Amazon DevPay
Getting Started Guide (API Version 2007-12-01)

Desktop Products

This section describes how desktop products meet the DevPay requirements to ensure the correct customer is billed for use of the product. For additional requirements applicable to Amazon S3 products that use DevPay, see Ways to Use DevPay.

Following are the main differences between an Amazon DevPay desktop product and a regular desktop product:

  • The DevPay desktop product must have the DevPay product token embedded in it so it can provide the product token each time it makes a request to AWS (you obtain the product token when you register the product with DevPay; for more information, see Product Registration). The product token is a long encoded string prefixed with the literal string {ProductToken}.

  • The DevPay desktop product must call the License Service to activate itself and obtain a set of credentials for the specific customer using the product. The product must store those credentials securely on the customer's system and use them when making a request to Amazon S3 on behalf of that customer. The credentials include a user token (a long encoded string prefixed with the literal string {UserToken}), a Secret Access Key, and an Access Key ID. The product includes the user token in the Amazon S3 request and signs the request using the customer's Secret Access Key (instead of your own).

  • The DevPay desktop product must include two additional headers in the REST Amazon S3 request (one for the product token and one for the user token).


The aforementioned customer credentials are specific to your product. If John Smith signs up to use both your DevPay product and another DevPay product, he will have a similar but separate set of credentials for each product stored on his system. Each DevPay product must be able to keep its customer credentials separate from those of another DevPay product installed on the customer's system.

The preceding items are required to make your product handle customer authentication correctly for DevPay. The overall process of customer authentication for a desktop product is described in the diagram and corresponding steps that follow.

Overall process for desktop products

Overall Authentication Process for Desktop Products

The customer signs up for the product by clicking the purchase URL AWS provided you during product registration, and as part of the process, the customer:

  • Logs in with an login (or creates a new login; this a regular login and not an AWS developer account)

  • Signs up to use your product

  • Obtains an activation key required by your product

The customer downloads and installs your product.

As part of the installation, or immediately after, the product goes through an activation process:

  1. Your product obtains the activation key from the customer.

  2. Your product sends a request to the License Service to activate itself and obtain a Secret Access Key, Access Key ID, and user token for the customer. Your request includes the product token for your product and the customer's activation key.

  3. Your product appropriately stores the credentials it has received so the customer can use the product seamlessly in the future.

Later, when the customer uses the product, the product makes an Amazon S3 request on behalf of the customer. In the process, the product retrieves and uses the Secret Access Key, Access Key ID, user token, and the product token for the product.