and the LWA fallback URL. For general information about Universal Linking, see Allowing Apps and Websites to Link to Your Content in Apple's documentation. You can store the Alexa app URL and the LWA fallback URL in the back end, and retrieve them with a GET request. You can also store the URLs locally to avoid an extra network call; this might require a new build if you modify the skill security profile in the future. |
Format: |
LWA fallback URL |
A link that sends the user to LWA to enter their Amazon credentials. It works for iOS, Android, and websites. Your app uses this if the user doesn't have the Alexa app installed on their device. For parameter descriptions, see Parameters for the Alexa app URL and the LWA fallback URL. See the previous note for the Alexa app URL about storing the URLs. |
Format: |
Your app's redirect URLs |
The Alexa app (or LWA, if the Alexa app isn't installed) uses this Universal Link or App Link to send the user back to your app after they acknowledge the linking request in the Alexa app or LWA. The parameters returned with the redirect provide your app with the user's Amazon authorization code, which is valid for 5 minutes. |
You specify one or more of these using the Alexa developer console, the ASK CLI, or SMAPI. See the required syntax in the URI specification. |
Authorization URL |
The URL of your authorization server. The authorization server must accept the user's credentials, authenticate the user, and generate an authorization code that the Alexa app can later pass to your authorization server to retrieve an access token that uniquely identifies the user with your service. |
This link is only used for regular (not app-to-app) account linking. You specify this using the developer console, the ASK CLI, or SMAPI. |
Access token URL |
Your token server, which Alexa uses to exchange the user's authorization code (for your service) for an access token, to complete account linking. |
You specify this using the developer console, the ASK CLI, or SMAPI. |
LWA authorization service |
Your backend server uses this to exchange the user's Amazon authorization code for an Amazon access token. This enables your app to call the Alexa service to enable the skill and link the account for the user. |
Host: |
Alexa Skill Enablement API endpoint |
Your backend server calls this to enable the skill for the user. For details about the Alexa Skill Enablement API, see Alexa Skill Enablement API. |
Format: |
Parameters for the Alexa app URL and the LWA fallback URL
Field | Description |
---|---|
Client ID |
The Alexa client ID that the Alexa developer console provides when you enable app-to-app account linking in the developer console. |
Client secret |
The Alexa client secret that the developer console provides when you enable app-to-app account linking in the developer console. |
Redirect URL |
The Universal Link or App Link that you specify when you enable app-to-app account linking in the developer console. The Alexa app and LWA redirect the user back to this URL after they acknowledge the account linking request. |
Scope |
Your app must set this to |
Skill ID |
The unique identifier of your skill. You can find this in the developer console. |
Stage |
The skill stage, which depends on whether your skill is published. Until your skill is published, set |
response type |
The response type must be |
state |
An opaque value that your app uses to maintain state between the current request and the response. For the Alexa app URL, the state value is required. Alexa includes this state as-is in the response when it redirects the user back to your app using your redirect URLs. You must validate the incoming requests using state to prevent cross-site request forgery. Make sure that the state that you generate doesn't contain You can generate the state using secure random number generator, and save it to your user session for validation. Alternatively, you can generate the state from your backend server and using a key to encrypt and decrypt it. |
Key steps
This section describes key steps, and provides code examples for an iOS app (10.0 or higher) and an Android app by using the following libraries and languages:
- iOS app – Swift 4, Alamofire and SwiftyJSON
- Android app – Kotlin
- Backend server – Node.js v11.12.0, Lodash 4.1.77, and axios 0.18.0
The following figure provides an overview of the steps. Descriptions of the steps, including code examples, follow.
Step 1: Display an account linking option in your app
Your app needs to have a screen from which a user can initiate skill enablement and account linking. This page should show what the user can do by linking their account with Alexa, such as ordering a car by voice.
Step 2: Enable Universal Links (iOS) or App Links (Android) for your app
To allow the Alexa app to redirect the user to your app, you must enable Universal Links for your iOS app or App Links for your Android app.
Step 3: Configure the skill to use app-to-app account linking
You configure your skill by using the developer console, the Alexa Skills Kit Command Line Interface (ASK CLI), or the Alexa Skill Management API (SMAPI). During this configuration, you specify things like your app's redirect URLs, access token URL, and so on.
Step 4: Get the user's Amazon authorization code
Your app needs to get the user's Amazon authorization code so that it can later exchange it for an Amazon access token. The Amazon access token will enable the app to enable the skill and complete account linking. The Amazon authorization code is valid for 5 minutes.
iOS examples
Android examples
State generation and validation
Step 5: Exchange the Amazon authorization code for an Amazon access token
After your app receives the user's Amazon authorization code, you need to use it to get the Amazon access token. You need the access token to call the Alexa service to enable the skill and complete account linking.
