Signing Amazon Product Advertising API requests with CFML

From 15th August 2009, all requests to Amazon’s Product Advertising API must be authenticated with a message authentication code.  This requires that a signature be generated using your secret key and appended to the request.  When Amazon get the request, they calculate the signature themselves, and if it matches the signature you sent they know that the message is from you, and that it hasn’t been tampered with en route. 

Amazon have been warning developers about this change since May, but I’ve been putting off doing anything about it, telling myself that there’s plenty of time before it needs to be done.  At least until my requests started failing with 400 Bad Request errors and “The request must contain the parameter Signature” messages…

The signature generation process is actually pretty straightforward; the trickiest part looked like being calculation of the HMAC signature, until I found a post on the Amazon Developer Forum showing how to use Java to produce the signature (looks like the original credit for the technique goes to Barney Boisvert).  Coupled with a chunk of code for manipulating the request URL, the amazonsig component was born.  This contains a function that takes an existing request, and returns it complete with a signature, allowing me to simply update my existing code by replacing

<cfhttp url="#requrl#" method="GET" />

with

<cfhttp url="#amazonsig.signrequest(requrl, secretKey)#" method="GET" />

In the hope that it might be useful, or save someone else a few hours’ work, I’ve made it available via RIAForge – amazonsig.riaforge.org
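
The sign-and-verify exchange described above, written in Python rather than CFML as an added example; it is not the amazonsig component's code. It assumes the scheme Amazon documented for this API (HMAC-SHA256 over the method, host, path and the byte-sorted, RFC 3986-encoded query string, with a Timestamp parameter), and the function names, sample request, access key ID and secret key are constructed for illustration.

```python
import base64, hashlib, hmac
from datetime import datetime, timezone
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample values; the key ID and secret are not real credentials.
SAMPLE_SECRET = "constructed-secret-key"
SAMPLE_URL = ("http://webservices.amazon.com/onca/xml?Service=AWSECommerceService"
              "&Operation=ItemLookup&ItemId=0679722769&ResponseGroup=ItemAttributes,Offers"
              "&AWSAccessKeyId=AKIAEXAMPLEKEYID&Timestamp=2009-08-15T12:00:00Z")

def _enc(s):
    # RFC 3986 percent-encoding: only A-Z a-z 0-9 - _ . ~ stay literal.
    return quote(s, safe="-_.~")

def _canonical_query(params):
    # Encode every name and value, then sort the pairs by byte order.
    return "&".join(f"{k}={v}" for k, v in sorted((_enc(k), _enc(v)) for k, v in params))

def _signature(parts, params, secret_key):
    string_to_sign = "\n".join(["GET", parts.netloc.lower(), parts.path or "/",
                                _canonical_query(params)])
    mac = hmac.new(secret_key.encode(), string_to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def _split(url):
    # Separate any Signature parameter from the parameters that get signed.
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    sent = [v for k, v in params if k == "Signature"]
    return parts, [(k, v) for k, v in params if k != "Signature"], sent

def sign_request(requrl, secret_key):
    """Client side: return requrl with a Signature parameter appended."""
    parts, params, _ = _split(requrl)
    if not any(k == "Timestamp" for k, _ in params):
        now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        params.append(("Timestamp", now))
    sig = _signature(parts, params, secret_key)
    return (f"{parts.scheme}://{parts.netloc}{parts.path}?"
            f"{_canonical_query(params)}&Signature={_enc(sig)}")

def verify_request(signed_url, secret_key):
    """Server side: recompute the signature and compare in constant time."""
    parts, params, sent = _split(signed_url)
    if len(sent) != 1:
        return False
    expected = _signature(parts, params, secret_key)
    return hmac.compare_digest(sent[0].encode(), expected.encode())
```

Because the parameters are sorted before signing, the order in which the caller builds the query string does not affect the result, while changing any signed value after signing makes verification fail.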

3 Comments

  1. Tom says:

    Totally awesome! Thanks for posting this!!!

  2. Tim says:

    Thanks Tom, glad you found it useful.

  3. Thazleem says:

    Hi Tim,
    Thanks a lot for the post. Found it extremely useful.