YouTube API v2.0 – AuthSub

Note: The YouTube Data API (v2) has been officially deprecated as of March 4, 2014. Please refer to our deprecation policy for more information. Please use the YouTube Data API (v3) for new integrations and migrate applications still using the v2 API to the v3 API as well.

Important: The AuthSub authentication protocol has been officially deprecated as of April 20, 2012. It will continue to work as per our deprecation policy, but we encourage you to migrate to OAuth 2.0 authentication as soon as possible. If you are building a new application, you should use OAuth 2.0 authentication.

The AuthSub process is documented in more detail at https://developers.google.com/accounts/docs/AuthSub. In addition, please note that the base URL and scope of service for AuthSub authentication for the YouTube API – http://gdata.youtube.com – are different than the URL and scope specified in that document.

To obtain an authentication token, send a POST request to the following URL:


The POST request contains the following parameters:

  • The next parameter contains the URL to which the user will be redirected after logging in to a Google Account.

  • The scope parameter identifies the service that the user is enabling your site to access on his behalf. The value of this parameter must be http://gdata.youtube.com.

  • The secure parameter contains a boolean value (0 or 1) that indicates whether the authentication service will return a secure or nonsecure token. Secure tokens are issued only to websites that have registered with Google, and video upload requests that use a secure token must be digitally signed. Please see the Google AuthSub documentation for more details about secure tokens.

  • The session parameter contains a boolean value (0 or 1) that indicates whether the single-use authentication token that the authentication service returns can be exchanged for a session token, which can be used multiple times. Set this variable to 1 to indicate that the single-use token can be exchanged for a session token. Please see the Google AuthSub documentation for an explanation of how to request a session token.

The page that displays will prompt the user to log in to a Google Account. If the user is already logged in, the page will indicate that your application is requesting access to the user's Google Account to perform actions on YouTube. The user can then choose whether to grant or deny access to your application.

After choosing one of those options, the Google authentication service will redirect the user back to the URL identified in the next parameter in your AuthSub request. If the user granted access to your application, the redirect URL will contain a single-use authentication token, which will identified by the URL's token parameter as shown in the following example. If the value of the session parameter in your AuthSub request was 1, then you can exchange the single-use token for a session token by submitting an AuthSubSessionToken request.

The following URL shows how the token parameter will appear in the redirect to your site. Note that the URL for the redirect would have been provided as the value of the next parameter in the AuthSub request.


When you make an authenticated API request using an AuthSub authentication token, your request needs to specify the Authorization HTTP request header as shown in the example below. Note: Throughout this documentation, sample requests use AuthSub syntax unless otherwise specified.

Authorization: AuthSub token="<authentication_token>"
X-GData-Key: key=<developer_key>

Process flow diagram

The following diagram illustrates the steps involved in authenticating a user using the AuthSub authentication scheme. AuthSub authentication can be used with either direct uploading or browser-based uploading.

The image shows the following steps:

  1. The user clicks a link on your site to upload a video.

  2. Your site redirects the user to Google's Authentication Proxy service.

  3. The user's browser sends a request to the authentication service.

  4. Google displays an Access Consent page, prompting the user to log in to a Google Account.

  5. The user logs in to his account, and Google then asks the user to grant or deny the ability for your site to upload the user's video details.

  6. If the user grants access, Google redirects the user back to your site. The redirect URL contains the authentication token for your Upload API request.

  7. The user's browser sends a request, including the authentication token, to your site. The Google AuthSub documentation explains the optional step of exchanging the single-use authentication token for a session token that does not expire.

pagination links

« Previous
OAuth 1.0
Next »