Step 6: Enable the skill and complete account linking
Now that your app has the user's Amazon access token, your backend server can call the Alexa Skill Enablement API to enable the skill and complete account linking.
Step 7: Display the account linking status in your app
Let the user know the account linking status by displaying it in your app, such as in the screenshots in User experience and Errors.
Step 8: Use the access token in the skill
After a user successfully enables your skill and links Alexa with your service, requests sent to your skill include the user's access token. Your skill code needs to get the access token from the request, validate it, and use it to retrieve the necessary user information from your resource server.
Errors
This section describes possible errors that can occur when account linking or skill enablement fails. When an error occurs, your app should show the appropriate error message to the user. The following image shows one example; this section lists others as well.
Error descriptions
This section describes error scenarios that can occur when a user tries to initiate app-to-app account linking. Your app must inform the user that account linking failed, and provide the appropriate error message to the user. This section provides error messages and gives possible causes of the errors. For the best user experience, we encourage you to use the error messages we provide here.
There are three points in the app-to-app account linking flow where your app might receive an error from Alexa:
- Obtaining the Amazon authorization code
- Exchanging the Amazon authorization code for an Amazon access token
- Calling the Alexa Skill Enablement API
Errors when obtaining the Amazon authorization code
If an error occurs when your app tries to get the Amazon authorization code, the redirect_uri
that the Alexa app uses to redirect the user back to your app will include an error query parameter, as described by the OAuth 2.0 specification. The Alexa app and the LWA fallback both follow the OAuth 2.0 specification, so they both return the same error codes to your app. For details about why the request to get the Amazon authorization code failed, you can check the error_description
query parameter and the OAuth 2.0 specification description for that error code.
Error code | Message to show to user | Possible causes |
---|---|---|
invalid_request |
We are experiencing a problem connecting with Alexa to link your account. Please try again later. |
Request is missing |
unauthorized_client |
We are experiencing a problem connecting with Alexa to link your account. Please try again later. |
The provided |
access_denied |
None. (The user shouldn't see an error message because they were the one who denied the access.) |
The user rejected the request to link their account |
unsupported_response_type |
We are experiencing a problem connecting with Alexa to link your account. Please try again later. |
Parameter |
invalid_scope |
We are experiencing a problem connecting with Alexa to link your account. Please try again later. |
Invalid |
server_error |
Sorry, Alexa encountered an unexpected error while trying to link your account. Please try again. |
Unexpected server error |
temporarily_unavailable |
Sorry, Alexa encountered a momentary error while trying to link your account. Please try again later. |
Temporary server error |
Errors when exchanging the Amazon authorization code for an Amazon access token
If an error occurs exchanging the Amazon authorization code for the Amazon access token, the Amazon token server will respond with a 400 Bad Request status code and the body's JSON response will include an error parameter, as described by the OAuth 2.0 specification. For details about why the request to obtain the Amazon access token failed, you can check the error_description
parameter of the JSON response and the OAuth 2.0 specification description for that error code.
Error code | Message to show to user | Possible causes |
---|---|---|
invalid_request |
We are experiencing a problem connecting with Alexa to link your account. Please try again later. |
Missing |
invalid_client |
We are experiencing a problem connecting with Alexa to link your account. Please try again later. |
Invalid |
invalid_grant |
We are experiencing a problem connecting with Alexa to link your account. Please try again later. |
The request's |
unauthorized_client |
We are experiencing a problem connecting with Alexa to link your account. Please try again later. |
The provided |
unsupported_grant_type |
We are experiencing a problem connecting with Alexa to link your account. Please try again later. |
The request's |
Errors when calling the Alexa Skill Enablement API
If an error occurs when your app calls the Alexa Skill Enablement API to enable and link the user's account, the API will respond with a status code that says why the request failed. Otherwise, the API will respond with a HTTP 2XX
status code. For details about why the skill activation request failed, you can check the message
parameter of the JSON response.
HTTPS status code | Message to show to user | Possible causes |
---|---|---|
400 Bad Request |
We are experiencing a problem connecting with Alexa to link your account. Please try again later. |
|
403 Forbidden |
We are experiencing a problem connecting with Alexa to link your account. Please try again later. |
|
404 Not Found |
We are experiencing a problem connecting with Alexa to link your account. Please try again later. |
|
500 Server Error |
Sorry, Alexa encountered an unexpected error while trying to link your account. Please try again. |
|
Best practices
When you implement app-to-app account linking, keep the following best practices in mind:
Discoverability of app-to-app account linking
To make app-to-app account linking easy to access from your app, follow these best practices:
Keep the number of clicks low
Keep the number of clicks required to initiate the account-linking flow as low as possible. The user shouldn't need more than three clicks to get from your app's home screen to the account linking flow. Starting from the home screen on your app, the following are some common flows.
