Amazon Ad Server will be sunset in Q4 2024. Please visit this page (AAS offboarding information) for offboarding support resources and sunset FAQs. Details shared on that page represent the most up-to-date information in the Help Center; if you find disparate information in other resources, please default to the information in the AAS offboarding information page.

Please note that on October 1, 2024, the ability to create new campaigns, placements, and tag managers will be disabled.



To ensure that all client and end-user data is kept private and secure, all API interactions require authentication of the client or application.

Every API request is validated with a unique set of credentials belonging to the application that handles the communication. Currently, Amazon Ad Server (AAS) supports a single, simple authentication method based on a manually pre-generated API username and password.

The API credentials are assigned to a specific API user, carry a defined set of permissions, and are subject to a defined request quota. For more information, see Quotas and Limitations on API Requests.


Important: You cannot exceed 10 simultaneous, active, API sessions with the same user credentials.

Authentication Flow

The current authentication flow is as follows:

  1. Client is generated with a specific API username, password, and API key.

  2. Application that starts engaging the API uses the username, password, and API key to generate an AAS session token.

    • For the sandbox environment, the login URL is the following:
    • For the production environment, the login URL is:

JavaScript Flow Example

  1. Authenticate with the API-assigned username and password, and the API key. Then, call a specific API method:

    var settings = {
        "url": "",  // login URL of the sandbox or production environment
        "method": "POST",
        "timeout": 0,
        "headers": {
            "Content-Type": "application/json",
            "api-key": "api key token",
            "": ""
        },
        // Serialize the credentials as valid JSON to match the Content-Type.
        "data": JSON.stringify({ username: "Username", password: "Password" })
    };
    $.ajax(settings).done(function(response) {
        // The response carries the generated session token (sessionId).
    });

  2. Implement the method, adding the generated session token/sessionId in the "Authorization" header and the API key in the "api-key" header:

    function call_method_x(sessionId) {
        $.ajax({
            url: "",
            type: "GET",
            contentType: 'application/json',
            data: 'from=0&max=25',
            headers: {
                'Access-Control-Allow-Origin': '*',
                'Content-Type': 'application/x-www-form-urlencoded',
                'Authorization': sessionId,
                'api-key': key  // API key assigned to the API user
            },
            success: function (data) {
                // Handle the API response here.
            }
        });
    }

Credentials and Tokens

It is important to remember that the API credentials and generated token grant access to make requests and get access to the application data. Consider these values as sensitive as passwords; do not expose or share these values with non-trusted parties.

HTTPS Protocol

Authentication and all other requests are only secure if SSL is used. Therefore, all requests must use the HTTPS protocol.
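
The guidance in the sections above, as an added example that is not Amazon Ad Server code: helpers that refuse non-HTTPS URLs before credentials are attached, mask secrets before a request is logged, and share one login among all callers to stay under the session limit. All function names are assumptions; the page gives neither the login URL nor the login response format, so the HTTP call itself is left to a caller-supplied `login` function that returns a Promise of the session token.

```javascript
// Added example, not Amazon Ad Server code; all names here are assumptions.

// Refuse to attach credentials to anything that is not HTTPS.
function requireHttps(url) {
    const parsed = new URL(url); // throws on malformed input
    if (parsed.protocol !== 'https:') throw new Error('refusing to send credentials over ' + parsed.protocol);
    return parsed.href;
}

// Step 1: login request with a JSON body and the api-key header.
function buildLoginRequest(loginUrl, creds) {
    return {
        url: requireHttps(loginUrl),
        method: 'POST',
        headers: { 'Content-Type': 'application/json', 'api-key': creds.apiKey },
        body: JSON.stringify({ username: creds.username, password: creds.password })
    };
}

// Step 2: API request carrying the session token and the API key.
function buildApiRequest(apiUrl, sessionId, apiKey) {
    const headers = { 'Authorization': sessionId, 'api-key': apiKey };
    return { url: requireHttps(apiUrl), method: 'GET', headers };
}

// Copy of a request that is safe to log: secret headers and the body are masked.
function redact(req) {
    const headers = {};
    for (const [name, value] of Object.entries(req.headers)) {
        headers[name] = /^(authorization|api-key)$/i.test(name) ? '[redacted]' : value;
    }
    return req.body ? { ...req, headers, body: '[redacted]' } : { ...req, headers };
}

// One shared login for all callers (the page allows at most 10 simultaneous sessions).
function createSessionCache(login) {
    let pending = null;
    return {
        get() {
            if (!pending) {
                // A failed login is not cached, so the next get() retries.
                const p = login().catch((e) => { if (pending === p) pending = null; throw e; });
                pending = p;
            }
            return pending;
        },
        reset() { pending = null; } // force a fresh login on the next get()
    };
}
```

Because `get()` caches the Promise rather than the resolved token, concurrent callers that arrive before the first login completes still trigger only one login.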
