Amazon Echo Account Linking - how to identify echo device when generating and saving token?

Question

I have a pre-existing web app with user accounts. I want to extend functionality with Amazon's echo.

When the user enables the skill in their Echo/Alexa dashboard, it will redirect them to the login page of my app with Authorization URL https://foo.com/auth.

I checked the incoming request that comes from Authorization URL https://foo.com/auth and there is no client id, user id, or user email on the request. It doesn't do me any good to generate a token and send it back to Amazon if I can't save that token on my webserver along with some kind of echo client device id.

From Account linking implicit granting

3 The user logs in using their normal credentials for your site.

4 Your service authenticates the user and then generates an access token that uniquely identifies the user in your system.

When amazon redirects users to my app to enter login credentials, how do I link their token I give back to them to their echo device for future requests?

Answer 1

You don't do that when the user enter his credentials, but after the linking is completed.

When the user launches your skill, you can identify him with the context.System.user.userId, the access token will be in context.System.user.accessToken and the device in context.System.device. deviceId. The same accessToken can be used for multiple devices, and the userId will change if the user disables and re-enables your skill.

More info here: Request and Response JSON Reference