Example flow 1
The user:
- Clicks your app's burger menu.
- Clicks Link with Alexa.
- Clicks Allow to initiate the account linking flow from your app.
- Gives their account-linking consent inside the Alexa app.
- Gets redirected to your app.
Example flow 2
The user:
- Clicks your app's burger menu.
- Clicks Third-Party Integrations. (or similar wording)
- Clicks Link with Alexa.
- Clicks Allow to initiate the account linking flow from your app.
- Gives their account-linking consent inside the Alexa app.
- Gets redirected to your app.
Surface the Alexa integration
Make the user aware of the Alexa integration the first time they use your app. For example, at the end of your application set-up experience, implement an additional screen, with an Alexa logo, that directs users toward your app-to-app account linking flow.
If the user clicks the Alexa logo, they are redirected into the app-to-app account linking flow. If the user wants to skip the linking process, you can take them to a screen in the menu structure of your app where they can find the linking flow later.
Review your voice assistant settings
If your app has settings related to voice assistants, make sure that account-linking initiation is accessible from that area.
Usability
To help make app-to-app account linking easy to use, follow these best practices:
- Display the correct account linking status.
- Provide clear messaging.
- Get all required information before redirecting the user.
Display the correct account linking status
To display the correct button on your app (Link versus Unlink), you can check for skill enablement and account linking status for a given user by making a Get account linking and skill status request to the Alexa Skill Enablement API. However, this gives you a successful response only for users who linked their account using app-to-app account linking. Therefore, we recommend that you also subscribe to the Skill Disabled Event to get notified when a user disables your skill and thereby unlinks their account. You can't rely on the Alexa token pair being present in your backend to determine if a user has linked their account.
AcceptGrant
directive.Provide clear messaging
Consider the entire app-to-app account linking experience, and provide clear messaging to the user for all user flows. Gracefully handle cases in which the user cancels the account linking experience mid-flow, times out, and so on. Provide clear information about what went wrong.
Get all required information before redirecting the user
Before redirecting the user to the Alexa app or LWA to link their account, ask the user for any other information you require for account linking (additional details, consent, a PIN, and so on).
If the user's request includes a financial transaction or involves personal information, ask the user to answer a previously defined security question before fulfilling their request.
Follow brand usage guidelines
When designing your app's user interface, follow the Alexa Brand Guidelines for Amazon Developers. This helps make it clear to users, at a glance, that they are being asked to link their account to use your service with Alexa.
Unlinking
The following best practices relate to unlinking linked users and notifying unlinked users.
Implement unlinking within your app
You must give your users an option to unlink their account from within your app. To do so, you need to persist the Amazon access and refresh token pair that your app received during the app-to-app account linking flow for future unlinking requests within your app. You can disable the skill and unlink the account for the user by making a Disable skill and unlink account request to the Alexa Skill Enablement API.
AcceptGrant
directive.For previously linked users who didn't use app-to-app account linking, use the Unlink button to send the user to your skill's page with a Disable skill option within the Alexa app. The link on your skill's page in the Alexa app will look similar to the following examples:
- Android:
https://alexa.amazon.com/spa/index.html#skills/dp/{skillAsin}
- iOS:
https://alexa.amazon.com/spa/index.html#skills/dp/{skillAsin}
- Fallback (if the Alexa app is not installed): Redirect your users to
https://www.amazon.com/dp/{skillAsin}
To find the Amazon Standard Identification Number (ASIN) for your skill, browse to your skill in the Alexa Skills Store. The ASIN is the 10-digit alphanumeric ID in the URL. For example, in the URL www.amazon.com/gp/product/A1A1A1A1A1
, the ASIN is A1A1A1A1A1
.
Notify unlinked users
Inform unlinked users about your account linking feature. There are a number of options for communicating with your user base, including push notifications, "what's new" pop-up screens after updating the app to a new version, release notes in app stores, blog posts, or emails.
Back-end code
To help ensure that app-to-app linking works smoothly, follow these best practices:
Assemble the URLs in the backend
In your code to Get the user's Amazon authorization code, we highly recommend that you assemble the Alexa app URL and LWA fallback URL in your back-end server, and then pass the assembled URLs to your app. This enables you to quickly change parameters (such as the stage) without rebuilding your app.
Ensure that your redirect URI works
On some occasions, LWA doesn't trigger Universal Links and App Links when it sends back the LWA auth_code
in Step 4. To avoid losing the user's intent to link their account, we recommend that you ensure that your redirect_uri
is able to fulfill the account linking request if it's opened inside the same web view as the LWA authorization page. To achieve this functionality, send the auth_code
that your web page receives in the redirect_uri
from Step 4 to your backend server to perform Step 5 and Step 6. Finally, display a success page (Step 7) directly on your web page.
