Operational Security for SP-API & Advertising API Applications
February 2026
Amazon integrations routinely handle inventory positions, payouts, bids, customer data elements, and third-party SaaS tenancy. Threat models are boring until a leaked refresh token, over-scoped IAM key, or unauthenticated webhook undermines merchant trust—or triggers account suspensions downstream. This checklist distills habits we reinforce on client engagements; it complements Amazon’s documented security expectations but stays implementation-agnostic.
Secrets & credentials
- Centralize OAuth client secrets and RSA keys outside source control—use KMS/Vault equivalents with rotation rehearsal.
- Never log bearer tokens or LWA token-exchange payloads; redact at the logger, and back that with an automated CI check that fails on new log statements carrying credential fields.
- Provision separate developer apps per environment to avoid accidental production rotations during sandbox testing.
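The redaction and CI-gate habits above, as an added example (Python, not code from the original checklist). It assumes the documented LWA token prefixes (`Atza|` for access tokens, `Atzr|` for refresh tokens) and uses a constructed LWA token response and request line; `lint_log_statements` is a deliberately simple regex gate you would run over changed files in CI.

```python
"""Credential redaction for SP-API / LWA integrations.

Added example for this checklist, not code from the original article.
Assumptions: LWA access tokens start with "Atza|" and refresh tokens
with "Atzr|"; the sample payload and log lines are constructed.
"""
import logging
import re
from typing import Any

REDACTED = "[REDACTED]"

# Keys that never belong in a log record, whatever the value.
SENSITIVE_KEYS = {
    "access_token", "refresh_token", "client_secret",
    "authorization", "x-amz-access-token",
}
# Tokens that leak inside free text (exception messages, request dumps).
BEARER_RE = re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._~+/=|-]+")
LWA_TOKEN_RE = re.compile(r"\bAtz[ar]\|[A-Za-z0-9._~+/=-]+")


def redact_text(text: str) -> str:
    """Scrub bearer headers and bare LWA tokens from a string."""
    text = BEARER_RE.sub("Bearer " + REDACTED, text)
    return LWA_TOKEN_RE.sub(REDACTED, text)


def redact(value: Any) -> Any:
    """Recursively scrub dicts, lists/tuples and strings; other types pass through."""
    if isinstance(value, dict):
        return {
            k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else redact(v))
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return type(value)(redact(v) for v in value)
    if isinstance(value, str):
        return redact_text(value)
    return value


class RedactingFilter(logging.Filter):
    """Attach to loggers (or handlers) so redaction happens before formatting."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.msg)
        if record.args:
            record.args = redact(record.args)
        return True


LOG_CALL_RE = re.compile(
    r"\b(?:log|logger|logging)\.(?:debug|info|warning|error|exception|critical)\("
)


def lint_log_statements(source: str) -> list[int]:
    """CI gate: 1-based line numbers of log calls that mention a credential field."""
    flagged = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if LOG_CALL_RE.search(line) and any(k in line.lower() for k in SENSITIVE_KEYS):
            flagged.append(lineno)
    return flagged


def demo() -> dict:
    """Constructed LWA token response and request line, run through the redactor."""
    lwa_response = {
        "access_token": "Atza|IwEBIExampleAccessToken123",
        "refresh_token": "Atzr|IwEBIExampleRefreshToken456",
        "token_type": "bearer",
        "expires_in": 3600,
    }
    request_line = "GET /orders/v0/orders Authorization: Bearer Atza|IwEBIExampleAccessToken123"
    logger = logging.getLogger("spapi.demo")
    logger.setLevel(logging.INFO)
    logger.addFilter(RedactingFilter())
    logger.info("token exchange %s", lwa_response)  # filter rewrites args before any handler sees them
    return {"payload": redact(lwa_response), "request": redact_text(request_line)}
```

Put the filter on every handler, not just one logger, so third-party HTTP client debug output is covered too; the lint is a cheap first line, not a substitute for the runtime filter.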
Infrastructure segmentation
Isolate the worker fleets that poll reports from the dashboards that serve human users: separate roles, subnets, and autoscaling policies keep a compromise of one from reaching the other. Enforce egress controls on jobs that have no reason to browse the Internet; with an outbound allow-list of Amazon API endpoints and your own services, any other destination in the flow logs is a finding rather than an open question during incident response.
Tenancy in agency & SaaS setups
Multi-merchant platforms need a tenancy key on every datastore query (row-level, never optional), cache keys that include the merchant id deterministically, and background jobs that carry exactly one merchant label and fail closed when handed another merchant's records, so a fan-out bug cannot silently cross tenants. Administrative impersonation flows should require a short-lived OTP or SSO-backed approval per session, not a shared superuser password.
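The three tenancy controls above in one runnable shape, as an added example (Python with sqlite, not the article's code). The schema, merchant ids, order ids and job structure are constructed for the demo; the pattern is the point: no query path exists that omits the merchant key, cache keys are namespaced by merchant, and a job pinned to one merchant raises instead of processing an order it cannot see.

```python
"""Tenant-pinned data access for a multi-merchant SP-API platform.

Added example for this checklist, not the article's code. Sample data,
table layout and the Job shape are constructed for the demo.
"""
import sqlite3
from dataclasses import dataclass


class TenancyError(Exception):
    """Raised whenever an operation is not pinned to a single merchant."""


@dataclass(frozen=True)
class Tenant:
    merchant_id: str

    def __post_init__(self) -> None:
        if not self.merchant_id:
            raise TenancyError("empty merchant_id")


class TenantRepository:
    """All SQL here takes merchant_id from the tenant, never from the caller."""

    def __init__(self, conn: sqlite3.Connection, tenant: Tenant) -> None:
        self._conn = conn
        self._tenant = tenant

    def orders(self) -> list[tuple]:
        return self._conn.execute(
            "SELECT order_id, total FROM orders WHERE merchant_id = ? ORDER BY order_id",
            (self._tenant.merchant_id,),
        ).fetchall()

    def order(self, order_id: str):
        # Another merchant's order and a nonexistent order look identical to the
        # caller, so this lookup cannot be used as a cross-tenant oracle.
        return self._conn.execute(
            "SELECT order_id, total FROM orders WHERE merchant_id = ? AND order_id = ?",
            (self._tenant.merchant_id, order_id),
        ).fetchone()


class TenantCache:
    """Deterministic key segregation: the merchant id is part of every key."""

    def __init__(self) -> None:
        self._store: dict[str, object] = {}

    @staticmethod
    def _key(tenant: Tenant, key: str) -> str:
        return f"{tenant.merchant_id}:{key}"

    def get(self, tenant: Tenant, key: str):
        return self._store.get(self._key(tenant, key))

    def put(self, tenant: Tenant, key: str, value: object) -> None:
        self._store[self._key(tenant, key)] = value


@dataclass(frozen=True)
class Job:
    name: str
    merchant_id: str            # exactly one merchant per job, by construction
    order_ids: tuple[str, ...]


def run_job(conn: sqlite3.Connection, job: Job) -> list[tuple]:
    """Process the job's orders under its merchant; refuse any order it cannot see."""
    repo = TenantRepository(conn, Tenant(job.merchant_id))
    rows = []
    for order_id in job.order_ids:
        row = repo.order(order_id)
        if row is None:
            # A fan-out bug that mixed merchants' order ids into one job lands here.
            raise TenancyError(f"job {job.name}: order {order_id} not visible to {job.merchant_id}")
        rows.append(row)
    return rows


def seed() -> sqlite3.Connection:
    """Constructed sample data: two merchants, three orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (merchant_id TEXT, order_id TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [("A1", "111-001", 42.0), ("A1", "111-002", 17.5), ("B2", "222-001", 99.0)],
    )
    return conn
```

The repository deliberately exposes no "find by order id only" method; if a caller needs one, that is the review conversation you want to have.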
Webhooks, notifications & callbacks
Verify the signature on every notification before anything else, and reject replays: require a timestamp within a short window and a message id you have not already accepted, and treat an out-of-order (non-monotonic) timestamp from the same sender as suspect. Maintain an allow-list of registered callback URLs with TLS enforced; treat local tunnel endpoints as ephemeral sandboxes that are never promoted to staging without review.
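The verification order and replay checks above, plus the callback allow-list, as an added example (Python, not the article's code). The signing scheme is assumed for the demo: HMAC-SHA256 over `<timestamp>.<body>` in an `X-Signature` header, with `X-Timestamp`, `X-Message-Id` and `X-Sender` alongside; adapt the header names and the signed input to whatever your notification transport actually provides. The allow-list host and the notification body are constructed.

```python
"""Signed-notification verification with replay rejection, and a callback
URL allow-list.

Added example for this checklist, not the article's code. The header
names and the HMAC-over-"timestamp.body" scheme are assumptions for the
demo; the secret, allow-list host and payload are constructed.
"""
import hashlib
import hmac
import time
from typing import Callable
from urllib.parse import urlparse

MAX_SKEW_SECONDS = 300
ALLOWED_CALLBACK_HOSTS = {"hooks.agency.example"}   # constructed allow-list


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Sender side: the signature binds the timestamp to the body."""
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()


class NotificationVerifier:
    def __init__(self, secret: bytes, now: Callable[[], float] = time.time) -> None:
        self._secret = secret
        self._now = now
        self._seen_ids: set[str] = set()       # exact replays
        self._last_ts: dict[str, int] = {}     # per-sender high-water mark

    def verify(self, headers: dict[str, str], body: bytes) -> tuple[bool, str]:
        sig = headers.get("X-Signature")
        ts = headers.get("X-Timestamp")
        msg_id = headers.get("X-Message-Id")
        sender = headers.get("X-Sender", "default")
        if not (sig and ts and msg_id):
            return False, "missing signature headers"
        # Authenticate first: nothing below may touch state for an unsigned request.
        if not hmac.compare_digest(sign(self._secret, ts, body), sig):
            return False, "bad signature"
        try:
            ts_int = int(ts)
        except ValueError:
            return False, "malformed timestamp"
        if abs(self._now() - ts_int) > MAX_SKEW_SECONDS:
            return False, "timestamp outside window"
        if msg_id in self._seen_ids:
            return False, "replay: message id already seen"
        if ts_int < self._last_ts.get(sender, 0):
            return False, "replay: timestamp older than last accepted"
        self._seen_ids.add(msg_id)
        self._last_ts[sender] = ts_int
        return True, "ok"


def is_allowed_callback(url: str) -> bool:
    """Registered callbacks: TLS only, exact host match, no embedded credentials.
    Local tunnels (ngrok and friends) are never in the allow-list, so they fail here."""
    parsed = urlparse(url)
    return (
        parsed.scheme == "https"
        and parsed.hostname in ALLOWED_CALLBACK_HOSTS
        and parsed.username is None
        and parsed.password is None
    )


def demo() -> list[tuple[bool, str]]:
    """Constructed exchange: a good delivery, an exact replay, an older replay, a tampered body."""
    secret = b"constructed-shared-secret"
    verifier = NotificationVerifier(secret, now=lambda: 1_700_000_100)
    body = b'{"notificationType":"ORDER_CHANGE","payload":{"orderId":"111-001"}}'

    def headers(ts: str, msg_id: str, payload: bytes = body) -> dict[str, str]:
        return {"X-Signature": sign(secret, ts, payload), "X-Timestamp": ts,
                "X-Message-Id": msg_id, "X-Sender": "amazon-notifications"}

    good = headers("1700000090", "msg-1")
    return [
        verifier.verify(good, body),                              # accepted
        verifier.verify(good, body),                              # exact replay
        verifier.verify(headers("1700000050", "msg-0"), body),    # older timestamp, fresh id
        verifier.verify(good, body + b" "),                       # body changed, signature stale
    ]
```

In production the seen-id set and per-sender high-water mark live in a shared store with a TTL at least as long as the timestamp window, otherwise a second gateway instance accepts the replay the first one rejected. Note that `verify` returns a reason so your drill (replaying a malformed payload through the gateway) can assert on which check fired.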
Vendors & human access
Map which contractors can touch production versus QA. Disable dormant accounts aggressively, and run documented quarterly access reviews for PCI-adjacent clients even when PCI scope is narrow; the habit lowers the chance of a surprise finding at audit time.
Operational drills
Quarterly exercises beat policy PDFs: rotate a sandbox secret, revoke a stray IAM key intentionally, replay a malformed notification payload through your gateway, restore encrypted backups onto a disposable stack. If these drills feel painful, that’s telemetry—prioritize automation before attackers provide the rehearsal.
Security is iterative. Pair this checklist with automated dependency scanning and Amazon's periodically updated compliance guidance for your Selling Partner pathway. Need an external sanity check before launch or a marketplace audit? Talk to Coretech3.