How to Set Up Amazon Ads MCP: A Step-by-Step Guide
amazonadsmcp.comHow to set up Amazon Ads MCP: request Amazon Ads API access, create a Login with Amazon profile, connect your AI client, and validate safely.
Updated June 15, 2026 · The Amazon Ads MCP editorial team
Setting up Amazon Ads MCP comes down to two things: getting access to your Amazon Ads data, and connecting that to an MCP-capable AI client. How much work the first part takes depends entirely on which route you pick.
Two ways to connect
Managed server
A third-party provider runs the server and holds your tokens.
- Handled for you Amazon Ads API access and token refresh
- You do Authorize your account once, then connect
- You do Start using it in minutes
Official or self-hosted
You connect Amazon's server, or run your own.
- You do Register for Amazon Ads API access
- You do Hold and secure the credentials
- You do Set up and maintain the connection
Before going further, it helps to know there are three kinds of Amazon Ads MCP server, because the word “managed” trips people up:
- Managed servers are run by third-party software providers, such as Adbrew MCP, Intentwise MCP, or Hector MCP. The provider already holds Amazon Ads API access, so you just sign in, authorize your account, and start in minutes. These usually add guardrails and logging on top.
- Amazon’s official server is Amazon’s own first-party MCP server. It is capable, but you bring your own Amazon Ads API credentials and connect it yourself.
- Self-hosted servers are open-source projects you run on your own machine or cloud. Maximum control, but you handle the credentials, hosting, and upkeep.
The managed route is easiest because the provider takes care of the API access described below. The official and self-hosted routes need your own Amazon Ads API access, which is what the rest of this guide walks through.
What you need first
- An Amazon Ads account with active campaigns. Amazon will not approve API access for an account with no ad spend.
- An MCP-capable AI client, such as Claude or ChatGPT.
- For the official or self-hosted route, Amazon Ads API access, set up below.
Getting Amazon Ads API access
This is the part most guides gloss over. Here is the whole path, start to finish.
- 1 Request Amazon Ads API access Apply through the onboarding portal and wait for review.
- 2 Create a Login with Amazon security profile This gives you the Client ID and Client Secret.
- 3 Link the security profile to your API application Done in the Ads console, not the developer portal.
- 4 Run the OAuth flow Authorize once to get a long-lived refresh token.
- 5 Select your profile Choose the account and marketplace to manage.
Request access and wait for approval
- Go to the Amazon Developer portal.
- Sign in using the exact email address tied to your main Seller or Vendor account. Using a different login is a common cause of access headaches later.
- Complete the standard developer registration if you have not done so before.
- Open the Amazon Ads API onboarding guide and click Request Access.
- Fill out the application form: enter your company name, choose “I want to manage my own advertising” as the use case, and select the markets you advertise in.
- Submit the form and wait. Approval typically takes one to three business days.
If you are rejected, the usual reason is an account with no active ad spend. Make sure campaigns are running, then reapply with a clear description of what you plan to do.
Create a Login with Amazon security profile
The Amazon Ads API authenticates through Login with Amazon (LWA). In the LWA console:
- Create a new security profile and give it a name and description.
- Copy your Client ID, which begins with
amzn1.application-oa2-client. - Copy your Client Secret, which begins with
amzn1.oa2-cs.v1.Keep both somewhere secure. - Add an allowed return URL (the redirect URI). It has to match exactly what your server
expects, or authorization will fail later. For a locally hosted server it is usually a
localhost callback such as
http://localhost:8000/auth/callback; for a hosted server it is your domain’s callback URL.
Link the profile to your API application
This is the step people miss.
- Open your Amazon Ads console, not the developer portal.
- Find the API or LWA settings.
- Link the security profile you just created to your approved Ads API application.
If you skip this, authorization will appear to succeed in the browser, but your client will report that it is not authenticated.
After approval, what you actually have
Once the above is done, you hold five OAuth credentials rather than a single API key:
| Credential | What it is |
|---|---|
| Client ID | Identifies your application |
| Client Secret | The application’s secret |
| Refresh token | Long-lived token used to mint access tokens (from the OAuth flow) |
| Access token | Short-lived token sent on each API call |
| Profile ID | The advertiser account and marketplace to act on |
The Amazon Ads API supports only the authorization-code flow with refresh tokens. There is no static key, which is exactly why managed servers, which hold and rotate these for you, remove so much of this work.
