I need help with "The request has an invalid parameter: scope" and also "'x-amzn-errortype': 'OA2InvalidScopeException'"


Hello there,

I'm VERY new to the AWS platform, so please be patient as I'm still testing the waters and in my learning curve. I've looked everywhere for a solution without any success. I read the documents to some extent.

I'm developing an app that integrates with the Amazon Selling Partner API (SP-API) and encountering API authorization issues, specifically when fetching keywords and catalog items. The request returns a "403 Forbidden" error indicating unauthorized access as well as the following errors in my VS Code terminal when testing locally: "error_description: 'The request has an invalid parameter: scope', error: 'invalid_scope'" and "'x-amzn-errortype': 'OA2InvalidScopeException'".

I created an IAM policy and have also set the following environment variables in my application: client id, client secret, AWS access key id, AWS secret key id.

I have successfully fetched the OAuth2 access token using the appropriate OAuth2 token endpoint. I then tried making requests to the SP-API endpoint for catalog items and received the following errors: "Unauthorized" and "Access to requested resource is denied."

I've attached a few screenshots since I'm not allowed to specific URL

I appreciate your patience and support.

Thank you kindly.


2 Answers


Could you please update the scope to sellingpartnerapi::catalog and try again?

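import axios from 'axios';

// Request an access token from the OAuth2 token endpoint.
const tokenResponse = await axios.post('https://<api>/auth/o2/token', {
    grant_type: 'client_credentials',
    client_id: process.env.CLIENT_ID,
    client_secret: process.env.CLIENT_SECRET,
    scope: 'sellingpartnerapi::catalog'  // Correct scope for catalog access
});
const accessToken = tokenResponse.data.access_token;

// Debug output only: the access token is a bearer credential.
console.log('Access Token:', accessToken);

// categoryId is assumed to be defined elsewhere in the application.
const response = await axios.get(`https://<url>/products/v0/catalogs/categories/${categoryId}/keywords`, {
    headers: {
        'Authorization': `Bearer ${accessToken}`,
        'Content-Type': 'application/json'
    },
    params: {
        marketplace_id: process.env.MARKETPLACE_ID
    }
});
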
IAM policy

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": [
            "Resource": "arn:aws:execute-api:*:*:*"
            "Effect": "Allow",
            "Action": [
            "Resource": "arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/YOUR_SPAPI_ROLE_NAME"

I would be happy to assist you further!

answered a month ago

Hi Sivaraman, Thanks for your response. I did try that scope and a host of others but they all throw the same error. So far I've tried the following scopes and encountered the same error.

  1. sellingpartnerapi:GetCatalogItems
  2. sellingpartnerapi:ListCatalogItems
  3. sellingpartnerapi:SearchCatalogItems
  4. sellingpartnerapi:ListMarketplaceParticipations
  5. sellingpartnerapi:GetMarketplaceParticipations
  6. sellingpartnerapi::catalog
  7. sellingpartnerapi::catalog_data

Could there be an issue with the way my app is registered? Are there specific configurations or roles that must be set during app registration for these scopes to work?

Am I using the correct endpoint for the Selling Partner API based on my region? My current endpoint is https://sellingpartnerapi-na. Amzn url. Is there any other configuration needed for this endpoint?

Are there specific IAM policies or roles that need to be configured to allow access to these scopes? Here is the IAM policy I'm stalled at this moment. I spent the last hour reading AWS API documentation and troubleshooting but with no success so far.

answered a month ago
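The question reports two different failures (an `invalid_scope` reply with `x-amzn-errortype: OA2InvalidScopeException`, and a 403 "Access to requested resource is denied"), and the first answer's snippet prints the access token to the console. The following is an added example, not code from the thread or from Amazon: it reduces a failed axios call to a log record that says which stage rejected it and leaves out the client secret and bearer token. The function names, the 400 status and the `errors[]` body shape are assumptions, and the sample objects are constructed from the strings quoted in the question.

```javascript
// Added example. Inputs mimic an axios error: err.response.{status,headers,data}
// and err.config (the outgoing request, which contains the credentials).

// Error codes an OAuth 2.0 token endpoint may return (RFC 6749, section 5.2).
const OAUTH_ERRORS = new Set(['invalid_request', 'invalid_client', 'invalid_grant',
  'unauthorized_client', 'unsupported_grant_type', 'invalid_scope']);

// Keep only enough of a credential to correlate log lines.
function redact(secret) {
  if (typeof secret !== 'string' || secret.length === 0) return '<none>';
  return `${secret.slice(0, 4)}...(${secret.length} chars)`;
}

// Build a record that is safe to log and names the stage that refused the call.
function summarizeAuthError(err) {
  const res = err.response || {};
  const data = res.data || {};
  const headers = res.headers || {};
  const summary = { status: res.status ?? null, stage: 'unknown', detail: null,
    errorType: headers['x-amzn-errortype'] ?? null };
  if (OAUTH_ERRORS.has(data.error)) {
    // The token endpoint refused the request: no access token was issued.
    summary.stage = 'token';
    summary.detail = `${data.error}: ${data.error_description ?? ''}`.trim();
  } else if (res.status === 401 || res.status === 403) {
    // A token was presented and the resource endpoint denied the call.
    summary.stage = 'resource';
    const first = Array.isArray(data.errors) ? data.errors[0] : null;
    summary.detail = first ? `${first.code}: ${first.message}` : null;
  }
  // err.config holds the request body and headers; never log it whole.
  const auth = err.config?.headers?.Authorization;
  if (auth) summary.bearer = redact(auth.replace(/^Bearer\s+/i, ''));
  return summary;
}

// Constructed samples (status 400 and the errors[] shape are assumptions).
const tokenFailure = {
  config: { data: JSON.stringify({ client_secret: 'constructed-secret-value' }) },
  response: { status: 400, headers: { 'x-amzn-errortype': 'OA2InvalidScopeException' },
    data: { error: 'invalid_scope',
      error_description: 'The request has an invalid parameter: scope' } },
};
const resourceFailure = {
  config: { headers: { Authorization: 'Bearer constructed-access-token' } },
  response: { status: 403, headers: {}, data: { errors: [
    { code: 'Unauthorized', message: 'Access to requested resource is denied.' }] } },
};
console.log(summarizeAuthError(tokenFailure), summarizeAuthError(resourceFailure));
```

A `token` stage means the scope or grant in the token request is what needs attention; a `resource` stage means a token was accepted for issuance but the API call itself was not authorized.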
