Alexa Account Linking via OAuth

Matthias Biehl
Published in API-University
Apr 10, 2019


We can personalize Alexa Skills by accessing our own APIs, or the APIs of third parties, from within our Alexa Skill. This makes the customer's data available in our Skill. For example, if we create a music Skill that can access the user's Spotify playlists and preferred music, the user will feel at home, as if the Skill had been created personally for them.

Let's work with our Alexa Skill that needs access to Spotify playlists. The Alexa Skill has the role of an API client accessing the Spotify API. Spotify is the API provider; it provides the playlist data via an API and protects that API with OAuth. The OAuth framework (Hardt 2012) is a standardized, commonly used protocol for delegating access rights on the web and in web applications. Time spent learning more about the OAuth protocol is well invested.

When an API is protected with OAuth, this means that a valid OAuth access token is required to access the API. In our example, this means that the Alexa Skill needs a valid OAuth access token from Spotify if it wants to access the playlist API. How does it get such a token?

According to the OAuth protocol, the end-user (the Alexa user) has to authenticate with Spotify first; then the client (the Alexa Skill) has to authenticate with Spotify, and if all checks are positive, Spotify may hand out the OAuth access token. This OAuth…
