a private key...is for your personal use only and you must maintain its secrecy and security.

Others have written about how the PAA license agreement bars its usage on mobile devices. But in fact, it bars it from any client-side software on any device. Or at least from software you want to distribute.

You can work around this by hosting a server to sign requests for your users, keeping your Private Key private. But anybody could use your service, pretending to be your client software if necessary. And you could wind up signing requests for half the Internet.

The signing requirement benefits nobody. It impedes developers, turning them off from creating applications to serve users and send customers Amazon's way. Amazon should acknowledge its mistake with this policy and reverse it.

Thanks to James Vasile for reading drafts of this.
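The signing-server workaround described above, sketched as an added example (not the author's or Amazon's code). It assumes the API's HMAC-SHA256 query-signing scheme; the endpoint, operation allowlist and quota are illustrative assumptions. The allowlist and per-client quota bound what the server will sign, but the client ID is self-asserted, so the server still cannot tell your software from an impersonator.

```python
import base64, hashlib, hmac, time
from collections import defaultdict
from urllib.parse import quote

# Assumed values for illustration; none of these come from the post.
HOST, PATH = "webservices.amazon.com", "/onca/xml"
ALLOWED_OPERATIONS = {"ItemSearch", "ItemLookup"}   # hypothetical policy
RESERVED = {"AWSAccessKeyId", "Timestamp", "Signature"}
MAX_PER_MINUTE = 30                                 # hypothetical quota

def _enc(value):
    # RFC 3986 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-_.~")

def sign_query(params, access_key, secret_key, timestamp):
    """Build the signed query string; secret_key stays on the server."""
    full = dict(params, AWSAccessKeyId=access_key, Timestamp=timestamp)
    canonical = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(full.items()))
    to_sign = f"GET\n{HOST}\n{PATH}\n{canonical}"
    mac = hmac.new(secret_key.encode(), to_sign.encode(), hashlib.sha256)
    signature = base64.b64encode(mac.digest()).decode()
    return f"{canonical}&Signature={_enc(signature)}"

class SigningService:
    """Signs requests for clients that never see the secret key."""

    def __init__(self, access_key, secret_key, clock=time.time):
        self._keys = (access_key, secret_key)
        self._clock = clock
        self._recent = defaultdict(list)   # client id -> recent request times

    def handle(self, client_id, params):
        if params.get("Operation") not in ALLOWED_OPERATIONS:
            raise PermissionError("operation not on the allowlist")
        if params.keys() & RESERVED:
            raise PermissionError("client may not set signing parameters")
        now = self._clock()
        window = [t for t in self._recent[client_id] if now - t < 60]
        if len(window) >= MAX_PER_MINUTE:
            raise PermissionError("per-client quota exceeded")
        self._recent[client_id] = window + [now]
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
        return sign_query(params, *self._keys, stamp)
```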
Monday, October 12, 2009
The Secret About Amazon's API it Doesn't Want Distributed
Amazon's Product Advertising API (PAA) lets you search pretty much everything they offer. But on August 15 they started requiring that all requests to the API be signed with the developer's Private Key. Any client-side software using the PAA directly, including website scripts, Firefox extensions, and desktop applications, would have to distribute their Private Key to all their users to sign the requests. But as you would expect, the license agreement for the API states