Authentication
API key authentication and security
By YT2Text Team • Published January 15, 2025 • Updated February 23, 2026
Authentication
YT2Text API requests are authenticated with API keys on headers.
Authentication is enforced for production traffic by default. It can be relaxed only in local development setups.
API key format
Keys are secret, random tokens that use the same prefix/shape as the app UI and are 64 hex chars after the prefix:
- Format: + 64 lowercase hex characters
sk_
- Example:
sk_8f4e5c...
Pass credentials on every request
Use one of these headers:
Authorization: Bearer <api_key>
or
X-API-Key: <api_key>
There is no query parameter auth method.
Requests are rejected if the key is missing, unknown, disabled, or not allowed for the route.
Permission model
- Feature gating is plan-based (for example, webhook URL and custom instructions are Pro-only for job processing).
- is admin-only.
process-sync
- API keys are scoped to a workspace/account context rather than a browser session.
Example request
curl -X POST "https://api.yt2text.cc/api/v1/videos/process" \
-H "Authorization: Bearer $YT2TEXT_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"video_url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
"summary_mode": "tldr"
}'
Security guidance
- Keep keys server-side only.
- Never embed production keys in browser code or public repos.
- Rotate keys immediately if they may have been exposed.
- Use short-lived CI/job credentials where possible.