Creators API v3.x error 'invalid_client' on WordPress: the fix in 60 seconds

If your Amazon product widgets stopped pulling data this week with a token error like invalid_client or invalid_scope, you are not alone. Amazon rolled out v3.x Creators API credentials in spring 2026 and the wire format changed. Plugins that worked on v2.x started failing the moment marketers pasted in fresh v3.1 keys. The product is not broken; the version routing is.

This guide walks the nine error codes Amazon's token endpoint returns, what each one means, and which field to change to clear it. Lead with the fix, explain the why second.

How the nine OAuth error codes map to a quick fix

The Creators API token endpoint returns errors in a standard OAuth 2.0 shape: a short error code and a longer error_description string. Recent versions of PaapiPlugin surface both in a 17-field Test Connection diagnostic so you can see which step of the OAuth handshake failed. Each section below leads with the literal error string so you can match what you see on screen and jump to the fix.

Error: invalid_client

What it means. Amazon could not authenticate your Client ID and Client Secret pair against the endpoint your plugin contacted.

How to fix it:

1. Open your plugin's OAuth settings page in WordPress admin.
2. Look at your Client Secret. If it starts with amzn1.oa2-cs.v1. and your Client ID starts with amzn1.application-oa2-client., you have v3.x credentials.
3. Find the credential version field (PaapiPlugin labels this psfa_oauth_credential_version). Set it to 3.1 (or whichever v3.x version Amazon issued you).
4. Save settings and click Test Connection.

Why this happens. The single most common error after Amazon issued v3.x credentials in spring 2026. v2.x and v3.x use different token endpoints, body formats, and scopes. Sending v3.x secrets over the v2.x wire format produces an instant invalid_client: same error word, completely different cause.

Error: invalid_scope

What it means. The OAuth scope your plugin requested is not valid for the credential version it sent.

How to fix it:

1. Confirm which credential version you are using (check the prefix on your Client Secret).
2. For v3.x credentials, the scope must be exactly creatorsapi::default. PaapiPlugin sets this automatically when the credential version field is a 3.x value.
3. For v2.x credentials, do not send the v3.x scope. The legacy Cognito endpoint rejects creatorsapi::default.
4. If your plugin lets you override the scope manually, clear any custom value.
5. Save and re-run Test Connection.

Why this happens. The v3.x rollout introduced the named scope creatorsapi::default that does not exist on the v2.x token path. Plugins that hardcoded one scope value for both versions started rejecting half their users overnight.

Error: invalid_grant

What it means. The grant (the credentials or refresh token you offered) is expired, revoked, or was never valid.

How to fix it:

1. Log into your Amazon Associates account and confirm your application is in good standing.
2. If you regenerated your Client Secret recently, the old one no longer works. Paste the most recent Client Secret into your plugin settings.
3. Clear any cached access token from your plugin's OAuth panel so it requests a fresh one.
4. Save and click Test Connection.

Why this happens. invalid_grant usually surfaces after a credential rotation: you generated new keys but replaced only one in the settings page. It also surfaces if Amazon revoked your application; in that case the fix is in the Associates portal.

Error: unauthorized_client

What it means. The credentials authenticate, but the application is not authorized for the resource your plugin asked for.

How to fix it:

1. Confirm in the Associates portal that the application is approved for Creators API access (not just OAuth in general).
2. Confirm the app is approved for the marketplace your plugin is targeting (US, UK, DE, JP). Approval for one marketplace is not approval for the others.
3. If you applied within the last 24 hours, give approval a few hours to propagate before testing again.
4. Re-run Test Connection.

Why this happens. Amazon issues OAuth credentials for many products. Being approved for one does not mean the same Client ID has Creators API rights.

Error: unsupported_grant_type

What it means. Your plugin sent a grant_type value the endpoint does not accept.

How to fix it:

1. Configure your plugin for the Client Credentials grant. The Creators API uses grant_type=client_credentials.
2. If your plugin exposes the grant type as a setting, set it to client_credentials.
3. If you route through a proxy, make sure the grant_type field is not stripped or rewritten in transit.
4. Save and re-run Test Connection.

Why this happens. The Creators API only supports the Client Credentials grant. Authorization Code, Refresh Token, and Password grants are all rejected. This error mostly surfaces when a developer copies an OAuth example from a different service.

Error: invalid_request

What it means. The HTTP request to the token endpoint was malformed: a required field was missing, a field had an unexpected value, or the body was sent in a format the endpoint did not expect.

How to fix it:

1. Check that the credential version field is set. A blank value sometimes routes the request through neither v2.x nor v3.x cleanly.
2. Check that Client ID and Client Secret are both filled in. Trailing whitespace counts; copy them again from the Associates portal.
3. For v3.x, send a JSON body with Content-Type: application/json. For v2.x, send form-urlencoded with Content-Type: application/x-www-form-urlencoded.
4. Save and re-run Test Connection.