Testing guidelines
In addition to making sure that your skill meets the certification requirements that apply to all skills, we recommend that you test the following aspects:
- When the Alexa app is installed, you are able to complete account linking when it is initiated from your app using the Alexa app flow. On Android, if you see a Use a different app selector when opening the Alexa app URL, it means that your version of the Alexa app has invalid App Links. To fix this, delete and re-install the Alexa app.
- When the Alexa app isn't installed, you are able to complete account linking when it is initiated from your app or website using the LWA flow. If your implementation doesn't support the LWA flow, your app or website provides a graceful error message to the user.
- When account linking fails, your app or website provides a graceful error message to the user.
- After you complete account linking, you should be able to unlink the account using your app. You should also see the correct button (Link versus Unlink) depending upon the status of your account linking.
Also be sure to beta test your skill. When you enable beta testing, don't forget to add beta testers.
Note that, until your skill is published, you must set the stage
value to development
when you use the Alexa app URL and the Alexa Skill Enablement API. When your skill is published, use live
.
Frequently asked questions
The following are frequently asked questions about the app-to-app account linking flow that starts from your app.
- Q: How do I know if the Alexa app isn't installed on the user's mobile device?
-
For an example of how to determine this in iOS, see Example: Open the URLs in Step 4: Get the user's Amazon authorization code.
- Q: I own more than one skill. Can I link accounts for all of them at once?
-
To protect user trust, app-to-app account linking requires user consent for a specific skill. If you want to link a user's account for more than one Alexa skill, you must take the user through the linking flow more than once.
- Q: How do I check if the skill is already enabled and the account is already linked?
-
You make a Get account linking and skill status request to the Alexa Skill Enablement API. When you call this API, you must use one of the following access tokens:
- The token that you received when you set up app-to-app account linking for the customer.
- (Smart home skills only) The token that you received from the
AcceptGrant
directive after mutual authentication.
- Q: What if the skill is already enabled and the account is already linked?
-
When you make an Enable skill and account link request to the Alexa Skill Enablement API, the user's account is relinked and you receive a
HTTP 201 Created
response. - Q: How can I get notified when account linking is complete?
-
You can subscribe to the Account Linked event.
- Q: What if a user wants to link Alexa with a different user account than the account that they are currently logged in with in your app?
-
If a user wants to link Alexa with a different account, they should first log in to your app with the other account and then initiate account linking from within your app. Your app can choose to provide an option to switch accounts within the account-linking flow.
- Q: What if a user isn't an existing Alexa user and they don't have the Alexa app installed?
-
If a user has an Amazon account but isn't an Alexa user, they can simply sign in to the LWA page with their Amazon credentials and then acknowledge the linking request. If a user doesn't have an Amazon account, they can create a new Amazon account on the LWA screen and complete account linking for the skill. The user, however, will need an Alexa-enabled device or Alexa app in order to use Alexa features.
- Q: How does a user revoke account linking?
-
Disabling the skill unlinks the user's account. As with any skill, a user can say, "Alexa, disable {skill name}" or disable the skill from the skill's detail page. You can disable the skill and unlink the account for the user by making a Disable skill and unlink account request to the Alexa Skill Enablement API.
- Q: What happens when a user disables my skill? Am I notified?
-
To get notified when a user disables your skill, you can subscribe to skill disabled events. When the skill is disabled, you should revoke your access token and delete the Amazon access token for the user. Alexa also deletes the access token that your service provided, and revokes the Amazon access token.
- Q: What if my skill requires permissions? Can I get these during app-to-app account linking?
-
Permissions (such as device address and user profile information) are currently not part of this account linking flow. When the user invokes the skill with an intent that needs permissions, you'll need to prompt users, through a permissions card, for the respective permissions during runtime.
However, when a user links their account through the other app-to-app account linking flow, App-to-App Account Linking (Starting From the Alexa App), they are prompted to grant permissions. You can grant the required permissions by using that flow.
- Q: How do I know if the Alexa app isn't installed on a mobile device?
-
For an example of how to determine whether the Alexa app is installed on an iOS or Android device, see Example: Open the URLs in Step 4: Get the user's Amazon authorization code.
- Q: How do I retrieve a user's authorization code for their account in my service?
-
You are required to generate the user's authorization code by using your authorization server. In the traditional account linking flow, this authorization code is generated in the step in which a user logs in to your service and provides consent to link with Alexa. In app-to-app account linking (starting from your app), the user is already logged in, so you need to programmatically generate a new authorization code for the user from your OAuth provider. The user must not be required to log in and provide consent again.
Related topics
- App-to-App Account Linking (Starting From the Alexa App)
- Alexa Skill Enablement API
- Add Account Linking to Your Alexa Skill
Last updated: Sep 10, 2024