All API requests require authentication. Developers are issued an API key and a secret access key when they register with Peel. Developers must then digitally sign their requests using the following HTTP scheme based on a keyed-HMAC (Hash Message Authentication Code). This authentication "signature" must be passed in the HTTP Authorization header. The following pseudo-grammar illustrates the construction of the HTTP Authorization header:
Authorization: "Peel" + " " + PeelAPIKey + ":" + Signature
Signature = Base64( HMAC-SHA1( UTF-8-Encoding-Of( SecretAccessKey, StringToSign ) ) )
StringToSign = HTTP-Method + "\n" + Content-Type + "\n" + Date + "\n" + Resource
HTTP-Method = <HTTP method, e.g., "GET", "POST">
Content-Type = <Value of HTTP Content-Type header>
Date = <Value of HTTP Date header>
Resource = <HTTP-Path of request, e.g, "/tvdb/search/shows", etc.>
HMAC-SHA1 is an algorithm that takes two byte strings as input: a key and a message. Use your secret access key as the key and the UTF-8 encoding of the StringToSign as the message. The output of HMAC-SHA1 is also a byte string, called the digest. The Signature is constructed by Base64 encoding this digest.
If a parameter in StringToSign isn't available, e.g., Content-Type, then use a blank string ("").
Here are the credentials and endpoint that a developer can use to experiment with Peel's Tune-in API:
Access key: 8d89e255456a45df90be94c680a89c17
Secret key: 3ba1ca087cc14cc7808f2987da3db9d0