Why this happens. Most invalid_request reports trace back to a wire-format mismatch between credential version and Content-Type. v3.x wants JSON; v2.x wants form-encoded. Sending the wrong body shape produces this error rather than invalid_client, because the endpoint cannot get far enough to even check who you are.

Error: expired_token

What it means. The access token your plugin cached has expired and the API rejected the call that used it.

How to fix it:

1. Open your plugin's OAuth panel and look for a "Clear cached token" button. Click it.
2. If your plugin does not expose a clear button, save the OAuth settings again. Most plugins flush the cached token on save.
3. Click Test Connection. The plugin requests a fresh access token and uses it on the next product call.
4. If the error keeps coming back within minutes of issuing a token, your server clock is likely drifting. Have your host check NTP sync.

Why this happens. Creators API access tokens are short-lived (typically about an hour) and the plugin is responsible for refreshing them. If expired_token shows in the diagnostic, either the auto-refresh path failed silently or your hosting environment is not letting the plugin keep the cached token between requests.

Error: server_error

What it means. Amazon's token endpoint hit an internal error. The fault is on Amazon's side, not yours.

How to fix it:

1. Wait two to five minutes and click Test Connection again.
2. If it persists more than fifteen minutes, check Amazon's developer status pages for an active incident.
3. Confirm your hosting provider has not been rate-limited at the network level.
4. Open a support ticket only if you can show repeated failures across at least an hour with timestamps.

Why this happens. Token services occasionally degrade under load or during a deploy. Usually transient. Do not change settings; just retry.

Error: temporarily_unavailable

What it means. The token endpoint is intentionally rejecting requests right now (maintenance, overload, or a backoff signal). Try again later.

How to fix it:

1. Wait at least five minutes before retrying. Repeated retries during a backoff window can extend it.
2. If your plugin caches product data (PaapiPlugin uses a 30-minute search cache and 1-hour product cache), your live pages are probably still serving cached results.
3. If the message persists more than thirty minutes, check Amazon's status page and your Associates inbox for a maintenance notice.
4. Re-run Test Connection once the window clears.

Why this happens. Like server_error, this is on Amazon, but it carries an implicit "back off" signal. Plugins with sane retry logic respect the backoff. Leave the settings alone and check again in a few minutes.

How to use the Test Connection diagnostic

PaapiPlugin v2.15.2 ships a 17-field Test Connection diagnostic that walks every step of the OAuth flow and tells you which step failed. Instead of a generic "could not authenticate" toast, you get a structured report you can read top to bottom or paste into a support ticket.

The diagnostic surfaces the resolved credential version, the resolved token endpoint URL, the HTTP status code, the literal error code, the error_description text, the marketplace targeted, and the resolved scope, among others. Read it top down and the mismatched field is usually obvious in under thirty seconds.

v2.x vs v3.x credential format: why both still work

Amazon supports both credential versions on the same product line and they use completely different wire formats. PA-API v5 retired on May 15, 2026, and the Creators API is now the only path to live product data. Within the Creators API, v2.x and v3.x credentials behave differently. PaapiPlugin routes by the major digit of the credential version field, so both versions stay live on the same code path.

Same product, same response shape, same data fields. Only the front door changed. PaapiPlugin reads the major digit of psfa_oauth_credential_version at request time and picks the right endpoint, body format, auth header, scope, and Bearer suffix. v3.4 and later default to the North America LwA endpoint as a forward-compatible fallback. Both versions remain supported, so there is no rush to rotate older credentials that are still valid.

What to do when nothing in the diagnostic looks wrong

If the credential version, endpoint URL, and scope are all right and you are still seeing an error, three things to try:

1. Regenerate your Client Secret. In the Associates portal, rotate the secret on the application. Paste the new value into your plugin and save.
2. Verify the Associates account is in good standing. Log into Amazon Associates and look for policy notices, sales-threshold gates, or marketplace approval issues.
3. Confirm your hosting environment can reach Amazon. Some shared hosts block outbound HTTPS to api.amazon.com. Ask your host to confirm outbound HTTPS is permitted to the LwA token domains.

Why a plugin matters more than ever

The Creators API gives WordPress affiliates the same product data they had on PA-API v5: live pricing, Prime badges, deal flags, ratings, images. The difference is the authentication layer, and it is the one thing your visitors should never have to know about. A plugin that handles both v2.x and v3.x wire formats invisibly means you spend zero time fighting OAuth and all your time embedding live search widgets so visitors discover related items without leaving your site.

Static affiliate links earn on the one product you remembered to link. Live search earns on whatever your visitor decides to buy after they find your site.

Note on refunds: PaapiPlugin Premium is backed by a 100% Money Back Guarantee. If during the next 7 days you experience an issue that makes the plugin unusable and we are unable to resolve it, we'll happily consider offering a full refund of your money. See the Terms and Conditions for details.