Skip to main content
Amazon Ads · BYO Setup Guide

Set up your own
Login With Amazon app.

Create a Login With Amazon (LWA) security profile that VelaReach uses to connect your Amazon Advertising accounts — on your own credentials, your own rate limits, your own branded consent screen. Takes about 12 minutes of clicking, plus an Amazon Advertising API access review if you don’t already have one.

~12 min setup Hard Region-locked tokens
Read this before you start — Amazon tokens are region-locked. A token issued for North America (NA) will not work for Europe (EU) or Far East (FE), and vice versa. Amazon runs three independent advertising clouds and they don’t share identities. If you advertise across multiple regions you’ll need separate Amazon Ads accounts (one per region) and you’ll choose the region inside the VelaReach BYO wizard — otherwise you’ll only see one region’s data after connecting. Most single-country advertisers can ignore this and pick NA, EU, or FE based on where their Seller Central / Vendor Central account lives.
Use BYO if
  • · You already have Amazon Advertising API access approved on a developer account
  • · You run a brand-owned ad ops team and want isolated data flow
  • · You want your own Login With Amazon consent screen on the OAuth dialog
  • · You operate at high volume and want your own rate-limit pool
Stick with shared app if
  • · You don’t have an Amazon Developer account yet
  • · You haven’t been approved for Advertising API access
  • · You want to be connected in the next 60 seconds
  • · You only run Amazon ads in a single region and don’t need data isolation

Before you begin

1

Create a Login With Amazon security profile

Sign in to developer.amazon.com/loginwithamazon. Hover the Apps & Services menu and pick Login with Amazon. On the LWA console click Create a New Security Profile.

https://developer.amazon.com/loginwithamazon/console/site/lwa/overview.html
Login with Amazon · Security Profile Management
Create a new security profile
Each app that uses LWA needs a security profile. Use one per integration.
↑ This is the name your team will see on the LWA consent screen.
Save

Name it something recognisable — this string appears on the OAuth consent screen.

The Privacy Notice URL must return HTTP 200. You can point it at velareach.metaminds.store/privacy or your own privacy page — Amazon doesn’t crawl the contents, but the link must be reachable.
2

Add the VelaReach redirect URL to Web Settings

On the LWA dashboard you’ll now see your new VelaReach-Ads security profile. Click the gear icon → Web Settings. Scroll to Allowed Return URLs and paste this exact URL:

https://api.velareach.metaminds.store/api/v1/integrations/amazon/callback
https://developer.amazon.com/loginwithamazon/console/site/lwa/.../web-settings
VelaReach-Ads · Web Settings
↑ Optional but recommended.
↑ This is the exact URL Amazon will redirect to after consent.
Save

Amazon is unforgiving about trailing slashes — the URL must match character-for-character.

This is the most common point of failure. If OAuth later returns “redirect_uri is not in the whitelist”, come back and check the URL character-by-character. No trailing slash, no http, no extra spaces from copy-paste.
3

Copy your Client ID and Client Secret

Back on the LWA dashboard, click the gear icon next to VelaReach-Ads and choose Web Settings again. At the top of the page Amazon displays your Client ID and Client Secret. Click Show Secret to reveal the secret value.

https://developer.amazon.com/loginwithamazon/console/site/lwa/.../web-settings
VelaReach-Ads · Credentials
↑ Always starts with amzn1.application-oa2-client.
Show Secret ↑ Re-enter your password to reveal.

Treat the Client Secret like a password — never paste it in chat or email.

🔒
VelaReach encrypts your Client Secret with AES-256-GCM the instant you submit it. It is never written to logs, never displayed back in plaintext, and never shared between workspaces.
4

Confirm Advertising API access is approved

The LWA security profile is half the puzzle — the other half is having Amazon Advertising API access attached to your developer account. Visit advertising.amazon.com/API/docs and check whether your account shows an active API access approval.

If you see “Apply for access”, fill out the application form — you’ll be asked for a use case description, expected call volume, and the security profile you just created. Approval usually arrives within 1–2 weeks.

You can finish the rest of this guide while you wait for approval — but the live OAuth test in Step 7 will fail until Amazon emails you the approval confirmation.
5

Identify your Amazon Ads region

Open advertising.amazon.com in another tab, sign in, and look at the URL. Amazon will redirect you to one of three regional dashboards — this tells you which region your tokens need to be issued for.

