In order for users to write data to their account via the API, we have created a user specific authentication workflow. Upon being completed successfully, the session id that is created can be used to do things like rate movies, add or remove items to a personal watchlist, and also create and edit lists.
The workflow outlined below does not require the transferring or storing of passwords at any point. The user is simply required to log in to their account on our end just like they would in a regular browser. We recommend for extra security, all of this be done over SSL (HTTPS).
Create a new request token
The first step as a developer is to request a new token. This is a temporary token that is required to ask the user for permission to access their account. This token will auto expire after 60 minutes if it's not used.
Ask the user for permission
The next step is to take the token you got from step #1 and direct your user to the following URL:
This callback URL is also accessible via the
Authentication-Callback header that gets returned in step #1.
This step is where the user gets involved, authorizing your API key access to their account.
Create a session ID
Assuming the request token was authorized, you can now go and request a session ID.
The results of this query will return a
session_id value. You should treat this value like a password. Store it securely. This is the value required in all of our write methods.
Guest sessions are a type of session that doesn't require any user registration. This makes it very easy to help contribute some data back to TMDb. We currently only support the ability to rate movies with a guest session.
You should only issue 1 guest session per user though, as we still treat them as a unique account. In the future there will be the ability to sign up with one of these sessions so users can import all of their rated movies.
You can read the guest session documentation here.