Changes to Amazon API

From a bulk email I received from Amazon. Note well, if you use the Amazon products API, you may need to change your code in the next few months to have it keep working.

And in a fairly annoying way: every request must be cryptographically signed. “Calculate an RFC 2104-compliant HMAC with the SHA256 hash algorithm using the string above… For more information about this step, see documentation and code samples for your programming language.”

I’m not even sure what that means? It’s a pain. (Although fortunately there seems to be an existing ruby gem to do it). Amazon is apparently trying to lock down access to their API much more, and is fine making it significantly harder to use in the process (they’re probably right that most of us will jump through the hoops). Also, it looks like registration for an API key may require a credit card, which makes things trickier for folks like us — I’m not putting my personal credit card number in a library account, to find a giant bill for services ten years after I leave my employer!

Through our Associates Program, we pay out hundreds of millions of dollars per year to websites that advertise our products. Effective immediately, we are renaming the Amazon Associates Web Service as the “Product Advertising API.” This new name more accurately reflects the purpose of the API, which is to enable developers to advertise products offered on the Amazon sites and thereby receive advertising fees from us.

In addition to the new name, signatures will be necessary to authenticate each call to the Product Advertising API. This requirement will be phased in starting May 11, 2009, and by August 15, 2009, all calls to the Product Advertising API must be authenticated or they will not be processed. For pointers on how you can easily authenticate requests to the Product Advertising API, please refer to the developer guide, available here.

Finally, the terms and conditions governing your use of the service have been migrated to a separate Product Advertising API License Agreement, available here.

Except for the requirement that all requests be authenticated, the terms are substantially the same. If you obtain content through a data feed, your access to that data feed and use of that content will also be subject to the Product Advertising API License Agreement. By using the Product Advertising API or data feed, or content obtained through them, you are agreeing to the terms and conditions of the Product Advertising API License Agreement, and all uses of the API, data feed, or content must comply with that agreement.

The API agreement makes it more clear that Amazon evaluates ‘applications’ to use the API, and that:

Unsuitable applications include those that:

(a) do not have as their principal purpose advertising and marketing the Amazon Site and driving sales of products and services on the Amazon Site;

Note that the old agreement made that same “principal purpose” requirement. Hopefully they don’t plan on taking it any more seriously than they did before.
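The "RFC 2104-compliant HMAC with the SHA256 hash algorithm" step quoted above, as an added example (not code from this post, from Amazon, or from the Ruby gem mentioned). It assumes the AWS Signature Version 2 string layout (verb, host, path, byte-sorted percent-encoded parameters) and the parameter names `AWSAccessKeyId`, `Timestamp` and `Signature`, none of which appear on this page; the host, path, access key id and request parameters are constructed placeholders, and only the dummy secret `1234567890` is taken from the comments below.

```ruby
require 'openssl'

# RFC 3986 percent-encoding: every byte except A-Z a-z 0-9 - _ . ~ is escaped.
def rfc3986_escape(value)
  value.to_s.b.gsub(/[^A-Za-z0-9\-_.~]/n) { |byte| format('%%%02X', byte.ord) }
end

# RFC 2104 HMAC with SHA-256; returns the raw 32-byte tag.
def hmac_sha256(key, data)
  OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, data)
end

# Canonical string: verb, host, path, then parameters sorted by byte order.
def string_to_sign(host, path, params)
  query = params.map { |k, v| [k.to_s, v.to_s] }.sort
                .map { |k, v| "#{rfc3986_escape(k)}=#{rfc3986_escape(v)}" }
                .join('&')
  ['GET', host.downcase, path, query].join("\n")
end

# Base64 of the tag with no line breaks ('m0' is strict Base64).
def signature(secret, host, path, params)
  [hmac_sha256(secret, string_to_sign(host, path, params))].pack('m0')
end

# Query string to send: the signature itself is percent-encoded ('+', '/', '=').
def signed_query(secret, host, path, params)
  all = params.merge('Signature' => signature(secret, host, path, params))
  all.map { |k, v| "#{rfc3986_escape(k)}=#{rfc3986_escape(v)}" }.join('&')
end

# Receiving side: recompute the tag and compare without stopping at the first mismatch.
def valid_signature?(secret, host, path, params, presented)
  expected = signature(secret, host, path, params)
  return false unless expected.bytesize == presented.bytesize
  expected.bytes.zip(presented.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

SECRET = '1234567890'        # the "dummy" Secret Access Key quoted on this page
HOST   = 'api.example.com'   # placeholder host (assumption)
PATH   = '/onca/xml'         # placeholder path (assumption)
PARAMS = {                   # constructed sample request
  'Operation'      => 'ItemLookup',
  'ItemId'         => '0679722769',
  'ResponseGroup'  => 'ItemAttributes,Offers',
  'AWSAccessKeyId' => 'AKIDEXAMPLE',
  'Timestamp'      => '2009-01-01T12:00:00Z'
}.freeze
```

Because the timestamp is part of the signed string, changing any parameter or replaying with an altered time invalidates the signature; the secret key itself never travels with the request.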


4 thoughts on “Changes to Amazon API”

  1. Hello,
    I’m a French teacher who has made a free app for managing a school library; I did that under FileMaker Pro and implemented the possibility for the users to get all the data for a book by typing or scanning only the EAN.
    What a deception this week to learn that we have to sign all requests! The biggest problem for me is how to “Calculate an RFC 2104-compliant HMAC with the SHA256 hash algorithm using the string above with our “dummy” Secret Access Key: 1234567890”
    If somebody could help me I would be very happy!

  2. Hi there all
    I have been endlessly looking for information on how to sign my Amazon Product Advertising service requests in .NET C# – why does Amazon leave us all out in the cold??? When it’s them who get money from our web users?

    Does anyone have any advice for signing the requests or have sample code [please, not from Amazon!!! as their explanations are very unclear]

