Obtain a standard SP-API access token via LWA as usual, then call the Tokens API `createRestrictedDataToken` endpoint, specifying the `restrictedResources` array with the path and dataElements (e.g., `buyerInfo`, `shippingAddress`) you need.
Use the returned `restrictedDataToken` (RDT) in place of the regular access token in the `x-amz-access-token` header for any API calls that return PII.
Call the Orders API `getOrders` endpoint to retrieve a list of orders; then call `getOrder` with a specific `orderId` using the RDT to get buyer PII fields like `BuyerEmail` and `ShippingAddress`.
RDTs are short-lived (one hour); for batch processing many orders, request a single RDT scoped to the orders resource path and reuse it for all calls within its validity window.
Store buyer PII only as long as necessary to fulfill the order and in accordance with Amazon's data protection policies and your Data Protection Policy agreement.
Log all RDT creation events for audit purposes without logging the token value or the PII it grants access to.
Known gotchas
Calling PII-returning endpoints with a regular access token (without an RDT) returns the fields as empty or masked — no error is thrown, which can cause silent data gaps if RDT usage is accidentally omitted.
RDTs are path-specific — an RDT created for `/orders/v0/orders` does not grant access to `/orders/v0/orders/{orderId}/buyerInfo`; you must specify each required path explicitly.
Amazon audits PII access; applications that access buyer data without a legitimate fulfillment reason or that store PII beyond policy limits risk suspension.
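The following Python sketch is an added example, not Amazon's or this page's own code: it builds the `restrictedResources` body, writes an audit record that leaves out the token, refuses to send an RDT to a path outside its scope or past its expiry, and flags responses whose PII fields came back empty. The helper names, the sample order and the token string are constructed for illustration; `method` and `expiresIn` are the Tokens API field names as assumed here, and scope matching is an exact string comparison.

```python
def build_rdt_request(resources):
    """Body for createRestrictedDataToken from (method, path, dataElements) tuples."""
    return {"restrictedResources": [
        {"method": m, "path": p, "dataElements": list(d)} for m, p, d in resources]}

def audit_record(request_body, response_body, now):
    """Audit entry for an RDT creation: scope and expiry only, never the token."""
    return {
        "event": "rdt_created",
        "created_at": int(now),
        "expires_at": int(now) + int(response_body["expiresIn"]),
        "resources": request_body["restrictedResources"],
    }

class RdtSession:
    """Holds one RDT and refuses calls outside its scope or validity window."""
    def __init__(self, request_body, response_body, now):
        self._token = response_body["restrictedDataToken"]
        self._expires_at = now + response_body["expiresIn"]
        self._scope = {(r["method"], r["path"])
                       for r in request_body["restrictedResources"]}

    def headers_for(self, method, path, now):
        if now >= self._expires_at:
            raise PermissionError("RDT expired; request a new one")
        if (method, path) not in self._scope:
            raise PermissionError(f"RDT does not cover {method} {path}")
        return {"x-amz-access-token": self._token}

def missing_pii(order, expected=("BuyerEmail", "ShippingAddress")):
    """Expected PII fields that are absent or empty (the silent-gap case)."""
    def found(node, key):
        if isinstance(node, dict):
            return bool(node.get(key)) or any(found(v, key) for v in node.values())
        return False
    return [k for k in expected if not found(order, k)]

# Constructed sample data (not real Amazon output).
REQ = build_rdt_request([("GET", "/orders/v0/orders", ["buyerInfo", "shippingAddress"])])
RESP = {"restrictedDataToken": "EXAMPLE-RDT-NOT-REAL", "expiresIn": 3600}
SESSION = RdtSession(REQ, RESP, now=1_700_000_000)

if __name__ == "__main__":
    print(audit_record(REQ, RESP, now=1_700_000_000))
    print(list(SESSION.headers_for("GET", "/orders/v0/orders", now=1_700_000_100)))
    print(missing_pii({"AmazonOrderId": "ORDER-PLACEHOLDER", "BuyerInfo": {}}))
```

Running `missing_pii` on every PII-bearing response and alerting on a non-empty result turns the no-error masking behaviour into a visible failure.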