Documentation
This page contains the technical documentation for BoxGuard.io — Amazon Buy Box loss detection public application.
Last updated: 2025-10-12
Overview
BoxGuard integrates directly with Amazon’s Selling Partner API to detect Buy Box changes as they happen. A hybrid push/pull design delivers notifications reliably, avoiding scraping and polling delays.
Data flows
- Amazon SP-API pushes ANY_OFFER_CHANGED events to EventBridge within 1–5 seconds.
- EventBridge rules route events to SQS queues for buffering and at-least-once delivery.
- Go workers pull messages from SQS, validate HMAC signatures, and immediately call the Product Pricing API:
  - getCompetitivePricing retrieves the authoritative Buy Box winner and price;
  - getItemOffers fetches detailed offer listings when tie-breakers or additional context are required.
- Notifications serve only as hints; all state changes are confirmed by API responses.
- Confirmed changes are stored in the database and dispatched via webhooks to your chosen channels. A scheduled polling fallback ensures no updates are missed.
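The worker step from the list above, as an added Go example (not BoxGuard's own code): it verifies an HMAC over the raw message body before parsing it, then treats the notification as a hint and reports a change only after a confirming lookup, which also makes redelivered messages harmless. The signature scheme (hex HMAC-SHA256 over the body), the Worker type, the Confirm stand-in for the pricing call and the sample values are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Worker: Confirm stands in for the pricing lookup; all names are assumed.
type Worker struct {
	Key     []byte
	Confirm func(asin string) (winner string, err error)
	Winner  map[string]string // last confirmed winner per ASIN
}

var ErrSig = errors.New("bad HMAC signature")

func Sign(key []byte, body string) []byte { // HMAC-SHA256(key, body)
	m := hmac.New(sha256.New, key)
	m.Write([]byte(body))
	return m.Sum(nil)
}

// Process reports a change only when the confirming lookup shows a new winner.
func (w *Worker) Process(body, sigHex string) (bool, error) {
	got, err := hex.DecodeString(sigHex)
	if err != nil || !hmac.Equal(got, Sign(w.Key, body)) { // constant-time
		return false, ErrSig // reject before parsing the body
	}
	var hint struct{ ASIN string `json:"asin"` }
	if err := json.Unmarshal([]byte(body), &hint); err != nil {
		return false, err
	}
	now, err := w.Confirm(hint.ASIN) // the message is only a hint
	if err != nil {
		return false, fmt.Errorf("confirm %s: %w", hint.ASIN, err) // state untouched
	}
	prev := w.Winner[hint.ASIN]
	w.Winner[hint.ASIN] = now
	return prev != now, nil
}

func main() {
	key, body := []byte("constructed-key"), `{"asin":"B000EXAMPLE"}` // constructed
	w := &Worker{key, func(string) (string, error) { return "SELLER-B", nil }, map[string]string{}}
	fmt.Println(w.Process(body, hex.EncodeToString(Sign(key, body))))
}
```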
Data protection controls
BoxGuard aligns with Amazon's Website Guidelines and Data Protection Policy. LWA OAuth tokens are scoped to required SP-API roles and stored in-memory only—never persisted or logged in plaintext. Client credentials are securely managed via AWS Secrets Manager with regular rotation. All communications use TLS encryption with sensitive data masked in logs. Access follows least-privilege principles with comprehensive audit logging.
SP API roles
BoxGuard requires the Pricing role to access getCompetitivePricing, for authoritative Buy Box data and competitive pricing information, and getItemOffers, for detailed offer listings. All requested roles are non-restricted and publicly available to approved SP-API developers.