Services

APISigning now works with Amazon's Simple Email Service (SES)

The APISigning service will now work with Amazon's SES Service. See the SES Usage Page for more information

All requests to Amazon's Product Advertising API must now be signed

As of August 17th, 2009, Amazon now requires that all requests to their Product Advertising API be signed. The signature process verifies that requests made using your Access Key were actually requested by you.

To sign the request, your programming software needs to construct the request as it normally does. It then adds a timestamp, and then calculates a unique 'signature' (or 'hash') based on the request and your Amazon secret key. Since the request contains a timestamp, each hash value is unique and it must be calculated for every request.

The new request containing the signature is then sent to Amazon where they also calculate the signature for your request. If the signature that you sent matches the signature that they calculated, then your request goes through normally. If everything wasn't done exactly correct, you will receive a response like this:

<Code>SignatureDoesNotMatch</Code> <Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.</Message>

The signature must be calculated exactly correct or else it won't match what the Amazon service is expecting and your request will be denied.

Implementation

Any website or service that uses the Amazon Product Advertising API will need to be modified to include the proper signature. The exact method for doing so will depend on how your software was written. Commercial applications should receive updates from the application provider. Many open-source applications have also released updates. Websites that were custom programmed will need a programer to implement these changes. Some individuals and groups have released code samples for creating the required signatures, but making them work usually requires a bit of tweaking and manipulation to get it working just right.

Of particular concern are applications written entirely in JavaScript where the entire source code is viewable by anybody. These applications have no way to keep their Amazon Secret key a secret.

Some programming languages don't contain functions for calculting the necessary crypt graphic hashes. For example, Excel macros and applications written in some less popular languages often don't have some required functions

Services that we provide

APISigning.com is a service provided by RoundSphere, LLC to address the implementation of these required changes. We provide two services:

API Signing Service - We provide a service where our servers will calculate the signatures on your behalf. This provides a very simple drop-in replacement that can be configured in minutes. It is perfect for applications imlemented entirely in JavaScript where you can't expose your Secret Key in your code. It also works great for situations where your programming language or environment doesn't have functions for computing the required SHA1 hash. It is also useful if you need to make the switch in a hurry or don't have the resources to have a programmer make the changes to your site right now.

Custom Programming - We can modify the source code for your website or application so that it will properly sign the Amazon API Requests. Our team of programmers has years of experience working with all types of websites and can quickly make the changes necessary to get your website or application working.