Connecting your AI client and running OAuth
With access in place, point your client at the server. Most MCP clients need only the server URL. A remote-server config block looks like this:
{
"mcpServers": {
"amazon-ads": {
"type": "streamable-http",
"url": "https://your-amazon-ads-mcp-server.example/mcp"
}
}
}After the client reconnects, you complete the OAuth flow to turn your approved access into a working session. With most servers you do this in conversation: ask the assistant to start the OAuth flow, open the URL it returns, approve access, then confirm the status. That step is what produces your refresh token and logs the server into your account.
Finally, select a profile. A profile is one account in one marketplace, so your US and Canada stores are separate profiles. List your profiles, then set the active one before running any reporting or campaign tools.
Client-specific walkthroughs with the exact prompts:
Validate before you trust it
- Run a read-only report and confirm the figures match the Amazon Ads console.
- Make one tiny write, such as a small budget change, and confirm any guardrails behave.
- Check the action log so you can see exactly what the AI did.
Common setup problems
- API access rejected. Almost always no active ad spend. Run campaigns and reapply with a detailed use case.
- “Invalid redirect URI.” The allowed return URL in your LWA profile does not match what the server expects. Make them identical.
- Browser shows success, but the client says not authenticated. Your LWA security profile is not linked to your Ads API application. Link it in the Ads console and retry.
Go broader
Once you trust read accuracy and write behavior, expand into real workflows. For ideas, see Amazon Ads MCP use cases. To understand what happens behind each call, read how Amazon Ads MCP works.
Related reading
- New here? Start with What is Amazon Ads MCP?
- The first-party option: the official Amazon Ads MCP Server
Sources
- Amazon Ads, “Onboarding overview” (requesting API access, review). advertising.amazon.com
- Amazon Ads, “Assign API access to a Login with Amazon application” (linking the security profile). advertising.amazon.com
- Amazon Ads, “Amazon Ads API authorization overview” (Login with Amazon, authorization-code flow). advertising.amazon.com
Frequently asked questions
How long does Amazon Ads API approval take?+
Typically one to three business days. The most common reason for rejection is an account with no active ad spend, so make sure campaigns are running before you apply, and reapply with detailed notes on your intended use if you are turned down.
What do I do after my Amazon Ads API access is approved?+
Create a Login with Amazon security profile to get your Client ID and Client Secret, set an allowed return URL, then link that security profile to your Amazon Ads API application in the Ads console. After that you run an OAuth flow to mint a refresh token and select the profile (account and marketplace) you want to manage.
Do I always need Amazon Ads API credentials?+
Only for the official or self-hosted route. A managed server holds and rotates the credentials for you, so you authorize your account once and connect. That is why managed is the fastest path.
What credentials does the Amazon Ads API use?+
Five OAuth values rather than a single key: Client ID, Client Secret, a long-lived refresh token, a short-lived access token, and a profile ID. The API supports only the authorization-code flow with refresh tokens.
Keep reading
- Ultimate GuideWhat Is an MCP Server? The Ultimate GuideA plain-English and technical guide to MCP servers: what they are, how they work, why the AI industry adopted them so fast, and the security risks.
- ComparisonMCP vs API: Differences and When to Use EachA data-backed comparison of MCP and traditional APIs: how they relate, where they differ, the costs of MCP, and a clear rule for choosing.
- GuideWhat Is Amazon Ads MCP? A Complete GuideAmazon Ads MCP lets AI assistants manage Amazon advertising through the Model Context Protocol. What it is, how it works, and what you can do.
- GuideThe Official Amazon Ads MCP Server (Open Beta), ExplainedAmazon's official Amazon Ads MCP Server reached open beta on February 2, 2026. What it does, what it supports, and how to connect to it.
- TechnicalHow Amazon Ads MCP Works: Under the HoodHow an Amazon Ads MCP server works under the hood: OAuth and tokens, profiles and regions, tool definitions, the async report cycle, and limits.
- How-toHow to Connect the Amazon Ads MCP Server to ClaudeConnect Amazon's official Amazon Ads MCP Server to Claude Desktop and Claude Code: the config, the OAuth flow, profiles, and troubleshooting.