Joseph Smarr » Using Netflix’s New API: A step-by-step guide

October 2008


Using Netflix’s New API: A step-by-step guide

As a longtime avid Netflix fan, I was excited to see that they finally released an official API today. As an avid fan of the Open Web, I was even more excited to see that this API gives users full access to their ratings, reviews, and queue, and it does so using a familiar REST interface, with output available in XML, JSON, and ATOM. It even uses OAuth to grant access to protected user data, meaning you can pick up an existing OAuth library and dive in (well, almost, see below). Netflix has done a great job here, and deserves a lot of kudos!

Naturally, I couldn’t wait to get my hands on the API and try it out for real. After a bit of tinkering, I’ve now got it working so it gives me my own list of ratings, reviews, and recently returned movies, including as an ATOM feed that can be embedded as-is into a feed reader or aggregator. It was pretty straightforward, but I noticed a couple of non-standard things and gotchas along the way, so I thought it would be useful to share my findings. Hopefully this will help you get started with Netflix’s API even faster than I did!

So here’s how to get started with the Netflix API and end up with an ATOM feed of your recently returned movies:

  1. Sign up for mashery (which hosts Netflix’s API) at (you have to fill out some basic profile info and respond to an email round-trip)
  2. Register for an application key at (you say a bit about what your app does and it gives you a key and secret). When you submit the registration, it will give you a result like this:
    Netflix API: k5mds6sfn594x4drvtw96n37   Shared Secret: srKNVRubKX

    The first string is your OAuth Consumer Key and the second one is your OAuth Consumer Secret. I’ve changed the secret above so you don’t add weird movies to my account, but this gives you an idea of what it looks like. :)

  3. Get an OAuth request token. If you’re not ready to start writing code, you can use an OAuth test client like It’s not the most user-friendly UI, but it will get the job done. Use HMAC-SHA1 as your signature method, and use as the endpoint. Put your newly issued consumer key and secret in the spaces below, and click the “request_token” button. If it works, you’ll get a page with output like this:

    Your OAuth library should parse this for you, but if you’re playing along in the test client, you’ll have to pull out the OAuth Request Token (in this case, bpn8ycnma7hzuwec5dmt8f2j) and OAuth Request Secret (DArhPYzsUCtt). Note it also tells you the application_name you registered (in this case, JosephSmarrTestApp), which you’ll need for the next step (this is not a standard part of OAuth, and not sure why they require you to pass it along). They also give you a login_url, which is also non-standard, and doesn’t actually work, since you need to append additional parameters to it.

  4. Ask the user to authorize your request token. Here the OAuth test client will fail you because Netflix requires you to append additional query parameters to the login URL, and the test client isn’t smart about merging query parameters on the endpoint URL with the OAuth parameters it adds. The base login URL is and as usual you have to append your Request Token as oauth_token=bpn8ycnma7hzuwec5dmt8f2j and provide an optional callback URL to redirect the user to upon success. But it also makes you append your OAuth Consumer Key and application name, so the final URL you need to redirect your user to looks like this:

    This is not standard behavior, and it will probably cause unnecessary friction for developers, but now you know. BTW if you’re getting HTTP 400 errors on this step, try curl-ing the URL on the command line, and it will provide a descriptive error message that may not show up in your web browser. For instance, if you leave out the application name, e.g.

    curl ‘′

    You’ll get the following XML response (I’ve replaced the angle brackets with [] because wordpress keeps eating my escaped tags, grr):

      [message]application_name is missing[/message]

    If your login URL is successfully constructed, it will take the user to an authorization page that looks like this:
    Netflix OAuth authorization page

    If the user approves, they’ll be redirected back to your oauth_callback URL (if supplied), and your request token has now been authorized.

  5. Exchange your authorized request token for an access token. You can use the OAuth test client again for this, and it’s basically just like getting the request token, except the endpoint is and you need to fill out both your consumer token and secret as well as your request token and secret. Then click the access_token button, and you should get a page with output like this:

    (Once again I’ve altered my secret to protect the innocent.) In addition to providing an OAuth Access Token and OAuth Access Secret (via the oauth_token and oauth_token_secret parameters, respectively), you are also given the user_id for the authorized user, which you need to use when constructing the full URL for REST API calls. This is non-standard for OAuth, and you may need to modify your OAuth library to return this additional parameter, but that’s where you get it. (It would be nice if you could use an implicit userID in API URLs like @me, and it could be interpreted as “the user that granted this access token”, so you could skip this step of having to extract and use an explicit userID; that’s how Portable Contacts and OpenSocial get around this problem. Feature request, anyone?)

  6. Use your access token to fetch the user’s list of protected feeds. Having now successfully gone through the OAuth dance, you’re now ready to make your first protected API call! You can browse the list of available API calls at and in each case, the URL starts out as and you append the path, substituting the user_id value you got back with your access token wherever the path calls for userID. So for instance, to get the list of protected ATOM feeds for the user, the REST URL is, or in this case

    Here’s where the OAuth test client is a bit confusing: you need to put that feeds URL as the endpoint, fill out the consumer key and secret as normal, and fill out your *access* token and secret under the “request token / secret” fields, then click the “access_token” button to submit the OAuth-signed API request. If it works, you’ll get an XML response with a bunch of links to different protected feeds available for this user. Here’s an example of the response, showing just a couple of the returned links, and again with angle brackets replaced with square brackets to appease my lame wordpress editor:

    Each link contains an href attribute pointing to the actual feed URL, as well as a rel attribute describing the type of data available for that link, and a human-readable title attribute. In our case, we want the “Titles Returned Recently” feed, which is available at–&oauth_consumer_key=k5mds6sfn594x4drvtw96n37&output=atom (note the XML escapes &s in URLs as XML entities, so you have to un-escape them to get the actual URL). As you can see, this feed URL looks like a normal API request, including my userID on the path, but with an extra feed_token parameter, which is different for each available user feed. This way, the ATOM feed can be fetched without having to do any OAuth signing, so you can drop it in your feed reader or aggregator of choice and it should just work. And giving access to one feed won’t let anyone access your other feeds, since they’re each protected with their own feed_token values.

  7. Fetch the feed of recently returned movies. Now you can just fetch the feed URL you found in the previous step (in my case,–&oauth_consumer_key=k5mds6sfn594x4drvtw96n37&output=atom), and you’ll get nicely formatted “blog posts” back for each movie the user recently returned. Here’s a sample of how the formatted ATOM entries look:
    Netflix rental returns as a feed
    Of course, if you want to format the results differently, you can make a REST API call for the same data, e.g. OAuth-sign it like you did in step 6, and you’ll get all the meta-data for each movie returned as XML, including various sizes of movie poster image.
  8. Profit! Now you’ve got a way to let your users provide access to their Netflix data, which you can use in a variety of ways to enhance your site. If this is the first time you’ve used OAuth, it might have seemed a little complex, but the good news is it’s the same process for all other OAuth-protected APIs you may want to use in the future.

I hope you found this helpful. If anything is confusing, or if I made any mistakes in my write-up, please leave a comment so I can make it better. Otherwise, let me know when you’ve got your Netflix integration up and running!
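
The signing and URL-building parts of the walkthrough above, as an added Python example (not code from the original post or from Netflix). It shows query parameters on the endpoint being merged into the signature base string and the login URL, and the non-standard `user_id` being read from the token response. Host names and the `/users/<id>/feeds` path are placeholders, the token values are constructed, and the signing test vector is the one from Appendix A of the OAuth Core 1.0 specification.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit


def pct(value):
    """OAuth 1.0 percent-encoding: escape everything except unreserved characters."""
    return quote(str(value), safe="-._~")


def base_string(method, url, oauth_params):
    """Signature base string; query parameters already on the URL are merged in."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True) + list(oauth_params.items())
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    bare = urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))
    return "&".join([method.upper(), pct(bare), pct(normalized)])


def sign(method, url, oauth_params, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature keyed with '<consumer secret>&<token secret>'."""
    # Whitespace pasted along with a key or secret is a common cause of
    # "Invalid Signature", so it is stripped before building the HMAC key.
    key = f"{pct(consumer_secret.strip())}&{pct(token_secret.strip())}"
    mac = hmac.new(key.encode(), base_string(method, url, oauth_params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def login_url(base, request_token, consumer_key, application_name, callback=None):
    """Step 4 URL: merge the extra parameters into any query already on `base`."""
    parts = urlsplit(base)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [("oauth_token", request_token),
              ("oauth_consumer_key", consumer_key.strip()),
              ("application_name", application_name)]
    if callback:
        query.append(("oauth_callback", callback))
    return urlunsplit(parts._replace(query=urlencode(query, quote_via=quote)))


def parse_token_response(body):
    """Parse a form-encoded token response, keeping extras such as user_id."""
    fields = dict(parse_qsl(body.strip(), keep_blank_values=True))
    if "oauth_token" not in fields or "oauth_token_secret" not in fields:
        # Report field names only; the values may be secrets.
        raise ValueError("not a token response, fields: " + ", ".join(sorted(fields)))
    return fields


# Test vector from Appendix A of the OAuth Core 1.0 specification (not Netflix data).
SPEC_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
SPEC_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0",
}

if __name__ == "__main__":
    print(sign("GET", SPEC_URL, SPEC_PARAMS, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"))
    # Constructed access-token response; placeholder host and assumed path.
    token = parse_token_response("oauth_token=AT&user_id=U1&oauth_token_secret=ATS")
    print("http://api.example.invalid/users/%s/feeds" % token["user_id"])
    print(login_url("https://login.example.invalid/oauth/login", "RT", "CK", "ExampleApp"))
```
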


    Excellent – i need to do this with a service for a customer so was nice to see this detail on oAuth + REST.

  • Paul

    Great post Joseph.

    I have no doubt we can reconcile the non-standard elements that NetFlix has used with proper reach out and I look forward to working with you to do just that. :-)

    Btw, on the MySpace Dev Platform, we actually have a great NetFlix app developed by a very talented engineer that everyone should check out:

    I love their support for multiple response formats as well as their use of RESTful URIs. You and I probably have a disagreement on the usefulness of XRDS (we can't keep up with every API, RESTful APIs should be discoverable on their own).

    We can't argue on the fact that this is a positive development. I congratulate NetFlix and look forward to talking with their engineers! Great job guys! Thank you for forwarding the industry. :-).

  • hereinthehive

    That's a great help Joseph! I'm starting to work with a load of oAuth systems and RESTful APIs, so it's great to have something like this to explain it clearly ;)

  • Ken Kennedy

    Thanks a lot, Joseph! This is really well laid-out. Very helpful!

  • Trevor

    This is great for getting user data! I am stuck though when it comes to just querying the movie titles in the catalog. Can you show an example for getting back titles from the catalog?

  • Chris

    I just started playing with the NetFlix API myself, Thanks for the great write up.

  • nilashis

    I go through your tutorial from step 1 to first half of step 3 to request token with the consumer key and secret i just received from netflix.
    On clicking “request_token” button at “”, I get a page with the error message “Invalid Signature.”

  • Arun Nagarajan

    Good article. This was helpful for us.

    If you are interested in a mobile version of the Netflix API, vote up @…. We are having a little contest to determine which internally configured we want to release and support to the public.

    We built the app for an internal contest using the Netflix API and are hoping we can release it publicly given enough interest. We would support BlackBerry and Windows Mobile to start off with iPhone and Android support to follow.


    OK – I have read through it again and tried out a few of the things mentioned.

    My only irritation in the excellent efforts Netflix have done are around the anomalies you can see in the API workflow.

    I'm sure they have some good reasons for diverting from the “standard” process and perhaps some view to these may be useful.

    In addition it may suggest some extension points are needed that could be added to oAuth so that rather than hacking these things we could simply add some optional extensions (which are generic such as “dynamic parameter” rather than “userid”) and can be plugged into any oAuth library.

    The fact this can even be done is excellent but in using it it would be nice to just have a graphical pipeline for every site that shows where they may have used some of the optional filters during the oAuth process.

  • flixo

    I was in the same boat. I ended up finding this through a resource site though:

  • Rich Knox

    I'm seeing this behavior as well. Anyone have a solution?

  • kyle

    I'm also running into problems at this point… I've done everything as explained, but when I try to request a token I get an invalid signature as a response… anybody know what's going on? I have both keys from netflix and am registered.

  • Filmjamr

    Great post,
    I am also trying to use the API but am having issues with API at the OAuth level only.
    It returns “invalid signature”.
    Can anyone share some code that gets back a request successfully and read it??
    I can't even get the user ID because initial OAuth is failing.

    Here is my C# code that is using OAuth class posted on

    string str1 = "";
    string str = "";
    string consumerKey = ",my key";
    string consumerSecret = "My secret key";
    Uri uri = new Uri("");

    OAuthBase oAuth = new OAuthBase();
    string nonce = oAuth.GenerateNonce();
    string timeStamp = oAuth.GenerateTimeStamp();
    string sig = oAuth.GenerateSignature(uri,
    consumerKey, consumerSecret,
    string.Empty, string.Empty,
    "GET", timeStamp, nonce,
    OAuthBase.SignatureTypes.HMACSHA1, out str, out str);

    sig = HttpUtility.UrlEncode(sig);
    string strsig = "HMAC-SHA1";
    string strver = "1.0";
    StringBuilder sb = new StringBuilder("GET&");
    sb.AppendFormat("?oauth_consumer_key={0}&", consumerKey);
    sb.AppendFormat("oauth_nonce={0}&", nonce);
    sb.AppendFormat("oauth_timestamp={0}&", timeStamp);
    sb.AppendFormat("oauth_signature_method={0}&", strsig);
    sb.AppendFormat("oauth_version={0}&", strver);
    sb.AppendFormat("oauth_signature={0}", sig);

  • pawan

    Hi Joseph,
    Great post buddy, but wherever I have seen in the forums the main thing about request token is missing. What if I want to get this request token link generated from my code, what do I have to do? Because I have done all the trials I got but still flixo is doing without generating request token.

    any help
    best regards

  • pawan

    Hi Joseph, you there? I'm unable to get the userid after getting the access token, what do I have to do? I have used Shatterd Arm library to use the Netflix API but unable to get the userid because I don't know how to pass the access token now. You have any idea? Any help


  • Ryan Kennedy

    I can't believe they actually link to this post, which points out how broken their implementation is, and they still haven't fixed it. The requirement to pass application_name and oauth_consumer_key in the authorization URL is just awful. If you don't code to the spec, you can't expect general OAuth tools to help you out.

    What's more, unless you stumble upon this blog post or happen to read their Authentication Overview (which I skipped because I already knew how OAuth works) you'll never understand the cryptic “application_name is missing” error message which gets returned as XML to the end user. To begin with, that error doesn't tell me anything. I'm using OAuth, I have no idea what application_name is. To top it off, their end user facing page is spitting back XML! You can send XML to applications, not to users.

    Amateur hour, I tell you.


  • denisejohnson

    I want to unsubscribe to JosephSmarrTestApp

  • djohnsonkc

    Make sure that there are no leading or trailing spaces in your app key or secret. This fixed the problem for me!

  • venkata


    I am trying to develop an application which will contact Google using OAuth.

    but i am getting this error message


    I have registered with Google and got consumer key and secret also, and the domain status is Active.

    Well, my code is able to get the request token from Twitter but fails with Google. Any idea?

    please help me.

    kind regards,

  • jordan314

    Hi Joseph,
    Thanks for this guide. I'm stuck on the “access token” step. Here is my PHP code:
    $test_consumer = new OAuthConsumer($netflix_api_key, $netflix_api_secret, NULL);
    $hmac_method = new OAuthSignatureMethod_HMAC_SHA1();
    First request token:
    try {
        $req_req = OAuthRequest::from_consumer_and_token($test_consumer, NULL, 'GET', '');
        $req_req->sign_request($hmac_method, $test_consumer, 1);
    } catch (Exception $e) {
        die("Error: Could not create oauth request with netflix. Message: " . $e->getMessage());
    }
    I curl req req and store the response oauth_token, oauth_token_secret, application_name, and login_url into a “authvars” Array, and then store oauth_token and oauth_token_secret into a cookie: (I'm using codeigniter):
    $this->session->set_userdata('requestsecret', $authvars['oauth_token_secret']);
    $this->session->set_userdata('requestkey', $authvars['oauth_token']);
    Then I redirect the user to login, which works fine.
    When they come back, then I make the access_token call:
    try {
        $req_token = new OAuthConsumer($this->session->userdata('requestkey'), $this->session->userdata('requestsecret'), NULL);
        $acc_req = OAuthRequest::from_consumer_and_token($test_consumer, $req_token, "GET", "");
        $acc_req->sign_request($hmac_method, $test_consumer, $req_token);
    } catch (Exception $e) {
        die("Error: Could not create authorized request with netflix. Message: " . $e->getMessage());
    }

    But I still get invalid signature. Here is my access_token request, with the strings modified:

    When I try netflix's authorization walkthrough it works, but their signature is different than mine. How can I fix my signature?


  • Rkroeger

    Hi Joseph, I am trying to download the catalog/index in order to populate our database mappings. I am not successful. Can you please provide example of how this has been done? I am using .NET and the standard HttpWebRequest/WebResponse objects on a method=”Get”. This works for downloading other files over http.

  • Sabariraj


    ‘m unable to get to work.

    (some values changed)

    But when I use curl to fetch the results using a GET, I get “Missing Required Consumer Key” and “invalid or Expired token”
    what i have to do please help me

  • Sabariraj

    Fault Name: ServiceOperationIdentificationFailure
    Error Type: Default
    Description: Service Operation Identification Failure
    Service: NetflixTokenService
    Endpoint: NetflixTokenService_client
    Operation (Client):

  • Anonymous

    Hi Joseph, I am trying to get access token, this error occurred.
    Fault Name: ServiceOperationIdentificationFailure
    Error Type: Default
    Description: Service Operation Identification Failure
    Service: NetflixTokenService
    Endpoint: NetflixTokenService_client
    Operation (Client):

    how can i solve it


  • Sergey Sergeev

    When I try netflix’s authorization walkthrough it works, but their signature is different than mine. How can I fix my signature?


  • al

    It's a 3 years ago post and I’m looking for another resource. It seems the URL provided does not work. But at least I got a general overview on how to start coding with PHP to access the Netflix API.

  • laxminarayana challagonda

    hi i am new to android when i am making the non-authenticated request through program i am getting 
    following result{-join|&|term}

    if i execute the same url in the browser i am getting{-join|&|term}

    …..and my simple code is
    HttpClient client=new DefaultHttpClient();
    String urlstring="";
    Log.i("..urlstring…",""+urlstring);
    HttpGet get=new HttpGet(urlstring);
    HttpResponse response=client.execute(get);
    // HttpResponse response=client.execute(post);
    String resp;
    int respcode = response.getStatusLine().getStatusCode();
    Log.i("…….response code……",""+respcode);
    if(respcode==200){
        HttpEntity entity=response.getEntity();
        resp=EntityUtils.toString(entity);
        Log.i("…Response From String is ….",""+resp);
    }
    any thing wrong with my URL and Request
    and url is”

    Urgent Help Please..

  • laxminarayana challagonda

    finally i solved it by loss of few hairs the thing is only we need to append one more parameter to url is country=us 


  • Jo

    Netflix cancelled their API program? Why??? Guess they don't want the business?