API

TMDB Integration

Internal TMDB access used by the current movie search and movie detail routes

TMDB requests are made internally through server/utils/tmdb/client.ts. This helper keeps the API key server-side, applies rate limiting, and only allows the TMDB paths the app currently needs.

Allowed TMDB Paths

The internal allow-list currently permits only:

  • search/movie
  • movie/popular
  • movie/:id

Any other TMDB path is rejected before an upstream request is made.

Where It Is Used

  • GET /api/movies/search
  • GET /api/movies/popular
  • GET /api/movies/:id
  • recommendation title-to-TMDB-ID resolution in the recommendation utilities

Request Behavior

The helper sends requests to TMDB with:

Accept: application/json
Authorization: Bearer [from NUXT_TMDB_API_KEY env]
language: en-US

Rate Limiting

TMDB-bound requests are limited before the outbound request is sent.

Current settings:

  • limiter: tmdbLimiter
  • strategy: fixed window
  • limit: 40 requests
  • window: 1 second
  • key: shared global key tmdb:global

The server includes these headers on TMDB-backed responses:

Header                  Description
X-RateLimit-Limit       Total allowed requests in the window
X-RateLimit-Remaining   Requests left in the current window
X-RateLimit-Reset       Unix timestamp (ms) when the window resets

The same values are also emitted as X-TMDB-RateLimit-* headers.

Security Notes

  • The TMDB API key is never exposed to the browser
  • Absolute URLs are rejected
  • Requests are restricted to the TMDB API base URL
  • Only the current allow-listed paths are accepted
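The allow-list and rate-limit rules above, as an added example that is not the project's server/utils/tmdb/client.ts: it assumes TMDB's v3 base URL and keeps the documented 40 requests per 1 second window on the shared tmdb:global key.

```typescript
// Added example; not the project's server/utils/tmdb/client.ts.
// Assumes TMDB's v3 base URL and the documented 40 req / 1 s window.
const TMDB_BASE = "https://api.themoviedb.org/3/";

// Allow-list from the docs: search/movie, movie/popular, movie/:id
// (:id restricted to digits so arbitrary sub-paths cannot slip through).
const ALLOWED_PATHS: RegExp[] = [/^search\/movie$/, /^movie\/popular$/, /^movie\/\d+$/];

// Returns the upstream URL for a relative TMDB path, or null if the path
// is absolute, escapes the base URL, or is not on the allow-list.
function resolveTmdbUrl(path: string): URL | null {
  // Absolute (scheme:) and root-relative (/...) inputs are rejected outright;
  // "/..." would drop the "/3/" prefix and "//..." would change the host.
  if (/^[a-z][a-z0-9+.-]*:/i.test(path) || path.startsWith("/")) return null;
  const url = new URL(path, TMDB_BASE);
  const base = new URL(TMDB_BASE);
  // Checking the resolved pathname (not the raw input) also defeats "../".
  if (url.origin !== base.origin || !url.pathname.startsWith(base.pathname)) return null;
  const rel = url.pathname.slice(base.pathname.length);
  return ALLOWED_PATHS.some((re) => re.test(rel)) ? url : null;
}

type Bucket = { start: number; count: number };

// Fixed-window limiter: `limit` requests per `windowMs` per key. Every
// TMDB call shares the key "tmdb:global", as the docs describe.
class FixedWindowLimiter {
  private windows = new Map<string, Bucket>();
  private limit: number;
  private windowMs: number;
  constructor(limit = 40, windowMs = 1000) {
    this.limit = limit;
    this.windowMs = windowMs;
  }

  // Returns whether the call may proceed plus the values the server exposes
  // as X-RateLimit-Limit / -Remaining / -Reset.
  take(key: string, now: number = Date.now()) {
    let w = this.windows.get(key);
    if (!w || now - w.start >= this.windowMs) {
      w = { start: now, count: 0 };
      this.windows.set(key, w);
    }
    const allowed = w.count < this.limit;
    if (allowed) w.count += 1;
    return { allowed, limit: this.limit, remaining: this.limit - w.count, reset: w.start + this.windowMs };
  }
}

const tmdbLimiter = new FixedWindowLimiter(40, 1000);
```

A route handler would call tmdbLimiter.take("tmdb:global") before resolveTmdbUrl(), return 429 when allowed is false, and copy limit/remaining/reset into the X-RateLimit-* headers.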

Copyright © 2026