Netflix Authentication Walk-Through
This page walks you through the Netflix API authentication process. It ends with a demonstration in which you add, move, and delete movies from a Netflix instant queue, using your developer credentials and a Netflix subscriber’s credentials. You do not need to install or manage anything on your end; everything happens on this page.
Before You Begin
This walkthrough will only work if you have already registered your application and received your developer credentials. Note that no new applications can be registered at this time.
As you work your way through this walkthrough, rest assured that no sensitive information — including your Netflix or Netflix Developer Network credentials — will ever be submitted to or collected by anything that isn’t Netflix or the Netflix Developer Network. Everything that doesn’t go through the API happens on the client side (within your computer) by means of JavaScript, and all cookies will clear when you close your browser window.
1. Get your Request Token
To find your key and shared secret, visit http://developer.netflix.com/apps/mykeys.
- Key (consumer_key) :
- Shared Secret (consumer_secret) :
- Authorization URL :
- Signed URL
2. Save your OAuth Token Secret
Because you don’t use the OAuth token secret until after the subscriber signs in, you need to save it on your end. For the purposes of our our demo, we’ll save it as a browser cookie.
- oauth_token_secret : Please read carefully and be sure to copy from the equals-sign all the way to the next ampersand.
3. Sign In through Netflix
Next, send the subscriber to the Netflix-hosted login page to sign in, using your consumer_key, your application’s name, and the oauth_token you received in the previous step. This call also tells Netflix where to send the subscriber after he or she signs in, by means of the the oauth_callback parameter.
- oauth_token: This and application_name both come from the reply to Step 1.
- application_name: Some application names contain URL formatting such plus-signs. Paste it in exactly as given above in the reply to Step 1.
- oauth_callback: If you’re testing your own callback, feel free to change this.
- consumer_key: This has not and never will change.
- Netflix Login Page: Important: you’re not signing this call, so consumer_secret and oauth_token_secret don’t come into play. When you click the button below, you’ll be sent to Netflix to sign in. You must sign in to that page with a valid Netflix subscriber account credentials (not your developer account credentials).
- Signed URL
4. Get your Authorized OAuth Token and Authorized OAuth Token Secret
There’s nothing to enter here that you don’t already have on file, so you don’t have to fill anything in. The callback does nothing except say to your page “Okay, looks like the subscriber has signed in; feel free to request an access token now.” Don’t dawdle here; if you get an expired token message back, you’ve taken too long and will need to start over.
- consumer_key:
- consumer_secret :
- oauth_token:
- oauth_token_secret :
- Access Token URL :
- Signed URL
5. Save the Authorized User Credentials
Save the subscriber’s encrypted ID, oauth_token, and oauth_token_secret, which will be good until he or she revokes your permission. (For the purposes of our demo, we’re saving it in the browser state only.)
- oauth_token: This is the authorized oauth_token from the last step. It’s very long.
- user_id : This will never change, and may be used as this subscriber’s primary key in your local database.
- oauth_token_secret : As above, this is the authorized oauth_token_secret from the last step.
6. Make Authorized Calls
- consumer_key:
- consumer_secret :
- oauth_token:
- oauth_token_secret :
- Run Query:
- HTTP Method:
- Signed URL
Things to Do and Notice
- See all the link href values? You can plug any of these into the “Run Query” field to make another call.
- Once you start running endpoints that show individual titles, you’ll start to see link href values that point into the catalog. These will also work fine.
7. Writing to the Netflix Database
Adding
Here we will use our new-found powers to add the movie Rosencrantz & Guildenstern Are Dead to your subscriber’s instant queue.
- First, you’ll need to read your subscriber’s queue. Run the following query:
http://api-public.netflix.com/users/user_ID/queues/instant/available - In the API response, find the queue’s etag. To help keep everything in sync, the API needs to know the current ETag for every add, change, or delete. For the walk-through to continue to work, you will need to change the value my_etag in the examples to the ETag value returned by the previous call.
- Set the HTTP Method to POST.
- Send the following request to add the movie to the end of your subscriber’s queue:
http://api-public.netflix.com/users/user_ID/queues/instant?title_ref=http://api-public.netflix.com/catalog/titles/movies/60034967&etag=my_etag
- If it worked, you’ll get an HTTP 201 reply, with a success message. A bit further down you’ll see the new movie’s queue position, plus lots of interesting information about the movie.
Moving
Let’s bump Rosencrantz & Guildenstern Are Dead up to position #3:
- You’ll need the updated etag, which will be the first thing you see in the response from the Add step, and the movie ID you just used. Here’s your query:
http://api-public.netflix.com/users/user_ID/queues/instant?title_ref=http://api-public.netflix.com/catalog/titles/movies/60034967&position=3&etag=my_etag
- Be sure your HTTP method is still set to POST.
- If it worked, you’ll get an HTTP 201 reply, with a Move successful message, and the position will show as 3.
- You can also use this method to add a movie directly into a particular slot in a subscriber’s queue. Caution: most subscribers do not use Netflix in this fashion and may find it annoying or unexpected.
Deleting
Assuming Rosencrantz & Guildenstern Are Dead is still in your subscriber’s queue, here’s how to delete it:
- Make the following query, with your HTTP method set to POST:
http://api-public.netflix.com/users/user_ID/queues/instant/available/60034967?method=delete&etag=my_etag
- Again, be sure to set your HTTP Method to POST. Because Web browsers don’t have access to the HTTP DELETE verb, we’re going to use POST with a method override: method=delete. This won’t be necessary for non-browser-based applications that have access to DELETE.
- If it worked, you'll get an HTTP 200 reply, with a Title deleted from queue message.
That’s it for our demonstration. Feel free to use this page to test signed-in calls whenever you like.
For further information, please consult the REST API Reference.
