Amazon DevPay
Developer Guide (API Version 2007-12-01)

Desktop Product Activation


Amazon DevPay is not accepting new seller accounts at this time. Please see AWS Marketplace for information on selling your applications on Amazon Web Services.

Your desktop product must go through a process of activation before each customer can use it. This process is part of the overall process desktop products follow to work with Amazon DevPay (for more information, see Overall Authentication Process).

Activation means the product contacts AWS with a key identifying the customer, and AWS replies with credentials the product must use when making Amazon Simple Storage Service requests for that customer. The credentials are valid only for your specific product and for the specific customer. The following sections describe how activation works.

The Activation Key

To purchase your product, the customer goes through a purchase process, which starts when the customer clicks the purchase URL (for an example of what the customer sees during the purchase process, see Appendix: The Customer Purchase Experience). At the end of this process, the customer's browser splits into two frames. The top frame contains a confirmation for the purchase. The bottom frame contains the redirect URL you provided during product registration.

Also displayed in the top frame of the browser is an activation key that contains information identifying the customer and the product. The key looks similar to this: ADMAY7DVLJTWHJ76MMBMQEXAMPLE.

Your desktop product needs the activation key in order to get credentials the product needs for that customer. The following table describes the typical flow for getting the key.

Process for Getting the Activation Key

1. The redirect URL displays a download link where the customer can download your product.

2. The customer downloads and installs the product.

3. During the installation, the product prompts the customer for the activation key, indicating that it was displayed in the top frame of the browser window. The product also indicates that if the activation key is no longer available (if the customer closed the browser, for example), the customer can get a new key at the activate URL.

4. The customer pastes the key from the browser into the form your product provides. Or if the key isn't available that way, the customer clicks the link to the activate URL, logs in with an Amazon login, gets a new activation key, and pastes it into the form.

Activation keys expire one hour after creation for security reasons.


To successfully activate your product, the activation key your desktop product provides to AWS must be associated with the product token. In other words, do not provide an activation key that a customer obtained when signing up for some other product that uses Amazon DevPay besides yours. Your product should not store activation keys.

The Request for Activation

Once the product has the activation key, it activates itself by requesting the License Service action ActivateDesktopProduct. The request must include the product token and the customer's activation key. The response includes the Secret Access Key, Access Key ID, and user token for the customer. The Secret Access Key and Access Key ID work only with AWS service calls associated with DevPay. They can't be used for regular AWS service calls.

No harm occurs if your product activates itself more than once. Each time the product activates itself, the License Service returns a new Secret Access Key, Access Key ID, and user token for the customer. There might be times when the product needs to reactivate itself (for more information, see Desktop Product Exceptions). You should design your product so that it can reactivate itself without requiring the customer to reinstall the product. In this reactivation case, the product should overwrite the old credentials with the new credentials received during reactivation.

You can also let a customer install your product on multiple desktops (for example, on a work computer and on a home computer). Each instance of your desktop product that the customer installs needs to activate separately and receive its own set of credentials to use when making Amazon S3 calls for the customer. Activating a second or third computer for a customer doesn't invalidate the credentials from the first computer's activation. The customer can use the same activation key for each computer, or different ones (the customer can get a new activation key at any time by going to the activate URL).

The requests to activate your desktop product do not require any special authentication (but they must be made over HTTPS). If you're creating both a desktop version and web version of your product, be aware that desktop products don't have to authenticate their requests for the License Service, but web products do (for more information about web product activation, see The Request for Activation).

Credential Storage

Your product should encrypt and store the Secret Access Key, Access Key ID, and user token on the customer's file system.


The Secret Access Key, Access Key ID, and user token that your product receives work only for a specific customer and a specific product. If your customer purchases more than one Amazon DevPay desktop product, there will be a separate set of credentials for each product. For example, if customer John Smith purchases DevPay Product A and DevPay Product B, there will be a set of credentials for John Smith associated with Product A, and another set associated with Product B. It doesn't matter if he bought both products from you or if one was sold by another vendor. You must design your products such that each product separates its credentials on John Smith's system from any other products' credentials.

Activation and Subscription Timing

When customers sign up for your product, they must provide a credit card. However, they're not officially subscribed until we confirm the credit card is valid (a process known as vetting). The following diagram and discussion describe the timing of when the customer is officially subscribed.

[Figure: Subscription timing]

When customers sign up for the product, they are redirected to your URL and receive the activation key. At that point, we start the process of vetting the card. The customer is not yet officially subscribed to the product.

The credit card vetting process usually takes 2 minutes, but can take up to 15 minutes. During this time, your product can activate the customer and get the customer credentials. However, until the vetting succeeds, any calls your product makes to Amazon S3 on behalf of the customer return an error saying the customer isn't signed up for Amazon S3 (the error is NotSignedUp).

When the vetting succeeds, the customer is then officially subscribed to your product. Within a few seconds, Amazon S3 begins to accept your product's requests without returning the NotSignedUp error.

You should design your product to activate the customer and get the customer's credentials immediately after the customer is redirected to your URL. We recommend immediate activation because activation keys have a limited lifetime (one hour).

Once your product has activated the customer, it should wait until the customer is officially subscribed before sending any requests to Amazon S3. The product can determine the subscription status by polling VerifyProductSubscriptionByTokens at a regular interval (e.g., 30 seconds). Until the customer is officially subscribed, the action returns false for the subscription status. For more information about the action, see VerifyProductSubscriptionByTokens.
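The activate-then-wait sequence described above, as an added example that is not part of the original guide or of any AWS library. The `activate` and `verify` callables are hypothetical wrappers around ActivateDesktopProduct and VerifyProductSubscriptionByTokens, their argument order and the credential dictionary keys are assumptions, and `simulate` drives the flow with a constructed fake service and clock so it runs offline.

```python
import time

POLL_INTERVAL = 30        # seconds; the polling interval the guide gives as an example
VETTING_LIMIT = 15 * 60   # seconds; the guide's upper bound for credit card vetting


class NotSubscribedYet(Exception):
    """Vetting did not finish in the wait window; Amazon S3 would return NotSignedUp."""


def activate_and_wait(activation_key, product_token, activate, verify,
                      sleep=time.sleep, clock=time.monotonic,
                      limit=VETTING_LIMIT + POLL_INTERVAL):
    """Return (credentials, polls) once the customer is officially subscribed.

    activate and verify are hypothetical wrappers (assumptions of this example)
    around the ActivateDesktopProduct and VerifyProductSubscriptionByTokens
    License Service actions, called over HTTPS.
    """
    # Activate first: the key is valid for one hour and is never written to disk.
    creds = activate(product_token, activation_key)
    deadline = clock() + limit
    polls = 0
    while True:
        polls += 1
        if verify(product_token, creds["user_token"]):
            return creds, polls   # only now may the caller send Amazon S3 requests
        if clock() + POLL_INTERVAL > deadline:
            raise NotSubscribedYet(f"still unsubscribed after {polls} polls")
        sleep(POLL_INTERVAL)


def simulate(vetting_seconds):
    """Run the flow against a constructed fake service and a fake clock."""
    now = [0]
    def fake_activate(product_token, activation_key):
        return {"access_key_id": "AKID-CONSTRUCTED",
                "secret_access_key": "constructed-secret",
                "user_token": "constructed-user-token"}
    def fake_verify(product_token, user_token):
        return now[0] >= vetting_seconds   # false until vetting completes
    def fake_sleep(seconds):
        now[0] += seconds
    return activate_and_wait("ADMAY7DVLJTWHJ76MMBMQEXAMPLE",
                             "constructed-product-token",
                             fake_activate, fake_verify,
                             sleep=fake_sleep, clock=lambda: now[0])
```

With the usual two-minute vetting time, `simulate(120)` returns after five polls; a vetting time beyond the limit raises `NotSubscribedYet`, which the product can surface to the customer instead of sending S3 requests that would fail.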