Account Linking lets users authenticate through the Alexa app, so that our skill can make authenticated calls to our backend server.

Your service must support OAuth 2.0 to allow Alexa to authenticate users.
- Authorization Endpoint
- Token Endpoint, which returns a JSON response like:
  { "access_token": "TOKEN_DEL_USUARIO", "refresh_token": "TOKEN_PARA_REFRESCAR", "token_type": "Bearer", "expires_in": 3600 }
2. Configure Account Linking in Alexa Developer Console
- Open your skill in the Alexa console and select Account Linking.
- Enable the option to allow users to create or connect a profile.
- Select Authorization Code Grant.
- Configure the fields:
  - Authorization URI: your authorization endpoint
  - Access Token URI: your token endpoint
  - Client ID: your OAuth app client ID
  - Client Secret: your OAuth app client secret
  - Scopes: permissions your skill needs, for example read_profile
- Configure the Redirect URLs provided by Alexa and ensure they are allowed on your OAuth server.
- Save your changes and publish your skill for testing.
3. User Flow
- The user says: “Alexa, connect my [skill name] account”.
- Alexa opens the app and displays a secure login form.
- The user enters their email and password on your OAuth server.
- Your server validates the data and returns an Authorization Code to Alexa.
- Alexa exchanges the code at the Token Endpoint and receives an Access Token.
- Your skill can use this token to make API calls on behalf of the user.
4. Using the Access Token in your Skill
In your Lambda function or backend, read the token from the request:
const accessToken = handlerInput.requestEnvelope.context.System.user.accessToken;
Then you can use it to call your API:
const response = await fetch('https://tuapi.com/data', { headers: { 'Authorization': `Bearer ${accessToken}` } });
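The two lines above assume a token is always present and always accepted. The following handler is an added example, not code from the original page: it returns a link-account card when the request carries no token or the backend answers 401, and it keeps the token out of the logs. `ProfileIntent` and the injectable `fetchImpl` parameter are hypothetical names, and the handler is shaped like an ASK SDK v2 request handler.

```javascript
// Added example, not from the original page. ProfileIntent and fetchImpl are
// hypothetical names; API_URL is the page's placeholder URL.
const API_URL = 'https://tuapi.com/data';

// Send a link-account card to the Alexa app so the user can (re)link.
function askToLink(handlerInput) {
  return handlerInput.responseBuilder
    .speak('Please link your account in the Alexa app to use this feature.')
    .withLinkAccountCard()
    .getResponse();
}

const ProfileIntentHandler = {
  canHandle(handlerInput) {
    const req = handlerInput.requestEnvelope.request;
    return req.type === 'IntentRequest' && req.intent.name === 'ProfileIntent';
  },
  // fetchImpl is injectable so the handler can be exercised offline.
  async handle(handlerInput, fetchImpl = globalThis.fetch) {
    const { accessToken } = handlerInput.requestEnvelope.context.System.user;
    // No token in the request: the user has not linked an account.
    if (!accessToken) return askToLink(handlerInput);
    try {
      const response = await fetchImpl(API_URL, {
        headers: { Authorization: `Bearer ${accessToken}` },
      });
      // 401: the backend rejected the token (expired or revoked), so re-link.
      if (response.status === 401) return askToLink(handlerInput);
      if (!response.ok) throw new Error(`API returned HTTP ${response.status}`);
      const data = await response.json();
      const count = Object.keys(data).length;
      return handlerInput.responseBuilder
        .speak(`Your account is linked. I found ${count} fields.`)
        .getResponse();
    } catch (err) {
      // Log the failure reason only; never log the bearer token.
      console.error('Backend call failed:', err.message);
      return handlerInput.responseBuilder
        .speak('The service is unavailable right now. Please try again later.')
        .getResponse();
    }
  },
};
```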
5. Recommendations
- Don’t ask for email and password directly by voice.
- Use the refresh token to get new access tokens automatically.
- Keep your app’s secret safe and never expose it in your skill’s code.
