Authentication overview
Watchmode's API provides access to a comprehensive database of streaming availability, movie, and TV show metadata. To interact with the API, developers must authenticate their requests. The primary method for authentication is through an API key, which serves as a unique identifier and authorization token for your application. This key is issued upon account creation and is tied to your Watchmode developer account, determining your access level and rate limits, including the free Developer Plan's 500 requests per day.
API keys are typically used to identify the calling application and track its usage, enabling Watchmode to enforce rate limits and manage access according to subscription tiers. For developers, understanding how to securely manage and use these keys is fundamental to building reliable and secure applications that integrate with Watchmode data.
Supported authentication methods
Watchmode primarily supports API key authentication. This method involves including a unique key in each request to the API, identifying the requester. While straightforward, proper handling of API keys is crucial to prevent unauthorized access and protect your allocated request quotas.
The following table outlines the supported authentication method, its typical use cases, and general security considerations:
| Method | When to Use | Security Level |
|---|---|---|
| API Key (Query Parameter) |
|
Moderate (requires secure storage and transmission) |
API keys are generally simpler to implement than more complex authentication flows like OAuth 2.0, but their simplicity also means they offer less granular control over permissions and can be vulnerable if not managed correctly. For instance, an exposed API key could allow an attacker to consume your request quota or access data, depending on the API's design. The Google Maps Platform API key security guide offers general advice on protecting API keys, which can be applied to Watchmode's API keys as well.
Getting your credentials
To obtain your Watchmode API key, you need to register for a developer account on the Watchmode website. The process typically involves:
- Sign Up: Navigate to the Watchmode API documentation page and locate the sign-up or get started section.
- Account Creation: Provide the necessary information to create your developer account. This usually includes an email address and password.
- API Key Generation: Once your account is active, log into your Watchmode developer dashboard. Your unique API key will typically be displayed or available for generation within a dedicated 'API Keys' or 'Settings' section.
- Key Management: The dashboard also provides options to regenerate your API key if it is compromised or if you need a new one for security reasons. It is advisable to regenerate keys periodically as part of a robust security posture.
Your API key is a sensitive credential and should be treated with the same care as a password. Avoid hardcoding it directly into your application's source code, especially for client-side applications or publicly accessible repositories. Instead, use environment variables or secure configuration management systems.
Authenticated request example
To make an authenticated request to the Watchmode API, you must include your API key as a query parameter named apiKey in the URL. Below are examples demonstrating how to make a simple request using common programming languages and tools.
cURL Example
This cURL example retrieves a list of titles, demonstrating how to include the API key:
curl "https://api.watchmode.com/v1/list-titles/?apiKey=YOUR_API_KEY&sort_by=popularity_desc&limit=10"
Replace YOUR_API_KEY with your actual Watchmode API key.
Python Example
Using the requests library in Python to fetch data:
import requests
import os
# It is recommended to store your API key in an environment variable
API_KEY = os.getenv("WATCHMODE_API_KEY")
if not API_KEY:
print("Error: WATCHMODE_API_KEY environment variable not set.")
exit()
url = "https://api.watchmode.com/v1/list-titles/"
params = {
"apiKey": API_KEY,
"sort_by": "popularity_desc",
"limit": 10
}
try:
response = requests.get(url, params=params)
response.raise_for_status() # Raise an exception for HTTP errors
data = response.json()
for title in data.get("titles", [])[:3]:
print(f"Title: {title.get('title')}, Watchmode ID: {title.get('id')}")
except requests.exceptions.RequestException as e:
print(f"An error occurred: {e}")
Node.js Example
An example using Node.js with the node-fetch library (or built-in fetch in newer Node.js versions):
const fetch = require('node-fetch'); // For older Node.js versions, or use built-in fetch
// Store your API key in an environment variable for security
const API_KEY = process.env.WATCHMODE_API_KEY;
if (!API_KEY) {
console.error('Error: WATCHMODE_API_KEY environment variable not set.');
process.exit(1);
}
async function getPopularTitles() {
const url = `https://api.watchmode.com/v1/list-titles/?apiKey=${API_KEY}&sort_by=popularity_desc&limit=10`;
try {
const response = await fetch(url);
if (!response.ok) {
throw new Error(`HTTP error! status: ${response.status}`);
}
const data = await response.json();
data.titles.slice(0, 3).forEach(title => {
console.log(`Title: ${title.title}, Watchmode ID: ${title.id}`);
});
} catch (error) {
console.error('Failed to fetch titles:', error);
}
}
getPopularTitles();
These examples illustrate how to correctly pass the API key in your requests. Always ensure your key is replaced with a valid one and handled securely.
Security best practices
Securing your Watchmode API key is critical to prevent unauthorized usage and protect your account's request quota. Adhering to security best practices minimizes the risk of credential exposure.
-
Never Expose API Keys in Client-Side Code: Directly embedding API keys in JavaScript for web browsers or mobile application binaries makes them publicly accessible. An attacker could extract the key and use it to make unauthorized requests against your quota. All API calls requiring authentication should be proxied through your own backend server, where the API key can be securely stored and managed.
-
Use Environment Variables: Store your API key as an environment variable on your server or in your deployment environment (e.g.,
.envfiles for local development, or cloud provider secret management services for production). This keeps the key out of your codebase and version control systems. For example, in a Linux/macOS environment, you might setexport WATCHMODE_API_KEY="your_key_here". -
Restrict API Key Usage (if applicable): While Watchmode's API keys are generally tied to your account for rate limiting, some APIs offer features to restrict API keys by IP address, HTTP referrer, or specific API methods. Always utilize such restrictions if the API provider supports them, to limit the impact of a compromised key. Review the Watchmode API documentation for any specific key restriction features.
-
Regularly Rotate API Keys: Periodically regenerate your API key from the Watchmode developer dashboard. This practice, known as key rotation, reduces the window of opportunity for a compromised key to be exploited. If you suspect a key has been exposed, regenerate it immediately.
-
Implement Server-Side Validation and Rate Limiting: Even with API key authentication, implementing your own server-side validation and rate limiting on requests to your backend can add an extra layer of protection. This can help mitigate abuse if an attacker manages to bypass other security measures.
-
Use HTTPS: Always ensure that all communication with the Watchmode API occurs over HTTPS. This encrypts the data in transit, protecting your API key and other sensitive information from interception during network transmission. Watchmode's API endpoints are served over HTTPS by default, but it's important to ensure your application enforces this.
-
Monitor Usage: Regularly monitor your API usage through your Watchmode dashboard. Unusual spikes in requests or activity can indicate a compromised key or an issue with your application, allowing you to react quickly.