Authentication overview

Czech Television (Česká televize) employs a structured authentication framework to secure access to its public and partner APIs. This framework ensures that only authorized applications and users can interact with its digital services, including content metadata, scheduling information, and platform integrations. The primary goal is to protect sensitive data, prevent unauthorized access to content streams, and maintain the integrity of its digital infrastructure.

The authentication process typically involves verifying the identity of the requesting application or user before granting access to specific API resources. This is achieved through the use of credentials, such as API keys or OAuth 2.0 tokens, which serve as proof of identity and authorization. Adherence to these authentication protocols is mandatory for all integrations with Czech Television APIs, providing a necessary layer of security for both developers and end-users.

Developers are encouraged to review the specific API documentation for each service they intend to integrate, as authentication requirements may vary slightly depending on the sensitivity and nature of the data being accessed. For instance, read-only access to program schedules might only require an API key, while accessing user-specific preferences or initiating transactional operations would necessitate the more robust OAuth 2.0 flow.

Supported authentication methods

Czech Television APIs support two main authentication methods designed to cater to different integration needs and security requirements:

  1. API Key Authentication: This method involves generating a unique alphanumeric string (API key) that developers include in their API requests. API keys are suitable for public data access and applications where the end-user's identity is not directly relevant to the API interaction. They provide a simple and direct way to identify the calling application.
  2. OAuth 2.0: An industry-standard protocol for authorization, OAuth 2.0 allows third-party applications to obtain limited access to an HTTP service, either on behalf of a resource owner (e.g., an end-user) or by allowing the application to obtain access on its own behalf. This method is used when applications need to access user-specific data or perform actions requiring user consent. OAuth 2.0 provides a token-based authentication mechanism, enhancing security through short-lived access tokens and refresh tokens. For a comprehensive understanding of the OAuth 2.0 flow, developers can refer to the official OAuth 2.0 specification details.

The choice between API keys and OAuth 2.0 depends on the specific use case and the level of access required. The following table provides a comparison to help developers select the appropriate method:

Method When to Use Security Level
API Key Accessing public data (e.g., program schedules, general content metadata) where user identity is not required. Simple server-to-server integrations. Moderate (relies on key secrecy, suitable for read-only public data)
OAuth 2.0 Accessing user-specific data (e.g., watch history, personalized recommendations), performing actions on behalf of a user, or when high security and granular permissions are required. High (token-based, scope-restricted, user consent required)

For integrations that require accessing user data or performing authenticated actions, Czech Television specifically recommends the use of OAuth 2.0 utilizing standard flows such as Authorization Code Grant for web applications or Proof Key for Code Exchange (PKCE) for mobile/single-page applications. This provides better protection against various attack vectors compared to simpler flows.

Getting your credentials

To begin integrating with Czech Television APIs, developers must obtain the necessary authentication credentials. The process for acquiring these credentials varies based on the chosen authentication method:

For API Keys:

  1. Developer Portal Registration: Register an account on the Czech Television Developer Portal. This typically involves providing basic contact information and agreeing to the terms of service.
  2. Application Registration: Once registered, create a new application within the portal. During this step, you will often specify the intended use of the API and provide a brief description of your application.
  3. API Key Generation: Upon successful application registration, the Developer Portal will generate a unique API key for your application. This key should be treated as sensitive information.
  4. Activation: Some API keys may require activation by an administrator or confirmation via email before they become fully functional.

For OAuth 2.0 Credentials:

The process for obtaining OAuth 2.0 credentials, specifically a Client ID and Client Secret, is similar:

  1. Developer Portal Registration: As with API keys, start by registering on the Czech Television Developer Portal.
  2. Application Registration: Register a new application. For OAuth 2.0, you will need to provide additional details, most critically the Redirect URI(s). These are the URLs to which the user will be redirected after authorizing your application, and they must be pre-registered for security purposes.
  3. Client ID and Client Secret Generation: After registering your application and providing the necessary redirect URIs, the portal will issue a unique Client ID and Client Secret. The Client ID is publicly exposed, but the Client Secret must be kept confidential and never embedded directly in client-side code.
  4. Scope Definition: When configuring your application, you will also typically define the specific API scopes your application requires (e.g., read:program_guide, write:user_preferences). These scopes determine the permissions granted to your application after user authorization. Understanding and requesting only the necessary scopes is a critical security best practice, as detailed in the Google Identity OAuth 2.0 scopes documentation.

Always refer to the official Czech Television developer documentation for the most accurate and up-to-date instructions on credential acquisition, as specific steps and portal interfaces may evolve over time.

