SaaS Fulfillment URL Audit Fails with "Invalid Token" - Test Account Works Fine

0

We're experiencing an issue with our AWS Marketplace SaaS Contract product audit. The automated fulfillment URL test fails with InvalidTokenException, but our allowlisted test account registrations work perfectly.

The Problem

During the Marketplace audit, our fulfillment URL receives POST requests with x-amzn-marketplace-token. When we call ResolveCustomer, AWS returns InvalidTokenException - not ExpiredTokenException.

Subscriptions from our allowlisted test account (created per AWS Marketplace testing requirements) complete successfully using the exact same code path.

What We've Verified

  • Test account tokens resolve successfully (~3.5s latency)
  • Endpoint accepts POST with application/x-www-form-urlencoded
  • Token parsed from x-amzn-marketplace-token field
  • AWS SDK v3 configured for us-east-1
  • IAM permissions include aws-marketplace:ResolveCustomer
  • Product code matches
  • Single ResolveCustomer call per request (no double-consumption)

Audit Observations

Multiple audit tokens (4 different tokens over 2 hours) all failed in under 100ms. This is too fast for token expiry. The error is InvalidTokenException, not ExpiredTokenException.

    const token = req.body['x-amzn-marketplace-token'];
    const customer = await meteringClient.send(
      new ResolveCustomerCommand({ RegistrationToken: token })
    );
    // Success: create account, get entitlements, redirect to onboarding
    // Failure: redirect to error page

Questions

  1. Does the Marketplace audit use real subscription tokens or synthetic test tokens?
  2. Has anyone experienced audit failures while their allowlisted test account works?
  3. Could the audit system be consuming the token before our endpoint receives it?

We've added comprehensive logging and confirmed no WAF blocking. Any insights appreciated.

asked 5 months ago · 81 views
2 Answers
1

Hi Jeremy,

I've seen this issue occur when a browser plugin or extension interferes with the AWS Marketplace integration.

To troubleshoot:

  1. Test via CLI: Use the AWS CLI to make the ResolveCustomer call with the token to isolate whether this is a browser-specific issue
  2. Verify account access: Ensure you're making the ResolveCustomer call from the seller account, or have assumed the appropriate cross-account access role
  3. Check subscription status: Confirm the token corresponds to an active subscription

For additional context on the ResolveCustomer API, see the AWS Marketplace Metering Service documentation.

AWS
answered 4 months ago
0

Based on your description, there are several potential causes for the InvalidTokenException during the AWS Marketplace audit while your test account works fine.

The key difference between your test account success and the audit failure appears to be related to token validity. Here are some insights:

  1. Token Validity: The InvalidTokenException (as opposed to ExpiredTokenException) suggests the token itself is invalid rather than expired. This could indicate the audit is using synthetic test tokens that aren't actually valid for ResolveCustomer API calls.

  2. Response Time Difference: The quick failure time (under 100ms) compared to successful test account resolutions (~3.5s) suggests the tokens are being rejected immediately by the AWS Marketplace Metering Service rather than being processed.

  3. Fulfillment URL Requirements: Ensure your fulfillment URL starts with "https://" and is properly formatted. The URL must be publicly accessible and should follow the format: https://your-saas-app.com/fulfillment.

  4. Token Processing: Your code appears to be correctly extracting the token from the POST request and using it with the ResolveCustomer API. The issue is likely not in your token handling logic.

  5. Test vs. Audit Environment: The audit system may be using a different mechanism for token generation than what's used for actual customer subscriptions. While your test account uses real subscription tokens, the audit might use synthetic tokens for validation purposes.

Recommendations:

  • Test your fulfillment endpoint with a variety of token scenarios
  • Ensure your endpoint responds appropriately even when receiving invalid tokens
  • Add more detailed error handling to distinguish between different token validation failures
  • Consider implementing a fallback mechanism for audit scenarios

You might want to contact AWS Marketplace support directly about this issue, as they can provide specific insights about how the audit system tests fulfillment URLs and what might be causing the discrepancy between test accounts and audit validation.
Sources
Troubleshooting SaaS products - AWS Marketplace
Code examples for SaaS product integration - AWS Marketplace
ResolveCustomer - AWS Marketplace
Work with SaaS products using the AWS Marketplace APIs - AWS Marketplace

answered 5 months ago
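
The recommendations in the answer above (respond appropriately to invalid tokens, distinguish between token validation failures) sketched as an added example; it is not code from the thread's participants or from AWS. `handleFulfillment`, `classifyResolveError` and `tokenFingerprint` are hypothetical names, the HTTP status choices are assumptions, and the ResolveCustomer call is injected as `resolve` so the block runs without the SDK or credentials.

```javascript
// Added example: classify ResolveCustomer failures by SDK v3 error name and
// log a token fingerprint instead of the token. All function names are hypothetical.
const { createHash } = require('node:crypto');

// Error names documented for ResolveCustomer; status codes are this example's choice.
const OUTCOMES = new Map(Object.entries({
  InvalidTokenException:         { status: 400, outcome: 'invalid_token', retryable: false },
  ExpiredTokenException:         { status: 400, outcome: 'expired_token', retryable: false },
  ThrottlingException:           { status: 503, outcome: 'throttled',     retryable: true },
  InternalServiceErrorException: { status: 503, outcome: 'aws_internal',  retryable: true },
  DisabledApiException:          { status: 500, outcome: 'api_disabled',  retryable: false },
}));

function classifyResolveError(err) {
  return OUTCOMES.get(err && err.name) ||
    { status: 500, outcome: 'unexpected_error', retryable: false };
}

// Registration tokens are bearer values: log a short hash and the length so
// audit and test-account requests can be compared without storing the token.
function tokenFingerprint(token) {
  return createHash('sha256').update(token).digest('hex').slice(0, 12);
}

// `resolve` is injected, for example:
//   (t) => meteringClient.send(new ResolveCustomerCommand({ RegistrationToken: t }))
async function handleFulfillment(body, resolve, log = console.log) {
  const token = body && body['x-amzn-marketplace-token'];
  if (typeof token !== 'string' || token.length === 0) {
    log({ outcome: 'missing_token' });
    return { status: 400, outcome: 'missing_token' };
  }
  const meta = { fp: tokenFingerprint(token), len: token.length };
  const started = Date.now();
  try {
    const customer = await resolve(token); // exactly one call per request
    log({ ...meta, outcome: 'resolved', ms: Date.now() - started });
    return { status: 302, outcome: 'resolved', customer };
  } catch (err) {
    const result = classifyResolveError(err);
    log({ ...meta, ...result, error: err && err.name, ms: Date.now() - started });
    return result; // caller redirects to the error page; no account is created
  }
}
```

The logged `fp`, `len` and `ms` fields give a per-request record that can be handed to AWS Marketplace support when audit and test-account requests behave differently.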
