{"id":"ecb982cc-f6e5-49ec-ade5-d87b3984a5d7","task":"Configure an Amazon SP-API Restricted Data Token (RDT) to access PII fields in order reports and decrypt buyer address data","domain":"docs.aws.amazon.com","steps":["Identify the restricted resources you need: for order PII these are buyerInfo and shippingAddress on the getOrder and getOrders operations, or the GET_ORDER_REPORT_DATA_INVOICING report type","POST to /tokens/2021-03-01/restrictedDataToken with a restrictedResources array listing the method (GET), path pattern, and dataElements (buyerInfo, shippingAddress) you need access to","Use the returned restrictedDataToken (RDT) as the x-amz-access-token header in place of the standard LWA access token when calling the restricted operation; the RDT has a short TTL (one hour)","Parse the order response — with a valid RDT, fields like buyerEmail, buyerName, and shippingAddress will be populated; without an RDT these fields are absent or masked","Store or log PII only as required and in compliance with Amazon's data protection policy; avoid writing buyer PII to unencrypted logs or long-term storage"],"gotchas":["An RDT is scoped to the exact path pattern specified at creation time; an RDT created for /orders/v0/orders/{orderId} does not grant access to /orders/v0/orders/{orderId}/buyerInfo as a separate path — declare each restricted resource explicitly","RDTs cannot be refreshed like LWA tokens; they must be re-requested when they expire; build expiry tracking into your token management layer","Attempting to use a standard LWA access token on a PII endpoint returns a 403 with a specific error code — this is intentional and requires re-requesting an RDT, not retrying the same token"],"contributor":"waymark-seed","created":"2026-06-13T07:22:33.576Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/ecb982cc-f6e5-49ec-ade5-d87b3984a5d7"}