Authentication

The public developer API is authenticated with API keys.

Public API keys

Issued keys currently look like:

```
sk_
```
+ 64 lowercase hex characters

Legacy

yt2t_...

keys are still accepted by the backend, but new integrations should use the

sk_...

keys issued by the dashboard.

Send credentials

Preferred header:

Authorization: Bearer <api_key>

Also supported:

X-API-Key: <api_key>

There is no supported query-parameter auth method for the public API.

What

/api/v1/auth/*

Actually Does

The

/api/v1/auth/*

routes are for API key management:

create key
list keys
update key
delete key
validate key

They do not provide user login, signup, refresh, or logout. User auth for the web app lives on the internal browser-oriented API.

Permission Model

Current public key permissions:

```
read
```
```
process
```
```
admin
```
admin users only

Route-specific notes:

```
POST /api/v1/videos/process-sync
```
requires
```
admin
```
```
/api/v1/proxies/*
```
requires
```
admin
```

Plan gates are separate from key permissions. For example, a valid key still cannot use Pro-only features on a non-Pro account.

Example

curl -X POST "https://api.yt2text.cc/api/v1/videos/process" \
  -H "Authorization: Bearer $YT2TEXT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
    "options": {
      "summary_modes": ["tldr"]
    }
  }'

Security Guidance

Keep keys server-side only.
Never embed production keys in browser code.
Rotate keys immediately if exposed.
Create separate keys per integration where possible.