Authentication and authorization protocols allow a user to access YouTube features that link content or information to a particular YouTube account.

• Authentication pertains to the idea of user identity. So, for example, a user authenticates when entering an account username and password.

• Authorization refers to the ability to retrieve, insert, update, and delete data. An authenticated user can authorize a third-party application to perform API operations on that user's behalf.

The API supports numerous functions that require user authorization, including all of the API functions for creating, updating or deleting content. For example, suppose an application allows users to capture videos and upload them to YouTube. To upload a video through the application, a user would need to authenticate by logging into a Google Account and then authorize the application to upload videos to the user's account.

Note: If you implement any functionality that requires user authorization, we recommend that you include the proper authorization headers in all of your API requests even if those requests do not explicitly require user authorization.

A request must include the following information to be properly authorized:

• An Authorization header that specifies a token that you obtain for each user.

• The X-GData-Key header or the key parameter, which specifies your developer key, a value that uniquely identifies your application(s). Using the X-GData-Key header is the preferred approach since it is more secure than the URL parameter.

We recommend that you use OAuth 2.0 authorization for your application, and the sample API requests throughout this documentation use the OAuth 2.0 syntax for their Authorization HTTP header values. The OAuth 2.0 protocol provides a standard way to access protected data on different websites and it is the recommended authorization mechanism for Google APIs. OAuth is an open protocol that may be implemented for many APIs, including Google APIs. All Google APIs, including the YouTube API, support the OAuth 2.0 authorization protocol. OAuth 2.0 relies on SSL for security instead of requiring your application to do cryptographic signing directly.

The OAuth 1.0, AuthSub, and ClientLogin authorization schemes also still work with the YouTube API. The APIs for those schemes have all been officially deprecated as of April 20, 2012. They will continue to work as per our deprecation policy, but we encourage you to migrate to OAuth 2.0 authorization as soon as possible. Similarly, if you are building a new application, you should use OAuth 2.0 authorization.

Using a developer key

A developer key uniquely identifies a product that is submitting an API request. Please visit http://code.google.com/apis/youtube/dashboard/ to obtain a developer key.

YouTube provides two ways to specify your developer key in an API request. The first option provides greater security and is the recommended approach.

• When you make an API request, use the X-GData-Key request header to specify your developer key as shown in the following example:

  X-GData-Key: key=<developer_key>
  

• Include the key query parameter in the request URL.

  https://gdata.youtube.com/feeds/api/videos?q=SEARCH_TERM&key=DEVELOPER_KEY
  

Note: Specifying your developer key is very simple if you are using one of our client libraries. In the client libraries, you provide your developer key when initializing the YouTube service object, and all subsequent requests sent using that object will contain the key.

Last updated August 17, 2012.