  • · URL contains advertising.amazon.com with US/CA/MX/BR locale → NA (North America)
  • · URL contains advertising.amazon.co.uk / .de / .fr / .it / .esEU
  • · URL contains advertising.amazon.co.jp / .com.au / .inFE (Far East)

Note your region down — you’ll select it in the next step. If you advertise in multiple regions, you’ll need to repeat the BYO connection once per region using the appropriate Amazon Ads account.

6

Paste credentials into VelaReach

Back in VelaReach: SettingsIntegrations → click the Amazon Ads card → ManageAdvanced tab → Set up BYO app. The wizard opens. On the credentials step:

  • · Pick the region you noted in Step 5 from the Region dropdown (NA / EU / FE)
  • · Paste the Client ID from Step 3 (starts with amzn1.application-oa2-client.)
  • · Paste the Client Secret from Step 3

Click Test & save. VelaReach makes a live call to Amazon’s regional advertising endpoint with your credentials and runs validation checks inline.

7

Verify the live test passes, then reconnect

You should see green check marks next to:

  • · Credentials format — Client ID and secret look well-formed
  • · Redirect URL whitelisted — matches your LWA Web Settings
  • · Security profile is Live — not in draft state
  • · Region endpoint reachable — Amazon’s regional API responded

Click Reconnect now → to run the OAuth flow through your new security profile. The Login With Amazon consent screen will display your security profile name (VelaReach-Ads) rather than VelaReach’s shared one. After consent, VelaReach exchanges the code for a refresh token and your Amazon Ads account picker will reappear with all available accounts in the selected region.

Amazon access tokens last 1 hour. VelaReach uses your refresh token to mint new access tokens automatically — you won’t need to reconnect again unless you rotate the secret in LWA.

After reconnecting, what changes?

✓ Preserved
  • · All historical Sponsored Products / Brands / Display data
  • · Your account picker selection (which Amazon Ads accounts are tracked)
  • · ACoS / TACoS / ROAS targets and pacing rules
  • · Scheduled reports and Slack notifications
  • · Every keyword harvest list, negative tag, and saved view
✦ Changed
  • · OAuth refresh token revoked and re-minted via your LWA profile
  • · Card shows violet BYO app pill plus region badge
  • · Consent screen on future reconnects displays your security profile name
  • · Audit log records who switched and when
  • · API calls count against your regional rate limit pool

Troubleshooting

“An error occurred — unknown client id”
Your security profile is still in Draft state. Newly created LWA profiles need to be saved at least once with all required fields populated (name, description, privacy URL) before Amazon will accept the Client ID. Open the profile in the LWA console, confirm every field is filled, click Save, then re-run Test in VelaReach. If you still see the error, the Client ID may be from a deleted profile — copy it again from Web Settings.
“redirect_uri is not in the whitelist”
LWA is unusually picky about trailing slashes and protocol. The URL must be exactly https://api.velareach.metaminds.store/api/v1/integrations/amazon/callback — no trailing slash, no http, no extra path segments. Open Web Settings on your LWA profile, delete what’s there, and paste again using the Copy button in Step 2. Save, then re-run OAuth from VelaReach.
“No accounts found” even though I have campaigns running
You almost certainly picked the wrong region. Tokens issued under NA can’t see EU or FE accounts — Amazon runs three independent advertising clouds. Re-check the URL on advertising.amazon.com (Step 5) to confirm your region, then in VelaReach click Remove BYO, re-add the BYO app, and pick the correct region from the dropdown before re-testing. If you advertise in more than one region you’ll need to connect each region under a separate Amazon Ads account.
“Advertising API access not granted for this account”
Your developer account has a security profile but Amazon hasn’t finished reviewing your Advertising API application yet. Visit advertising.amazon.com/API/docs, sign in, and check the application status. Approvals typically arrive in 1–2 weeks after submission. While you wait you can finish the BYO setup — the OAuth test will start passing automatically the moment Amazon flips the access flag.
I want to revert to the shared VelaReach app
In the BYO wizard (or the Advanced tab of the Manage drawer), click Remove BYO. VelaReach wipes the encrypted credentials, flips back to the shared app, and revokes your security profile’s active refresh token. Historical spend, ACoS, and reporting data stay untouched. Click Reconnect once more to mint fresh tokens via the shared app — this time region is auto-detected.
💬
Stuck? Email us — we’ll hop on a 15-min screen share.
Amazon BYO is one of the trickier setups because of the region split — we don’t expect every customer to nail it the first try. Email support@velareach.com with your workspace name, the region you’re trying to connect, and the exact error and we’ll pair with you.