Note: The YouTube Data API (v2) has been officially deprecated as of March 4, 2014. Please refer to our deprecation policy for more information.
Important: The ClientLogin authentication protocol has been officially deprecated as of April 20, 2012. It will continue to work as per our deprecation policy, but we encourage you to migrate to OAuth 2.0 authentication as soon as possible. If you are building a new application, you should use OAuth 2.0 authentication.
If you are already using ClientLogin and are encountering authentication failures with certain accounts, refer to the ClientLogin #FAIL blog post for recommendations.
ClientLogin is Google's proprietary authorization API that was designed for standalone, single-user, installed clients, such as desktop applications. An application would ask the user to enter his YouTube username and password and would then use those values to request a ClientLogin authentication token.
Note: You should never build a web application that implements ClientLogin authentication and requires users to enter their usernames and passwords.
To make an authenticated API request using YouTube's ClientLogin system for single-user authentication, you must identify the YouTube user account associated with the request. By providing the username and password for the user's YouTube user account, you are verifying that the user is authorized to perform operations associated with that account. The authenticated actions will then be associated with that account. Please note that the following instructions vary slightly from the standard ClientLogin instructions.
To obtain an authentication token, send a POST request to the following URL:
Note: This URL was updated in October 2010. The old URL has been deprecated in accordance with the policy explained in our Terms of Service. If you are updating an application that used the old URL (
https://www.google.com/youtube/accounts/ClientLogin), note that the new URL does not return the user's YouTube account name as the YouTubeUser value in response to a successful ClientLogin request. For any API request that requires you to specify a YouTube username, you can use the term default to identify the currently logged-in user as long as you also send an Authentication token with the request. See the Revision History for more details.
The following guidelines apply to the request:
The POST request must specify the value application/x-www-form-urlencoded for the Content-Type header.
The POST body must include a string in the following format:
You need to make the following changes to this string:
Replace the <username> and <password> strings with one of the following combinations of values:
- If the user's YouTube account is linked to a Google Account, specify either the YouTube account name or the email address associated with the Google Account as the <username> and specify the Google Account password as the <password>.
- If the user's YouTube account is not linked to a Google Account, specify the user's YouTube account name as the <username> and the user's YouTube account password as the <password>.
Replace the string <source> with a short string that identifies your application for logging purposes.
The <username>, <password> and <source> values must all be URL-encoded.
Google will return a response that contains the authentication token that you will need to execute API operations associated with the specified user's YouTube account. The authentication token will be the Auth value on that page. You must extract the authentication token from the page and then submit that value in API requests. Please note that authentication tokens expire periodically. As such, your application may need to repeat this authentication process and update the value of the authentication token when the token is rejected as expired.
Note: The Google ClientLogin documentation explains how to also incorporate a CAPTCHA challenge into an application using ClientLogin authentication.
For example, suppose you want to authenticate a YouTube account for which the username and password are testuser and testpassword, respectively. You can simulate the POST request using the Linux 'curl' command, as shown in the following example:
curl \ --location https://www.google.com/accounts/ClientLogin \ --data 'Email=testuser&Passwd=testpw&service=youtube&source=Test' \ --header 'Content-Type:application/x-www-form-urlencoded'
If your authentication request is successful, the response to your request will have the following format. (Please note that the token values have been shortened in the example.)
SID=DQAAALQAAAA6wx7byZp-s4BizDqS1OaT21j9dmY6wMjexpQdNC3 LSID=DQAAALUAAAARH_PvRXoaz23Dv_UmOSUz2_0vh-4XbUedCN9XTZ Auth=DQAAALUAAAARH_PvRXoaz23Dv_UmOSUz2_jxJVCGjoulKlhWbU
When you make an authenticated API request using a ClientLogin authentication token, your request needs to specify the Authorization HTTP request header as shown in the example below:
Authorization: GoogleLogin auth=<authentication_token> X-GData-Key: key=<developer_key>
Process flow diagram
The following diagram illustrates the steps involved in authenticating a user using the ClientLogin authentication scheme to upload a video. Like AuthSub authentication, ClientLogin authentication can be used with either direct uploading or browser-based uploading.
The image shows the following steps:
The user clicks a link on your site to upload a video.
Your application presents a form for the user to enter a username and password.
The user submits his username and password to your installed application.
Your application sends a ClientLogin authentication request to YouTube to obtain an authentication token for uploading the video. The request specifies a username and password that identify the YouTube account associated with the video. As described in the previous section, the username could be either a YouTube account name or a Google Account email address. The password will be the Google Account password for YouTube accounts that are linked to Google Accounts and the YouTube account password for YouTube accounts that are not linked to Google Accounts.
YouTube verifies the user's username and password and returns the authentication token to your application. If you are using browser-based uploading, the token will allow you to upload the video metadata. If you are using direct uploading, the token will allow you to upload the metadata and the actual video file.