Part of Amazon's success over the years was its Affiliate program that encouraged users to link to Amazon products and earn a small percentage from the sales in return. For many years Amazon also provided an API to let developers pull information from Amazon's catalog. Amazon's catalog is huge and they provide a plethora of data, from product names and categories over pictures and prizes to user reviews – all available to developers through the API. Naturally there are hundreds of applications and plugins making use of this data.
One of Amazon's requirement on using the API always was that all shown products had to link back to the product page at Amazon. Of course this link could be tied to a Affiliate ID as well. Many of the mentioned apps come with the Affiliate ID of their creator preinstalled and provide a steady income stream.
So the current API is well established, is sending millions of customers to Amazon and is providing income to many developers out there. A healthy little ecosystem. Until recently.
In May this year, Amazon renamed the API from Amazon Associates Web Service to Product Advertising API and added a new requirement:
In addition to the new name, signatures will be necessary to authenticate each call to the Product Advertising API.
The signing of requests will be required starting August the 15th 2009.
So what's so bad about it? For signing the request, you need to use a Secret Access Key. That key is tied to your account and Amazon states explicitly:
Your Secret Access Key is a secret and only you and AWS should know it. It is important to keep it confidential to protect your account. Never include it in your requests to AWS, and never e-mail it to anyone. Do not share it outside your organization, even if an inquiry appears to come from AWS or Amazon.com. No one who legitimately represents Amazon will ever ask you for your Secret Access Key.
This means that no Open Source application can work out of the box using the Amazon API, because you can't put the secret key into your code obviously. For some apps it might be reasonable to let users sign up for their own keys, but user experience is clearly damaged.
But there is something else, one user in the Amazon developer forums summed up under Did new signature policy killed my income?:
I have developed open source software that displays Amazon products. It's being used by people who don't have an developers account, they might have an associate ID but if they don't my associate ID will be used, giving me some income.
The only solution is that, if people want to use my software, have to sign up for AWS and enter the AWS information in my program.
I see two potential problems with this:
1. People won't sign up and not use my software.
2. People who do sign up will in the process most likely sign up for an associate ID as well.
In both cases I will loose income.
Amazon didn't even care to respond to the forum post.
I haven't updated the DokuWiki Amazon Plugin yet and I guess many other scripts out there will stop working August the 15th. I wonder how large the impact of the revenue loss at Amazon through this will be, hopefully big enough to let them reconsider.