Resources for Developers Using Amazon's Product Advertising API
· Home  
· Search  
· Browse Nodes  
· Data Feed?  
· FAQs  
· One-Second Rule  
· PHP Examples  
· Tips for Associates  
· Tools  
· Understanding A2S  

Create a custom Amazon Associate Store in minutes with

Disappointed by and the Associates program?

Please consider

Shareasale manages affiliate programs for thousands of merchants. The site makes it easier to apply to programs and create links. And simple-to-use datafeeds are offered by most merchants.

REST Authentication for PHP4

Amazon has announced that, starting in August of 2009, A2S (now renamed "Product Advertising API") queries will require authentication. This will require you to change any code which accesses the web services. The following PHP code should help. While most examples of how to do authentication require PHP version 5 or later, the code below works with PHP version 4.3 or higher.

The code requires a library called which you can download from

The getRequest method is designed to make it easy to convert your exisiting PHP code to create authenticated queries. It takes four arguments.

The first argument is your AWS Secret Key ID. To find your secret key, visit Create an account if you don't have one or log in. Click "Your Account" and select "Access Identifiers." Scroll down and click the "+" show button to see your ID.

The second argument is the URL of the request. This is the URL you have been using to make queries to the web services.

The third argument is optional. It is your AWS Access Key ID. You do not need to supply this argument (or you can set the argument to "") if the URL you pass into the second argument contains your AWS Access Key ID. The URL you were using might specify an old "Subscription ID" which worked with older versions of the web services, but will not work with authentication. If you set the third argument to your AWS Access Key ID then it will replace the ID used in the request.

The fourth argument is optional. It is the date of the version of the web services to use. If not specified, it defaults to 2009-03-01.

The function returns a new version of the request URL with the proper signature added.

Usage Example:

// existing code
$URL = ""
. "&AWSAccessKeyId=youraccesskeyid&AssociateTag=yourtag"
. "&Operation=BrowseNodeLookup&BrowseNodeId=1084128"
. "&ResponseGroup=Request,BrowseNodeInfo";
// new code
$secretKey = "YourSecretKey";
$accessKey = "Your AWS Access Key ID";
$URL = getRequest($secretKey, $URL, $accessKey, "2009-03-01");
// existing code

Source Code:



if (!function_exists('hmac'))
   function hmac($key, $data, $hashfunc='sha256') 
     if (strlen($key) > $blocksize) $key=pack('H*', $hashfunc($key));
     $key=str_pad($key, $blocksize, chr(0x00));
     $ipad=str_repeat(chr(0x36), $blocksize);
     $opad=str_repeat(chr(0x5c), $blocksize);
     $hmac = pack('H*', $hashfunc(($key^$opad) . pack('H*', $hashfunc(($key^$ipad) . $data))));
     return $hmac;

function getRequest($secretKey, $request, $accessKeyID="", $version="2009-03-01")
   // Get host and url
   $url = parse_url($request);

   // Get Parameters of request
   $request = $url['query'];
   $parameters = array();
   parse_str($request, $parameters);
   $parameters["Timestamp"] = gmdate("Y-m-d\TH:i:s\Z"); 
   $parameters["Version"] = $version;
   if ($accessKeyID != '') $parameters["AWSAccessKeyId"] = $accessKeyID;

   // Sort paramters
   // re-build the request 
   $request = array(); 
    foreach ($parameters as $parameter=>$value) 
      $parameter = str_replace("_", ".", $parameter); 
      $parameter = str_replace("%7E", "~", rawurlencode($parameter)); 
      $value = str_replace("%7E", "~", rawurlencode($value)); 
      $request[] = $parameter . "=" . $value; 
   $request = implode("&", $request);

   $signatureString = "GET" . chr(10) . $url['host'] . chr(10) . $url['path'] . chr(10) . $request;
   $signature = urlencode(base64_encode(hmac($secretKey, $signatureString)));   
   $request = "http://" . $url[host] . $url['path'] . "?" . $request . "&Signature=" . $signature; 

   return $request;


Copyright © 2020 by Roger Smith