Authenticated request example

Here are examples demonstrating how to make authenticated requests using both API keys and OAuth 2.0. These examples assume you have already obtained your credentials.

API Key Example (GET request for program schedules):

Assuming your API key is YOUR_API_KEY_HERE and the endpoint is /api/v1/schedules, you would typically include the API key in the request header or as a query parameter, as specified by the Czech Television API documentation.

Using an HTTP Header:

curl -X GET \
  'https://api.ceskatelevize.cz/api/v1/schedules' \
  -H 'X-API-Key: YOUR_API_KEY_HERE'

Using a Query Parameter:

curl -X GET \
  'https://api.ceskatelevize.cz/api/v1/schedules?apiKey=YOUR_API_KEY_HERE'

OAuth 2.0 Example (Accessing user-specific watch history):

This example demonstrates making an authenticated request using an OAuth 2.0 access token. The process assumes you have already completed the OAuth 2.0 authorization flow and obtained a valid access_token.

First, obtain an access token. This involves redirecting the user to Czech Television's authorization server, where they grant permission to your application. Upon successful authorization, the user is redirected back to your pre-registered Redirect URI with an authorization code. Your application then exchanges this code for an access token and optionally a refresh token.

Example of exchanging authorization code for tokens (server-side):

curl -X POST \
  'https://auth.ceskatelevize.cz/oauth/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=authorization_code&code=YOUR_AUTHORIZATION_CODE&redirect_uri=YOUR_REDIRECT_URI&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET'

The response will contain the access_token (and potentially a refresh_token and expires_in). Once you have the access_token (e.g., YOUR_ACCESS_TOKEN_HERE), you include it in the Authorization header for subsequent API calls:

Using the Access Token in an API Request:

curl -X GET \
  'https://api.ceskatelevize.cz/api/v1/users/me/watch_history' \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN_HERE'

Always ensure your server-side code handles token expiration and uses refresh tokens to obtain new access tokens without requiring the user to re-authorize, thereby maintaining a seamless user experience while adhering to security best practices.

Security best practices

Implementing strong authentication is only one part of securing your integration with Czech Television APIs. Adhering to the following security best practices is crucial for protecting your application, user data, and the integrity of the services:

  1. Protect your Credentials:
    • API Keys: Never hardcode API keys directly into your client-side code or public repositories. Store them securely in environment variables, a secrets manager, or a server-side configuration file.
    • Client Secrets: Client Secrets for OAuth 2.0 must be kept strictly confidential. They should only be used on your secure backend server and never exposed to the client-side (browser or mobile app).
    • Regular Rotation: Periodically rotate your API keys and OAuth Client Secrets, especially if there's any suspicion of compromise.
  2. Use HTTPS/TLS Everywhere: All communication with Czech Television APIs, including authentication requests and subsequent API calls, must occur over HTTPS (TLS). This encrypts data in transit, preventing eavesdropping and man-in-the-middle attacks. This is a fundamental web security principle, as highlighted by resources like the Mozilla Developer Network's secure contexts guide.
  3. Implement OAuth 2.0 Correctly:
    • Validate Redirect URIs: Always register and strictly validate Redirect URIs to prevent redirection attacks.
    • Use PKCE: For public clients (mobile apps, single-page applications), implement Proof Key for Code Exchange (PKCE) to mitigate authorization code interception attacks.
    • Secure Token Storage: Store access and refresh tokens securely. Access tokens should ideally be short-lived and stored in memory or secure, HTTP-only cookies. Refresh tokens should be stored encrypted in a secure database.
    • Scope Management: Request only the minimum necessary OAuth scopes. Over-privileging your application increases the potential impact of a security breach.
  4. Error Handling and Logging: Implement robust error handling for authentication failures. Avoid returning overly verbose error messages that could leak sensitive information. Log authentication attempts and failures for auditing and anomaly detection, but ensure logs do not contain sensitive credentials.
  5. Rate Limiting and Throttling: Be mindful of and respect any rate limits imposed by Czech Television APIs. Implement client-side rate limiting to prevent your application from being blocked or flagged as malicious.
  6. Input Validation: Always validate and sanitize any user-provided input before using it in API requests to prevent injection attacks and other vulnerabilities.
  7. Keep Dependencies Updated: Regularly update all libraries, frameworks, and SDKs used in your application to patch known security vulnerabilities.

By diligently following these best practices, developers can significantly enhance the security posture of their applications integrating with Czech Television APIs, protecting both their own systems and the data they handle.